Sign Up: Free Daily Tech E-letter  
Technology Home
Tech Policy
Government IT
Personal Tech
Special Reports

Page 2 of 2    < Back   

Hackers Embrace P2P Concept


E-Mail This Article
Print This Article
Permission to Republish
_____Related Coverage_____
Is Your Computer Infected With Phatbot? (, Mar 17, 2004)
Virus Overwhelms Google, 3 Other Search Engines (The Washington Post, Jul 27, 2004)
Web Worm Spreads, Slows Google Searches (, Jul 26, 2004)
Report Faults Cyber-Security (The Washington Post, Jul 23, 2004)
More Security News

"With these P2P Trojan networks, even if you take down half of the affected machines, the rest of the network continues to work just fine," said Mikko Hypponen, director of F-Secure, an antivirus software company based in Finland.

Most major antivirus products detect Phatbot, but as soon as the Trojan infects computers it disables many antivirus and firewall software tools.

Roger Lawson, director of computing and information technology at the University of Vermont in Burlington, said he quarantined more than 200 computers -- more than 5 percent of the machines on the school's network -- because of Phatbot infestations. None of the school's antivirus programs detected the Trojan, and attempts to delete it caused Phatbot to recreate and restart itself, he said.

Phatbot's ability to disable computer security software means that the estimated number of infected computers could rise to as high as "several hundred thousand," said F-Secure's Hypponen.

A few computer experts said the rate of infection is much higher.

Igor Ybema, a network administrator at the University of Twente in Enschede in The Netherlands, put the number between 1 million and 2 million computers. His conclusion was based on a Phatbot command that forces infected computers to test their Internet connection speed by sending a file to one of 22 specifically selected Web servers around the world -- one of them at Twente.

He said Twente began monitoring traffic from computers running the tests in mid-February, about the time that rival hacker gangs began an online turf war that resulted in a volley of new worms like Bagle and "Netsky." By early last week, Ybema said he was tracking an average of 200,000 to 300,000 Internet addresses running the speed test every day. Ybema believes such traffic indicates that attackers who have previously relied on less advanced remote-access Trojans are now using Phatbot.

The majority of the infections appeared to come from home user broadband connections and from colleges and universities in the United States and the Asia-Pacific region, he said.

Earlier this month, computer network engineers at University of California, Santa Cruz monitored the same type of speed testing traffic as Twente's Ybema observed. Mark Boolootian, the network engineer who discovered the activity, said one reason infected computers may be conducting the speed tests is to give Phatbot authors an idea of which infected computers would be the fastest in sending out large amounts of spam or data aimed at overwhelming a major Web site.

Security experts are divided on whether a full-force phatbot attack will result in ruin or simply a ruinous headache.

"If there are indeed hundreds of thousands of computers infected with Phatbot, U.S. e-commerce is in serious threat of being massively attacked by whoever owns these networks," said Russ Cooper, a chief scientist at Herndon, Va.-based TruSecure Corp.

There are several incidents in the past several years that show how hackers used multiple ensnared computers to cause damage. In February 2000, a Canadian juvenile commandeered high-speed computers at University of California, Santa Barbara to knock Amazon, eBay,, and a host of other Web sites off-line for hours. In October 2002, hackers used an army of commandeered computers to assault the 13 root servers that serve as the roadmap for Internet traffic.

But Lurhq's Stewart said his analysis of Phatbot indicates that the Trojan is designed to link computers into groups no larger than 50 computers, which would significantly limit the Trojan's effectiveness as a denial-of-service tool.

As a result, he said, Phatbot-infected PCs will more likely be used as highly effective spamming machines. Staff Writer David McGuire contributed to this article.

< Back    1 2
Print This Article Home

© 2004 Washingtonpost.Newsweek Interactive

Company Postings: Quick Quotes | Tech Almanac
About | Advertising | Contact | Privacy
My Profile | Rights & Permissions | Subscribe to print edition | Syndication