Information Security News mailing list archives

Experts Keep Eye On New Trojan Horse


From: William Knowles <wk () C4I ORG>
Date: Thu, 12 Oct 2000 08:30:38 -0500

http://www.techweb.com/wire/story/TWB20001011S0013

(10/11/00, 5:49 p.m. ET)
By Kim Renay Anderson
TechWeb News

Network security experts are closely monitoring the latest Trojan
horse, the SubSeven DEFCON8 2.1 backdoor.

Internet Security Systems Inc., Atlanta, recently discovered that the
computers of more than 800 consumers were infected with the SubSeven
DEFCON8 2.1 backdoor, said Chris Rouland, director of X-Force, the
research team of ISS.

The consumers affected were mostly DSL cable modem users and very few
e-commerce businesses, he said.

"We found out about the SubSeven DEFCON8 2.1 by communicating over the
chat system," Rouland said. "Then we cracked the password to the virus
to look at it and evaluate the scope of this infection. It originated
from several hackers who were setting up DDoS (distributed denial of
service) attacks."

X-Force focuses on intrusion detection software, not on details of
viruses, Rouland said.

Other security experts said the threat is minor, or at least not
enough to cause immediate alarm.

Ian Hameroff, business manager for security solutions at Computer
Associates International Inc. (stock: CA), said his labs are tracking
the Trojan horse, but CA is not worried about it so far.

"We're not saying it's major or minor, but we want to keep this under
investigation," he said.

But ISS rates this threat a 4, with a 5 being the most dangerous.
LogiKeep Network Security Intelligence Service ranks this virus as a
level 3, said Dan Burke, vice president of marketing at LogiKeep in
Dublin, Ohio.

"This DEFCON8 2.1 is a derivative of what we reported on June 14, when
we first became aware of it," he said. "To date the number of reported
cases of SubSeven DEFCON8 2.1 is not very large and is minor compared
to the LoveBug virus."

However, the latest version of Trinity v3 poses more of a threat, said
Michael J. Assante, co-founder of LogiKeep.

In September, LogiKeep issued an advisory about Trinity v3 that allows
a hacker to launch a DDoS by using IRC channels, which can result in a
server becoming flooded and crashing.

"Trinity v3 can be obtained from the underground hacker community or
downloaded," said Assante.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com