Computer security's new 'polybot' nightmare
A new malicious computer program has been detected that can create networks of remotely controlled computers to take part in online attacks, send junk e-mail messages as spam and engage in other shady activities common to the bad neighborhoods of cyberspace.
The new program, known as "phatbot" or "polybot," uses technology like that developed for file-sharing networks like Gnutella and KaZaa to control the machines. ("Bot" is shorthand for "software robot," a term generally applied to automated software.)
Once the program has made its way onto a victim's computer, it spreads across networks and searches for passwords that are stored on hard drives and are passing across local networks. It also disables antivirus programs and systems for upgrading software security.
Phatbot, which is technically known as a computer worm, was considered to be novel enough that the Department of Homeland Security asked a group of computer analysts last week to examine and monitor it, said Donald Tighe, a spokesman for the department.
The department was expected to announce reports on Thursday by Internet security task forces as part of the Bush administration's National Strategy to Secure Cyberspace, which was developed to bring government, business and academic resources together to address computer security issues.
The phatbot program, which was detected by security researchers, was described in an article on the Web site of The Washington Post on Wednesday morning.
Craig Schmugar, virus research manager with Network Associates, a computer security company, said his company currently rated phatbot as "low risk" because it had not spread as widely as recent worms, like MyDoom, Netsky and Bagle. But he added that "the potential for this one is huge" because it can spread in many ways and performs many surreptitious functions on the machines.
But Joe Stewart, senior security researcher at LURHQ, a company that manages security services for businesses, expressed some surprise over the attention that the program had received from the government and antivirus researchers.
"It's got extra features that make it a little bit more formidable, but it's certainly not a quantum leap in bot technology," said Stewart, who published a detailed analysis of the new program on the company's Web site, www.lurhq.com.
Phatbot is a variant of an earlier program known as agobot or gaobot. It takes advantage of security flaws in Microsoft's Windows operating systems that have been exploited by recent Internet viruses like MyDoom. Such malicious programs open back doors on computers whose owners do not keep up with the patches available from Microsoft at www.windowsupdate.com and who do not regularly update their antivirus software.
Computer owners who have kept their systems up to date and who are not already infected by a virus like MyDoom, Stewart said, are "probably not going to see any effect of this at all."
Previous bot programs have commandeered large networks of machines and used them to anonymously send spam, advertise pornographic Web sites and launch online attacks that block access to Web sites. Phatbot is one of a more recent wave that uses technology developed for file-sharing networks; earlier programs used a technology for instant online messages called Internet Relay Chat to accomplish the same ends.
Stewart said research showed that the program would create networks consisting of as many as 50 computers, far smaller than the networks usually assembled to launch massive attacks on particular Web sites. He said that it was likely that the purpose of these networks, therefore, was to send spam without being detected and without having to pay an Internet service provider.
Any computer that is infected with the new program, he said, is probably also burdened with other malicious software.
In that case, he added, "You've got a lot more to worry about than this."
Reproduced from an article published by The New York Times
© The New York Times
The original article can be viewed here:
http://www.iht.com/cgi-bin/generic.cgi?template=articleprint.tmplh&ArticleI...





