Phatbot has been detected (HTTP_PhatBot_AgoBot)

About this signature or vulnerability

Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, RealSecure Desktop Protector 3.6, Proventia Server IPS for Linux technology, Proventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE Agent for Server, BlackICE PC Protection:

This signature detects a specially crafted HTTP POST request to one of a number of well-known domains in which the Content-Length header is greater than or equal to pam.http.phatbot.contentlength bytes (default 256,000).
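The following Python is an added illustration of the check the signature describes, not ISS code: it parses a raw HTTP request head and flags a POST to a watched domain whose Content-Length meets the tunable threshold. The page does not name the "well-known domains", so the `WATCHED_DOMAINS` list and the sample requests are constructed placeholders.

```python
# Added example: a simplified model of the HTTP_PhatBot_AgoBot signature logic.
# Mirrors the pam.http.phatbot.contentlength tunable (default 256,000 bytes).
DEFAULT_CONTENT_LENGTH_THRESHOLD = 256_000

# Placeholder set; the real signature's domain list is not given on this page.
WATCHED_DOMAINS = {"example.com", "example.net"}


def parse_request_head(raw: bytes):
    """Return (method, target, headers) from a raw request head, or None if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return method.upper(), target, headers


def host_matches(host: str, domains) -> bool:
    """True if the Host header is one of the watched domains or a subdomain of one."""
    host = host.split(":", 1)[0].lower().rstrip(".")  # drop :port and trailing dot
    return any(host == d or host.endswith("." + d) for d in domains)


def is_phatbot_post(raw: bytes, domains=WATCHED_DOMAINS,
                    threshold=DEFAULT_CONTENT_LENGTH_THRESHOLD) -> bool:
    """Apply the signature: POST + watched Host + Content-Length >= threshold."""
    parsed = parse_request_head(raw)
    if parsed is None:
        return False
    method, _target, headers = parsed
    if method != "POST" or not host_matches(headers.get("host", ""), domains):
        return False
    length = headers.get("content-length", "")
    if not length.isdigit():  # absent or non-numeric (e.g. chunked body): threshold cannot apply
        return False
    return int(length) >= threshold


# Constructed sample requests for a quick self-check.
SAMPLE_HIT = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 300000\r\n\r\n"
SAMPLE_SMALL = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 1024\r\n\r\n"
SAMPLE_GET = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_OTHER_HOST = b"POST /x HTTP/1.1\r\nHost: intranet.local\r\nContent-Length: 999999\r\n\r\n"
```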


Default risk level

High

Sensors that have this signature

Proventia Network MFS: XPU 1.11, Proventia-G 1.1 and earlier: XPU 22.13, Proventia Network IDS: XPU 22.13, RealSecure Desktop Protector 3.6: baseline, Proventia Server IPS for Linux technology: 1.0, Proventia Network IPS: 2.0, Proventia Desktop: 8.0.614.1, RealSecure Network: XPU 22.13, RealSecure Server Sensor: XPU 22.13, BlackICE Server Protection: 3.6.cpa, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE Agent for Server: 3.6eof, BlackICE PC Protection: 3.6cpa, RealSecure Desktop: baseline

Systems affected

Microsoft Windows 95, Microsoft Windows NT: 4.0, Microsoft Windows 98, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Microsoft Windows XP, Microsoft Windows 2003 Server

Type

Suspicious Activity

Vulnerability description

Phatbot has been detected. Phatbot, which is derived from Agobot, is a backdoor affecting Microsoft Windows operating systems. The backdoor uses a client/server relationship, where the server component is installed on the victim's system and the remote attacker controls the client. The server attempts to open a port, typically TCP port 4387, to allow the client system to connect. Phatbot could allow a remote attacker to gain unauthorized access to the system.

How to remove this vulnerability

If the system is designed to run an SSH server, then verify that the installation of OpenSSH has been configured according to your corporate security policy.

References

Phatbot Web site
Phatbot
http://phatbot.com/

LURHQ Threat Intelligence Group Web site
Phatbot Trojan Analysis
http://www.lurhq.com/phatbot.html

ISS X-Force
Phatbot has been detected
http://www.iss.net/security_center/static/15534.php