By Brian Krebs washingtonpost.com Staff Writer
Wednesday, March 17, 2004; 6:23 AM
Computer security experts in the private sector and U.S. government are monitoring the emergence of a new, highly sophisticated hacker tool that uses the same peer-to-peer (P2P) networking abilities that power controversial file-sharing networks like Kazaa and BearShare.
By some estimates, hundreds of thousands of computers running Microsoft's Windows operating system have already been infected worldwide. The tool, a program that security researchers have dubbed "Phatbot," allows its authors to gain control over computers and link them into P2P networks that can be used to send large amounts of spam e-mail messages or to flood Web sites with data in an attempt to knock them offline.
The new hacker threat caught the attention of cyber-security officials at the U.S. Department of Homeland Security, prompting the agency to send an alert last week to a select group of computer security experts. In the alert, the agency warned that Phatbot snoops for passwords on infected computers and tries to disable firewall and antivirus software.
A copy of the DHS alert was made available to washingtonpost.com by two sources at different companies who asked that their identities not be used because they did not want to risk losing access to future government alerts. Officials at the department and US-CERT -- a government-funded cyber-security monitoring agency -- confirmed that the message was genuine.
Phatbot is "a virtual Swiss Army knife of attack software," said Vincent Weafer, senior director of security response at Cupertino, Calif.-based Symantec Corp.
Joe Stewart, a researcher at the Chicago-based security firm Lurhq, has catalogued Phatbot's many capabilities in an online posting. Those capabilities include: the "ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system"; "steal AOL account logins and passwords"; "harvest emails from the web for spam purposes" and "sniff [Internet] network traffic for Paypal cookies."
Phatbot is a kind of "Trojan horse," a type of program named after the legendary stealth attack because it lets hackers take quiet control of unsecured computers. Security firms have catalogued hundreds if not thousands of Trojan horse programs in recent years, but Phatbot has raised substantial concern because it represents a leap-forward in its sophistication and is proving much harder for law enforcement authorities and antivirus companies to eliminate.
Like traditional Trojan horse programs, Phatbot infects a computer through one of several routes, such as through security flaws in Microsoft's Windows operating system or through "backdoors" installed on machines by the recent "Mydoom" and "Bagle" Internet worms.
But because Phatbot links infected computers into a larger network, hackers can issue orders to the infected machines through many routes, and cyber-security officials can only effectively shut down a Phatbot attack if they track down every infected computer.
"The concern here is that the peer-to-peer like characteristics of these 'bot networks may make them more resilient and more difficult to shut down," said a cyber-security official at the Department of Homeland Security who asked not be identified because the agency is still considering whether to issue a more public alert about Phatbot.