More Net Attacks Loom, CERT Says

[InfoSec News <isn () c4i org>]

http://www.eweek.com/article2/0,3959,933590,00.asp

By Dennis Fisher
March 17, 2003 

The recent rash of Internet worms has produced an army of hundreds of
thousands of compromised machines that could ultimately be used to
launch a massive distributed-denial-of-service attack at any time,
according to security officials.

Officials at the CERT Coordination Center said the organization is
monitoring at least five large networks of compromised machines
installed with so-called bots. The bots connect compromised PCs or
servers to Internet Relay Chat servers, which attackers commonly use
to execute commands on the remote systems. At least one of these
networks has more than 140,000 machines, officials said.

"We have seen indications that these networks are being used [for
attacks]," said Marty Lindner, team leader for incident handling at
the CERT center at Carnegie Mellon University, in Pittsburgh. "The
potential is there for them to cause serious long-term damage."

Unfortunately, CERT officials said, there is little they can do about
a potential attack, other than sound the warning and hope users
identify and patch infected machines. Officials of the FBI's National
Infrastructure Protection Center, in Washington, did not respond to
calls seeking comment.

CERT's dire warning is underscored by last week's emergence of the
Deloder and Code Red.F worms. While neither worm does any immediate
damage to infected machines, both install back doors that enable
attackers to use compromised machines for future, much more damaging
operations, such as DDoS attacks.

At the heart of this new trend, according to security experts, are
poor security practices. But more important is the mistaken belief by
corporate IT that once crises such as those caused by Code Red or SQL
Slammer die down, the trouble's over. In fact, after an initial flurry
of advisories, warnings and patches, there are often months or years
of sustained infections and residual DDoS attacks, Lindner said.

For example, Code Red reached its peak in July 2001 when more than
450,000 servers were infected and scanning for new targets. Since
then, there are some 60,000 Code Red-infected machines scanning the
Internet at any given time. Even a novice cracker would need only a
tiny fraction of those machines to launch a devastating DDoS attack.

"This not only shows you that these systems haven't been patched but
that they're not running anything even remotely close to a current
anti-virus product," Lindner said.

Many older worms are still among the most active threats on the
Internet, studies indicate. SQL Spida, Opaserv and Nimda are among the
top five most active worms thus far for this month, according to
statistics compiled by the WormCatcher network, a distributed group of
machines that monitors worm activity and is run by Roger Thompson,
technical director of malicious code research at TruSecure Corp., in
Herndon, Va. Each of these worms is at least 6 months old, with Nimda
first appearing in September 2001.

"All of these worms have done a nice job of populating the world with
PCs that are easily accessible for hackers to bounce things off of,"  
said George Bakos, senior security expert at the Institute for
Security Technology Studies at Dartmouth College, in Hanover, N.H. "In
the past, you needed some skill to do this."

In addition to making it easier for attackers to plan and execute
their attacks, these worms have made it much more difficult for
investigators and administrators to trace attacks to their sources,
experts say.

Contributing to the problem is the poor overall security posture of
many corporations. Lovgate, which appeared several weeks ago, and
Deloder both try to spread by exploiting weak or null passwords used
to protect shared network drives and folders. Networks exhibiting this
lack of security are just ripe for the taking, security experts say.

"Traditionally, we've been looking at viruses and worms exploiting the
application layer. But the biggest crevice you can crack is a weak
user," said Mark Boroditsky, president and CEO of Passlogix Inc., a
security software maker based in New York. "Behavior is a lot harder
to patch than software."

Also problematic are the many affected machines belonging to home
users, few of whom do any logging of the activity on their PCs. As a
result, attackers can easily hide their tracks by using these
anonymous computers, according to the experts.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.