Information Security News mailing list archives

As New Year nears, threat of Net attack program mounts


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Fri, 24 Dec 1999 01:57:29 -0700

Forwarded From: darek.milewski () us pwcglobal com

As New Year nears, threat of Net attack program mounts
By Stephen Shankland
Staff Writer, CNET News.com
December 23, 1999, 4:00 a.m. PT
URL: http://news.cnet.com/category/0-1003-200-1504709.html

A new and potentially more dangerous version of an Internet attack program
has been posted just in time for the holidays, and another is on the way.

A new version of a malicious program called the Tribe Flood Network (TFN)
is more powerful and harder to detect than an earlier version, according
to experts. And an updated sister program called Trinoo is due to be
released next week.

Few incidents of their use have been publicly acknowledged, but experts
are warning sites to prepare against attacks that may coincide with New
Year's. Widely anticipated problems owing to the Y2K computer glitch may
provide cover for other mischief.

The program works like this: A TFN attacker secretly embeds software into
hundreds of computers. Then, at a selected time, a command is issued that
prompts the infected computers to swamp a target Web site or server with
messages in a method of attack called "denial of service." The program
doesn't damage the "infected" computers or the target, but the sudden
flood of messages typically knocks out the target system.

Although it's possible for target computers to protect themselves by
ignoring messages from attacking computers, it's hard to identify which
computers are attacking--especially when there are hundreds. This
fundamental vulnerability of networked computers makes protecting against
denial-of-service attacks extremely difficult.

The existence of TFN was reported earlier this week. The new variant,
called TFN2K, is potentially more dangerous in that it can enlist machines
based on both the Windows NT and Unix operating systems to deliver the
flood of messages, according to Gia Threatte of the Packet Storm Web site,
which publishes security-related software so system administrators can
protect against attacks and intrusions.

TFN2K also adds the ability to act on a single command, a stealthier mode
of operation than the previous version (which required the controller to
send a password), and encrypts communications, making the infecting
messages harder to detect, Threatte said.

Further, TFN2K sends decoy information to throw hunters looking for the
source off the scent.

The purported author of the TFN family, who goes by the name "Mixter,"
sent a version of TFN2K to Packet Storm. Packet Storm said it also expects
a new version of Trinoo from Mixter.

With the new software being released now and the "2K" allusion to the new
year in the name of the program, it appears that a computer attack could
occur during the holidays.

"I don't really think you're going to see any serious attacks using this
until New Year's," Threatte said. On Jan. 1, though, people likely will
try to "cause a little mischief," she said.

Other security watchers concur. The consensus of a Year 2000 bug workshop
at Carnegie Mellon University's Computer Emergency Response Team was that
"it is possible that intrusion attempts, viruses and other attacks will be
focused on the time around 01 January 2000 under cover of Y2K incidents,"
CERT said.

CERT has warned, "We are receiving reports of intruders compromising
machines and installing distributed systems used for launching
packet-flooding denial-of-service attacks." CERT said that attackers
generally gained unauthorized access to these computers through well-known
weaknesses, reinforcing the message that system administrators must stay
up-to-date on keeping their systems secure.

Detection of attacks and their ultimate source isn't easy. Trinoo and the
TFN family obscure the address of the actual attacker by hiding the person
in control behind two layers of computers. The attacker lays the
groundwork by breaking into several computers, installing master software
on some and attack software on others. When it's time for the attack, a
message is sent to the master computers, which in turn relay it to the
drone computers that do the attacking by flooding the target with
"packets" of information.
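The point made above, that a target can block individual attacking hosts but cannot easily tell which of hundreds of low-rate drones are attacking, is easy to see in flow data. The following Python is an added example (not code from the article or from any of the tools it names) that runs a per-source rate check and a per-destination aggregate check over constructed flow records; the addresses, rates and thresholds are placeholders chosen for illustration.

```python
"""Per-source vs per-destination views of a distributed packet flood.

Constructed flow records: (source, destination, packets_per_second).
No single drone is loud, but hundreds of them together swamp one target,
so detection has to key on the destination's aggregate rate and source count.
"""
from collections import defaultdict

# Constructed sample: 300 drones each sending 40 pps to one target, plus two
# ordinary clients talking to another host. All addresses are placeholders.
FLOWS = [("10.0.%d.%d" % (i // 256, i % 256), "192.0.2.10", 40) for i in range(300)]
FLOWS += [("198.51.100.5", "192.0.2.20", 200), ("198.51.100.6", "192.0.2.20", 150)]

PER_SOURCE_LIMIT = 500   # pps above which a single source would be filtered
TARGET_LIMIT = 5000      # pps a destination is expected to absorb (assumed)


def loud_sources(flows, limit=PER_SOURCE_LIMIT):
    """Per-source view: sources whose own rate exceeds the limit."""
    rate = defaultdict(int)
    for src, _dst, pps in flows:
        rate[src] += pps
    return sorted(s for s, r in rate.items() if r > limit)


def destination_profile(flows):
    """Per-destination view: (total pps, number of distinct sources)."""
    total = defaultdict(int)
    sources = defaultdict(set)
    for src, dst, pps in flows:
        total[dst] += pps
        sources[dst].add(src)
    return {d: (total[d], len(sources[d])) for d in total}


def detect_distributed_flood(flows, target_limit=TARGET_LIMIT, min_sources=50):
    """Flag destinations whose aggregate rate is over the limit while the
    traffic is spread across many sources, each contributing only a little."""
    alerts = {}
    for dst, (pps, nsrc) in destination_profile(flows).items():
        if pps > target_limit and nsrc >= min_sources:
            biggest = max(p for _s, d, p in flows if d == dst)
            alerts[dst] = {"pps": pps, "sources": nsrc,
                           "max_source_share": biggest / pps}
    return alerts


if __name__ == "__main__":
    print("per-source filtering would catch:", loud_sources(FLOWS))
    print("distributed flood alerts:", detect_distributed_flood(FLOWS))
```

The per-source check returns nothing for the flooded target, while the aggregate check flags it with 300 sources none of which carries more than a third of a percent of the traffic.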

Compromised computers that can be infected with the attack software have
become a kind of currency, with attackers trading names and information
about them over Internet Relay Chat (IRC) discussions, Threatte said.

Threatte defended Packet Storm's philosophy of publishing attack software
for all to see. "If we don't make it available, there's no way you can
protect against these things," Threatte said. Sprint, for example,
recently called upon Packet Storm's information to more quickly fend off
an intruder.

Other, more dangerous versions of distributed attack software are
circulating, but Packet Storm doesn't have them, so they're harder to
detect, Threatte said.

Packet Storm, a five-person group based in Palo Alto, Calif., is no
stranger to controversy. It's now owned by security consultants
Kroll-O'Gara after being embroiled in a debate with its former home at
Harvard University and hacker chronicle site AntiOnline.

Threatte foresees a time when coordinated denial-of-service is more
serious.  "Distributed attack tools right now are kind of in their
infancy," she said.

New improvements could involve a self-replicating "worm" version that
would automatically spread the attack software to new computers. After
several generations of spreading, the worm could erase itself from the
original computers used to launch the worm, severing ties with the true
origin. The worms could monitor several sites on the Internet for a sign
that triggers the time and target to attack.

ISN is sponsored by Security-Focus.COM
