New Virus Alert......

Phatbot Trojan Ravages Computers
Category: PC Security
Posted 17.03.04 at 17:30:01


There’s a new threat on the Internet: Phatbot. Phatbot is a Trojan that can slip onto your hard drive many different ways – Peer-to-Peer file sharing, downloading certain “free” items, or holes in your operating system.

Phatbot hit the ground running on Monday, causing massive headaches around the US and Asia.

The Trojan does several things to your PC. The main things, however, are the following:
1. Turns your machine into a spam monster, and can send up to several thousand emails a day from your email address.
2. Can detect many of your passwords and other information.
3. Can spread itself to others linked to your computer if they have some type of backdoor or other security hole.

Because there are no immediate effects, you could be infected for days before you realize it.

Most antivirus software companies have updates their software to keep Phatbot at bay, so visit your company’s site as soon as possible to download any available updates.

 

Hi dontana

This is more of an article than it is an Update Alert.

I will move it to Trojans and Backdoors where it will get more attention.


snowbound

 

Hey Thanks Snowbound! I just wanted to keep folks updated. Say, speaking of updated, where is the spybotsd located...say,if somebody accidentally screwed it up,had to uninstall it, realized after it was too late, and would like to re-download it.?

 

U mean the download Link?

If so, here it is,

http://www.safer-networking.org/index.php?page=download


snowbound

 

What most articles miss is that Phatbot includes rootkit technology, and is also polymorphic. Even worse, it is derived from PRIVATE open source, of which only a few people have. Recently, this was leaked and us AV and AT vendors do have a copy of the recent source.

This helps a lot, but protection against something which can rootkit and potentially never be discovered (because no sample was submitted) is near impossible with AV, unless the AV Monitor - running at the driver level implements very strong heuristics. This would be unlikely due to an on-access monitor slowing down the PC too much..

 

I second that.

 

How does PhatBot's rootkit component work (CreateRemoteThread? Driver based?)? Shouldn't a system firewall like PG or SSM prevent PhatBot from installing its rootkit component?

 

I just tried a variant and it failed against Process Guard with my default setup - it tried to install a service and PG can of course easily block this - the rootkit blocking information in the help file will outline this.

I cant speak for SSM but PG definitely stops it. This type of malware is becoming so abundant we had no choice but to create something for blocking the attack method. All known stealth malware will, by design, fail to do what they need to do

 

I hadn't noticed previously - but at least THIS variant only hides from Task Manager. It has NOT hidden itself from Windows Explorer or regedit. I can plainly see the startups and the file itself, so things COULD be much worse. Of course this is probably only a matter of time, the newest versions could quite easily be more stealthy and install more hooks already.

Just manually removed it too, it didnt even rewrite the registry entries. Many trojans do at least monitor their startup to protect themselves from a simple removal and I suspect newer versions will start to do this. Currently I would say the strongest features Phatbot has to avoid detection is the open source problem..