Thousands 'trojaned' through net shares: CERT

[InfoSec News <isn () c4i org>]

http://www.zdnet.com.au/newstech/security/story/0,2000024985,20272806,00.htm

By Patrick Gray
ZDNet Australia
12 March 2003

CERT/CC, a US based group responsible for alerting the Internet
community to security threats, has today warned that an increase in
network share-based attacks may be paving the way for a distributed
denial of service (DDoS) attack.

"Using these [network share based] techniques, many attackers have
built sizeable networks of DDoS agents, each comprised of thousands of
compromised systems," the advisory said.

The attacks have consisted of both manual and self-propagating worm
style assaults. One worm to have used the technique is Deloder, which
first began spreading over the weekend.

Although it barely popped up on the corporate radar as a direct
threat, its success in compromising home user systems has been
widespread. The worm uses poorly protected Windows network shares to
compromise the targeted system, and then installs two Trojans.

It's the IRC "bot" Trojan that should be of serious concern to the
online community, according to Matthew McGlashan, a security analyst
with the University of Queensland's AusCERT security organisation.

An Internet Relay Chat (IRC) bot automatically connects back to an IRC
chat channel and awaits commands from whoever created the worm.

"This is a total turn-around, [malicious hackers are] bringing the
worms to them...the bot nets is where the action is at the moment,"  
McGlashan said.

The author of the Deloder worm may have access to thousands upon
thousands of DDoS "zombies" on the Internet waiting for the command to
strike out at a target of choice. But McGlashen believes there would
undoubtedly be turf wars over control of the slave systems, with rival
malicious hacking groups trying to wrestle control of the networks
from each other.

Although the exploitation of weak network shares is nothing new, the
practice has in the past primarily targeted Windows 95/98/ME machines.  
The most recent attacks are taking aim at Windows NT/2000/XP machines,
which according to CERT has "...resulted in the successful compromise
of thousands of systems, with home broadband users' systems being a
prime target". A plethora of these are becoming infected and
pre-loaded with DDoS tools, they say.

McGlashan said that malicious hackers building networks of DDoS agents
have become much better at taking aim on 'soft' targets, such as home
users, because network shares are invariably firewalled at corporate
network boundaries.

According to the CERT advisory, the "...problem is exacerbated by...  
intruders specifically targeting Internet address ranges known to
contain a high density of weakly protected systems".

McGlashan said that although those infecting hosts with IRC bots are
doing so with fairly new techniques, the number of hosts loaded up
with them is on the rise.

"They haven't been able to distribute them this efficiently before,"  
he said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.