jstewart at lurhq.com
Thu Mar 18 21:42:47 GMT 2004
On Thursday 18 March 2004 4:19 pm, Paul Marsh wrote:
> What's the word on the inside about this nasty thing?
> LURHQ's write up is good http://www.lurhq.com/phatbot.html but it
> doesn't really give any pointers as to what we should be on the look
> out for.
It's not really that much worse than all the other Agobot variants out
there. The article could use a little perspective - think about just
how many DDoS/spam botnets there are in total compared to the numbers
provided for Phatbot (which seem to be fairly accurate from reports
I've received). There's no real cause for alarm from Phatbot other than
the general alarm you should feel about the hundreds of thousands of
compromised hosts in the collective hands of kiddies and spammers at
any given time.

If you really want to watch for it you can use the Snort signatures I
provided on the analysis to watch for the control and infection
traffic. The infection sig will also catch Agobot variants.

Joe Stewart, GCIH
Senior Security Researcher