[ISN] Worm paves way for crippling DDoS attack

From: InfoSec News (isnat_private)
Date: Mon Mar 10 2003 - 01:49:24 PST

  • Next message: InfoSec News: "[ISN] RIAA's 'Hide The Website' game moves to Virginia"

    By Patrick Gray
    ZDNet Australia
    10 March 2003
    A new worm that leaves behind two Trojan horse programs has begun
    spreading over the Internet, and may be paving the way for a crippling
    distributed denial of service (DDoS) attack.
    Although the experts are not yet rating this worm as a high-risk to
    users, the technical make-up of the Trojans it leaves behind is of
    concern. They consist of a commonly used piece of network
    administration software called Virtual Network Computing (VNC), and an
    Internet Relay Chat (IRC) "bot".
    The VNC component allows an attacker to connect to an infected system
    and control it as if they were in front of it. They have full access
    through a graphical user interface.
    The IRC bot, when activated, connects to a remote server and waits for
    commands, which could mean that infected systems are going to be used
    for a massive DDoS attack.
    This worm, unlike others such as Klez, requires no user interaction to
    spread - it exploits common passwords, such as "password" and
    "computer", in share directories in Windows NT/2000/XP machines and
    hence spreads automatically.
    However because the virus attacks through weak share directory
    passwords, the effect on corporations has been minimal because share
    directories are typically firewalled.
    Daniel Zatz, a security spokesman from Computer Associates, says that
    they haven't received any reports of their customers being infected
    "Very little has been reported to the [anti-virus] vendors
    themselves... I haven't spoken to any customers that have been
    impacted yet," he said.
    Aside from potential DDoS implications, Zatz says that end users may
    be stung through identity theft - even a novice malicious hacker can
    access an infected system with ease.
    "This is one of the ways that identity theft occurs," he said.
    Despite this, Melbourne based security consultant Adam Pointon says
    that the worm is hitting home users hard.
    "It's been increasing threefold over the last few days," he said.
    The SANS Institute's Internet Storm Centre, a research group that
    monitors the Internet for attacks, have lifted their alert status from
    green to yellow.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Mar 10 2003 - 04:40:18 PST