http://www.zdnet.com.au/newstech/security/story/0,2000024985,20272806,00.htm By Patrick Gray ZDNet Australia 12 March 2003 CERT/CC, a US based group responsible for alerting the Internet community to security threats, has today warned that an increase in network share-based attacks may be paving the way for a distributed denial of service (DDoS) attack. "Using these [network share based] techniques, many attackers have built sizeable networks of DDoS agents, each comprised of thousands of compromised systems," the advisory said. The attacks have consisted of both manual and self-propagating worm style assaults. One worm to have used the technique is Deloder, which first began spreading over the weekend. Although it barely popped up on the corporate radar as a direct threat, its success in compromising home user systems has been widespread. The worm uses poorly protected Windows network shares to compromise the targeted system, and then installs two Trojans. It's the IRC "bot" Trojan that should be of serious concern to the online community, according to Matthew McGlashan, a security analyst with the University of Queensland's AusCERT security organisation. An Internet Relay Chat (IRC) bot automatically connects back to an IRC chat channel and awaits commands from whoever created the worm. "This is a total turn-around, [malicious hackers are] bringing the worms to them...the bot nets is where the action is at the moment," McGlashan said. The author of the Deloder worm may have access to thousands upon thousands of DDoS "zombies" on the Internet waiting for the command to strike out at a target of choice. But McGlashen believes there would undoubtedly be turf wars over control of the slave systems, with rival malicious hacking groups trying to wrestle control of the networks from each other. Although the exploitation of weak network shares is nothing new, the practice has in the past primarily targeted Windows 95/98/ME machines. The most recent attacks are taking aim at Windows NT/2000/XP machines, which according to CERT has "...resulted in the successful compromise of thousands of systems, with home broadband users' systems being a prime target". A plethora of these are becoming infected and pre-loaded with DDoS tools, they say. McGlashan said that malicious hackers building networks of DDoS agents have become much better at taking aim on 'soft' targets, such as home users, because network shares are invariably firewalled at corporate network boundaries. According to the CERT advisory, the "...problem is exacerbated by... intruders specifically targeting Internet address ranges known to contain a high density of weakly protected systems". McGlashan said that although those infecting hosts with IRC bots are doing so with fairly new techniques, the number of hosts loaded up with them is on the rise. "They haven't been able to distribute them this efficiently before," he said. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Mar 13 2003 - 03:18:14 PST