Truly Interesting Software
Sometimes, interesting software turns up where you might (depending on your
experience) least expect it. Case in point: the Phatbot Trojan. While it's not
clear just how widely this thing is distributed - I've seen some sources say
thousands of systems, others say hundreds of thousands. But in any case, it's
certainly a capable little piece of software.
The folks over at LURHQ have provided their own analysis of the capabilities of
this little bundle of joy. Among the things that it can do (and remember, this
is all under remote control of some kid who's managed to slip it on to your
- Run commands on the system
- Create or delete file shares
- Load plugins (presumably with even more commands)
- Flood other systems with TCP/IP packets
- Set up proxy servers
- Join in a network with other copies of the software
- Send spam
- Steal product IDs, passwords, and PayPal cookies
The list goes on from there for quite a while. And it does all this in a bit
over 100K of executable. I just wrote Hello World in VB .NET and it came out
at 16KB, not counting the 21MB .NET runtime. So real functionality in 100K
is pretty amazing to me.
So, clearly, there are some very smart developers out there in the computer
underground. One of the interesting questions here is who wrote this particular
thing (or, more precisely, who refined it from trojans that came before, since
this has been an active area of development for quite some time). I've seen
three different conspiracy theories bandied about:
- It's just bored kids, who like breaking into other people's computer systems
and playing with them. This explains stuff like the proxies and chat
- It's all part of some testosterone-fueled competition between hackers. This
explains the way that the bot spreads (by infesting machines that have already
fallen to worms such as Bagle or NetSky) and the distributed denial of service
- It's those darned spammers. This explains the bandwidth-checking,
email-testing, and other spamming features.
Or maybe it's all of the above. I'm sure there are people out there who know,
and I'm equally sure they're not telling me about it.
The mischievous side of me just can't help pointing out one bit of
coincidence here. If you read the list of phatbot commands, one thing stands
out: there are a whole bunch of different things built into this application. It
appears that it's just accreted more and more capabilities over the years,
without ever having anything trimmed out, or any particular attention paid to a
feature set that makes sense. Yes, that's right: phatbot is the Microsoft Office
of the computer netherworld.
Oh, one last thing: the page at LURHQ also contains information on detecting
and removing this particular trojan. If your computer has been acting oddly of
late, especially if your antivirus program was mysteriously deleted, check it
Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.