Experts Debate Danger of Phatbot Worm

By Larry Seltzer  |  Posted 2004-03-17

The new Phatbot worm, a.k.a. Agobot, Gaobot and Polybot, is out in the wild. But experts on Wednesday debated its name and how far it has spread.

Security discussion lists and reports were abuzz Wednesday with talk of a new worm, named "Phatbot," that had reportedly spread to as many as hundreds of thousands of systems. But not all security experts agreed that the worm was widespread. As of late Wednesday afternoon, no major antivirus company had listed the worm as more than a "low" risk. Craig Schmugar, virus researcher for Network Associates Inc.'s McAfee Avert research group, said the variant in question began appearing on Monday, especially in the Asia-Pacific region, but has since tapered off. There have been several variations since the initial attack, Schmugar said, some more dangerous than others. The Santa Clara, Calif., company is keeping a close eye on them but maintaining its risk assessment of "low."

Adding to the confusion is a bewildering variety of names for the strain, and numerous variants over the last few days. Few companies use the name Phatbot. Most classify it as a variant of the long-running Gaobot or Agobot family, and some call it Polybot. Symantec Corp.'s write-up refers to it as Gaobot.RF, declaring it to be the 172nd variant of the family.

Like most other recent threats, Phatbot, or Gaobot, spreads through a variety of Windows vulnerabilities, some quite old, others more recent. When run, the worm configures the system to start it automatically at boot; attempts to terminate security software running on the computer; and probes network shares in an attempt to spread. It also seeks to terminate processes belonging to other worms.

Phatbot also opens a connection to a specific IRC channel with its own built-in client and awaits commands. Reports from security analysts have differed on whether this IRC client has been used to create a "botnet" of systems for a distributed denial of service attack, and even how large a network it can practically form.
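The "botnet" question above turns on one observable fact: every infected host dials the same IRC server and joins the same channel. The following is an added example, not code from the article or from any antivirus vendor, that turns that fact into a detection: it reads a constructed, hypothetical proxy/IDS log of IRC JOIN events (the log format, server addresses, channel names and the `min_hosts`/`window` thresholds are all assumptions for illustration) and flags any server-and-channel pair that several distinct internal hosts join within a short window. A single host in a chat channel is normal; ten workstations converging on one obscure channel within minutes is a rendezvous point worth blocking and investigating.

```python
"""Flag IRC channels that many internal hosts join at once (botnet rendezvous).

Added example for the Phatbot/Gaobot discussion; not the article's or any
vendor's code. The log format and all sample addresses are constructed.
Log line shape (hypothetical):  "YYYY-MM-DD HH:MM:SS src_ip dst_ip:port JOIN #chan"
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\d+\.\d+\.\d+\.\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) JOIN (?P<chan>#\S+)$"
)

# Constructed sample: three internal hosts join the same channel on the same
# external server within ten seconds (bot-like); a fourth host joins an
# ordinary channel on a different server; one bot reconnects later.
SAMPLE_LOG = """\
2004-03-15 09:00:01 10.0.0.5 198.51.100.7:6667 JOIN #x9q
2004-03-15 09:00:04 10.0.0.17 198.51.100.7:6667 JOIN #x9q
2004-03-15 09:00:09 10.0.0.23 198.51.100.7:6667 JOIN #x9q
2004-03-15 09:05:00 10.0.0.42 203.0.113.9:6667 JOIN #linux
2004-03-15 09:00:30 10.0.0.5 198.51.100.7:6667 JOIN #x9q
this line is not a JOIN record and is skipped
""".splitlines()


def parse(lines):
    """Yield (timestamp, src, dst, port, channel) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate unrelated or malformed records
        yield (
            datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            m["src"],
            m["dst"],
            int(m["port"]),
            m["chan"],
        )


def find_rendezvous(lines, min_hosts=3, window=timedelta(minutes=5)):
    """Return {(dst, port, chan): sorted list of internal sources} for every
    server/channel that at least `min_hosts` distinct RFC 1918 hosts joined
    within any `window`-long interval. Thresholds are illustrative."""
    events = defaultdict(list)  # (dst, port, chan) -> [(ts, src), ...]
    for ts, src, dst, port, chan in parse(lines):
        if ipaddress.ip_address(src).is_private:  # only our own hosts count
            events[(dst, port, chan)].append((ts, src))

    hits = {}
    for key, evs in events.items():
        evs.sort()  # chronological order, so a window is a contiguous slice
        for i, (t0, _) in enumerate(evs):
            # distinct sources joining within `window` of the i-th join
            srcs = {s for t, s in evs[i:] if t - t0 <= window}
            if len(srcs) >= min_hosts:
                hits[key] = sorted(srcs)
                break
    return hits


if __name__ == "__main__":
    for (dst, port, chan), srcs in find_rendezvous(SAMPLE_LOG).items():
        print(f"possible bot rendezvous {dst}:{port} {chan} joined by {srcs}")
```

Running it on the constructed sample reports the single suspicious channel on 198.51.100.7 with its three internal members and stays silent about the lone `#linux` user. In practice the same loop runs over a real IDS or proxy feed; the port check is deliberately absent because bot herders often move C2 off 6667, so the signal is the shared channel, not the port.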

According to Ken Dunham, director of malicious code at iDEFENSE Inc., of Reston, Va., there are "at least four Phatbot variants now." "We've been tracking this entire situation," he said in a Wednesday posting on the SecurityFocus Incidents list. "It's not a matter of how many there are but which networks end up being compromised. ... And it is growing."

Larry Seltzer has been writing software for, and English about, computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
