[ISN] Hackers Embrace P2P Concept

From: InfoSec News (isn@private)
Date: Thu Mar 18 2004 - 00:31:00 PST


    Forwarded from: William Knowles <wk@private>
    
    http://www.washingtonpost.com/wp-dyn/articles/A444-2004Mar17.html
    
    By Brian Krebs
    washingtonpost.com Staff Writer
    March 17, 2004
    
    Computer security experts in the private sector and U.S. government 
    are monitoring the emergence of a new, highly sophisticated hacker 
    tool that uses the same peer-to-peer (P2P) networking abilities that 
    power controversial file-sharing networks like Kazaa and BearShare.
    
    By some estimates, hundreds of thousands of computers running 
    Microsoft's Windows operating system have already been infected 
    worldwide. The tool, a program that security researchers have dubbed 
    "Phatbot," allows its authors to gain control over computers and link 
    them into P2P networks that can be used to send large amounts of spam 
    e-mail messages or to flood Web sites with data in an attempt to knock 
    them offline. 
    
    The new hacker threat caught the attention of cyber-security officials 
    at the U.S. Department of Homeland Security, prompting the agency to 
    send an alert last week to a select group of computer security 
    experts. In the alert, the agency warned that Phatbot snoops for 
    passwords on infected computers and tries to disable firewall and 
    antivirus software.
    
    A copy of the DHS alert was made available to washingtonpost.com by 
    two sources at different companies who asked that their identities not 
    be used because they did not want to risk losing access to future 
    government alerts. Officials at the department and US-CERT -- a 
    government-funded cyber-security monitoring agency -- confirmed that 
    the message was genuine.
    
    Phatbot is "a virtual Swiss Army knife of attack software," said 
    Vincent Weafer, senior director of security response at Cupertino, 
    Calif.-based Symantec Corp.
    
    Joe Stewart, a researcher at the Chicago-based security firm Lurhq, 
    has catalogued Phatbot's many capabilities in an online posting. Those 
    capabilities include: the "ability to polymorph on install in an 
    attempt to evade antivirus signatures as it spreads from system to 
    system"; "steal AOL account logins and passwords"; "harvest emails 
    from the web for spam purposes" and "sniff [Internet] network traffic 
    for Paypal cookies."
    
    Phatbot is a kind of "Trojan horse," a type of program named after the 
    legendary stealth attack because it lets hackers take quiet control of 
    unsecured computers. Security firms have catalogued hundreds if not 
    thousands of Trojan horse programs in recent years, but Phatbot has 
    raised substantial concern because it represents a leap forward in 
    sophistication and is proving much harder for law enforcement 
    authorities and antivirus companies to eliminate.
    
    Like traditional Trojan horse programs, Phatbot infects a computer 
    through one of several routes, such as through security flaws in 
    Microsoft's Windows operating system or through "backdoors" installed 
    on machines by the recent "Mydoom" and "Bagle" Internet worms. 
    
    But because Phatbot links infected computers into a larger network, 
    hackers can issue orders to the infected machines through many routes, 
    and cyber-security officials can only effectively shut down a Phatbot 
    attack if they track down every infected computer.
    
    "The concern here is that the peer-to-peer like characteristics of 
    these 'bot networks may make them more resilient and more difficult to 
    shut down," said a cyber-security official at the Department of 
    Homeland Security who asked not to be identified because the agency is 
    still considering whether to issue a more public alert about Phatbot.
    
    "With these P2P Trojan networks, even if you take down half of the 
    affected machines, the rest of the network continues to work just 
    fine," said Mikko Hypponen, director of F-Secure, an antivirus 
    software company based in Finland.
    
    Most major antivirus products detect Phatbot, but as soon as the 
    Trojan infects computers it disables many antivirus and firewall 
    software tools. 
    
    Roger Lawson, director of computing and information technology at the 
    University of Vermont in Burlington, said he quarantined more than 200 
    computers -- more than 5 percent of the machines on the school's 
    network -- because of Phatbot infestations. None of the school's 
    antivirus programs detected the Trojan, and attempts to delete it 
    caused Phatbot to recreate and restart itself, he said.
    
    Phatbot's ability to disable computer security software means that the 
    estimated number of infected computers could rise to as high as 
    "several hundred thousand," said F-Secure's Hypponen.
    
    A few computer experts said the rate of infection is much higher. 
    
    Igor Ybema, a network administrator at the University of Twente in 
    Enschede in The Netherlands, put the number between 1 million and 2 
    million computers. His conclusion was based on a Phatbot command that 
    forces infected computers to test their Internet connection speed by 
    sending a file to one of 22 specifically selected Web servers around 
    the world -- one of them at Twente.
    
    He said Twente began monitoring traffic from computers running the 
    tests in mid-February, about the time that rival hacker gangs began an 
    online turf war that resulted in a volley of new worms like Bagle and 
    "Netsky." By early last week, Ybema said he was tracking an average of 
    200,000 to 300,000 Internet addresses running the speed test every 
    day. Ybema believes such traffic indicates that attackers who have 
    previously relied on less advanced remote-access Trojans are now using 
    Phatbot.
    
    The majority of the infections appeared to come from home user 
    broadband connections and from colleges and universities in the United 
    States and the Asia-Pacific region, he said.
    
    Earlier this month, computer network engineers at University of 
    California, Santa Cruz monitored the same type of speed testing 
    traffic as Twente's Ybema observed. Mark Boolootian, the network 
    engineer who discovered the activity, said one reason infected 
    computers may be conducting the speed tests is to give Phatbot authors 
    an idea of which infected computers would be the fastest in sending 
    out large amounts of spam or data aimed at overwhelming a major Web 
    site.
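    The counting method Twente and UC Santa Cruz describe above (distinct 
    source addresses posting the speed-test file each day) can be 
    reproduced against a web server's own access log. The following is an 
    added example, not code from the article or from either university; 
    the log lines are constructed, and the upload path "/speedtest/upload" 
    is a hypothetical placeholder for whatever endpoint the bots actually 
    hit.

```python
import re
from collections import defaultdict

# Constructed sample of Common-Log-Format lines; the path "/speedtest/"
# is a hypothetical placeholder for the endpoint the bots posted to.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2004:01:02:03 +0100] "POST /speedtest/upload HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2004:05:02:03 +0100] "POST /speedtest/upload HTTP/1.1" 200 512
192.0.2.7 - - [10/Mar/2004:06:00:00 +0100] "POST /speedtest/upload HTTP/1.1" 200 512
198.51.100.9 - - [10/Mar/2004:06:10:00 +0100] "GET /index.html HTTP/1.1" 200 1024
203.0.113.4 - - [11/Mar/2004:00:00:01 +0100] "POST /speedtest/upload HTTP/1.1" 200 512
10.0.0.5 - - [11/Mar/2004:12:00:01 +0100] "POST /speedtest/upload HTTP/1.1" 200 512
"""

# client ip, day (dd/Mon/yyyy), method, path, status, response size
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]*\] "(\w+) (\S+) [^"]*" (\d{3}) (\d+)'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, day, method, path, status, size = m.groups()
    return {"ip": ip, "day": day, "method": method, "path": path,
            "status": int(status), "size": int(size)}

def speedtest_sources_per_day(log_text, path_prefix="/speedtest/"):
    """Map each day to the sorted set of client IPs that uploaded a test file."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(path_prefix):
            continue
        per_day[rec["day"]].add(rec["ip"])  # one address counts once per day
    return {day: sorted(ips) for day, ips in per_day.items()}

def daily_counts(log_text, path_prefix="/speedtest/"):
    """Distinct uploading addresses per day: the figure Twente reported."""
    return {d: len(ips) for d, ips in speedtest_sources_per_day(log_text, path_prefix).items()}

def repeat_sources(log_text, path_prefix="/speedtest/"):
    """Addresses seen on two or more days: candidates for quarantine."""
    days_seen = defaultdict(int)
    for ips in speedtest_sources_per_day(log_text, path_prefix).values():
        for ip in ips:
            days_seen[ip] += 1
    return sorted(ip for ip, n in days_seen.items() if n >= 2)
```

    Ordinary GET traffic and repeat uploads from one address are excluded 
    from the count, so the daily figure is distinct hosts, not requests.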
    
    Security experts are divided on whether a full-force Phatbot attack 
    will result in ruin or simply a ruinous headache.
    
    "If there are indeed hundreds of thousands of computers infected with 
    Phatbot, U.S. e-commerce is in serious threat of being massively 
    attacked by whoever owns these networks," said Russ Cooper, a chief 
    scientist at Herndon, Va.-based TruSecure Corp.
    
    Several incidents in recent years show how hackers have used multiple 
    ensnared computers to cause damage. In February 
    2000, a Canadian juvenile commandeered high-speed computers at 
    University of California, Santa Barbara to knock Amazon, eBay, 
    CNN.com, and a host of other Web sites off-line for hours. In October 
    2002, hackers used an army of commandeered computers to assault the 13 
    root servers that serve as the roadmap for Internet traffic.
    
    But Lurhq's Stewart said his analysis of Phatbot indicates that the 
    Trojan is designed to link computers into groups no larger than 50 
    computers, which would significantly limit the Trojan's effectiveness 
    as a denial-of-service tool.
    
    As a result, he said, Phatbot-infected PCs will more likely be used as 
    highly effective spamming machines.
    
    washingtonpost.com Staff Writer David McGuire contributed to this 
    article. 
    
    
     
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ----------------------------------------------------------------
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ================================================================
    Help C4I.org with a donation: http://www.c4i.org/contribute.html
    *==============================================================*
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Mar 18 2004 - 03:34:15 PST