Experts downplay Phatbot danger

IDG News Service - Security experts downplayed the danger of a Trojan horse program named Phatbot that uses peer to peer (P-to-P) technology to create a network of infected zombies for carrying out attacks or spreading malicious code.
Antivirus experts at two security companies said that Phatbot was a low level threat, one day after a Washington Post report warned of hundreds of thousands of infections from the program and cited an alert issued by the U.S. Department of Homeland Security (DHS).
"I think there are a lot of people getting very excited about something that's not very important," said Graham Cluley, senior technology consultant at Sophos PLC.
The DHS did not respond to a request for comment on Phatbot.
Trojan horse is a term used to describe malicious computer programs that hide inside other, benign software or run surreptitiously on a computer. Trojans can give remote attackers access to the machines on which they run or receive and respond to remotely issued commands.
Phatbot spreads by infecting computers running vulnerable versions of Microsoft Corp.'s Windows operating system. Phatbot can spot machines with a number of high profile Windows holes, including the DCOM (Distributed Component Object Model) vulnerability that spawned the Blaster worm. It can also find and infect machines that have an open "back door" created by the MyDoom worm, according to managed security services company Lurhq Corp.
When installed on infected machines, the Phatbot Trojan joins a P-to-P network similar to Kazaa or Gnutella. The network uses a specially developed communications protocol that allows infected computers to identify and communicate with each other, transmit commands and share infected files, said Joe Stewart, a senior security researcher at Lurhq.
The Phatbot software supports a long list of commands that can be used by remote attackers to cause infected machines to launch a denial of service attack, scan the Internet for vulnerable Windows computers to infect or update their Phatbot software. Phatbot-infected systems find each other using the same servers that clients running the Gnutella P-to-P software use, but use a different communications protocol and listen on a different communications port, which keeps them separate from the Gnutella clients, he said.
The remote control aspect of Phatbot makes it very similar to so-called "IRC bots," that use Internet Relay Chat software and servers to communicate, he said. However, unlike IRC bots, the Phatbot software does not rely on IRC servers to communicate with each other and coordinate their efforts, Stewart said.
"It gives [the Phatbot authors] the ability to be a little bit more

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.