Information Security News mailing list archives

Beware the Computer Zombies


From: InfoSec News <isn () C4I ORG>
Date: Fri, 29 Dec 2000 16:14:24 -0600

http://www.wired.com/news/technology/0,1282,40905,00.html

[More NIPC FUD?  With their closed-source security tool?  -WK]


by Michelle Delio
10:00 a.m. Dec. 29, 2000 PST

Tens of thousands of computer systems may have been secretly invaded
by "zombies" that could suddenly spring to life over the upcoming
holiday weekend, the National Infrastructure Protection Center says.

The zombie computers, controlled remotely by crackers, will then eat
the brains of the Internet.

Based on "FBI investigations and other information," the National
Infrastructure Protection Center (NIPC) has issued a special night of
the living dead warning for the holiday weekend.

The agency says that there is a high potential over the next few days
for distributed denial-of-service (DOS) attacks, the same cyber
attacks that crippled the Internet in February 2000, and is advising
IT personnel to take some extra precautions before they head out of
the office on Friday.

The NIPC advises network supervisors to run the NIPC's free "Find
DDOS" utility to determine if a network harbors any of those nasty DOS
Trojans such as Trin00, Tribal Flood Net, TFN2K, MStream, Stacheldraht
and Trinity v3, that can turn a mild-mannered system into a crazed
zombie computer.

Windows NT administrators should particularly check for the presence
of the SubSeven Trojan, which would indicate that a system harbors a
zombie.

The NIPC also suggests making sure that virus screening programs are
up to date and ready to handle the anticipated glut of e-mail on
Tuesday.

And, in case the worst does happen and users are confronted with a
crowd of computer cadavers, the NIPC suggests that companies should
also consider having a contingency plan, including a way to contact
their Internet service provider and a security response team in case
of attack.

Andrew Antipass, a Manhattan-based corporate security consultant, says
he thinks the Internet will see some "sensational" DOS attacks in
2001.

"Could it happen over the holiday weekend?" Antipass said. "Sure,
because when so many business and university machines are left
unattended for a few days, you always have to consider that someone
will realize it's an optimum time to muck about in systems."

The NIPC and other security experts also suggest a "lights out" check
to ensure that all users have logged out of the system before they
leave the office.

People tend to want to escape fast over the holidays, and they may
leave without closing down their connections. That leaves the network
open to anyone who happens to be in the vicinity, either virtually, or
-- more likely -- people who are physically in your office.

"That's not to say office cleaning crews are actually frustrated
crackers, but in some circles corporate espionage isn't unheard of,"
Antipass added.

The NIPC also advises running a full data and system backup before
stopping work for the holiday weekend. And if systems will be left
running unattended, they also suggest applying all current security
patches as well.

Antipass suggests that security supervisors should plan to start off
the new millennium right by reminding users "once again" that they
should "never" open any e-mailed attachments, such as documents,
screen savers or pictures that have been sent to them.

"I'm stressing to people that they shouldn't open anything from anyone
unless they are specifically expecting to get a document via e-mail.
It's important to tell people, and then tell them again, that nasty
viruses and worms can be sent from someone you know.

"It doesn't mean they are out to get you, (it) just means you have
some lame friends or co-workers who clicked on something they
shouldn't have."

MonKeeBiz, a self-described "freelance systems and security
investigator", said that the NIPC warning is "somewhat justified" in
its warnings and fears.

But he added that the "real story" behind the furor over DoS attacks
is that there is a patch readily available for the hole that is being
exploited.

"If the zombies are gathering on the front lines, then why are so many
people aiding and abetting them by not applying security patches?"
MonKeeBiz said.

"Didn't you folks see the Night of the Living Dead? When the zombies
started lurching around and lunching on people, the first thing those
people did was board up the windows and the doors. Same thing here -
apply the patches and then go out and party."



ADVISORY 00-063
New Year's DDOS Advisory
December 28, 2000

http://www.nipc.gov/warnings/advisories/2000/00-063.htm

Based on FBI investigations and other information, the NIPC advises
taking some extra precautions in computer security over the holiday
period to reduce the possibility of, or damage from, Distributed
Denial-of-Service (DDOS) and other cyber attacks which could occur.

The NIPC believes DDOS attacks could occur over the holiday. Several
security companies have cited the threat of DDOS attacks, and some
have taken place already. Double checking your network's firewall
configuration is one method of preventing or reducing the effects of a
DDOS attack. NIPC recommends the use of our "Find DDOS" utility to
determine if your network has been victimized by implanting of DDOS
Trojans including Trin00, Tribal Flood Net, TFN2K, MStream,
Stacheldraht and Trinity v3. (The tool can be downloaded from
http://www.nipc.gov/warnings/advisories/2000/00-44.htm ).

[...]

ISN is hosted by SecurityFocus.com