[ISN] Shadow Group Sees Patterns with Network Hackers

From: mea culpa (jerichot_private)
Date: Mon Oct 26 1998 - 15:01:56 PST

    Forwarded From: hackerelitet_private
    
    From: http://www.andovernews.com/cgi-bin/news_story.pl?90350
    
    Shadow Group Sees Patterns With Network Hackers
    
    WASHINGTON, D.C., U.S.A., 1998 OCT 23 (Newsbytes) -- Shawn P McCarthy,
    Government Computer News. Most people picture a network hacker as a
    furtive, isolated operator who breaks in, looks around and gets out fast,
    perhaps doing some damage along the way. 
    
    But recent break-ins at unclassified Defense Department networks have
    altered that image. Some hackers have been moving at snail-like speeds,
    sending just a few packets per hour so they don't trip sensors set to pick
    up unusual traffic patterns. 
    
    To make up for the slowness, several hackers may band together in teams,
    channeling information through multiple IP addresses. 
    
    That's the discovery made recently by the Shadow group, an anti-hacker
    coalition made up of members from several Defense sites, civilian agencies
    and industry. 
    
    Shadow, which works closely on network security issues with the SANS
    Institute Inc. of Bethesda, Md., at http://www.sans.org/, publicizes what
    it has learned about hacker penetration of government and private networks
    and analyzes break-in attempts. 
    
    Steven Northcutt, director of the Shadow project at the Naval Surface
    Warfare Center in Dahlgren, Va., said Shadow members have identified five
    patterns: 
    
    1. Attacks from up to five different sources that all contain the same
    signature, or mode of attack; 
    
    2. Simultaneous reset scans that help a hacker tell where machines are
    located on a network; 
    
    3. Probes against a firewall at a very low rate from several addresses,
    revealed only by TCP flags and malformed packets; 
    
    4. Scans that search specifically for domain name servers, often via
    identical scans coming from different addresses; such probes generally
    arrive from Internet service providers, indicating that hackers were
    hiding elsewhere and using the provider as a springboard for the attack;
    and
    
    5. Coordinated exploits in which hackers search for copies of Back Orifice
    that may have made their way into a system. 
    
    A hacker group known as the Cult of the Dead Cow came up with Back
    Orifice, a play on the name of Microsoft Corp.'s BackOffice transactional
    suite. 
    
    Back Orifice is relatively small at 120K and can be disseminated as an
    e-mail attachment or embedded in a downloaded file. Once launched, Back
    Orifice literally opens a back door that gives hackers partial control of
    the computer. 
    
    These new types of probes mark a watershed in the way hackers operate,
    said Northcutt and Shadow analyst Tim Aldrich. 
    
    The DOD analysts previously believed single attackers were targeting
    multiple sites. Now they see multiple attackers working together to target
    either single or multiple sites. 
    
    Are they sure this isn't still a bunch of lone attackers working from
    multiple IP addresses? No. But Northcutt and Aldrich believe multiple
    hackers must be involved because of the variety of machines used and other
    subtle differences. 
    
    What this means is that government networks aren't necessarily safe even
    if they have intrusion detection software in place.  Most current software
    isn't designed to look for such subtle traffic patterns. 
    
    For details about the coordinated attacks, visit
    http://www.nswc.navy.mil/ISSEC/CID/ .  Look for the narrative about a
    coordinated attack against Langley Air Force Base, Va.  You can also
    download Unix Shadow software that probes system logs to look for the
    patterns. 
    
    If you dare to download and experiment with Back Orifice, find a copy at
    http://www.schippers.net/welcome.html , along with a cleaner that
    supposedly removes it from a system. 
    
    
    -o-
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
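The five patterns listed in the article, and its closing point that sensors built around per-source thresholds miss slow multi-source probes, as an added illustration that is not part of the original post or of the Shadow software: a detector that correlates probes sharing one signature (destination, port, TCP flags) across sources over a day-long window, beside the conventional per-source check. The record layout, the threshold values and the sample records are constructed assumptions.

```python
from collections import defaultdict

# Constructed sensor records, not real Shadow data: (time_s, src, dst, dst_port, flags)
RECORDS = []
# Pattern 4 from the article: identical SYN probes of a name server from four
# addresses, each sending only a few packets spread over most of a day.
for i, src in enumerate(["10.0.1.5", "10.0.2.7", "10.0.3.9", "10.0.4.2"]):
    for k in range(6):
        RECORDS.append((i * 900 + k * 14400, src, "192.0.2.53", 53, "S"))
# A fast single-source scan: the case a conventional per-source sensor is built for.
for k in range(30):
    RECORDS.append((50000 + k * 10, "10.0.9.1", "192.0.2.80", 80, "S"))
# Ordinary web clients opening a couple of connections each (should stay quiet).
for k in range(5):
    RECORDS.append((60000 + k * 7, f"10.0.5.{k}", "192.0.2.80", 80, "S"))
    RECORDS.append((60300 + k * 7, f"10.0.5.{k}", "192.0.2.80", 80, "S"))

def per_source_alerts(records, max_pkts=20, window_s=600):
    """Conventional threshold: one source sending more than max_pkts packets
    inside any window_s-second window. Returns the offending source addresses."""
    by_src = defaultdict(list)
    for t, src, *_ in records:
        by_src[src].append(t)
    alerts = set()
    for src, ts in by_src.items():
        ts.sort()
        for i in range(len(ts) - max_pkts):
            if ts[i + max_pkts] - ts[i] < window_s:
                alerts.add(src)
                break
    return alerts

def coordinated_alerts(records, window_s=86400, min_sources=3, min_pkts=3, max_rate=2.0):
    """Shadow-style correlation: the same signature seen from several sources
    inside one long window, each source too slow (packets per hour) to trip the
    per-source threshold. Returns (signature, sorted source list) pairs."""
    by_sig = defaultdict(lambda: defaultdict(list))
    for t, src, dst, port, flags in records:
        by_sig[(dst, port, flags)][src].append(t)
    alerts = []
    for sig, per_src in by_sig.items():
        all_t = [t for ts in per_src.values() for t in ts]
        if max(all_t) - min(all_t) > window_s:
            continue  # beyond the window; a real sensor would bucket by window instead
        slow = []
        for src, ts in per_src.items():
            hours = max((max(ts) - min(ts)) / 3600, 1.0)  # rate over the source's own span
            if len(ts) >= min_pkts and len(ts) / hours <= max_rate:
                slow.append(src)
        if len(slow) >= min_sources:
            alerts.append((sig, sorted(slow)))
    return alerts
```

Run against the constructed records, the per-source check reports only the noisy scanner, while the correlation reports the four slow sources probing the name server and stays silent on the ordinary web clients.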
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:08:51 PDT