New Virus Alert......

Discussion in 'malware problems & news' started by dontana, Apr 25, 2004.

Thread Status:
Not open for further replies.
  1. dontana

    dontana Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    23
    Location:
    laurel, mississippi
    Phatbot Trojan Ravages Computers
    Category: PC Security
    Posted 17.03.04 at 17:30:01


    There’s a new threat on the Internet: Phatbot. Phatbot is a Trojan that can slip onto your hard drive many different ways – Peer-to-Peer file sharing, downloading certain “free” items, or holes in your operating system.

    Phatbot hit the ground running on Monday, causing massive headaches around the US and Asia.

    The Trojan does several things to your PC. The main things, however, are the following:
    1. Turns your machine into a spam monster, and can send up to several thousand emails a day from your email address.
    2. Can detect many of your passwords and other information.
    3. Can spread itself to others linked to your computer if they have some type of backdoor or other security hole.

    Because there are no immediate effects, you could be infected for days before you realize it.

    Most antivirus software companies have updated their software to keep Phatbot at bay, so visit your company’s site as soon as possible to download any available updates.
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi dontana :)

    This is more of an article than it is an Update Alert. ;)

    I will move it to Trojans and Backdoors where it will get more attention.


    snowbound
     
  3. dontana

    dontana Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    23
    Location:
    laurel, mississippi
    Hey Thanks Snowbound! I just wanted to keep folks updated. Say, speaking of updated, where is the spybotsd located... say, if somebody accidentally screwed it up, had to uninstall it, realized after it was too late, and would like to re-download it? :doubt:
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    U mean the download Link?

    If so, here it is,

    http://www.safer-networking.org/index.php?page=download


    snowbound
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    What most articles miss is that Phatbot includes rootkit technology, and is also polymorphic. Even worse, it is derived from PRIVATE open source, which only a few people have. Recently, this was leaked and we AV and AT vendors do have a copy of the recent source.

    This helps a lot, but protection against something which can rootkit and potentially never be discovered (because no sample was submitted) is near impossible with AV, unless the AV Monitor - running at the driver level - implements very strong heuristics. This would be unlikely due to an on-access monitor slowing down the PC too much.
     
  6. Godzilla

    Godzilla AV Expert

    Joined:
    Nov 1, 2003
    Posts:
    63
    I second that.
     
  7. FFMProx01

    FFMProx01 Guest

    How does PhatBot's rootkit component work (CreateRemoteThread? Driver based?)? Shouldn't a system firewall like PG or SSM prevent PhatBot from installing its rootkit component?
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I just tried a variant and it failed against Process Guard with my default setup - it tried to install a service and PG can of course easily block this - the rootkit blocking information in the help file will outline this.

    I can't speak for SSM but PG definitely stops it. This type of malware is becoming so abundant we had no choice but to create something for blocking the attack method. All known stealth malware will, by design, fail to do what they need to do :D
     
    Last edited: May 2, 2004
  9. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I hadn't noticed previously - but at least THIS variant only hides from Task Manager. It has NOT hidden itself from Windows Explorer or regedit. I can plainly see the startups and the file itself, so things COULD be much worse. Of course this is probably only a matter of time, the newest versions could quite easily be more stealthy and install more hooks already.

    Just manually removed it too, it didn't even rewrite the registry entries. Many trojans do at least monitor their startup to protect themselves from a simple removal and I suspect newer versions will start to do this. Currently I would say the strongest feature Phatbot has to avoid detection is the open source problem.
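The two posts above describe a variant that installs a service, leaves its startup entries visible in regedit, and hides only from Task Manager. The script below is an added, read-only triage example written for this thread; it is not code from the thread, from DiamondCS or from Process Guard. It checks those three things on a Windows host: services whose binary sits outside the usual installation roots, Run/RunOnce autostart entries, and processes that one enumeration method sees but another does not. The list of trusted roots, the registry keys checked and the column names are assumptions chosen for illustration, not Phatbot indicators.

```powershell
# Added example for this thread (not from the thread, DiamondCS or Process Guard).
# Read-only triage: run in an elevated PowerShell (3.0 or later) on the suspect host.

# Assumption: binaries under these roots are treated as "usual" locations.
$trustedRoots = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }   # drop empty entries (no ProgramFiles(x86) on 32-bit hosts)

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path -like "$root*") { return $true }
    }
    return $false
}

# Extract the executable from a service PathName or Run value, which may be
# quoted ("C:\Program Files\x\y.exe" -arg) or bare (C:\Windows\system32\svchost.exe -k netsvcs).
function Get-CommandBinary {
    param([string]$CommandLine)
    if ($CommandLine -match '^"([^"]+)"') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

# 1. Services: the post says the variant tried to install one. List every service
#    whose binary is outside the trusted roots, and whether the file still exists.
function Get-SuspiciousServices {
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = Get-CommandBinary $_.PathName
        if ($exe -and -not (Test-TrustedPath $exe)) {
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Binary    = $exe
                OnDisk    = Test-Path -LiteralPath $exe
            }
        }
    }
}

# 2. Autostart entries: the variant's startups were plainly visible in regedit,
#    so enumerate the common Run keys (assumption: these four are enough here).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath etc.; skip those provider fields.
            if ($p.Name -like 'PS*') { continue }
            $exe = Get-CommandBinary ([string]$p.Value)
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Trusted = Test-TrustedPath $exe
            }
        }
    }
}

# 3. Cross-view process check: a user-mode hook that blinds Task Manager does not
#    affect the WMI provider, which enumerates from its own host process. A process
#    present in one view but not the other deserves a closer look. A kernel-level
#    hook can hide from both views, so an empty result is not proof of a clean host.
function Compare-ProcessViews {
    $apiIds = @(Get-Process | Select-Object -ExpandProperty Id)
    $wmiIds = @(Get-CimInstance Win32_Process | Select-Object -ExpandProperty ProcessId)
    # Snapshots are taken back to back, but short-lived processes can still differ;
    # re-check each candidate once so a process that simply exited is not reported.
    $onlyWmi = $wmiIds | Where-Object { ($_ -notin $apiIds) -and (Get-Process -Id $_ -ErrorAction SilentlyContinue) }
    $onlyApi = $apiIds | Where-Object { ($_ -notin $wmiIds) -and (Get-CimInstance Win32_Process -Filter "ProcessId = $_") }
    [pscustomobject]@{
        OnlyInWmi = @($onlyWmi)
        OnlyInApi = @($onlyApi)
    }
}

Write-Host '== Services with binaries outside trusted roots =='
Get-SuspiciousServices | Format-Table -AutoSize

Write-Host '== Autostart entries (Trusted = $false means outside trusted roots) =='
Get-AutostartEntries | Format-Table -AutoSize

Write-Host '== Process IDs seen by only one enumeration method =='
Compare-ProcessViews | Format-List
```

The output is a shortlist for a human to review, not a verdict: a legitimate product installed outside Program Files lands in the first two tables, and the cross-view check only catches hiding that is limited to one enumeration path, which matches the "hides from Task Manager but not from Explorer or regedit" behaviour the post describes rather than a driver-level rootkit.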
     