Phatbot and stealthy polymorphic Alphabot Soup, ISS Product ICQ parsing vuln.

Published: 2004-03-18
Last Updated: 2004-03-19 09:03:23 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
ISS Security Brief: Vulnerability in ICQ Parsing in ISS Products

ISS Alert:

ISS Updates:

Phatbot and stealthy polymorphic Alphabot Soup

"Phatbot" is essentially an "alias" label used by some AV vendors for a Trojan and it's also a name assigned to a particular Trojan analyzed by the LURHQ Threat Intelligence Group. These Trojans - Phatbot, Polybot, Agobot Gaobot, SDBot, RandBot .... which have similar functionality and purpose, are "lumped together" by some AV Vendors into families of Trojans. Most of these Trojans can trace their roots to powerful warez Trojans that have plagued University network environments for a number of years (groundbreaking threat analysis was done Dave Dittrich at the University of Washington and others). In addition all of the "Agobot"'s should be thrown in as relatives, after all what's in a name. The variants released in later 2003 and 2004 include true Internet worm
functionality enabled by Microsoft vulnerabilities associated with Ports 135, 445, and 80.

PolyBots, Phatbots, polymorphism and stealth

McAfee describes a "Polybot" virus family. Their perception of the family structure is that "There are several other very closely related IRC bot families based on widely circulated Sdbot sources - IRC-Sdbot, W32/Sdbot.worm, W32/Randbot.worm, W32/Gaobot.worm." I'll get to one variant's "stealth" in a minute.

Joe Stewart and the LURHQ team's analysis indicates to me that Phatbot is related to this Trojan family under discussion here. LURHQ goes on to describes Phatbot as having the "ability to polymorph on install in an
attempt to evade antivirus signatures as it spreads from system to system." (URL to their excellent analysis is below). The polymorph is interesting in that Phatbot morphs "on install". McAfee's analysis of Polybot shows a different pattern of morphing, McAfee says "The polymorphism in W32/Polybot worms is achieved by adding an "envelope" over a compiled HLL program of the worm. The envelope code reencrypts the whole file every time it runs." Morphing at "install" is one thing, morphing every time it runs is notably different.

Bot File Submissions Requested by Vendors - In addition to the polymorphing information, a recent email submission to the ISC by a Handlers Diary reader detailed how an AV Vendor recently emailed customers and stated their concern that a Polybot variant would not be detected by customers because of the Trojan's "stealthing" techniques. One vendors description of the stealthing (MacAfee) describes W32/Polybot.l!irc as "Stealthy and hides itself in memory. The file is deleted." The AV Vendor who wrote their customers specifically asks for submissions by customers of suspicious files, submissions needed to develop defenses against this stealthy Trojan.

All in all, this family of bots seems close to marrying stealth with a polymorphism implementation that'll morph it right out of the range of iterations AV engines can detect soon after it hits a host.

If you find any variants of this large family of Trojans please submit the files you find to your favorite Trojan Hunting application developer and AV vendor. Every submission "click" helps.

Rebuild versus cleaning with "tools".

If any "sensitive" system "you think you own" is actually owned by one of this family of bots, standard recommendations are to rebuild the infected systems from scratch.

For other information, check mailing lists for the many discussions going on concerning the number of systems "owned" by the botboyz.

Phatbot Trojan Analysis by LURHQ Threat Intelligence Group, material used with permission.
Release Date March 15, 2004
ALIASES Phatbot, W32.HLLW.Gaobot.gen (Symantec), Win32.Agobot (CA), WORM_AGOBOT.HM (Trend)
NAME: Agobot.FO, ALIAS:, W32.HLLW.Gaobot, Gaobot, Win32/Gaobot
ALIAS: Phatbot, Phat

Symantec's generic Gaobot family description is here;

Patrick Nolan
0 comment(s)


Diary Archives