Malware Writers Target P2P Networks with Phatbot and Polybot Variants

Some malware that packs an unusual assortment of tools for mischief and has infected thousands of computers on the Internet is being closely watched by security experts.

Although the “Phatbot” or “Polybot” program currently poses a low risk to online systems, its potential for devilry prompted the U.S. Department of Homeland Security last week to issue an alert about the malware to a select group of computer experts.

“It’s fairly widespread, but it hasn’t reached epidemic levels,” Tony Magallanez, a system engineer with F-Secure, a security firm in San Jose, California, told TechNewsWorld. “Most antivirus applications now detect it, so it’s not spreading as well right now.”

New Variants Daily

According to Joe Stewart, a senior security researcher at the secure operations center of Lurhq in Myrtle Beach, South Carolina, Phatbot is most threatening to people who have become infected because they have out-of-date software or because their systems have been compromised by a virus like MyDoom.

“As far as being a threat to people with well-patched systems, it’s not a threat at all,” he told TechNewsWorld.

Virus writers appear to be countering measures taken by virus fighters. In the last few days, plenty of new variants of Agobot, on which Phatbot is based, and of Phatbot itself have appeared, according to Craig Schmugar, virus research manager at McAfee Security in Santa Clara, California.

Top of List

Schmugar told TechNewsWorld that McAfee is primarily concerned about the L variant of Phatbot, which the company refers to as Polybot. He noted that McAfee saw a good number of customer reports on that variant Monday, primarily from the Asia-Pacific region.

“It caused us to put it at the top of our watch list,” he said. “We have it as a low-risk assessment, but we’re watching it closely.”

Estimates of the number of infected machines are “not as high” as those for other outbreaks McAfee has seen, which ran into the hundreds of thousands, he added.

Pernicious Behavior

What distinguishes Phatbot from its progenitors is the sheer amount of monkey business it can carry out and its ability to use peer-to-peer (P2P) networking to control its infected hosts.

Lurhq lists among Phatbot’s pernicious behaviors:

  • stealing passwords, PayPal cookies, software registration codes and product activation keys;
  • perpetrating denial-of-service attacks against half a dozen Web sites;
  • harvesting e-mail addresses for spamming;
  • creating altered versions of itself to evade detection by antivirus software;
  • disabling antivirus software and firewalls; and
  • making its host into a server for spam or for spreading itself to other computers.

“What sets Phatbot apart from its predecessors is the use of P2P to control the botnet instead of IRC,” Lurhq reports at its Web site.

“Although Agobot has a rudimentary P2P system, IRC is still the main control vector. The author(s) of Phatbot chose to abandon Agobot’s IRC and P2P implementations altogether and replaced them with code from WASTE, a project created by AOL’s Nullsoft division (and subsequently canceled by AOL).”

Advantages and Disadvantages

Lurhq’s Stewart noted that there are advantages and disadvantages to incorporating P2P into malware.

“One disadvantage is that it’s harder to program,” he said. “In this case, the author didn’t even program it himself; he borrowed it from somebody else.”

In addition, P2P may not be as scalable in terms of the number of hosts you can connect, he explained, although he has seen as many as a thousand hosts on a Phatbot network.

Lock Out

However, with Internet Relay Chat — most commonly called IRC — if the owner of an IRC server discovers shenanigans on one of the channels, the owner can simply lock the channel and essentially kill the botnet, Stewart noted.

With a P2P network, you can’t shut down a single host, he said. You have to disrupt communications between the hosts or disinfect all of them.
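The takedown argument above, as an added illustration that is not from the article, from Lurhq or from any Phatbot code: a constructed graph model in which IRC control is a star around one channel server and P2P control is a random peer mesh (the peer degree and random seed are assumptions), measuring what share of bots the operator can still reach after defenders lock the server, shut down one host or disinfect a batch of hosts.

```python
import random
from collections import deque

def build_irc(n_bots):
    """Star: node 'irc' is the channel server; each bot links only to it."""
    adj = {b: {'irc'} for b in range(n_bots)}
    adj['irc'] = set(range(n_bots))
    return adj

def build_p2p(n_bots, degree=3, seed=1):
    """Mesh: each bot opens `degree` links to random peers (symmetric),
    an assumed WASTE-like overlay with no central node (constructed)."""
    rng = random.Random(seed)
    adj = {b: set() for b in range(n_bots)}
    for b in range(n_bots):
        for peer in rng.sample([p for p in range(n_bots) if p != b], degree):
            adj[b].add(peer)
            adj[peer].add(b)
    return adj

def components(adj, removed):
    """Connected components left once the `removed` nodes are gone."""
    seen, comps = set(), []
    for node in adj:
        if node in removed or node in seen:
            continue
        comp, queue = {node}, deque([node])
        while queue:
            for nxt in adj[queue.popleft()]:
                if nxt not in removed and nxt not in comp:
                    comp.add(nxt)
                    queue.append(nxt)
        seen |= comp
        comps.append(comp)
    return comps

def controllable_fraction(adj, removed, central=None):
    """Share of bots the operator can still reach: with a server, only bots
    still attached to it; with P2P, the largest surviving component."""
    removed = set(removed)
    n_bots = len(adj) - (central is not None)
    comps = components(adj, removed)
    if central is None:
        return max((len(c) for c in comps), default=0) / n_bots
    if central in removed:
        return 0.0
    hub = next(c for c in comps if central in c)
    return (len(hub) - 1) / n_bots

if __name__ == "__main__":
    irc, p2p = build_irc(1000), build_p2p(1000)
    print("IRC, channel locked:", controllable_fraction(irc, {'irc'}, 'irc'))
    print("P2P, 100 bots disinfected:", controllable_fraction(p2p, range(100)))
```

Locking the server zeroes the IRC botnet in one step, while the mesh keeps most bots reachable until a large share of hosts is disinfected or the inter-host links are cut.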

In the big picture, Phatbot is just the latest in a line of virus threats that have been evolving over the last year, according to F-Secure’s Magallanez.

“These blended threats do multiple things,” he said. “We see that as the evolution of viruses.”

It’s difficult to predict what virus writers are going to do, he added. “But we see a trend of them becoming more and more complicated and doing more and more things.”

By John P. Mello Jr.