[Dshield] PhatBot

Joe Stewart jstewart at lurhq.com
Thu Mar 18 21:42:47 GMT 2004

On Thursday 18 March 2004 4:19 pm, Paul Marsh wrote:
> What's the word on the inside about this nasty thing?
> LURHQ's write-up is good http://www.lurhq.com/phatbot.html but it
> doesn't really give any pointers as to what we should be on the look
> out for.

It's not really that much worse than all the other Agobot variants out 
there. The article could use a little perspective - think about just 
how many DDoS/spam botnets there are in total compared to the numbers 
provided for Phatbot (which seem to be fairly accurate from reports 
I've received). There's no real cause for alarm from Phatbot other than 
the general alarm you should feel about the hundreds of thousands of 
compromised hosts in the collective hands of kiddies and spammers at 
any given time.
If you really want to watch for it you can use the Snort signatures I 
provided on the analysis to watch for the control and infection 
traffic. The infection sig will also catch Agobot variants.


Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
