Bot nets use Windows for wicked work

TalkBack 11 of 28:

Next »

« Previous

• Thread View
• Flat View

Day late and couple dollars short

Phatbot P2P Functionality
What sets Phatbot apart from its predecessors is the use of P2P to control the botnet instead of IRC. Although Agobot has a rudimentary P2P system, IRC is still the main control vector. The author(s) of Phatbot chose to abandon Agobot's IRC and P2P implementations altogether and replaced them with code from WASTE, a project created by AOL's Nullsoft division (and subsequently canceled by AOL).

WASTE uses an encrypted P2P protocol designed for private messaging and file transfer between a small number of trusted parties. interestingly, the encryption has been removed from the WASTE code used in Phatbot. This may be due to the fact that sharing of public keys has been a stumbling block in the adoption of WASTE - currently it must be done manually. Rather than devise a system for distributing keys among infected hosts (or giving all hosts the same public/private keypair) the author(s) decided to scrap the encryption altogether.

Since there is no central server in the WASTE network, the infected hosts also have to find each other somehow. This is accomplished by utilizing Gnutella cache servers - anyone can use the CGI scripts provided by these servers to register themselves as a Gnutella client. The Phatbot WASTE code registers itself with a list of URLs pretending to be a version of GNUT, a Gnutella client. Other Phatbot hosts then retrieve the list of Gnutella clients from these cache hosts using the same CGI scripts. The Phatbots differentiate themselves from the Gnutella clients by using TCP port 4387 instead of the standard Gnutella port.

To connect to the Phatbot WASTE network, one only needs to have a custom WASTE client and connect to a peer found on the cache servers. At this point it is only necessary to have the correct username and password (stored as an md5sum in the Phatbot binary) in order to control the entire Phatbot network.

One problem with the WASTE approach is scalability; WASTE was not designed with large networks in mind. The protocol specifications state that WASTE is intended for nets with 10-50 nodes. For the typical IRC botnet, 1000 nodes would be on the small side.

Ain't no system safe - once that Cat 5 cable is plugged in even penguinistas are compromised.....

Posted by: quietLee   Posted on: 03/17/05 You are currently: a Guest | Members login | Terms of Use

Alert moderator to an offensive message

Subscribe to this discussion via Email or RSS

SponsoredWhite Papers, Webcasts, and Downloads

• Reducing Server Total Cost of Ownership with VMware Virtualization Software VMware VMware virtualization enables customers to reduce their server TCO and ... Download Now
• Get top-ranked Novell support for Red Hat at 50% less Novell A simplified IT environment isn't just less complex, it's more reliable. ... Download Now
• Building the Virtualized Enterprise with VMware Infrastructure VMware VMware virtualization software has been adopted by over 120,000 enterprise ... Download Now