TechSpot

Hackers Embrace P2P Concept

By tkteo
Mar 17, 2004
  1. Experts Fear 'Phatbot' Trojan Could Lead to New Wave of Spam or Denial-of-Service Attacks

    By Brian Krebs
    washingtonpost.com Staff Writer
    Wednesday, March 17, 2004; 6:23 AM


    Computer security experts in the private sector and U.S. government are monitoring the emergence of a new, highly sophisticated hacker tool that uses the same peer-to-peer (P2P) networking abilities that power controversial file-sharing networks like Kazaa and BearShare.

    By some estimates, hundreds of thousands of computers running Microsoft's Windows operating system have already been infected worldwide. The tool, a program that security researchers have dubbed "Phatbot," allows its authors to gain control over computers and link them into P2P networks that can be used to send large amounts of spam e-mail messages or to flood Web sites with data in an attempt to knock them offline.

    The new hacker threat caught the attention of cyber-security officials at the U.S. Department of Homeland Security, prompting the agency to send an alert last week to a select group of computer security experts. In the alert, the agency warned that Phatbot snoops for passwords on infected computers and tries to disable firewall and antivirus software.

    A copy of the DHS alert was made available to washingtonpost.com by two sources at different companies who asked that their identities not be used because they did not want to risk losing access to future government alerts. Officials at the department and US-CERT -- a government-funded cyber-security monitoring agency -- confirmed that the message was genuine.

    Phatbot is "a virtual Swiss Army knife of attack software," said Vincent Weafer, senior director of security response at Cupertino, Calif.-based Symantec Corp.

    Joe Stewart, a researcher at the Chicago-based security firm Lurhq, has catalogued Phatbot's many capabilities in an online posting. Those capabilities include: the "ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system"; "steal AOL account logins and passwords"; "harvest emails from the web for spam purposes" and "sniff [Internet] network traffic for Paypal cookies."

    Phatbot is a kind of "Trojan horse," a type of program named after the legendary stealth attack because it lets hackers take quiet control of unsecured computers. Security firms have catalogued hundreds if not thousands of Trojan horse programs in recent years, but Phatbot has raised substantial concern because it represents a leap forward in its sophistication and is proving much harder for law enforcement authorities and antivirus companies to eliminate.

    Like traditional Trojan horse programs, Phatbot infects a computer through one of several routes, such as through security flaws in Microsoft's Windows operating system or through "backdoors" installed on machines by the recent "Mydoom" and "Bagle" Internet worms.

    But because Phatbot links infected computers into a larger network, hackers can issue orders to the infected machines through many routes, and cyber-security officials can only effectively shut down a Phatbot attack if they track down every infected computer.

    "The concern here is that the peer-to-peer like characteristics of these 'bot networks may make them more resilient and more difficult to shut down," said a cyber-security official at the Department of Homeland Security who asked not to be identified because the agency is still considering whether to issue a more public alert about Phatbot.

    "With these P2P Trojan networks, even if you take down half of the affected machines, the rest of the network continues to work just fine," said Mikko Hypponen, director of F-Secure, an antivirus software company based in Finland.

    Most major antivirus products detect Phatbot, but as soon as the Trojan infects computers it disables many antivirus and firewall software tools.

    Roger Lawson, director of computing and information technology at the University of Vermont in Burlington, said he quarantined more than 200 computers -- more than 5 percent of the machines on the school's network -- because of Phatbot infestations. None of the school's antivirus programs detected the Trojan, and attempts to delete it caused Phatbot to recreate and restart itself, he said.

    Phatbot's ability to disable computer security software means that the estimated number of infected computers could rise to as high as "several hundred thousand," said F-Secure's Hypponen.

    A few computer experts said the rate of infection is much higher.

    Igor Ybema, a network administrator at the University of Twente in Enschede in The Netherlands, put the number between 1 million and 2 million computers. His conclusion was based on a Phatbot command that forces infected computers to test their Internet connection speed by sending a file to one of 22 specifically selected Web servers around the world -- one of them at Twente.

    He said Twente began monitoring traffic from computers running the tests in mid-February, about the time that rival hacker gangs began an online turf war that resulted in a volley of new worms like Bagle and "Netsky." By early last week, Ybema said he was tracking an average of 200,000 to 300,000 Internet addresses running the speed test every day. Ybema believes such traffic indicates that attackers who have previously relied on less advanced remote-access Trojans are now using Phatbot.

    The majority of the infections appeared to come from home user broadband connections and from colleges and universities in the United States and the Asia-Pacific region, he said.

    Earlier this month, computer network engineers at University of California, Santa Cruz monitored the same type of speed testing traffic as Twente's Ybema observed. Mark Boolootian, the network engineer who discovered the activity, said one reason infected computers may be conducting the speed tests is to give Phatbot authors an idea of which infected computers would be the fastest in sending out large amounts of spam or data aimed at overwhelming a major Web site.

    Security experts are divided on whether a full-force Phatbot attack will result in ruin or simply a ruinous headache.

    "If there are indeed hundreds of thousands of computers infected with Phatbot, U.S. e-commerce is in serious threat of being massively attacked by whoever owns these networks," said Russ Cooper, a chief scientist at Herndon, Va.-based TruSecure Corp.

    There are several incidents in the past several years that show how hackers used multiple ensnared computers to cause damage. In February 2000, a Canadian juvenile commandeered high-speed computers at University of California, Santa Barbara to knock Amazon, eBay, CNN.com, and a host of other Web sites off-line for hours. In October 2002, hackers used an army of commandeered computers to assault the 13 root servers that serve as the roadmap for Internet traffic.

    But Lurhq's Stewart said his analysis of Phatbot indicates that the Trojan is designed to link computers into groups no larger than 50 computers, which would significantly limit the Trojan's effectiveness as a denial-of-service tool.

    As a result, he said, Phatbot-infected PCs will more likely be used as highly effective spamming machines.
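The Twente count described above, as an added example that is not code from the article or from any of the researchers it quotes: a script that tallies, per day, the distinct client addresses hitting a speed-test upload path in a web server's access log, and lists hosts that come back on more than one day. The Apache combined log format, the path "/speedtest/upload" and the sample lines are assumptions; the article does not state the real target path.

```python
"""Per-day count of distinct hosts hitting a suspected bot speed-test path.

Added example; the log format and upload path are assumed, not taken from
the article. Sample lines are constructed (RFC 5737 documentation addresses).
"""
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

SPEEDTEST_PATH = "/speedtest/upload"  # assumed; substitute the path actually observed


def speedtest_sources_per_day(lines, path=SPEEDTEST_PATH, method="POST"):
    """Return {day: set(client ips)} for requests matching the speed-test upload."""
    per_day = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole run
        if m.group("method") == method and m.group("path") == path:
            per_day[m.group("day")].add(m.group("ip"))
    return dict(per_day)


def summarize(per_day):
    """Daily distinct-host counts, plus hosts seen on more than one day
    (a host that keeps re-testing is a stronger sign of a persistent infection)."""
    daily = {day: len(ips) for day, ips in sorted(per_day.items())}
    days_seen = defaultdict(int)
    for ips in per_day.values():
        for ip in ips:
            days_seen[ip] += 1
    repeat = sorted(ip for ip, n in days_seen.items() if n > 1)
    return daily, repeat


# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2004:03:14:01 +0100] "POST /speedtest/upload HTTP/1.0" 200 512
192.0.2.10 - - [10/Mar/2004:03:14:09 +0100] "POST /speedtest/upload HTTP/1.0" 200 512
198.51.100.7 - - [10/Mar/2004:04:02:33 +0100] "POST /speedtest/upload HTTP/1.0" 200 512
203.0.113.5 - - [10/Mar/2004:05:30:00 +0100] "GET /index.html HTTP/1.1" 200 2048
192.0.2.10 - - [11/Mar/2004:03:15:22 +0100] "POST /speedtest/upload HTTP/1.0" 200 512
203.0.113.99 - - [11/Mar/2004:06:45:10 +0100] "POST /speedtest/upload HTTP/1.0" 200 512
garbage line that does not parse
"""

if __name__ == "__main__":
    daily, repeat = summarize(speedtest_sources_per_day(SAMPLE_LOG.splitlines()))
    for day, n in daily.items():
        print(f"{day}: {n} distinct hosts ran the speed test")
    print("hosts seen on more than one day:", repeat)
```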
     
  2. SNGX1275

    SNGX1275 TS Forces Special Posts: 10,714   +397

    Created by our own news moderator PHATMAN5050 :) jk
     
  3. StormBringer

    StormBringer TS Rookie Posts: 2,244

    I really wish people would stop using the term "hacker" when they mean "cracker". It is slander and defamation of character to hackers, to be put in the same class as a cracker.
     
  4. XtR-X

    XtR-X TS Rookie Posts: 863

    But times change though...

    We all know that a long time ago "Hackers" were the good people; it just happened to turn out that now the name is being misused. It's basically still "hacker" and "cracker" but it's changing over. Just like how we got a nickname in the first place.

    Same thing.
     
  5. me(who else?)

    me(who else?) TS Rookie Posts: 387

    I agree. Crackers are malicious, while hackers are usually curious and have good intentions. The words, however, have become synonymous to most people. A few days ago a friend of mine asked if I was a hacker... of course, I said "depends on what you mean". She instantly thought I was a cracker (this wasn't helped by the fact I've messed around with school computers several times).

    I think the stereotype of hackers is beginning to get out of control.

    P.S. If you haven't noticed, I'm not a cracker.
     
  6. milky

    milky TS Enthusiast Posts: 85

    When in that article did anyone use the word "cracker"?? As far as I could see the "hacker" term was used properly as a person attacking another computer. Nothing about "cracking" a program's protection.
     
  7. Spike

    Spike TS Evangelist Posts: 2,168

    You misunderstand. Completely in fact.

    HACKERS...
    A hacker isn't a bad person. I actually aspire to be a hacker - I'm not one, but I might be good enough one day to consider calling myself one. Hacking isn't about breaking into places with malicious intent and/or doing damage. It's about learning and understanding how things work - sometimes just for the sake of knowledge, and sometimes for the sake of improving things. If you use a custom WinXP scheme, you are using a patched DLL, which is also known as a hacked DLL - it's been customised in a view to improve the system. You change the bootscreen of WinXP by hacking NTOSKRNL.EXE.

    I have a 98 startup disk I'm trying to add NTFS support into, in a VERY loose sense of the term hacking it. I had two decent, quite large audio system speakers and a set of broken computer speakers. By hacking them together, I created a super loud pair of computer stereo speakers.

    Hackers don't tend to attack things, and when they do, it's almost always in such a way that is non-destructive. Hacking doesn't carry malicious intent - it's kind of a moral code.

    CRACKERS...

    Crackers tend to have malicious intent, wanton vandalism, money, fame and notoriety, etc. as root causes for their actions. Truth be known, most of them couldn't give a damn about making anything better, and are usually out for personal and material gain. They try to crack open doorways into security systems; they are the ones that vandalise websites by finding little cracks in program security and exploiting them to get in and screw up all your hard work. They find cracks in systems they can use to install things like remote controlled trojans as above in this thread, which exploit cracks in system security to install themselves (though the biggest crack in a system's security is usually the user :rolleyes: )

    conclusion
    I think you get the idea. They've used the word hacker when hackers actually have nothing to do with it. Not entirely surprising from the Washington Post, I must admit. Essentially they used the wrong term - they were talking about crackers but used the word hacker instead, as though the two terms were synonymous, and they're not.

    Why? Well, there are two possibilities...

    One is that the writer or the editor (or both) aren't educated enough in the world of hackers and crackers to know what they're talking about when using the terms, and so treat them synonymously.

    Reason two is that US authorities, for reasons historical, have traditionally gone to great lengths to try and make the two terms synonymous in the public mind - ever since the days of phone phreaking, and later, Kevin Mitnick.
     
  8. milky

    milky TS Enthusiast Posts: 85

    Yeah, ok. Maybe if you actually were a hacker, I might take you seriously, but seeing as how you're just a wanna-be, I will school you a little here:

    Definitions:


    Random House Unabridged Dictionary:

    hacker (hak'er), n. 1. a person or thing that hacks. 2. Slang. a person who engages in an activity without talent or skill. 3. Computer Slang. a. a computer enthusiast. b. a microcomputer user who attempts to gain unauthorized access to proprietary computer systems.

    cracker (krak'er), n. 1. a thin, crisp biscuit.


    Dictionary.com:

    hack·er n. Informal

    1. One who is proficient at using or programming a computer; a computer buff.
    2. One who uses programming skills to gain illegal access to a computer network or file.
    3. One who enthusiastically pursues a game or sport: a weekend tennis hacker.

    crack·er n.

    1. A thin crisp wafer or biscuit, usually made of unsweetened dough.
    2. One that cracks, especially:
    1. A firecracker.
    2. A small cardboard cylinder covered with decorative paper that...
    3. The apparatus used in the cracking of petroleum.
    4. One who makes unauthorized use of a computer, especially to tamper with data or programs.
    3. Offensive:
    1. Used as a disparaging term for a poor white person of the rural, especially southeast United States.
    2. Used as a disparaging term for a white person.


    Encarta Dictionary:

    hacker 1. somebody who uses computer expertise to gain unauthorized access to a computer system belonging to another, either to learn about the system or to examine its data. 2. somebody who is very interested or skilled in computer technology and programming 3. somebody who enjoys a sport but is not very good at it 4. somebody who cuts or chops something

    cracker 1. a flat crisp wafer 2. somebody who comes from or lives in the states of Georgia or Florida 3. somebody who gains unauthorized access to a computer system, especially to acquire or interfere with data.
    See, if you were really, really smart, you might understand. Completely in fact.
    That the public's perception of a definition is in fact the definition.

    There is no government conspiracy! Take the locks off the cupboards. Get out of the house once in a while. And try aspiring to be something a little more important in life than a hacker!
     
  9. Didou

    Didou Bowtie extraordinair! Posts: 4,274

    There's no right or wrong here. Both terms have been used wrong for so long that you can't really tell what the good definition is. Both definitions are valid I would say.
    & there's really no need to use that tone here. If you can't have a discussion without name calling, you might as well find somewhere else to "talk".
     
  10. milky

    milky TS Enthusiast Posts: 85

    Who's name calling? If you're referring to "wanna-be", Spike basically called himself that:

    Besides that, he got me stirred up a little when he started his post with:

    I never asked him.
    Maybe he should read this: Guide to Making a Good Post/Thread
     
  11. Spike

    Spike TS Evangelist Posts: 2,168

    No, I basically said I aspired to be a hacker. I'm not a "wanna-be" hacker as you put it, simply for the fact that I am reasonable and knowledgeable enought to know that I have no right to call myself one, and it'll take me a long long time to ever be good enough to do so, if I ever am. It implies that I look up to people that knowledgeable, rather than calim to be such a person - in training or otherwise.


    Admittedly a very bad way of saying what I said there, but none the less it wasn't agressive. I was referring to your misunderstanding with the way you had misunderstood the statements of SNGX and the others - clearly you didn't understand which definition set they were using, else you wouldn't have reacted the way you did.

    That's the beauty of forums - you often get opinions from people you didn' directly ask. It will please you to know that I've read that thread multiple times - even after it was originally posted and before it became sticky. What I fosted was completely factual - the definitions of the terms used in previous replies.

    I do thankyou - you considered to take my statement of "you misunderstand. Completely in fact" as some sort of challenge to your authority, when there was in fact no challenge intended. As a result your self-percieved dents to your pride drove you to aggressively reply and belittle the person that made you feel just a little smaller than you felt before.

    This is interesting incidentally, because I didn't in fact make you fee smaller - there was no aggression nore any name calling in my post. it was you yourself that belittled yourself on the basis of a misconception of what I'd posted.

    If we are talking about the outside theis thread then your statement "the public's perception of a definition is in fact the definition." is incorrect. the publics perception is only one part of the meaning of the word. Other parts of its meaning are the understanding of the person using it, that of the person listening, and that who understand it to mean anything else, be it as part of a culture, sub-culture or not. Language is a very dynamic thing. However, in the context of this thread, perhaps the washington post article did use your definitions, but the overriding context of the immediate replies were otherwise. You had a go at everyone else for completely miscontruing the article, and I pointed out that things had moved on beyond the definitions of the article and so you were misunderstanding their views.

    on those last points...
    1, I did not even mention a government conspiracy. All I mentioned was the fact that the US government wished=s to portray ALL hackers in a bad linght for its own reasons - that's simply called a policy. It's always been the policy.

    2, Now that's just a little childish. , but just to enquire - I went to Vienna Twice last year - once in October and once in November. I'm going to a town just outside Bratislava in May. I won't bother with my mundane day to day activities, but do my trips abroudad to foriegn cultures apply here?

    For your information, Hackers, in the context not used in the article, but used by subsequent replies, are in fact very very useful people. As it was this definition that I was using in describing my aspirations, I fail to see the problem. Just because I aspire to one thing, it doesn nessecarily mean that I don't wish to do many others with my life.

    Honestly, this is a non-aggressive reply, and the only aggresive statement in it is the following - don't have time for this and don't much care for it. You are at a techsite and may or may not be good with computers, and I'm here for the same reasons. To help and to be helped, but also to discuss. to argue isn't really on my wish list.

    edit: I shall leave my mulitple typing errors intact, which should really demonstrate how uninterested I am - if I was interested in getting flamed or flaming I'd sign up at an evangelical christian forum and tell everybody that I'm a pagan witch. I've had a go at one person on these boards for good reason in my entire membership - and it's staying that way.
     
  12. SNGX1275

    SNGX1275 TS Forces Special Posts: 10,714   +397

    Guys....

    No reason to get all hot and bothered by a post that is just a few days short of 2 years old...
     
  13. milky

    milky TS Enthusiast Posts: 85

    SNGX: Is this guy for real?

    I have no idea how I stumbled across this old thread, but I did and read the article before even seeing that there were replies. When I saw all the chatter started by StormBringer's remarks, I thought I would ask him why he was feeling the way he was about the article (at this time, I didn't see it was an old thread) when I felt the term was used correctly.


    Spike:
    back to school...
    wanna-be is slang for 'want to be' which are the words by which 'aspire' is defined. I am truly sorry if you were offended by that. :rolleyes:
    I think we're all in agreement here. :haha:
    Dude, your idea of 'aggressive' is pretty screwed up; your spelling too. Do yourself a favor, go buy a dictionary and look up the big words before you use them.
    My first post was a simple question (maybe you need to look up 'react' also) CLEARLY directed at StormBringer (not SNGX and the others and definitely not you) who was clearly offended by the article's use of the word 'hacker'. You can tell it was directed at StormBringer by the way I QUOTED HIM!!! I think you should probably read this entire thread again so you can feel a little smaller than I probably just made you feel.
    Looks like you should read it 1 more time.
    What you 'fosted' was your own opinion of how the two words should be defined. What I posted was the 'completely factual' definitions according to Random House, Dictionary.com, and Encarta. :knock:
    :confused:
    That was one of the longest posts ever!

    Here it is again in case you forgot how much time you actually spent on it:
     
  14. Spike

    Spike TS Evangelist Posts: 2,168

    No. It wasn't. I've written some far longer posts before now on various boards - a long post by my definition has to be posted in two parts.

    In terms of the manner in which language can be incredibly dynamic, it appears that I hold to a different definition of "wanna-be" to yourself. "A wannabe (sometimes spelled wannabee) is a person who likes to imitate, or even wishes to be, another" - http://en.wikipedia.org/wiki/Wannabe

    Yes, I mistook SNGX for Stormbringer - not the first time I've done it, and won't be the last no doubt.

    Otherwise, I'm in agreement with what SNGX really did say - old post and I don't care for flame wars. I regret that I can't be made to feel any smaller than I already do for reasons medical, which quite honestly are nobody's business but my own. Of course, the one bright side of this is that I have no real feelings to hurt, and so if you wish to continue along the line you've chosen to follow here, feel free to do so in the knowledge that it's not actually getting you anywhere, nor is it in any way gaining you anything.

    It might be a suggestion that in future, if you are specifically asking for the opinion of one person, that you specifically state as much when you ask it.
     