[ISN] Thousands 'trojaned' through net shares: CERT

From: InfoSec News (isnat_private)
Date: Thu Mar 13 2003 - 00:52:54 PST

  • Next message: InfoSec News: "[ISN] Anti-Terror Pioneer Turns In the Badge"

    By Patrick Gray
    ZDNet Australia
    12 March 2003
    CERT/CC, a US based group responsible for alerting the Internet
    community to security threats, has today warned that an increase in
    network share-based attacks may be paving the way for a distributed
    denial of service (DDoS) attack.
    "Using these [network share based] techniques, many attackers have
    built sizeable networks of DDoS agents, each comprised of thousands of
    compromised systems," the advisory said.
    The attacks have consisted of both manual and self-propagating worm
    style assaults. One worm to have used the technique is Deloder, which
    first began spreading over the weekend.
    Although it barely popped up on the corporate radar as a direct
    threat, its success in compromising home user systems has been
    widespread. The worm uses poorly protected Windows network shares to
    compromise the targeted system, and then installs two Trojans.
    It's the IRC "bot" Trojan that should be of serious concern to the
    online community, according to Matthew McGlashan, a security analyst
    with the University of Queensland's AusCERT security organisation.
    An Internet Relay Chat (IRC) bot automatically connects back to an IRC
    chat channel and awaits commands from whoever created the worm.
    "This is a total turn-around, [malicious hackers are] bringing the
    worms to them...the bot nets is where the action is at the moment,"  
    McGlashan said.
    The author of the Deloder worm may have access to thousands upon
    thousands of DDoS "zombies" on the Internet waiting for the command to
    strike out at a target of choice. But McGlashen believes there would
    undoubtedly be turf wars over control of the slave systems, with rival
    malicious hacking groups trying to wrestle control of the networks
    from each other.
    Although the exploitation of weak network shares is nothing new, the
    practice has in the past primarily targeted Windows 95/98/ME machines.  
    The most recent attacks are taking aim at Windows NT/2000/XP machines,
    which according to CERT has "...resulted in the successful compromise
    of thousands of systems, with home broadband users' systems being a
    prime target". A plethora of these are becoming infected and
    pre-loaded with DDoS tools, they say.
    McGlashan said that malicious hackers building networks of DDoS agents
    have become much better at taking aim on 'soft' targets, such as home
    users, because network shares are invariably firewalled at corporate
    network boundaries.
    According to the CERT advisory, the "...problem is exacerbated by...  
    intruders specifically targeting Internet address ranges known to
    contain a high density of weakly protected systems".
    McGlashan said that although those infecting hosts with IRC bots are
    doing so with fairly new techniques, the number of hosts loaded up
    with them is on the rise.
    "They haven't been able to distribute them this efficiently before,"  
    he said.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Mar 13 2003 - 03:18:14 PST