Warning!!!

UGIN
Found somewhere on the net...
Sounds none too reassuring..

QUOTE
Some stupid turd for brains is at it again....    A new malicious computer program has been detected that can create networks of remotely controlled computers to take part in online attacks, send junk e-mail messages as spam and engage in other shady activities common to the bad neighborhoods of cyberspace.  
The program, known as phatbot or polybot, uses technology like that developed for file sharing networks such as Gnutella and Kazaa to control the machines. ("Bot" is shorthand for "software robot," a term generally applied to automated software.)  
Once the program has made its way onto a victim's computer, it spreads across networks and searches for passwords that are stored on hard drives and are passing across local networks. It also disables antivirus programs and systems for upgrading software security.  
Phatbot, which is technically known as a computer worm, was considered novel enough that the Department of Homeland Security asked a group of computer analysts last week to examine and monitor it, Donald Tighe, a spokesman for the Department of Homeland Security, said. The department will announce reports today by Internet security task forces as part of the administration's National Strategy to Secure Cyberspace, which was developed to link the resources of government, business and academia to address computer security issues.  
URL:  http://news.com.com/2100-1009_3-5175025.html?tag=nefd_top  
A new "Trojan horse" program called Phatbot is spreading across Windows computers connected to the Internet, employing a range of nefarious tactics including some borrowed from the world of peer-to-peer file sharing systems such as Kazaa and the original Napster. According to the Washington Post, which broke the story on March 17, Phatbot can create invisible networks of up to 50 infected machines. This gives the hackers who wrote the program a highly efficient way to issue orders to the machines, in essence recruiting them into an underground hacker army. For example, the networks could be used to launch massive spam or denial-of-service attacks. The resilient nature of peer-to-peer networks -- if one node is removed, communications will simply flow around it -- means that security officials will have a very hard time slowing Phatbot's spread, short of tracking down every single infected machine. Just as alarming, the malicious program can evade and shut down many popular anti-virus programs.
URL:  http://www.technologyreview.com/blog/blog.asp?blogID=1326
Phatbot Feature List (Many of these features are also present in Agobot)
- Has the ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system
- Checks to see if it is allowed to send mail to AOL, for spamming purposes
- Can steal Windows Product Keys
- Can run an IDENT server on demand
- Starts an FTP server to deliver the trojan binary to exploited hosts - ends the FTP session with the message "221 Goodbye, have a good infection ."
- Can run a socks, HTTP or HTTPS proxy on demand
- Can start a redirection service for GRE or TCP protocols
- Can scan for and use the following exploits to spread itself to new victims: DCOM, DCOM2, MyDoom backdoor, DameWare, Locator Service, Shares with weak passwords, WebDav, WKS - Windows Workstation Service
- Attempts to kill instances of MSBlast, Welchia and Sobig.F
- Can sniff IRC network traffic looking for logins to other botnets and IRC operator passwords
- Can sniff FTP network traffic for usernames and passwords
- Can sniff HTTP network traffic for Paypal cookies
- Contains a list of nearly 600 processes to kill if found on an infected system. Some are antivirus software, others are competing viruses/trojans
- Tests the available bandwidth by posting large amounts of data to the following websites: www.st.lib.keio.ac.jp, www.lib.nthu.edu.tw, www.stanford.edu, www.xo.net, www.utwente.nl, www.schlund.net
- Can steal AOL account logins and passwords
- Can steal CD Keys for several popular games
- Can harvest emails from the web for spam purposes
- Can harvest emails from the local system for spam purposes

P2P Functionality
What sets Phatbot apart from its predecessors is the use of P2P to control the botnet instead of IRC. Although Agobot has a rudimentary P2P system, IRC is still the main control vector.
The author(s) of Phatbot chose to abandon Agobot's IRC and P2P implementations altogether and replaced them with code from WASTE, a project created by AOL's Nullsoft division (and subsequently canceled by AOL).  
WASTE uses an encrypted P2P protocol designed for private messaging and file transfer between a small number of trusted parties. Interestingly, the encryption has been removed from the WASTE code used in Phatbot. This may be due to the fact that sharing of public keys has been a stumbling block in the adoption of WASTE - currently it must be done manually. Rather than devise a system for distributing keys among infected hosts (or giving all hosts the same public/private keypair) the author(s) decided to scrap the encryption altogether.
Since there is no central server in the WASTE network, the infected hosts also have to find each other somehow. This is accomplished by utilizing Gnutella cache servers - anyone can use the CGI scripts provided by these servers to register themselves as a Gnutella client. The Phatbot WASTE code registers itself with a list of URLs pretending to be a version of GNUT, a Gnutella client. Other Phatbot hosts then retrieve the list of Gnutella clients from these cache hosts using the same CGI scripts. The Phatbots differentiate themselves from the Gnutella clients by using TCP port 4387 instead of the standard Gnutella port.  
To connect to the Phatbot WASTE network, one only needs to have a custom WASTE client and connect to a peer found on the cache servers. At this point it is only necessary to have the correct username and password (stored as an md5sum in the Phatbot binary) in order to control the entire Phatbot network.  
One problem with the WASTE approach is scalability; WASTE was not designed with large networks in mind. The protocol specifications state that WASTE is intended for nets with 10-50 nodes. For the typical IRC botnet, 1000 nodes would be on the small side.  
Manual Removal
Look for the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Service Process
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Service Process
Be careful, strange s**t nowadays, that's for sure, people trying to poison us....
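A small triage script for the indicators the quoted analysis gives (Phatbot peers on TCP port 4387 in Gnutella cache listings, the FTP "221 Goodbye, have a good infection" banner, and the two autorun registry values from the Manual Removal notes). This is an added example, not code from the post or from LURHQ; the cache-listing format, the log line layout and all sample data are constructed assumptions.

```python
"""Triage helpers for the Phatbot indicators quoted above (added example; constructed data)."""
import re

PHATBOT_WASTE_PORT = 4387  # port the quoted analysis says Phatbot peers use instead of the Gnutella default
FTP_GOODBYE_BANNER = "221 goodbye, have a good infection"  # telltale FTP session close, compared lowercase
# Registry values named in the Manual Removal section; compared case-insensitively, as the registry is.
AUTORUN_INDICATORS = {
    r"hklm\software\microsoft\windows\currentversion\run\generic service process",
    r"hklm\software\microsoft\windows\currentversion\runservices\generic service process",
}

def suspicious_cache_hosts(cache_response):
    """Parse an assumed 'host:port' cache listing; return (host, port) entries on port 4387."""
    hits = []
    for line in cache_response.splitlines():
        m = re.fullmatch(r"\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*", line)
        if m and int(m.group(2)) == PHATBOT_WASTE_PORT:
            hits.append((m.group(1), PHATBOT_WASTE_PORT))
    return hits

def ftp_banner_servers(log_lines):
    """Return server addresses (assumed 'server=' field) whose FTP session ended with the banner."""
    servers = []
    for line in log_lines:
        if FTP_GOODBYE_BANNER in line.lower():
            m = re.search(r"server=(\S+)", line)
            if m and m.group(1) not in servers:
                servers.append(m.group(1))
    return servers

def autorun_hits(autorun_entries):
    """Return the autorun entries that match the two registry values from the removal notes."""
    return sorted(e for e in autorun_entries if e.lower() in AUTORUN_INDICATORS)

# Constructed sample data (not real captures).
SAMPLE_CACHE = "192.0.2.10:6346\n198.51.100.7:4387\n203.0.113.5:6346\n198.51.100.9:4387\nbad line\n"
SAMPLE_FTP_LOG = [
    'client=10.0.0.5 server=10.0.0.23 msg="221 Goodbye, have a good infection ."',
    'client=10.0.0.5 server=10.0.0.40 msg="221 Goodbye."',
    'client=10.0.0.6 server=10.0.0.23 msg="221 Goodbye, have a good infection ."',
]
SAMPLE_AUTORUNS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Service Process",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
]

if __name__ == "__main__":
    print("Peers on the WASTE port:", suspicious_cache_hosts(SAMPLE_CACHE))
    print("FTP servers with the banner:", ftp_banner_servers(SAMPLE_FTP_LOG))
    print("Autorun hits:", autorun_hits(SAMPLE_AUTORUNS))
```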
Billy Bonce
Now that's an idea! A worm that works as a p2p client :punk:

No mother-in-law could find fault with that :nlo:

Something crawled onto the computer by itself, nicely shared the incoming directory, and queued up a couple of wonderful releases of other worms for download :D
UGIN
Start developing it!! :lol:
Billy Bonce
Only this worm should also be able to
1) burn discs
2) neatly label them with a marker
3) put them on the shelf
UGIN
And what about making espresso?
Forgot??
Without that I won't accept the work. :punk:
Brait
More detailed information about this, I'm not afraid to say it, splendid virus:
http://www.computerra.ru/think/sentinel/32612/

There is a list of all its working functions and commands:
http://www.lurhq.com/phatbot.html

I've been waiting for a TRULY terrible virus like this for 3 years.
Well, here it is at last... :(
UGIN
And I found it here..
go have a look
Billy Bonce
QUOTE (Brait @ 20-03-2004, 12:34)
I've been waiting for a TRULY terrible virus like this for 3 years.
Well, here it is at last... :(

A truly terrible virus already existed: W95.CIH (Chernobyl)

Thank God, virus writers of recent years are more oriented toward DoS attacks than toward destroying the FS and BIOS :)

Imagine what would have happened if Chernobyl had been bolted onto MS.Blast :fear2:
UGIN
Well, I wouldn't say that...
Chernobyl, of course, killed quite a few..
But for all its destructiveness, you install an antivirus and that's it..
And it only triggered after a restart..
But all these Blasts keep working all the time, ***(insert the appropriate swear word yourself :laugh: )
And the bastards finish off the network..