Shawn McMahon wrote:
It is not only possible to launch an attack like this from home users' PCs, "rewted" by amateurs, but it looks like a part of this was indeed done that way.
This was run past us at GIAC a few weeks back. AFAIK, these are the "facts" that are known so far:

- This has only been found at one site in the wild (James Madison University)
- All systems are Windows 95 and 98
- There have been 16 confirmed infections, with a potential for 149 total (port scanned but not yet checked)
- All systems checked so far are running BackOrifice
- It is assumed that BO was used to load & config the DoS tool
- The method of infection with BO is unknown, but is guessed to be an e-mail attachment
- All infected systems had no/outdated virus checking software (thus nothing caught BO)
- The DoS tool is named "service.exe" and is 23145 bytes in length
- It is launched via HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- The DoS tool listens on udp port 34555

Simple Nomad is about to make a post to Bugtraq that contains a complete analysis of the tool including detection using netcat, how to clean, password used, etc. Rather than steal his thunder I'll refer people there for more info.

So while it's possible to use cable & DSL Windows systems for this attack, no one has found one as of yet.
This mess is gonna suck to clean up. Thanks, Microsoft, for all your help. Too bad you were helping the wrong effing side...
Hummm. Not about to go down the "MS vs. Unix" road except to say it happened on Linux & Solaris first. It's already a mess that sucks to clean up. ;)

Cheers,
Chris

--
**************************************
cbrenton@sover.net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
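The indicators listed in the thread (a Run-key entry launching service.exe, a 23145-byte binary, a UDP listener on 34555) can be checked from text captures taken off a suspect host. The triage script below is an added example, not code from the thread or from Simple Nomad's analysis; it assumes the captures are in `reg query` / `netstat -an` style text, and the file paths and sample output are constructed.

```python
"""Host triage for the indicators reported in the thread: a Run-key value
launching service.exe, a 23145-byte binary, and a UDP listener on 34555.
Inputs are text captures (constructed samples below), so it runs offline."""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
TOOL_NAME = "service.exe"
TOOL_SIZE = 23145
TOOL_PORT = 34555

def run_key_hits(reg_output):
    """Return (value name, data) pairs under the Run key whose data launches
    service.exe. Assumes reg-query style lines: name, type, data."""
    hits, in_key = [], False
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):          # a key header starts a new section
            in_key = line.strip().lower() == RUN_KEY.lower()
            continue
        parts = line.split(None, 2)
        if (in_key and len(parts) == 3 and parts[1].startswith("REG_")
                and TOOL_NAME.lower() in parts[2].lower()):
            hits.append((parts[0], parts[2]))
    return hits

def udp_listeners(netstat_output, port=TOOL_PORT):
    """Return local addresses from `netstat -an` output bound to UDP <port>."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "UDP":
            addr, _, lport = fields[1].rpartition(":")
            if lport.isdigit() and int(lport) == port:
                found.append(addr)
    return found

def size_matches(file_sizes, name=TOOL_NAME, size=TOOL_SIZE):
    """Return paths whose basename and byte length match the reported sample."""
    return [p for p, n in file_sizes.items() if p.lower().endswith(name) and n == size]

def triage(reg_output, netstat_output, file_sizes):
    """Combine the three checks; any single hit is enough to flag the host."""
    evidence = {"run_key": run_key_hits(reg_output),
                "udp_34555": udp_listeners(netstat_output),
                "file_size": size_matches(file_sizes)}
    return {"infected": any(evidence.values()), "evidence": evidence}

# Constructed samples (paths are hypothetical, not from the thread).
SAMPLE_REG = """HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    SystemTray    REG_SZ    SysTray.Exe
    Service       REG_SZ    C:\\WINDOWS\\SYSTEM\\service.exe
"""
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:34555          *:*
"""
SAMPLE_FILES = {r"C:\WINDOWS\SYSTEM\service.exe": 23145, r"C:\WINDOWS\explorer.exe": 204800}

if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_FILES))
```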