Fwd: [cfgeeks] TOOLS FOR VANDALS
I told you guys, but only some of you listened. It is not only possible to launch an attack like this from home user's PCs, "rewted" by amateurs, but it looks like a part of this was indeed done that way. This mess is gonna suck to clean up. Thanks, Microsoft, for all your help. Too bad you were helping the wrong effing side...
From: "Kevin P. Inscoe" <kevin@inscoe.org>
Reply-To: cfgeeks@onelist.com
Subject: [cfgeeks] TOOLS FOR VANDALS
TOOLS FOR VANDALS San Jose, California-based Finjan software says that new hacker software called Trinoo "zombie" can be run from ordinary PCs running Microsoft Windows and will not require high-end Unix workstations of the sort that have been involved in previous vandal attacks made through the Internet against corporate and government computers. Vandals would be able to launch distributed denial-of-service attacks much more easily, preventing people from visiting the targeted sites. (Bloomberg News/New York Times 25 Feb 2000) http://www.nytimes.com/library/tech/00/02/biztech/articles/25hack-pc.html
~kevin
--
Kevin P. Inscoe
Unix System Engineer & Specialist
Deltona, FL
Itinerary at http://www.inscoe.org/where
e-mail: kevin [at] inscoe [dot] org
http://www.inscoe.org 28.9492N 81.1955W
http://www.inscoe.org/comp
http://www.inscoe.org/radio

Where the Central Florida geeks hang out... http://www.onelist.com/community/cfgeeks
Kevin Inscoe (kevin@inscoe.org) - Listmom
Shawn McMahon wrote:
It is not only possible to launch an attack like this from home user's PCs, "rewted" by amateurs, but it looks like a part of this was indeed done that way.
This was run past us at GIAC a few weeks back. AFAIK, these are the "facts" that are known so far:

- This has only been found at one site in the wild (James Madison University)
- All systems are Windows 95 and 98
- There have been 16 confirmed infections, with a potential for 149 total (port scanned but not yet checked)
- All systems checked so far are running BackOrifice
- It is assumed that BO was used to load & config the DoS tool
- The method of infection with BO is unknown, but is guessed to be an e-mail attachment
- All infected systems had no/outdated virus checking software (thus nothing caught BO)
- The DoS tool is named "service.exe" and is 23145 bytes in length
- It is launched via HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- The DoS tool listens on udp port 34555

Simple Nomad is about to make a post to Bugtraq that contains a complete analysis of the tool including detection using netcat, how to clean, password used, etc. Rather than steal his thunder I'll refer people there for more info. So while it's possible to use cable & DSL Windows systems for this attack, no one has found one as of yet.
This mess is gonna suck to clean up. Thanks, Microsoft, for all your help. Too bad you were helping the wrong effing side...
Hummm. Not about to go down the "MS vs. Unix" road except to say it happened on Linux & Solaris first. It's already a mess that sucks to clean up. ;)

Cheers,
Chris
--
**************************************
cbrenton@sover.net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
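The indicators Chris lists (the Run-key autostart, a "service.exe" of 23145 bytes, a UDP listener on 34555) can be checked offline against artifacts pulled from a suspect Win9x box. The script below is an added example written for this thread, not Simple Nomad's analysis or anything posted to the list; the .reg export, file-size table and netstat output it reads are constructed samples.

```python
import re
# Indicators quoted in the thread: Run-key autostart, image name and size,
# and the UDP listening port.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
IOC_IMAGE, IOC_SIZE, IOC_UDP_PORT = "service.exe", 23145, 34555
# Constructed sample artifacts (not from a real host): a REGEDIT4 export of
# the Run key, a size table as a file-system walk would produce, netstat -an.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"service"="C:\\WINDOWS\\service.exe"
'''
SAMPLE_SIZES = {r"c:\windows\scanregw.exe": 28672, r"c:\windows\service.exe": 23145}
SAMPLE_NETSTAT = """  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:34555          *:*
"""
def parse_run_key(reg_export):
    """Return {value name: command line} for the Run key in a .reg export."""
    entries, in_run = {}, False
    for line in reg_export.splitlines():
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_run:
            m = re.match(r'"([^"]*)"="((?:[^"\\]|\\.)*)"', line)
            if m:  # .reg files double every backslash; undo that
                entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries
def image_path(command):
    """First token of a command line, with surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]
def flag_autostarts(reg_export, sizes):
    """Run-key entries whose image is service.exe with the reported size."""
    hits = []
    for name, cmd in parse_run_key(reg_export).items():
        path = image_path(cmd)
        if path.lower().endswith(IOC_IMAGE) and sizes.get(path.lower()) == IOC_SIZE:
            hits.append((name, path))
    return hits
def udp_listener_present(netstat_output, port=IOC_UDP_PORT):
    """True if netstat -an shows a UDP socket bound to the given port."""
    pat = re.compile(r"\s*UDP\s+\S+:%d\s" % port)
    return any(pat.match(line) for line in netstat_output.splitlines())
```

A hit on the autostart check alone is the stronger signal; the listener check only confirms the tool is currently running.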