[ISN] Phatbot arrest throws open trade in zombie PCs

InfoSec News isn at c4i.org
Thu May 13 05:49:38 EDT 2004


By John Leyden
Published 12th May 2004 

The arrest of the suspected author of the Phatbot Trojan could lead to
valuable clues about the illicit trade in zombie PCs. The arrest of
the alleged Phatbot perp was overshadowed by the unmasking of the
admitted Sasser author, Sven Jaschan. But the Phatbot case may shed
the mostlight into the dark recesses of the computer underground.

Phatbot is much less common than NetSky but is linked much more
closely with the trade in compromised PCs to send spam or for other
nefarious purposes. Viruses such as My-Doom and Bagle (and Trojans
such as Phatbot) surrender the control of infected PCs to hackers.  
This expanding network of infected, zombie PCs can be used either for
spam distribution or as platforms for DDoS attacks, such as those that
many online bookies have suffered in recent months. By using
compromised machines - instead of open mail relays or unscrupulous
hosts - spammers can bypass IP address blacklists.

Phatbot was been used to spam, steal information or perform DDoS
attacks, according to Mikko Hyppönen, director of anti-virus research
at F-Secure. "You could do anything you wanted with it," he said.  
Phatbot is a variant of Agobot, a big family of IRC bots. Hyppönen
said people were selling tailor-made versions of the bot for various
illegal purposes.

NetSky also contains a backdoor component but this was designed only
to upgrade malicious code: it is not a conscious attempt by its
designer to turn compromised PC into spam zombies, Hyppönen says. Alex
Shipp of MessageLabs said hackers ware still able to seize machines
compromised by NetSky but he agreed with Hyppönen that worms such as
Bagle and MyDoom, and Trojans like Phatbot, are far more commonly used
in zombie spam networks.

As reported last month, networks of compromised hosts (BotNets) are
commonly traded between virus writers, spammers and middlemen over IRC

The price of these BotNets (DoSNets) was roughly $500 for 10,000 hosts
last Summer when the MyDoom and Blaster (the RPC exploit worm) first
appeared on the scene. "I have no doubt it's doubled since then as
hosts are cleaned and secured," Andrew Kirch, a security admin at the
Abusive Hosts Blocking List told El Reg. By his reckoning,
non-exclusive access to compromised PCs sells for about 10 cent a

An unnamed 21 year-old man from the southern German state of
Baden-Wuerttemberg was arrested last Friday on suspicion of creating
the Agobot and Phatbot Trojans. He is yet to be formally charged.

More information about the ISN mailing list