Experts downplay Phatbot danger

Security experts downplayed the danger of a Trojan horse program named Phatbot that uses peer to peer (P-to-P) technology to create a network of infected zombies for carrying out attacks or spreading malicious code.

Antivirus experts at two security companies said that Phatbot was a low level threat, one day after a Washington Post report warned of hundreds of thousands of infections from the program and cited an alert issued by the U.S. Department of Homeland Security (DHS).

"I think there are a lot of people getting very excited about something that's not very important," said Graham Cluley, senior technology consultant at Sophos PLC.

The DHS did not respond to a request for comment on Phatbot.

Trojan horse is a term used to describe malicious computer programs that hide inside other, benign software or run surreptitiously on a computer. Trojans can give remote attackers access to the machines on which they run or receive and respond to remotely issued commands.

Phatbot spreads by infecting computers running vulnerable versions of Microsoft Corp.'s Windows operating system. Phatbot can spot machines with a number of high profile Windows holes, including the DCOM (Distributed Component Object Model) vulnerability that spawned the Blaster worm. It can also find and infect machines that have an open "back door" created by the MyDoom worm, according to managed security services company Lurhq Corp.

When it is installed on infected machines, the Phatbot Trojan joins a P-to-P network similar to Kazaa or Gnutella. The network uses a specially developed communications protocol that allows infected computers to identify and communicate with each other, transmit commands and share infected files, said Joe Stewart, a senior security researcher at Lurhq.

The Phatbot software supports a long list of commands that can be used by remote attackers to cause infected machines to launch a denial of service attack, scan the Internet for vulnerable Windows computers to infect or update their Phatbot software. Phatbot-infected systems find each other using the same servers that clients running the Gnutella P-to-P software use, but use a different communications protocol and listen on a different communications port, which keeps them separate from the Gnutella clients, he said.

The remote control aspect of Phatbot makes it very similar to so-called "IRC bots," that use Internet Relay Chat software and servers to communicate, he said. However, unlike IRC bots, the Phatbot software does not rely on IRC servers to communicate with each other and coordinate their efforts, Stewart said.

"It gives (the Phatbot authors) the ability to be a little bit more discreet, because they don't have to connect to an IRC server where an administrator could notice and shut down their channel," he said.

In fact, Phatbot is just the latest generation of a long line of IRC bots known as "Agobot," or "Gaobot," Sophos and Lurhq said. "We've seen hundreds of versions of (Agobot) over the past few weeks," Cluley said, noting that Sophos, which assigns a letter to each new variant, recently identified Agobot "FG."

"That means we've been around the alphabet five times!" he said.

The Trojans, including P-to-P Trojans like Phatbot, are a nuisance and a threat to users running vulnerable versions of Windows, but are not a new threat, Cluley and Stewart agreed.

Contrary to reports of hundreds of thousands of infected hosts, Sophos has received only two or three reports from customers about Phatbot infections. Stewart said that he has joined the Phatbot network using an infected host and saw "around 1,000" infected hosts on the network in one hour. "It really wasn't a big deal. I'm surprised there's been so much attention to it," he said.

Regular operating system patching, antivirus updates and firewall software will prevent infections from Phatbot and similar threats, Cluley and Stewart said.