posted by pingywon
A new malicious computer program has been detected that can create networks of remotely controlled computers to take part in online attacks, send junk e-mail messages and engage in other shady activities common to the bad neighborhoods of cyberspace.
The program, known as phatbot or polybot, uses technology like that developed for file sharing networks such as Gnutella and Kazaa to control the machines. (“Bot” is shorthand for “software robot,” a term generally applied to automated software.)
Once the program has made its way onto a victim’s computer, it spreads across networks and searches for passwords that are stored on hard drives and are passing across local networks. It also disables antivirus programs and systems for upgrading software security.
Phatbot, which is technically known as a computer worm, was considered novel enough that the Department of Homeland Security asked a group of computer analysts last week to examine and monitor it, Donald Tighe, a spokesman for the Department of Homeland Security, said. The department will announce reports today by Internet security task forces as part of the administration’s National Strategy to Secure Cyberspace, which was developed to link the resources of government, business and academia to address computer security issues.
Craig Schmugar, virus research manager with Network Associates, a computer security company, said his company currently rated phatbot as a “low risk” because it had not spread as widely as recent worms, like MyDoom, Netsky and Bagle. But he added that “the potential for this one is huge” because it could spread in many ways and perform many surreptitious functions on the machines.
But Joe Stewart, senior security researcher at the LURHQ Corporation, a company that manages security services for businesses, expressed some surprise over the attention that the program has received. “It’s got extra features that make it a little bit more formidable, but it’s certainly not a quantum leap in bot technology,” said Mr. Stewart, who published a detailed analysis of the new program on his company’s Web site, www.lurhq.com.
Phatbot is a variant of an earlier program known as agobot or gaobot. It takes advantage of security flaws in the Microsoft Corporation’s Windows operating systems that have been exploited by recent Internet viruses like MyDoom.
Such malicious programs open back doors on computers whose owners do not keep up with the patches available from Microsoft at www.windowsupdate.com, and who do not regularly update their antivirus software.
Computer owners who have kept their systems up to date and who are not already infected by a virus like MyDoom, Mr. Stewart said, are “probably not going to see any effect of this at all.”
Previous bot programs have commandeered large networks of machines and used them to anonymously send spam, advertise pornographic Web sites and launch online attacks that block access to Web sites.
Phatbot is one of a more recent wave that uses technology developed for file sharing networks; earlier programs used a technology for instant online messages called Internet Relay Chat to accomplish the same ends.
Mr. Stewart said that research showed the program would create networks comprising as many as 50 computers, far smaller than the networks usually assembled to launch intense attacks on particular Web sites. He said that it was likely that the purpose of these networks, therefore, was to send spam without being detected and without having to pay an Internet service provider.
Any computer that is infected with the new program, he said, is probably also burdened with other malicious software. In that case, he added, “you’ve got a lot more to worry about than this.”