Phatbot arrest throws open trade in zombie PCs

10 cents a PC for access


The arrest of the suspected author of the Phatbot Trojan could lead to valuable clues about the illicit trade in zombie PCs. The arrest of the alleged Phatbot perp was overshadowed by the unmasking of the admitted Sasser author, Sven Jaschan. But the Phatbot case may shed the mostlight into the dark recesses of the computer underground.

Phatbot is much less common than NetSky but is linked much more closely with the trade in compromised PCs to send spam or for other nefarious purposes. Viruses such as My-Doom and Bagle (and Trojans such as Phatbot) surrender the control of infected PCs to hackers. This expanding network of infected, zombie PCs can be used either for spam distribution or as platforms for DDoS attacks, such as those that many online bookies have suffered in recent months. By using compromised machines - instead of open mail relays or unscrupulous hosts - spammers can bypass IP address blacklists.

Phatbot was been used to spam, steal information or perform DDoS attacks, according to Mikko Hyppönen, director of anti-virus research at F-Secure. "You could do anything you wanted with it," he said. Phatbot is a variant of Agobot, a big family of IRC bots. Hyppönen said people were selling tailor-made versions of the bot for various illegal purposes.

NetSky also contains a backdoor component but this was designed only to upgrade malicious code: it is not a conscious attempt by its designer to turn compromised PC into spam zombies, Hyppönen says. Alex Shipp of MessageLabs said hackers ware still able to seize machines compromised by NetSky but he agreed with Hyppönen that worms such as Bagle and MyDoom, and Trojans like Phatbot, are far more commonly used in zombie spam networks.

As reported last month, networks of compromised hosts (BotNets) are commonly traded between virus writers, spammers and middlemen over IRC networks.

The price of these BotNets (DoSNets) was roughly $500 for 10,000 hosts last Summer when the MyDoom and Blaster (the RPC exploit worm) first appeared on the scene. "I have no doubt it's doubled since then as hosts are cleaned and secured," Andrew Kirch, a security admin at the Abusive Hosts Blocking List told El Reg. By his reckoning, non-exclusive access to compromised PCs sells for about 10 cent a throw.

An unnamed 21 year-old man from the southern German state of Baden-Wuerttemberg was arrested last Friday on suspicion of creating the Agobot and Phatbot Trojans. He is yet to be formally charged. ®

Related stories

German police arrest Sasser worm suspect and alleged Phatbot perp
Phatbot primed to steal your credit card details
The illicit trade in compromised PCs


Other stories you might like

  • Will Lenovo ever think beyond hardware?
    Then again, why develop your own software à la HPE GreenLake when you can use someone else's?

    Analysis Lenovo fancies its TruScale anything-as-a-service (XaaS) platform as a more flexible competitor to HPE GreenLake or Dell Apex. Unlike its rivals, Lenovo doesn't believe it needs to mimic all aspects of the cloud to be successful.

    While subscription services are nothing new for Lenovo, the company only recently consolidated its offerings into a unified XaaS service called TruScale.

    On the surface TruScale ticks most of the XaaS boxes — cloud-like consumption model, subscription pricing — and it works just like you'd expect. Sign up for a certain amount of compute capacity and a short time later a rack full of pre-plumbed compute, storage, and network boxes are delivered to your place of choosing, whether that's a private datacenter, colo, or edge location.

    Continue reading
  • Intel is running rings around AMD and Arm at the edge
    What will it take to loosen the x86 giant's edge stranglehold?

    Analysis Supermicro launched a wave of edge appliances using Intel's newly refreshed Xeon-D processors last week. The launch itself was nothing to write home about, but a thought occurred: with all the hype surrounding the outer reaches of computing that we call the edge, you'd think there would be more competition from chipmakers in this arena.

    So where are all the AMD and Arm-based edge appliances?

    A glance through the catalogs of the major OEMs – Dell, HPE, Lenovo, Inspur, Supermicro – returned plenty of results for AMD servers, but few, if any, validated for edge deployments. In fact, Supermicro was the only one of the five vendors that even offered an AMD-based edge appliance – which used an ageing Epyc processor. Hardly a great showing from AMD. Meanwhile, just one appliance from Inspur used an Arm-based chip from Nvidia.

    Continue reading
  • NASA's Psyche mission: 2022 launch is off after software arrives late
    Launch window slides into 2023 or 2024 for asteroid-probing project

    Sadly for NASA's mission to take samples from the asteroid Psyche, software problems mean the spacecraft is going to miss its 2022 launch window.

    The US space agency made the announcement on Friday: "Due to the late delivery of the spacecraft's flight software and testing equipment, NASA does not have sufficient time to complete the testing needed ahead of its remaining launch period this year, which ends on October 11."

    While it appears the software and testbeds are now working, there just isn't enough time to get everything done before a SpaceX Falcon Heavy sends the spacecraft to study a metallic-rich asteroid of the same name.

    Continue reading

Biting the hand that feeds IT © 1998–2022