Heads Up! - Phatbot Trojan (Hacker Tool)


Sep 25, 2000
Computer security experts, in both the private sector and U.S. government, are monitoring the emergence of PhatBot , a new, sophisticated hacker program that is capable of infecting systems by a variety of methods, such as through network security flaws in Microsoft's Windows operating system, peer-to-peer networks, and backdoors installed by the recent "Mydoom" and "Bagle" Internet worms. (Phatbot does not appear to use e-mail for propagation.)

Phatbot allows the attacker to gain control over infected computers and link them into P2P networks that can then be used to send large amounts of spam e-mail messages, flood web sites with data in an attempt to create a denial of service (DoS) condition, or to perform other unauthorized activities. When Phatbot infects a system, it searches for passwords that are stored on hard drives and those that are traveling on local area networks. It also attempts to disable security applications, including tools used to update anti-virus and other security software. Most major anti-virus products are capable of detecting Phatbot, if kept up-to-date with the latest virus signatures, prior to an attack. The majority of the infections appeared to come from home user broadband connections and from colleges and universities in the United States and the Asia-Pacific region.

Home users with unpatched systems and out-of-date anti-virus software will be at greatest risk...

Presence of the following registry keys may indicate a Phatbot infection:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Service Process
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Service Process

Phatbot has an extensive command list, much of which is derived from the Agobot Trojan. The complete command list includes:

bot.command runs a command with system()
bot.unsecure enable shares / enable dcom
bot.secure delete shares / disable dcom
bot.flushdns flushes the bots dns cache
bot.quit quits the bot
bot.longuptime If uptime > 7 days then bot will respond
bot.sysinfo displays the system info
bot.status gives status
bot.rndnick makes the bot generate a new random nick
bot.removeallbut removes the bot if id does not match
bot.remove removes the bot
bot.open opens a file (whatever)
bot.nick changes the nickname of the bot
bot.id displays the id of the current code
bot.execute makes the bot execute a .exe
bot.dns resolves ip/hostname by dns
bot.die terminates the bot
bot.about displays the info the author wants you to see
shell.disable Disable shell handler
shell.enable Enable shell handler
shell.handler FallBack handler for shell
commands.list Lists all available commands
plugin.unload unloads a plugin (not supported yet)
plugin.load loads a plugin
cvar.saveconfig saves config to a file
cvar.loadconfig loads config from a file
cvar.set sets the content of a cvar
cvar.get gets the content of a cvar
cvar.list prints a list of all cvars
inst.svcdel deletes a service from scm
inst.svcadd adds a service to scm
inst.asdel deletes an autostart entry
inst.asadd adds an autostart entry
logic.ifuptime exec command if uptime is bigger than specified
mac.login logs the user in
mac.logout logs the user out
ftp.update executes a file from a ftp url
ftp.execute updates the bot from a ftp url
ftp.download downloads a file from ftp
http.visit visits an url with a specified referrer
http.update executes a file from a http url
http.execute updates the bot from a http url
http.download downloads a file from http
rsl.logoff logs the user off
rsl.shutdown shuts the computer down
rsl.reboot reboots the computer
pctrl.kill kills a process
pctrl.list lists all processes
scan.stop signal stop to child threads
scan.start signal start to child threads
scan.disable disables a scanner module
scan.enable enables a scanner module
scan.clearnetranges clears all netranges registered with the scanner
scan.resetnetranges resets netranges to the localhost
scan.listnetranges lists all netranges registered with the scanner
scan.delnetrange deletes a netrange from the scanner
scan.addnetrange adds a netrange to the scanner
ddos.phatwonk starts phatwonk flood
ddos.phaticmp starts phaticmp flood
ddos.phatsyn starts phatsyn flood
ddos.stop stops all floods
ddos.httpflood starts a HTTP flood
ddos.synflood starts an SYN flood
ddos.udpflood starts a UDP flood
redirect.stop stops all redirects running
redirect.socks starts a socks4 proxy
redirect.https starts a https proxy
redirect.http starts a http proxy
redirect.gre starts a gre redirect
redirect.tcp starts a tcp port redirect
harvest.aol makes the bot get aol stuff
harvest.cdkeys makes the bot get a list of cdkeys
harvest.emailshttp makes the bot get a list of emails via http
harvest.emails makes the bot get a list of emails
waste.server changes the server the bot connects to
waste.reconnect reconnects to the server
waste.raw sends a raw message to the waste server
waste.privmsg sends a privmsg
waste.part makes the bot part a channel
waste.netinfo prints netinfo
waste.mode lets the bot perform a mode change
waste.join makes the bot join a channel
waste.gethost prints netinfo when host matches
waste.getedu prints netinfo when the bot is .edu
waste.action lets the bot perform an action
waste.disconnect disconnects the bot from waste

Phatbot Feature List

(Many of these features are also present in Agobot)
Has the ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system
Checks to see if it is allowed to send mail to AOL, for spamming purposes
Can steal Windows Product Keys
Can run an IDENT server on demand
Starts an FTP server to deliver the trojan binary to exploited hosts - ends the FTP session with the message "221 Goodbye, have a good infection :)."
Can run a socks, HTTP or HTTPS proxy on demand
Can start a redirection service for GRE or TCP protocols
Can scan for and use the following exploits to spread itself to new victims:
MyDoom backdoor
Locator Service
Shares with weak passwords
WKS - Windows Workstation Service
Attempts to kill instances of MSBlast, Welchia and Sobig.F
Can sniff IRC network traffic looking for logins to other botnets and IRC operator passwords
Can sniff FTP network traffic for usernames and passwords
Can sniff HTTP network traffic for Paypal cookies
Contains a list of nearly 600 processes to kill if found on an infected system.Some are antivirus software, others are competing viruses/trojans
Tests the available bandwidth by posting large amounts of data to the following websites:
Can steal AOL account logins and passwords
Can steal CD Keys for several popular games
Can harvest emails from the web for spam purposes
Can harvest emails from the local system for spam purposes

P2P Functionality

What sets Phatbot apart from its predecessors is the use of P2P to control the botnet instead of IRC. Although Agobot has a rudimentary P2P system, IRC is still the main control vector. The author(s) of Phatbot chose to abandon Agobot's IRC and P2P implementations altogether and replaced them with code from WASTE, a project created by AOL's Nullsoft division (and subsequently canceled by AOL).

WASTE uses an encrypted P2P protocol designed for private messaging and file transfer between a small number of trusted parties. interestingly, the encryption has been removed from the WASTE code used in Phatbot. This may be due to the fact that sharing of public keys has been a stumbling block in the adoption of WASTE - currently it must be done manually. Rather than devise a system for distributing keys among infected hosts (or giving all hosts the same public/private keypair) the author(s) decided to scrap the encryption altogether.

Since there is no central server in the WASTE network, the infected hosts also have to find each other somehow. This is accomplished by utilizing Gnutella cache servers - anyone can use the CGI scripts provided by these servers to register themselves as a Gnutella client. The Phatbot WASTE code registers itself with a list of URLs pretending to be a version of GNUT, a Gnutella client. Other Phatbot hosts then retrieve the list of Gnutella clients from these cache hosts using the same CGI scripts. The Phatbots differentiate themselves from the Gnutella clients by using TCP port 4387 instead of the standard Gnutella port.

To connect to the Phatbot WASTE network, one only needs to have a custom WASTE client and connect to a peer found on the cache servers. At this point it is only necessary to have the correct username and password (stored as an md5sum in the Phatbot binary) in order to control the entire Phatbot network.

One problem with the WASTE approach is scalability; WASTE was not designed with large networks in mind. The protocol specifications state that WASTE is intended for nets with 10-50 nodes. For the typical IRC botnet, 1000 nodes would be on the small side.

Manual Removal

Look for the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Service Process
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Service Process

The associated binary may be srvhost.exe, svrhost.exe or a variation of the same. Kill the associated process in the Task Manager, then remove the "Generic Service Process" registry key. Remove the executable from the Windows system directory.