[ISN] More Net Attacks Loom, CERT Says

From: InfoSec News (isnat_private)
Date: Tue Mar 18 2003 - 05:42:20 PST

  • Next message: InfoSec News: "[ISN] Ridge steps up homeland security"

    By Dennis Fisher
    March 17, 2003 
    The recent rash of Internet worms has produced an army of hundreds of
    thousands of compromised machines that could ultimately be used to
    launch a massive distributed-denial-of-service attack at any time,
    according to security officials.
    Officials at the CERT Coordination Center said the organization is
    monitoring at least five large networks of compromised machines
    installed with so-called bots. The bots connect compromised PCs or
    servers to Internet Relay Chat servers, which attackers commonly use
    to execute commands on the remote systems. At least one of these
    networks has more than 140,000 machines, officials said.
    "We have seen indications that these networks are being used [for
    attacks]," said Marty Lindner, team leader for incident handling at
    the CERT center at Carnegie Mellon University, in Pittsburgh. "The
    potential is there for them to cause serious long-term damage."
    Unfortunately, CERT officials said, there is little they can do about
    a potential attack, other than sound the warning and hope users
    identify and patch infected machines. Officials of the FBI's National
    Infrastructure Protection Center, in Washington, did not respond to
    calls seeking comment.
    CERT's dire warning is underscored by last week's emergence of the
    Deloder and Code Red.F worms. While neither worm does any immediate
    damage to infected machines, both install back doors that enable
    attackers to use compromised machines for future, much more damaging
    operations, such as DDoS attacks.
    At the heart of this new trend, according to security experts, are
    poor security practices. But more important is the mistaken belief by
    corporate IT that once crises such as those caused by Code Red or SQL
    Slammer die down, the trouble's over. In fact, after an initial flurry
    of advisories, warnings and patches, there are often months or years
    of sustained infections and residual DDoS attacks, Lindner said.
    For example, Code Red reached its peak in July 2001 when more than
    450,000 servers were infected and scanning for new targets. Since
    then, there are some 60,000 Code Red-infected machines scanning the
    Internet at any given time. Even a novice cracker would need only a
    tiny fraction of those machines to launch a devastating DDoS attack.
    "This not only shows you that these systems haven't been patched but
    that they're not running anything even remotely close to a current
    anti-virus product," Lindner said.
    Many older worms are still among the most active threats on the
    Internet, studies indicate. SQL Spida, Opaserv and Nimda are among the
    top five most active worms thus far for this month, according to
    statistics compiled by the WormCatcher network, a distributed group of
    machines that monitors worm activity and is run by Roger Thompson,
    technical director of malicious code research at TruSecure Corp., in
    Herndon, Va. Each of these worms is at least 6 months old, with Nimda
    first appearing in September 2001.
    "All of these worms have done a nice job of populating the world with
    PCs that are easily accessible for hackers to bounce things off of,"  
    said George Bakos, senior security expert at the Institute for
    Security Technology Studies at Dartmouth College, in Hanover, N.H. "In
    the past, you needed some skill to do this."
    In addition to making it easier for attackers to plan and execute
    their attacks, these worms have made it much more difficult for
    investigators and administrators to trace attacks to their sources,
    experts say.
    Contributing to the problem is the poor overall security posture of
    many corporations. Lovgate, which appeared several weeks ago, and
    Deloder both try to spread by exploiting weak or null passwords used
    to protect shared network drives and folders. Networks exhibiting this
    lack of security are just ripe for the taking, security experts say.
    "Traditionally, we've been looking at viruses and worms exploiting the
    application layer. But the biggest crevice you can crack is a weak
    user," said Mark Boroditsky, president and CEO of Passlogix Inc., a
    security software maker based in New York. "Behavior is a lot harder
    to patch than software."
    Also problematic are the many affected machines belonging to home
    users, few of whom do any logging of the activity on their PCs. As a
    result, attackers can easily hide their tracks by using these
    anonymous computers, according to the experts.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Mar 18 2003 - 08:17:17 PST