Phatbot has been detected (HTTP_PhatBot_AgoBot)

About this signature or vulnerability

RealSecure Desktop Protector 3.6, Proventia Network IPS, RealSecure Server Sensor, RealSecure Network, BlackICE Server Protection, BlackICE PC Protection, BlackICE Agent for Server, Proventia Network IDS, Proventia Desktop, Proventia-G 1.1 and earlier, IBM Security Server Protection for Windows, Proventia Network MFS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:

This signature detects a specially crafted POST to a number of well-known domains in which the Content-Length is greater than or equal to pam.http.phatbot.contentlength bytes (default 256,000).
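To make that condition concrete, the following is an added example (not code from ISS, IBM or the signature itself) that applies the same three-part test to raw HTTP request text: method POST, Host in a watched list, and Content-Length at or above the pam.http.phatbot.contentlength default of 256,000. The watched-domain list and the sample requests are constructed placeholders, since the signature's actual domain set is not given here.

```python
DEFAULT_CONTENT_LENGTH = 256_000  # pam.http.phatbot.contentlength default from the signature

# Constructed placeholder: the signature's actual "well known domains" list is not on the page.
WATCHED_DOMAINS = {"example.com", "example.net"}

def parse_request(raw: bytes):
    """Return (method, host, content_length) from an HTTP request head, or None if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        return None
    method, host, content_length = parts[0].upper(), None, None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            host = value.split(":")[0].lower()  # drop an explicit port, if any
        elif name == "content-length":
            if not value.isdigit():
                return None  # non-numeric length: malformed request
            content_length = int(value)
    return method, host, content_length

def host_is_watched(host: str, domains=WATCHED_DOMAINS) -> bool:
    """True if host equals a watched domain or is a subdomain of one (e.g. www.example.com)."""
    return any(host == d or host.endswith("." + d) for d in domains)

def matches_phatbot_signature(raw: bytes, threshold: int = DEFAULT_CONTENT_LENGTH,
                              domains=WATCHED_DOMAINS) -> bool:
    """The signature's condition: POST, watched Host, Content-Length >= threshold.
    This trusts the declared Content-Length; a sensor may instead count body bytes on the wire."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, host, length = parsed
    if method != "POST" or host is None or length is None:
        return False
    return host_is_watched(host, domains) and length >= threshold

# Constructed sample traffic: only the first request meets all three conditions.
SAMPLE_REQUESTS = [
    b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 300000\r\n\r\n",
    b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 1024\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST /upload HTTP/1.1\r\nHost: intranet.corp.invalid\r\nContent-Length: 300000\r\n\r\n",
]
def scan(requests, **kwargs):
    # One verdict per request; SAMPLE_REQUESTS gives [True, False, False, False]
    return [matches_phatbot_signature(r, **kwargs) for r in requests]
```

Lowering the threshold (for example `scan(SAMPLE_REQUESTS, threshold=1000)`) shows how the tunable trades missed detections for false positives on ordinary large uploads.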


Default risk level

High

Sensors that have this signature

RealSecure Desktop Protector 3.6: baseline
Proventia Network IPS: 2.0
RealSecure Desktop: baseline
RealSecure Server Sensor: XPU 22.13
RealSecure Network: XPU 22.13
BlackICE Server Protection: 3.6.cpa
BlackICE PC Protection: 3.6cpa
BlackICE Agent for Server: 3.6eof
Proventia Network IDS: XPU 22.13
Proventia Desktop: 8.0.614.1
Proventia-G 1.1 and earlier: XPU 22.13
IBM Security Server Protection for Windows: 2.1.14.2400
IBM Security Server Protection for Windows: 1.0.914.0
Proventia Network MFS: XPU 1.11
Virtual Server Protection for Vmware: 1.0
Proventia Server IPS for Linux technology: 1.0

Systems affected

Microsoft Windows 95, Microsoft Windows NT: 4.0, Microsoft Windows 98, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Microsoft Windows XP, Microsoft Windows 2003 Server

Type

Suspicious Activity

Vulnerability description

Phatbot has been detected. Phatbot, which is derived from Agobot, is a backdoor affecting Microsoft Windows operating systems. The backdoor uses a client/server relationship, where the server component is installed on the victim's system and the remote attacker controls the client. The server attempts to open a port, typically TCP port 4387, to allow the client system to connect. Phatbot could allow a remote attacker to gain unauthorized access to the system.

How to remove this vulnerability

If the system is designed to run an SSH server, then verify that the installation of OpenSSH has been configured according to your corporate security policy.

References

Phatbot Web site
Phatbot
http://phatbot.com/

LURHQ Threat Intelligence Group Web site
Phatbot Trojan Analysis
http://www.lurhq.com/phatbot.html

ISS X-Force
Phatbot has been detected
http://www.iss.net/security_center/static/15534.php