By Brian Krebs washingtonpost.com Staff Writer
Friday, March 26, 2004; 10:16 AM
Most computer security experts agree that the Phatbot Trojan horse program that burst onto the Internet earlier this month is a nasty bug, capable of giving hackers control over legions of computers.
What's not so clear is how much of a threat it poses. According to officials at several academic institutions, Phatbot and a family of variants have infected hundreds of thousands of computers. Other experts are lowballing their estimates.
Phatbot is the "Swiss Army knife of attack software," according to one expert, more versatile than the average piece of attack software. It allows hackers to seize infected computers and link them into "peer-to-peer" (P2P) networks similar to Kazaa or LimeWire, which are normally used for trading music. Those networks can be used to send large amounts of spam e-mail or to take down Web sites by flooding them with more data than their servers can handle.
It is also elusive, often escaping the notice of security software created by leading antivirus companies. One of its calling cards is a file it instructs infected computers to send to more than 22 Web servers around the world. The amount of time it takes the data to get to those servers tells hackers which of the infected computers would be the fastest spam generators and most useful in a data attack.
The more files that the servers receive, the theory goes, the more widespread Phatbot and its family are on the Internet. According to that logic, their numbers are legion.
Files from more than 1 million Internet addresses presumably infected with Phatbot-style Trojans hit Stanford University's computer system during the week of March 8, said spokeswoman Elaine Ray.
German Internet service provider Schlund.net said its servers received queries from about 1.9 million Internet addresses between Feb. 15 and March 19, indicating that there could be that many infected computers.
The numbers back up those of Igor Ybema, a network administrator at the Dutch University of Twente in Enschede. Ybema estimated that between 1 million and 2 million computers worldwide were infected with Phatbot. In an interview last week, Ybema said he saw roughly 200,000 to 300,000 Internet addresses running the speed test every day. Officials at the University of California at Santa Cruz and the Swiss education and research network Switch.ch said they observed similar patterns.
But the real number might be less than that, said Colleen Shannon, senior security researcher at the Cooperative Association for Internet Data Analysis (CAIDA). Shannon said that some computers might run the speed test each time they go online. Since many dial-up and DSL Internet services assign a new Internet protocol (IP) address to a computer each time it goes online, one infected PC could be responsible for multiple tests.
Shannon said a similar process happened with "Code Red," a virus that surfaced in the summer of 2001, directing infected machines to attack the White House's Web site. "Over the course of a few weeks, we saw at least two million [Internet addresses] primed to attack. We later learned there were only about 300,000 infected machines."
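The overcounting problem Shannon describes is something an operator of one of those Web servers can measure directly from access logs. The Python below is an added example, not code from the article or from any of the institutions quoted: it assumes a hypothetical upload path `/speedtest` and uses constructed Apache-style log lines, then compares the cumulative count of distinct source addresses (the kind of figure Schlund.net and Stanford reported) with the peak count seen in any single day (the kind Ybema reported), which is far less inflated by address reassignment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical request path for the speed-test upload; the article names none.
SPEEDTEST_PATH = "/speedtest"

# Apache common-log style line: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample, not captured traffic. 10.0.0.1 and 10.0.0.2 reappear on
# later days; everything else is a fresh address, as with dial-up churn.
SAMPLE_LOG = """\
10.0.0.1 - - [08/Mar/2004:01:02:03 +0000] "POST /speedtest HTTP/1.1" 200 512
10.0.0.2 - - [08/Mar/2004:01:05:00 +0000] "POST /speedtest HTTP/1.1" 200 512
10.0.0.1 - - [08/Mar/2004:02:10:00 +0000] "POST /speedtest HTTP/1.1" 200 512
10.0.0.3 - - [08/Mar/2004:13:00:00 +0000] "POST /speedtest HTTP/1.1" 200 512
10.0.0.4 - - [09/Mar/2004:01:00:00 +0000] "POST /speedtest HTTP/1.1" 200 512
10.0.0.5 - - [09/Mar/2004:01:30:00 +0000] "POST /speedtest HTTP/1.1" 200 512
10.0.0.2 - - [09/Mar/2004:02:00:00 +0000] "POST /speedtest HTTP/1.1" 200 512
10.0.0.6 - - [10/Mar/2004:01:00:00 +0000] "POST /speedtest HTTP/1.1" 200 512
10.0.0.7 - - [10/Mar/2004:05:00:00 +0000] "POST /speedtest HTTP/1.1" 200 512
10.0.0.1 - - [10/Mar/2004:20:00:00 +0000] "GET /index.html HTTP/1.1" 200 100
"""


def parse_speedtest_hits(log_text, path=SPEEDTEST_PATH):
    """Return (ip, timestamp) pairs for successful requests to the speed-test path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("path") != path or m.group("status") != "200":
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append((m.group("ip"), ts))
    return hits


def address_estimates(hits):
    """Cumulative distinct addresses vs. the busiest single day.

    The cumulative figure grows with every address reassignment over the whole
    window; the per-day peak is the tighter estimate of infected hosts because
    one host cycles through far fewer addresses in a day than in several weeks.
    churn_ratio shows how much the cumulative figure has been inflated.
    """
    per_day = defaultdict(set)
    for ip, ts in hits:
        per_day[ts.date().isoformat()].add(ip)
    cumulative = set().union(*per_day.values()) if per_day else set()
    daily = {day: len(ips) for day, ips in sorted(per_day.items())}
    peak = max(daily.values(), default=0)
    return {
        "cumulative_addresses": len(cumulative),
        "peak_daily_addresses": peak,
        "daily_addresses": daily,
        "churn_ratio": round(len(cumulative) / peak, 2) if peak else 0.0,
    }
```

On the sample, the cumulative count (7) is more than twice the busiest day (3), the same shape as the Code Red discrepancy Shannon cites.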