Security Incidents
mailing list archives
Re: Phatbox: Media Hype? Scare Tactics?
From: Joe Stewart <jstewart () lurhq com>
Date: Wed, 17 Mar 2004 13:28:20 -0500
On Wednesday 17 March 2004 12:08 pm, Dante Mercurio wrote:
> http://isc.incidents.org/diary.html?date=2004-03-11
> Reports about 5000 infections on the 11th.
> http://story.news.yahoo.com/news?tmpl=story&cid=1804&ncid=1804&e=3&u=/washpost/20040317/tc_washpost/a444_2004mar17
> Claims hundreds of thousands of systems are infected.
> Is this hype or is this really spreading? Smells like hype to me
> because SARC reports nothing described as Phatbox and turns up
> nothing in the Symantec virus/backdoor database.
Try searching for Phatbot with a "t".
I have heard reports that lead me to believe the current number of
infections may indeed be in the low hundreds of thousands. The question
I would pose is: are those hundreds of thousands of infected hosts
actually part of the botnet at any given time? The WASTE P2P protocol
the botnet uses is not built for large numbers of peers. I did connect
to some of the clients and examine the traffic passing through the node
and found about 1000 unique nicknames in about an hour or so. So, even
though total infections may be high, the actual number of bots
available to the owner at any one time is still in question in my mind.
My analysis of Phatbot is here: http://www.lurhq.com/phatbot.html
-Joe
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/