Phatbot Trojan Analysis

A kind of Darwinism pervades the world of trojan botnet development. With time, the more effective bots become increasingly popular, leading to additional development from secondary developers who provide "mods" to the bots. One very successful bot known as "Agobot" has now found itself superseded by "Phatbot". Phatbot is actually a direct descendant of Agobot, with additional code rolled in from other sources. These additions have made Phatbot a more versatile and dangerous threat in the realm of Internet security. The analysis that follows attempts to detail the functionality of Phatbot for purposes of detection and elimination.

Phatbot has quite an extensive command list, much of which is derived from Agobot. The complete command list includes:

bot.command     runs a command with system()
bot.unsecure    enable shares / enable dcom
bot.secure      delete shares / disable dcom
bot.flushdns    flushes the bots dns cache
bot.quit        quits the bot
bot.longuptime  If uptime > 7 days then bot will respond
bot.sysinfo     displays the system info
bot.status      gives status
bot.rndnick     makes the bot generate a new random nick
bot.removeallbut        removes the bot if id does not match
bot.remove      removes the bot
bot.open        opens a file (whatever)
bot.nick        changes the nickname of the bot
bot.id          displays the id of the current code
bot.execute     makes the bot execute a .exe
bot.dns         resolves ip/hostname by dns
bot.die         terminates the bot
bot.about       displays the info the author wants you to see
shell.disable   Disable shell handler
shell.enable    Enable shell handler
shell.handler   FallBack handler for shell
commands.list   Lists all available commands
plugin.unload   unloads a plugin (not supported yet)
plugin.load     loads a plugin
cvar.saveconfig saves config to a file
cvar.loadconfig loads config from a file
cvar.set        sets the content of a cvar
cvar.get        gets the content of a cvar
cvar.list       prints a list of all cvars
inst.svcdel     deletes a service from scm
inst.svcadd     adds a service to scm
inst.asdel      deletes an autostart entry
inst.asadd      adds an autostart entry
logic.ifuptime  exec command if uptime is bigger than specified
mac.login       logs the user in
mac.logout      logs the user out
ftp.update      executes a file from a ftp url
ftp.execute     updates the bot from a ftp url
ftp.download    downloads a file from ftp
http.visit      visits an url with a specified referrer
http.update     executes a file from a http url
http.execute    updates the bot from a http url
http.download   downloads a file from http
rsl.logoff      logs the user off
rsl.shutdown    shuts the computer down
rsl.reboot      reboots the computer
pctrl.kill      kills a process
pctrl.list      lists all processes
scan.stop       signal stop to child threads
scan.start      signal start to child threads
scan.disable    disables a scanner module
scan.enable     enables a scanner module
scan.clearnetranges     clears all netranges registered with the scanner
scan.resetnetranges     resets netranges to the localhost
scan.listnetranges      lists all netranges registered with the scanner
scan.delnetrange        deletes a netrange from the scanner
scan.addnetrange        adds a netrange to the scanner
ddos.phatwonk   starts phatwonk flood
ddos.phaticmp   starts phaticmp flood
ddos.phatsyn    starts phatsyn flood
ddos.stop       stops all floods
ddos.httpflood  starts a HTTP flood
ddos.synflood   starts an SYN flood
ddos.udpflood   starts a UDP flood
redirect.stop   stops all redirects running
redirect.socks  starts a socks4 proxy
redirect.https  starts a https proxy
redirect.http   starts a http proxy
redirect.gre    starts a gre redirect
redirect.tcp    starts a tcp port redirect
harvest.aol     makes the bot get aol stuff
harvest.cdkeys  makes the bot get a list of cdkeys
harvest.emailshttp      makes the bot get a list of emails via http
harvest.emails  makes the bot get a list of emails
waste.server    changes the server the bot connects to
waste.reconnect reconnects to the server
waste.raw       sends a raw message to the waste server
waste.quit
waste.privmsg   sends a privmsg
waste.part      makes the bot part a channel
waste.netinfo   prints netinfo
waste.mode      lets the bot perform a mode change
waste.join      makes the bot join a channel
waste.gethost   prints netinfo when host matches
waste.getedu    prints netinfo when the bot is .edu
waste.action    lets the bot perform an action
waste.disconnect        disconnects the bot from waste

Phatbot Feature List

(Many of these features are also present in Agobot)

  • Has the ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system
  • Checks to see if it is allowed to send mail to AOL, for spamming purposes
  • Can steal Windows Product Keys
  • Can run an IDENT server on demand
  • Starts an FTP server to deliver the trojan binary to exploited hosts - ends the FTP session with the message "221 Goodbye, have a good infection :)."
  • Can run a socks, HTTP or HTTPS proxy on demand
  • Can start a redirection service for GRE or TCP protocols
  • Can scan for and use the following exploits to spread itself to new victims:
    • DCOM
    • DCOM2
    • MyDoom backdoor
    • DameWare
    • Locator Service (Update: This exploit appears to be non-functional)
    • Shares with weak passwords
    • WebDav
    • WKS - Windows Workstation Service
  • Update 2004-04-20 - Newer versions of Agobot and Phatbot have added scanner modules for:
    • Bagle virus backdoor
    • CPanel resetpass vulnerability
    • UPnP (MS01-059)
    • MSSQL weak administrator passwords
  • Attempts to kill instances of MSBlast, Welchia and Sobig.F
  • Can sniff IRC network traffic looking for logins to other botnets and IRC operator passwords
  • Can sniff FTP network traffic for usernames and passwords
  • Can sniff HTTP network traffic for Paypal cookies
  • Contains a list of nearly 600 processes to kill if found on an infected system. Some are antivirus software, others are competing viruses/trojans
  • Tests the available bandwidth by posting large amounts of data to the following websites:
    • www.st.lib.keio.ac.jp
    • www.lib.nthu.edu.tw
    • www.stanford.edu
    • www.xo.net
    • www.utwente.nl
    • www.schlund.net
  • Can steal AOL account logins and passwords
  • Can steal CD Keys for several popular games
  • Can harvest emails from the web for spam purposes
  • Can harvest emails from the local system for spam purposes

P2P Functionality

What sets Phatbot apart from its predecessors is the use of P2P to control the botnet instead of IRC. Although Agobot has a rudimentary P2P system, IRC is still the main control vector. The author(s) of Phatbot chose to abandon Agobot's IRC and P2P implementations altogether and replaced them with code from WASTE, a project created by AOL's Nullsoft division (and subsequently canceled by AOL).

WASTE uses an encrypted P2P protocol designed for private messaging and file transfer between a small number of trusted parties. Interestingly, the encryption has been removed from the WASTE code used in Phatbot. This may be due to the fact that sharing of public keys has been a stumbling block in the adoption of WASTE - currently it must be done manually. Rather than devise a system for distributing keys among infected hosts (or giving all hosts the same public/private keypair) the author(s) decided to scrap the encryption altogether.

Since there is no central server in the WASTE network, the infected hosts also have to find each other somehow. This is accomplished by utilizing Gnutella cache servers - anyone can use the CGI scripts provided by these servers to register themselves as a Gnutella client. The Phatbot WASTE code registers itself with a list of URLs pretending to be a version of GNUT, a Gnutella client. Other Phatbot hosts then retrieve the list of Gnutella clients from these cache hosts using the same CGI scripts. The Phatbots differentiate themselves from the Gnutella clients by using TCP port 4387 instead of the standard Gnutella port.

To connect to the Phatbot WASTE network, one only needs to have a custom WASTE client and connect to a peer found on the cache servers. At this point it is only necessary to have the correct username and password (stored as an md5sum in the Phatbot binary) in order to control the entire Phatbot network.

One problem with the WASTE approach is scalability; WASTE was not designed with large networks in mind. The protocol specifications state that WASTE is intended for nets with 10-50 nodes. For the typical IRC botnet, 1000 nodes would be on the small side.

Manual Removal

Look for the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Service Process
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Service Process

The associated binary may be srvhost.exe, svrhost.exe or a variation of the same. Kill the associated process in the Task Manager, then remove the "Generic Service Process" registry key. Remove the executable from the Windows system directory.

Snort Signatures

Here are some Snort signatures to detect Phatbot on a network:

alert tcp any any -> any any (msg:"Agobot/Phatbot Infection Successful"; flow:established; content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"; dsize:40; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/phatbot; sid:1000075; rev:1;)

alert tcp any any -> any any (msg:"Phatbot P2P Control Connection"; flow:established; content:"Wonk-"; content:"|00|#waste|00|"; within:15; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/phatbot; sid:1000076; rev:1;)
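The following Python is an added example (not part of the original SecureWorks page) that re-implements the matching logic of the two rules above, so the conditions can be checked against captured TCP payloads offline. It decodes Snort's |xx xx| hex escapes, applies the dsize:40 constraint of the first rule and the within:15 constraint of the second, and runs over constructed sample payloads; the sample bytes following "Wonk-" are invented for illustration.

```python
"""Offline check of the two Phatbot Snort rules against raw TCP payloads.
Sample payloads below are constructed, not real captures."""

import re


def snort_content_to_bytes(pattern: str) -> bytes:
    """Decode a Snort content string: literal text with |xx xx| hex groups."""
    out = bytearray()
    for text, hexgroup in re.findall(r"([^|]*)(?:\|([0-9a-fA-F ]+)\|)?", pattern):
        out += text.encode("latin-1")
        if hexgroup:
            out += bytes.fromhex(hexgroup.replace(" ", ""))
    return bytes(out)


# sid:1000075 - FTP server's closing banner; |3a 29 2e 0d 0a| is ":).\r\n".
GOODBYE_BANNER = snort_content_to_bytes("221 Goodbye, have a good infection |3a 29 2e 0d 0a|")
GOODBYE_DSIZE = 40

# sid:1000076 - WASTE control connection markers.
WASTE_MARKER = snort_content_to_bytes("Wonk-")
WASTE_CHANNEL = snort_content_to_bytes("|00|#waste|00|")
WASTE_WITHIN = 15


def matches_infection_banner(payload: bytes) -> bool:
    """dsize:40 means the whole payload is exactly 40 bytes, and it must contain the banner."""
    return len(payload) == GOODBYE_DSIZE and GOODBYE_BANNER in payload


def matches_waste_control(payload: bytes) -> bool:
    """within:15 means the second content must lie entirely inside the 15 bytes
    that follow the end of a 'Wonk-' match. Every occurrence of 'Wonk-' is tried."""
    start = 0
    while (i := payload.find(WASTE_MARKER, start)) >= 0:
        end_of_first = i + len(WASTE_MARKER)
        if WASTE_CHANNEL in payload[end_of_first:end_of_first + WASTE_WITHIN]:
            return True
        start = i + 1
    return False


def classify(payload: bytes) -> list:
    """Return the msg strings of the rules that fire on this payload."""
    hits = []
    if matches_infection_banner(payload):
        hits.append("Agobot/Phatbot Infection Successful")
    if matches_waste_control(payload):
        hits.append("Phatbot P2P Control Connection")
    return hits


# Constructed sample payloads (the bytes after "Wonk-" are invented).
SAMPLES = {
    "ftp_goodbye": GOODBYE_BANNER,                           # exactly 40 bytes -> fires
    "ftp_goodbye_padded": GOODBYE_BANNER + b"xx",            # 42 bytes, dsize fails
    "waste_hello": b"Wonk-a1b2c3\x00#waste\x00\x01",          # channel within 15 -> fires
    "waste_far": b"Wonk-" + b"A" * 20 + b"\x00#waste\x00",   # channel too far for within:15
}
```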
