Naked PhatBot

A denial of service (DoS) attack typically requires a coordinated effort by a large number of Internet hosts to simultaneously flood the host under attack. A sizable number of machines all sending copious amounts of packets to a single machine or network can overload it to the point where it becomes unusable, or perhaps even cause it to crash.

The hosts involved in the attack are often regular home computers that have been hijacked into doing the attacker's bidding. The computers have somehow become infected with a program that takes commands remotely. Many of these programs log in to the Internet Relay Chat (IRC) network and join a predefined IRC channel. Once logged in, they sit and wait for commands. When their master wants to launch an attack, he connects to IRC, informs all of the connected servant programs what he wants done, and they go do it. Spooky, eh?

The LURHQ Threat Intelligence Group has dissected one of these servant programs named PhatBot and posted information about its feature-set, just how advanced they have become and the list of commands they can respond to.

Here are a few of the more interesting commands:
  • bot.command :: runs a command with system()
  • rsl.reboot :: reboots the computer
  • ddos.synflood :: starts a SYN flood
  • redirect.https :: starts an HTTPS proxy
  • harvest.cdkeys :: makes the bot get a list of CD keys
Remotely starting proxy servers? Harvesting product CD-KEYs? Things have apparently come a long way since back in 1995 when we thought sending disruptive vt100 codes to someone's terminal over 'talk' or IRC was way cool. Too bad such an impressive distributed network of computers is being used for petty mischief rather than something worthwhile.
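As an added illustration (not code from this post or from LURHQ), here is a small detector for the herding pattern described above: it parses constructed IRC sensor log lines and flags a channel where one of the PhatBot commands listed here reaches several local hosts within a short window. The log format, addresses, nicknames and channel name are assumptions made up for the example.

```python
import re
from collections import defaultdict
# Command names taken from the PhatBot command list quoted in the post.
PHATBOT_CMDS = {"bot.command", "rsl.reboot", "ddos.synflood",
                "redirect.https", "harvest.cdkeys"}
# Constructed sensor log format (hypothetical, not any real tool's output):
# "<epoch> <client_ip> <- <raw IRC line the client received>"
LINE_RE = re.compile(r"^(\d+) (\d+\.\d+\.\d+\.\d+) <- (.*)$")
PRIVMSG_RE = re.compile(r"^:(\S+) PRIVMSG (#\S+) :(\S+)")

def parse_line(line):
    """Return (ts, client_ip, channel, first_word) for a channel PRIVMSG, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = PRIVMSG_RE.match(m.group(3))
    if not p:
        return None
    return int(m.group(1)), m.group(2), p.group(2), p.group(3).lower()

def find_botnet_commands(lines, min_hosts=3, window=60):
    """Return (channel, command, host_count) for every known bot command that
    reaches at least min_hosts distinct clients within `window` seconds: one
    herder line fanning out to many local hosts is the pattern in the post."""
    seen = defaultdict(list)  # (channel, cmd) -> [(ts, ip), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] in PHATBOT_CMDS:
            seen[(rec[2], rec[3])].append((rec[0], rec[1]))
    alerts = []
    for (chan, cmd), events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {ip for t, ip in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append((chan, cmd, len(hosts)))
                break  # one alert per (channel, command) is enough
    return sorted(alerts)

# Constructed sample: three clients receive the same command within seconds,
# one client receives a different command alone, plus unrelated IRC chatter.
SAMPLE_LOG = """\
1081000000 10.0.0.5 <- :srv PING :srv
1081000001 10.0.0.5 <- :herder!h@evil PRIVMSG #zombies :ddos.synflood
1081000002 10.0.0.9 <- :herder!h@evil PRIVMSG #zombies :ddos.synflood
1081000003 10.0.0.12 <- :herder!h@evil PRIVMSG #zombies :ddos.synflood
1081000500 10.0.0.5 <- :herder!h@evil PRIVMSG #zombies :harvest.cdkeys
1081000010 10.0.0.7 <- :alice!a@home PRIVMSG #linux :anyone tried the new kernel?
""".splitlines()
```

Running `find_botnet_commands(SAMPLE_LOG)` reports only the `ddos.synflood` fan-out in `#zombies`; the lone `harvest.cdkeys` delivery stays below the host threshold.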


I blogged some thoughts - see URL.


About this Entry

This page contains a single entry by Dylan published on April 3, 2004 2:01 AM.
