PCTechTalkhttp://www.pctechtalk.com/forums/

03-17-2004, 08:22 PM   #1
janett999
Meet the Phatbot

Big Music and the mainstream media will have a field day with Phatbot.

The Washington Post's Brian Krebs already has a piece slugged Hackers Embrace P2P Concept which kicks off, "Computer security experts in the private sector and U.S. government are monitoring the emergence of a new, highly sophisticated hacker tool that uses the same peer-to-peer (P2P) networking abilities that power controversial file-sharing networks like Kazaa and BearShare."


Of course, 'hacker tool' plus 'p2pnet' will automatically equal lots of learned analyses and dire warnings from pundits and security gurus.


And it'll be gleefully picked up by the RIAA: it's always looking for new weapons with which to attack p2p and/or file sharing, whether the 'new weapons' have any genuine relevance or not. The fact 'p2p' is mentioned in a (potentially) negative context is sufficient, especially bearing in mind Hollywood's latest triumph - using the office of the California attorney general to stick it to p2p operators.

In the leaked Lockyer/Stevenson p2p letter, a version of which will almost certainly be circulated to AGs across the US, Lockyer and/or Stevenson say(s):

"Whether it is the widespread availability of pornography, including child pornography, the disclosure of sensitive personal information to millions of people, the exposure to pernicious computer worms and viruses, or the threat of legal liability for copyright infringement, P2P file-sharing software has proven costly and dangerous for many consumers," it says.

Lumping e-bugs in with porn always guarantees headlines, and lots of ammunition for the many paid and unpaid entertainment industry supporters on Capitol Hill.

"By some estimates, hundreds of thousands of computers running Microsoft's Windows operating system have already been infected worldwide," the WP report states.

"The tool, a program that security researchers have dubbed 'Phatbot,' allows its authors to gain control over computers and link them into P2P networks that can be used to send large amounts of spam e-mail messages or to flood Web sites with data in an attempt to knock them offline."


That'll do it.

"For the last couple of days yet another bot is hunting for MyDoom infected systems," says a March 10 inetsecurity posting here. "This bot/worm will also scan for vulnerable dame-ware installs, systems vulnerable to the RPC DCOM exploit, and open file shares.


"At this point, this bot does not appear to make a significant impact globally. This bot is however significant as it is using P2P techniques to communicate. Infected systems can be spotted by outbound port 1025 scans. At this point, we track about 5,000 infected systems."

F-Secure, the Finnish company that discovered Mydoom, says Phatbot is an Agobot.FO alias, along with Backdoor.Agobot.fo, W32.HLLW.Gaobot, Gaobot, Win32/Gaobot and just plain Phat.

"The Agobot.FO variant was found in March 2004 and became relatively widespread," it states. "This backdoor has functionality similar to its previous variants, but this variant is more powerful than earlier versions ... this new variant has 'Phatbot3' identifier and there are a few 'phat' strings in its body. This may indicate that this version was not made by the original Agobot backdoor author, who calls himself TheAgo, but by a different person/group who got the source code of this backdoor."

LURHQ agrees that Phatbot is a descendant of Agobot with outside code rolled in to make it "a more versatile and dangerous threat in the realm of Internet security" and, although Agobot has a rudimentary p2p system, IRC is still the main control vector, it says, continuing:

"The author(s) of Phatbot chose to abandon Agobot's IRC and P2P implementations altogether and replaced them with code from WASTE, a project created by AOL's Nullsoft division (and subsequently canceled by AOL)."


WASTE was meant to combine file sharing with instant messaging, chat and file searches and at one point was used to share files between AOL San Francisco and Nullsoft.

But, "interestingly, the encryption has been removed from the WASTE code used in Phatbot," LURHQ says, theorizing, "Rather than devise a system for distributing keys among infected hosts (or giving all hosts the same public/private keypair) the author(s) decided to scrap the encryption altogether.


"Since there is no central server in the WASTE network, the infected hosts also have to find each other somehow. This is accomplished by utilizing Gnutella cache servers - anyone can use the CGI scripts provided by these servers to register themselves as a Gnutella client. The Phatbot WASTE code registers itself with a list of URLs pretending to be a version of GNUT, a Gnutella client. Other Phatbot hosts then retrieve the list of Gnutella clients from these cache hosts using the same CGI scripts. The Phatbots differentiate themselves from the Gnutella clients by using TCP port 4387 instead of the standard Gnutella port.


"To connect to the Phatbot WASTE network, one only needs to have a custom WASTE client and connect to a peer found on the cache servers. At this point it is only necessary to have the correct username and password (stored as an md5sum in the Phatbot binary) in order to control the entire Phatbot network.


"One problem with the WASTE approach is scalability; WASTE was not designed with large networks in mind. The protocol specifications state that WASTE is intended for nets with 10-50 nodes. For the typical IRC botnet, 1000 nodes would be on the small side."

The "concern here is that the peer-to-peer like characteristics of these 'bot networks may make them more resilient and more difficult to shut down," a cyber-security official at the Department of Homeland Security "who asked not to be identified because the agency is still considering whether to issue a more public alert about Phatbot" adds in the Post story.

Stay tuned ...


http://p2pnet.net/story/1005
__________________
American by Birth

File Sharer by Choice
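The post quotes two network indicators for Phatbot: the inetsecurity note that infected systems "can be spotted by outbound port 1025 scans", and LURHQ's observation that Phatbot peers talk WASTE on TCP port 4387 instead of the standard Gnutella port. The script below is an added example, not code from p2pnet, inetsecurity or LURHQ, that turns those two indicators into simple detection logic over flow records. The record format (`src dst dport proto`), the sample flows, and the fan-out and peer-count thresholds are all constructed assumptions for the demonstration; real logs would need their own parser and tuning.

```python
"""Flag hosts whose outbound TCP traffic matches the two Phatbot indicators
named in the post: scan fan-out against port 1025 and peer traffic on port
4387 (the WASTE port Phatbot uses instead of the Gnutella default).
Sample flow records and thresholds are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

SCAN_PORT = 1025              # port the bot scans hunting for MyDoom-infected hosts
WASTE_PORT = 4387             # port Phatbot's WASTE peers listen on (from LURHQ)
SCAN_FANOUT_THRESHOLD = 20    # assumption: distinct 1025 targets before we call it a scan
PEER_THRESHOLD = 3            # assumption: distinct 4387 peers before we flag a host


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line):
    """Parse one constructed 'src dst dport proto' record.

    Returns None for malformed lines or non-TCP traffic so junk in the log
    never raises and never counts toward a threshold."""
    parts = line.split()
    if len(parts) != 4 or parts[3].lower() != "tcp":
        return None
    try:
        return Flow(parts[0], parts[1], int(parts[2]), parts[3].lower())
    except ValueError:
        return None


def find_suspects(lines):
    """Return {src: {"scan_1025": n, "peers_4387": m}} for every source host
    that exceeds either threshold. Counts are of distinct destinations, so a
    host hammering one target on 1025 is not mistaken for a sweep."""
    scan_targets = defaultdict(set)
    waste_peers = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        if flow.dport == SCAN_PORT:
            scan_targets[flow.src].add(flow.dst)
        elif flow.dport == WASTE_PORT:
            waste_peers[flow.src].add(flow.dst)

    suspects = {}
    for src in set(scan_targets) | set(waste_peers):
        n_scan = len(scan_targets[src])
        n_peer = len(waste_peers[src])
        if n_scan >= SCAN_FANOUT_THRESHOLD or n_peer >= PEER_THRESHOLD:
            suspects[src] = {"scan_1025": n_scan, "peers_4387": n_peer}
    return suspects


# Constructed sample: one host sweeping 25 targets on 1025, one host with three
# WASTE peers on 4387, one benign host, and a junk line the parser must skip.
SAMPLE_FLOWS = (
    [f"10.0.0.5 192.168.0.{i} 1025 tcp" for i in range(25)]
    + ["10.0.0.7 203.0.113.10 4387 tcp",
       "10.0.0.7 203.0.113.11 4387 tcp",
       "10.0.0.7 203.0.113.12 4387 tcp"]
    + ["10.0.0.9 198.51.100.1 80 tcp",
       "10.0.0.9 198.51.100.2 1025 tcp",
       "garbage line"]
)

if __name__ == "__main__":
    for host, counts in sorted(find_suspects(SAMPLE_FLOWS).items()):
        print(host, counts)
```

Fan-out on 1025 is the stronger signal of the two, since a single connection to 1025 is ordinary Windows RPC traffic; 4387 is worth alerting on at a lower count because the post gives no benign reason for a workstation to open several connections to that port.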