Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, BlackICE Agent for Server, RealSecure Network, RealSecure Server Sensor, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection, BlackICE PC Protection:
This signature detects a specially crafted HTTP POST to one of a number of well-known domains in which the Content-Length header value is greater than or equal to the value of the pam.http.phatbot.contentlength tuning parameter (default 256,000 bytes).
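The following is an added example of the detection logic the signature text describes, written for this page; it is not ISS/X-Force sensor code. Only the threshold semantics (declared Content-Length greater than or equal to pam.http.phatbot.contentlength, default 256,000) come from the signature text. The list of "well known domains" is not given on the page, so the hosts below are placeholders, and the HTTP head parsing and subdomain matching are this example's own assumptions. The sample requests are constructed for the example.

```python
"""Heuristic for the Phatbot large-POST signature: POST to a watched domain
whose declared Content-Length is >= a tuning threshold.

Added example, not ISS/X-Force code. The domain list, the header parsing and
the subdomain matching are assumptions made here; only the threshold check
(Content-Length >= pam.http.phatbot.contentlength, default 256,000) comes
from the signature text.
"""
from __future__ import annotations

# Default value of the tuning parameter named in the signature text.
PAM_HTTP_PHATBOT_CONTENTLENGTH = 256_000

# Assumption: the page does not list the "well known domains"; these are
# placeholder hosts used only so the example runs.
WELL_KNOWN_DOMAINS = frozenset({"www.example.com", "example.net"})


def parse_request_head(raw: bytes) -> tuple[str, str, dict[str, str]] | None:
    """Parse an HTTP/1.x request head into (method, target, headers).

    Returns None on a malformed head. Header names are lower-cased. When a
    header is repeated the first value wins, so a second, smaller
    Content-Length cannot hide the size declared by the first one.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    method, target, _version = (p.decode("ascii", "replace") for p in parts)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            return None
        key = name.strip().decode("ascii", "replace").lower()
        headers.setdefault(key, value.strip().decode("ascii", "replace"))
    return method.upper(), target, headers


def host_matches(host: str, domains: frozenset[str]) -> bool:
    """True if host (optionally with :port) is one of domains or a subdomain."""
    name = host.lower()
    if name.startswith("["):  # IPv6 literal: cannot match a domain name
        return False
    if ":" in name:
        name = name.rsplit(":", 1)[0]
    name = name.rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def phatbot_post_suspected(
    raw: bytes,
    threshold: int = PAM_HTTP_PHATBOT_CONTENTLENGTH,
    domains: frozenset[str] = WELL_KNOWN_DOMAINS,
) -> bool:
    """Apply the signature's conditions: POST, watched Host, large Content-Length."""
    parsed = parse_request_head(raw)
    if parsed is None:
        return False
    method, _target, headers = parsed
    if method != "POST":
        return False
    if not host_matches(headers.get("host", ""), domains):
        return False
    try:
        length = int(headers["content-length"])
    except (KeyError, ValueError):
        return False  # no usable declared length: this check cannot fire
    return length >= threshold


# Constructed sample request heads (not captured traffic).
SAMPLE_REQUESTS = {
    "large_post": b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 300000\r\n\r\n",
    "small_post": b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 512\r\n\r\n",
    "large_post_other_host": b"POST /x HTTP/1.1\r\nHost: intranet.corp\r\nContent-Length: 300000\r\n\r\n",
    "large_get": b"GET /x HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 300000\r\n\r\n",
    "chunked_post": b"POST /x HTTP/1.1\r\nHost: www.example.com\r\nTransfer-Encoding: chunked\r\n\r\n",
}


def scan(samples: dict[str, bytes] = SAMPLE_REQUESTS) -> dict[str, bool]:
    """Run the heuristic over every sample and report which ones fire."""
    return {name: phatbot_post_suspected(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, fired in scan().items():
        print(f"{name:24s} {'ALERT' if fired else 'ok'}")
```

Note that the check keys on the declared Content-Length, as the signature text states, not on bytes actually observed on the wire: a POST that uses chunked transfer encoding and omits Content-Length (the chunked_post sample) does not trigger it, so a sensor relying on this check alone has a simple evasion. Lowering pam.http.phatbot.contentlength catches smaller uploads at the cost of more false positives from legitimate large POSTs to the same domains.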
High
Proventia-G 1.1 and earlier: XPU 22.13, Proventia Network MFS: XPU 1.11, Proventia Desktop: 8.0.614.1, Proventia Network IPS: 2.0, Proventia Server IPS for Linux technology: 1.0, BlackICE Agent for Server: 3.6eof, RealSecure Network: XPU 22.13, RealSecure Server Sensor: XPU 22.13, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE Server Protection: 3.6.cpa, BlackICE PC Protection: 3.6cpa
Microsoft Windows 2003 Server, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Microsoft Windows XP, Microsoft Windows 98, Microsoft Windows NT: 4.0, Microsoft Windows 95
Suspicious Activity
Phatbot has been detected. Phatbot, which is derived from Agobot, is a backdoor that affects Microsoft Windows operating systems. It uses a client/server model: the server component is installed on the victim's system, and the remote attacker controls the client. The server attempts to open a listening port, typically TCP port 4387, so that the attacker's client can connect. Phatbot could allow a remote attacker to gain unauthorized access to the system.
If the system is designed to run an SSH server, then verify that the installation of OpenSSH has been configured according to your corporate security policy.
Phatbot Web site
Phatbot
http://phatbot.com/
LURHQ Threat Intelligence Group Web site
Phatbot Trojan Analysis
http://www.lurhq.com/phatbot.html
ISS X-Force
Phatbot has been detected
http://www.iss.net/security_center/static/15534.php