Truly Interesting Software

Sometimes, interesting software turns up where you might (depending on your experience) least expect it. Case in point: the Phatbot Trojan. It's not clear just how widely this thing is distributed; I've seen some sources say thousands of systems, others say hundreds of thousands. In any case, it's certainly a capable little piece of software.

The folks over at LURHQ have provided their own analysis of the capabilities of this little bundle of joy. Among the things that it can do (and remember, this is all under remote control of some kid who's managed to slip it on to your computer):

  • Run commands on the system
  • Create or delete file shares
  • Load plugins (presumably with even more commands)
  • Flood other systems with TCP/IP packets
  • Set up proxy servers
  • Join in a network with other copies of the software
  • Send spam
  • Steal product IDs, passwords, and PayPal cookies

The list goes on from there for quite a while. And it does all this in a bit over 100K of executable. I just wrote Hello World in VB .NET and it came out at 16KB, not counting the 21MB .NET runtime. So real functionality in 100K is pretty amazing to me.

So, clearly, there are some very smart developers out there in the computer underground. One of the interesting questions here is who wrote this particular thing (or, more precisely, who refined it from trojans that came before, since this has been an active area of development for quite some time). I've seen three different conspiracy theories bandied about:

  • It's just bored kids, who like breaking into other people's computer systems and playing with them. This explains stuff like the proxies and chat capabilities.
  • It's all part of some testosterone-fueled competition between hackers. This explains the way that the bot spreads (by infesting machines that have already fallen to worms such as Bagle or NetSky) and the distributed denial of service features.
  • It's those darned spammers. This explains the bandwidth-checking, email-testing, and other spamming features.

Or maybe it's all of the above. I'm sure there are people out there who know, and I'm equally sure they're not telling me about it.

The mischievous side of me just can't help pointing out one bit of coincidence here. If you read the list of phatbot commands, one thing stands out: there are a whole bunch of different things built into this application. It appears that it's just accreted more and more capabilities over the years, without ever having anything trimmed out, or any particular attention paid to a feature set that makes sense. Yes, that's right: phatbot is the Microsoft Office of the computer netherworld.

Oh, one last thing: the page at LURHQ also contains information on detecting and removing this particular trojan. If your computer has been acting oddly of late, especially if your antivirus program was mysteriously deleted, check it out.

About the Author

Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.