New Trojan Phatbot can steal AOL passwords and PayPal personal data from cookies

Question
A dangerous new Trojan bot named Phatbot has already infected hundreds of thousands of computers worldwide, and it's just starting. Phatbot has some alarming capabilities. Among other things, it can disable firewalls, evade anti-virus programs, steal AOL login names and passwords, and sniff Internet network traffic for PayPal cookies containing personal data.
http://www.detnews.com/2004/technolo...logy-95388.htm
Bolding is mine
quote:
Computer security experts warn of sophisticated new hacker program
By Brian Krebs / Associated Press
Computer security experts in both the private sector and U.S. government are monitoring the emergence of a new, sophisticated hacker program that connects infected computers to far-flung peer-to-peer file-sharing networks.
By some estimates, hundreds of thousands of computers running Microsoft's Windows operating system have already been infected worldwide. The program, software code that security researchers have dubbed "Phatbot," allows its authors to gain control over computers and link them into file-sharing networks that can be used to send large amounts of spam e-mail messages or to flood Web sites with data in an attempt to knock them offline.
The new hacker threat caught the attention of cybersecurity officials at the U.S. Department of Homeland Security, prompting the agency to send an alert last week to a select group of computer security experts. In the alert, the agency warned that Phatbot snoops for passwords on infected computers and tries to disable firewall and antivirus software.
A copy of the DHS alert was made available by two sources at different companies who asked that their identities not be used because they did not want to risk losing access to future government alerts. Officials at the department and US-CERT, the U.S. Computer Emergency Readiness Team, a government-funded cybersecurity monitoring agency, confirmed that the message was genuine.
Joe Stewart, a researcher at the Chicago-based computer security firm Lurhq, has catalogued Phatbot's many capabilities in an online posting. Those capabilities include the ability to: evade antivirus software; steal America Online login names and passwords; harvest e-mail addresses from the Web for spam purposes; and sniff Internet network traffic for small computer files, or cookies, that contain personal data used by the PayPal online payment system.
Phatbot is "a virtual Swiss Army knife of attack software," said Vincent Weafer, senior director of security response at Cupertino, Calif.-based Symantec Corp.
Phatbot infects a computer through one of several routes, such as through security flaws in Microsoft's Windows operating system or through backdoors installed on machines by the recent "Mydoom" and "Bagle" Internet worms.
But because Phatbot links infected computers into a larger network, hackers can issue orders to the infected machines through many routes, and cybersecurity officials can only effectively shut down a Phatbot attack if they track down every infected computer.
"The concern here is that the peer-to-peer-like characteristics of these 'bot networks may make them more resilient and more difficult to shut down," said a cybersecurity official at the Department of Homeland Security who asked not to be identified because the agency is still considering whether to issue a more public alert about Phatbot.
Most major antivirus products detect Phatbot, but as soon as it infects computers it disables many antivirus and firewall software tools. The majority of the infections appeared to come from home user broadband connections and from colleges and universities in the United States and the Asia-Pacific region, computer security experts said.
Roger Lawson, director of computing and information technology at the University of Vermont in Burlington, said he quarantined more than 200 computers, more than 5 percent of the machines on the school's network, because of Phatbot infestations. None of the school's antivirus programs detected the malicious code, and attempts to delete it caused Phatbot to recreate and restart itself, he said.
Security experts are divided on whether a full-force Phatbot attack would result in ruin or simply a ruinous headache.
"If there are indeed hundreds of thousands of computers infected with Phatbot, U.S. e-commerce is in serious threat of being massively attacked by whoever owns these networks," said Russ Cooper, a chief scientist at Herndon, Va.-based TruSecure Corp.
Here is a complete list of Phatbot commands and capabilities:
Phatbot Trojan Analysis http://www.lurhq.com/phatbot.html
Blanche
[This message was edited by bhearsch on Thu March 18, 2004 at 09:50 PM.]

Answer
Not all security experts agree that Phatbot is widespread:
Experts debate danger of Phatbot worm http://www.net-security.org/news.php?id=4856
Blanche

Answer
Phatbot....
must have been named after me
_____________________


Answer
Blanche or anyone-
On a daily basis, I'm getting those "returned emails" stating that an infected email was sent by one of my emails. (I have 5, and the notices are only for one.)
Anyhow, McAfee is updated every morning as needed, run and clean. I also downloaded, installed and run Stinger every day. Still clean. Adaware/Spybot show zip.
So how do I know that Bagle and even this newer one have not slipped in and infected, and disabled Virus/Stinger/Adaware/Spybot?
I've got a router, McAfee firewall (paid version, not XP's freebie), Gibson Research shows all my ports stealthed, etc. Everything is updated, including Windows.
Just looking for some peace of mind.
_____________________________
~Weaving thru life on a silver cloud~
www.simplybaskets.com
www.simplynantucketbaskets.com
*Abe's* Antique Silver Shop

Answer
Hi Kathleen. Phatbot is a variation of the Gaobot or Agobot family and is called different names by different anti-virus companies. The one thing you can do to see if you have Phatbot or just about any other Trojan/worm is to look in the registry for the CURRENT VERSION RUN key and see if there's a value in the right pane that corresponds to the Trojan. The value for Gaobot is "Video"="%System%\explored.exe", but I'm not certain that Phatbot has the same value. However, if you have ANY value listed next to the current version run key, I would be suspicious and do some further investigation to determine what program is connected to that registry key and value.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Instructions are located at the bottom of this page: http://www.sarc.com/avcenter/venc/da...gaobot.rf.html
The Bagle worm now has three new variants which don't include an email attachment. An email recipient can become infected simply by opening the email IF their computer isn't patched.
http://www.marketwire.com/mw/release...lease_id=64611
Here's info about the IE patch: http://www.microsoft.com/technet/sec.../ms04-004.mspx
You can find out if you have any variants of the Bagle worm by looking next to the same registry key as I mentioned above for the value "direct.exe" = "%SysDir%\direct.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Blanche
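Blanche's registry check, written out as a script so the Run keys can be reviewed in one pass. This is an added example, not something posted in the thread or part of any of the tools it names; it assumes a machine with PowerShell, which the original posters did not have. The two file names it treats as known indicators (explored.exe, direct.exe) are the ones given above; the other flags (an executable in a Windows system directory that carries no valid Authenticode signature, or a command pointing at a file that no longer exists) are my own review heuristics. Note that legitimate software also registers itself under Run, so a non-empty key is a prompt for investigation, not proof of infection.

```powershell
# Added example: list every value under the machine and user Run keys and
# flag the ones worth a closer look. Heuristics beyond the two file names
# taken from the thread are assumptions, not a published detection rule.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# File names the thread associates with Gaobot ("Video"="%System%\explored.exe")
# and Bagle ("direct.exe"="%SysDir%\direct.exe"). %System%/%SysDir% are
# anti-virus vendor shorthand for the Windows system folder, not real
# environment variables, so we compare on the file name only.
$KnownBad = @('explored.exe', 'direct.exe')

function Get-RunKeyReport {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $raw = [string]$item.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }

            # Recover the executable path: quoted path first, otherwise the
            # first whitespace-delimited token. Then expand %SystemRoot% etc.
            $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $exists = Test-Path -LiteralPath $exe
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
            $leaf   = (Split-Path -Path $exe -Leaf).ToLower()

            $flags = @()
            if ($KnownBad -contains $leaf)                                          { $flags += 'known-indicator' }
            if ($exe -match '\\Windows\\(System32|System)\\' -and $sig -ne 'Valid') { $flags += 'system-dir-unsigned' }
            if (-not $exists)                                                       { $flags += 'missing-file' }

            [pscustomobject]@{
                Key       = $key
                Name      = $name
                Command   = $raw
                Exe       = $exe
                Signature = $sig
                Flags     = ($flags -join ',')
            }
        }
    }
}

# Anything with a non-empty Flags column deserves the "further investigation"
# Blanche recommends: check the file's publisher, creation time and what it
# connects to before deleting the value.
Get-RunKeyReport | Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM is readable in full. A value whose file is missing is not harmless by itself (it may be leftover from an uninstall), but combined with a quarantine report it is the first thing to reconcile against what the anti-virus removed.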

Answer
Blanche
Do these things show up if you check for startup with Toni's program?

Answer
Hi commentary. No, not always. They like to hide in the CURRENT VERSION RUN registry key.
Blanche

Answer
Doesn't appear to affect win98, or at least no fix for it.

Answer
I've been getting a ton of those returned emails to 2 of my accounts for the past couple of months too... it's really annoying...
**********
I list at many different sites : My Ebay Storefront and My Ioffer Storefront
Or perhaps you'd prefer to visit SYI Listings and finally My Website

Answer
Empires, the patch is for Internet Explorer, ALL versions. Also, Win98 is affected. This is the original patch that was superseded by the more current one above which mentions Win98:
http://www.microsoft.com/technet/sec.../ms03-048.mspx
You need to apply the patch for your version of IE if you haven't already done so.
Blanche