Phatbot and the modular-bot trajectory

Phatbot — also known as Agobot, and under a range of variant-specific names — is currently the most visible IRC-controlled bot family. The source has been semi-public for some time; new variants appear weekly; the architecture is sufficiently mature that it deserves a structural treatment.

This is going to be a longer post than my recent operational notes. The category — modular bot family with public source — is structurally important enough to write up properly.

What Phatbot is

Phatbot is a Windows malware family that:

  • Compromises hosts via multiple exploitation paths (network exploits for unpatched Windows services, weak SMB credentials, file-share exploitation).
  • Connects compromised hosts to IRC servers as bots.
  • Receives commands from the IRC channel.
  • Executes specific operations on demand.

The architecture is modular. The core bot has a small footprint; specific functionality is loaded as needed. Plugins exist for:

  • DDoS attacks (multiple flood types).
  • Spam-relay operation.
  • Credential harvesting (browser cookies, cached passwords).
  • Self-propagation to additional hosts.
  • Self-update from external URLs.
  • Information gathering about the compromised host.

The plugin model means that operators can deploy tailored functionality to specific bots without recompiling the entire bot.

Why this matters

Three structural properties.

The source is public. Several variants of the Phatbot/Agobot source have been leaked or distributed. New authors can take the source, modify it slightly, and produce a "new" variant. The barrier to producing new bot families is now substantially lower than it was a year ago.

The operational tempo is established. New variants appear weekly. Each variant typically has small modifications — different IRC server, slightly different file paths, slightly different exploitation paths. The cumulative effect is that signature-based detection cannot keep up.

The economic infrastructure is mature. Compromised hosts can be rented or sold to operators who want to use them — for spam, for DDoS, for any purpose. The bot infrastructure is the substrate; the rental market is the value capture.

The combination produces a category that is structurally durable. The defensive responses against any specific variant are bounded; the defensive responses against the category require structural changes.

What is in the variants

A rough taxonomy of recent Phatbot/Agobot variants:

The IRC-server pool varies. Different operators run different IRC servers; specific variants connect to specific servers. The cumulative set of bot-control servers is large enough that takedown of any individual server is not a structural defeat.

The exploitation paths shift. Earlier variants targeted Windows DCOM/RPC. Later variants added LSASS exploitation. Newer ones include weak-SMB-password brute-force. The exploitation surface keeps expanding.

The plugins evolve. Earlier variants had limited plugins; current variants have substantial plugin libraries. The cumulative capability per bot is growing.

The persistence techniques harden. Earlier variants used simple registry persistence; current variants use multiple persistence paths and self-protection against removal.

The trajectory across the variants is clear: better exploitation, better persistence, more capability per bot.

Defensive implications

For network operators:

Outbound IRC blocking at perimeters where IRC is not legitimate business. Most enterprise networks have no legitimate IRC use; blocking outbound IRC ports (default 6667 plus common alternatives) disrupts the bot-controller channel for any internal compromise.

Signature deployment for known bot variants. The signatures lag the variants but still catch a meaningful fraction.

Anomalous-behaviour detection for compromised hosts. A workstation that suddenly starts speaking to many external IPs on uncommon ports is a strong signal; the detection is straightforward; the response is investigation.

Patch management for the standard exploitation paths. DCOM, NetBIOS, the older Windows RPC paths — the patches exist; the operators who apply them quickly are not added to the bot population.
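The two network-side signals above (any outbound connection to an IRC port, and a workstation fanning out to many external addresses on uncommon ports) can be checked directly against flow records. The script below is an added example written for this post, not code from any bot or from my own tooling; the internal address range, the threshold, the set of IRC alternate ports, the list of "expected" ports and the flow records themselves are all assumed or constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed port sets (not from the post): 6667 plus the usual IRC alternates,
# and a short list of ports a normal workstation is expected to reach.
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 7000}
EXPECTED_PORTS = {25, 53, 80, 110, 143, 443}
INTERNAL = ip_network("10.0.0.0/8")      # assumed internal address range
FANOUT_THRESHOLD = 20                    # distinct external peers on uncommon ports

# Constructed flow records, "src dst dport" per line: one workstation that
# connects to an IRC server and then sweeps thirty external hosts on 445,
# and one that only does ordinary web/mail traffic.
SAMPLE_FLOWS = "\n".join(
    ["10.0.0.5 198.51.100.7 6667"]
    + [f"10.0.0.5 203.0.113.{i} 445" for i in range(1, 31)]
    + ["10.0.0.9 192.0.2.10 80", "10.0.0.9 192.0.2.11 443", "10.0.0.9 192.0.2.12 25"]
)

def parse_flows(text):
    """Parse 'src dst dport' lines; skip blank or malformed records."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        flows.append((ip_address(parts[0]), ip_address(parts[1]), int(parts[2])))
    return flows

def detect(flows, internal=INTERNAL, threshold=FANOUT_THRESHOLD):
    """Return internal hosts that reached an IRC port, and hosts that fanned out."""
    irc_hosts = set()
    peers = defaultdict(set)
    for src, dst, port in flows:
        if src not in internal or dst in internal:
            continue                     # only internal -> external flows matter
        if port in IRC_PORTS:
            irc_hosts.add(str(src))
        elif port not in EXPECTED_PORTS:
            peers[src].add(dst)          # count distinct peers on uncommon ports
    fanout = {str(h) for h, d in peers.items() if len(d) >= threshold}
    return {"irc": sorted(irc_hosts), "fanout": sorted(fanout)}

if __name__ == "__main__":
    print(detect(parse_flows(SAMPLE_FLOWS)))
```

Both hits land on the same host here, which is the pattern the honeypot captures show: the IRC connection comes first, the scanning follows; in practice the IRC hit alone is enough to open an investigation.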

For end users:

Standard malware defences. Antivirus, current patches, care with attachments. The advice is unchanged from previous categories; the hosts that follow it are not added to the substrate.

What I am observing on my own infrastructure

The honeypot range is seeing substantial Phatbot-class activity. Specific patterns:

  • Targeted scanning for Windows hosts with unpatched LSASS.
  • Brute-force attempts against weak SMB credentials.
  • Scanning for hosts with the MyDoom backdoor still open.

The compromise attempts that succeed against my emulated hosts proceed predictably: install the bot, attempt outbound connection to a hardcoded IRC server, attempt to download additional plugins, attempt to scan for additional targets. My outbound filtering disrupts the workflow; the captures show the intended sequence.

For my structured-log analysis: the volume of bot-related noise in the captures has grown substantially since the start of the year.

What this trajectory points to

Three predictions:

Continued bot-variant proliferation. 95%. The category is established; the source is public; new variants will appear weekly through the rest of 2004.

A specific high-profile bot-related incident. 70%. Some specific commercial entity will be visibly affected by a bot-driven DDoS or credential-theft incident this year; the public visibility will follow.

Continued maturation of the underground rental market. 85%. The economic infrastructure that lets operators monetise compromised hosts will continue to mature.

For my own writing: more on this category as the trajectory develops. The cumulative archive of bot-related writing will be useful reference for future incidents.

More in time.
