Massive DDoS Attack Brewing?

Quite a number of people wrote in with the news that CNN is reporting that a Back Orifice-like program masquerading as a movie clip is infecting thousands of computers worldwide. The prediction is that it's being setup for a DDos - but the technical details, are shall we say, "sketchy".

Re:DOS attack. Or solitaire, for that matter.

I don't know, and chances are very few people know, but does the backdoor "phone home" to say it's ready and waiting?

Apparently it puts the IP address of the machine it's running on in an IRC channel somewhere, where i'm sure there's a bot gathering the info. Pretty smart way of avoiding being traced :-)
--

Re:CNN ?

The link to the advisory on www.netsec.net [netsec.net] is here [netsec.net], has more technical info than the cnn article.

Killing of a subseven network...

I recently killed around 250 nodes of a subseven network. Apparently, they thought my irc server would be a good harbor. They all used the same username, and they all used similar names. After I found the bots, I put a sniffer on the bot master, grabbed his password, and then used that to gather the ports and passwords of the bots. Then, I used the 'remove server' option of the server to remove the bots from the people's machines.

It was a huge project, took me around 8 hours to do, and was a huge pain in the ass. Subseven is a damn scary trojan, only has limited flooding abilities, but it can gather a lot of information and can redirect most anything. this would allow a cracker to gather personal information, bounce a web request off of it to use a stolen credit card, or ping flood some ip.

I hope to god they manage to catch these guys and that they don't pay much attention to the news.. heh.. i'm betting they are just using subseven to bounce off a client anyway, so their ip might be diguised. all I know is that 250 of these clients are no longer around because of me, and that makes me feel a little safer.

If anyone is involved in the clean up of these clients, please get in contact with me. I might be able to provide you with operational knowledge.

--
Gonzo Granzeau

Stop it before it spreads

To prevent this DDoS from happening I think that everyone should start turning off their computers. Anyone that works at an ISP should go to the server room's and shut everything off. Not only will this stop *this* DDoS right in its tracks, it will save power.

shutdown -h now damnit
Geoff

Re:Stop it before it spreads

don't worry ; i've written a small vbs file that will send everyone in your address book a message informing them they may unwittingly be part of a DDoS attack ...

Massive automobile recall

Why on earth do these sources always talk about 'computers' without being more specific ? As if computer == 'a PC running DOS'. I smell a rat here (even though I'm sure CNN doesn't run their web servers under Mega$lob software, be that operating system-wise or application-wise)

Imagine the following press release:

REUTERS -- Somewhere.

A major car company has decide to issue a callback on one of their models. Under certain conditions a particular safe-critical part of the car might fail. Although the total cost of the recall is purported to be high, officials at the company were confident that it would not influence their quarterly results, due at some point.

Re: Here's the mad cow

Sure..
do a find for
???????.exe
and
????????.exe

I think I've seen it.

Two months ago or so I saw on usenet a Windows .EXE of dubious content masquerading as both .AVI and .MPG files.

They used the usual trick of nameing the .EXE somthing like foo.AVI.EXE, and made sure that the embedded icon colour matched that of the associated fake file type.

I dumped the file using 'strings', and it appeared to generate a fake error message regarding a missing codec, as well as a registry key to autorun a program at boot. I presume this trojan contained this code.

Here's the beef

A quick check of the Network Security Technologies [netsec.net] website has a bit more info than the CNN article. Read their advisory here [netsec.net]. Apparently, the Serbian Badman Trojan (as they're calling it) is using an IRC channel to report the compromised IP address, and then starts listening on a port -- this is why they think it could presumably be used for a DDoS attack.

---

Next...

The next one won't set up any DDoS clients. It will just wait until Monday, and then send all your cow-orkers a message saying "I sat around and watched porno movies on my computer all weekend!"

Then, when the news reports that the new exploit does in fact send that message, and is in fact borne by a porno flick, everyone in your address book will know that it realy is true.

Heh heh heh. Maybe it will even count and report which scenes you replayed, and how many times.

--

Re:Killing of a subseven network...

Two issues here, the time frame and the ability to script it.

I was unable to script this setup because subseven uses a windows based gui. I was unable to find a command line version that did what I needed it to do. Basically, a command line version that would log in, remove the server, and log out would be great, but right now no such tool exists. in theory, I should have then been able to pass it to a for list with all my ip's i knew. Yes, it would have been nice, but cut and paste into the GUI was all I had the time. I've spoken with people at Cert and NetSec and was told that something like this in the works.

The long time was because not all hosts are on at the same time. The bot net seemed mostly international. so at the time that people in Japan are turning their computers on, people in the UK are turning their's off, etc. Hence, there was a constant flow of bots in and out of the channel. By grabbing the ip when they joined, I cut and pasted it to the subseven client program, and then removed the server. It was a REAL pain in the ass because the subseven server only allows ip's, not hostnames. Anyway, after around 8 hours of doing this, I felt that the botnet was permenantly crippled, and left the rest. The guy is getting followed by several people, removing the rest of the clients.

no, it wasn't the most elegant solution, and yes, it sucked. I should have packet sniffed the connections and recorded the output, so i could script the whole thing to automate it for this current botnet.

--
Gonzo Granzeau

Re:Lack of security in the 'net

Good point. Though Windows has no security whatsoever, it'd be trivial for the cable companies and DSL providers to provide basic, network-level security for their users that could at least block most of these DDOS script kiddie tools from getting "go" signals.

Ultimately, the responsibility falls on the user, but given the cluelessness of most home (and many office) users, and the inherent vulnerability of Windows, the network providers really need to step up and fill this gap soon.

There's no reason why filtering couldn't be built into the cable modem (the same way many of them now block NetBIOS), and updated by central control at the head end to block new threats.

That said, given that it's cable companies doing this, the login for administration would probably be:

Login: admin
Password: admin

Scary, huh?

- -Josh Turiel

Re:Could there be less details?

According to previous reports, the trojan was posted in an adult chat room. You had to download it from a web site. It was called something like MySissy.mpg.exe. It is an executable file.

If, like most Windoze users, you don't change the default settings on your file viewer and you open most files by double clicking on document files, then once you had downloaded this file it would appear to be an ordinary file with the name MySissy. When you double-clicked on it, it would executre. I've not actually seen it in operation, but if the hackers were smart, they would have made it look like an MPG movie viewer and actually had it play a few minutes of a porn flick while it also did its dirty work.

Something like this is trivial to implement.

DOS attack. Or solitaire, for that matter.

Looks like the DOS attack was just dragged in for publicity's sake: "Once opened, the file infiltrates the computer, turns it into a "zombie" machine controlled by hackers.
It can then be used to launch a denial-of-service assault."

Yes of course. But then, it can also be used to launch solitaire. Sounds pretty upsetting to me.

René

tell 'em to run ZoneAlarm

You should recommend to anyone (particularly not geeks) you hear is getting a DSL/Cable or any "always on" connection to go to www.zonelabs.com [zonelabs.com] and get ZoneAlarm. It's free (beer) and it's really easy to use and it will alert you anytime any program tries to get out to the internet (in very easy to understand terms: "Program XXX is trying to contact the internet, do you want to let it?" -- along with a check box not to be bugged by that program again. Plus it does the blocking job of incoming probes too. Not and industrial strength firewall, but fine for home use. Plus, the new version has a nice "mailsafe" feature for vbscript trojans.
---

HOAX ?

Where's the beef? This sounds rather hoax'sih to me. I would beleive that this could be done, but for all the press on radio and tv, someone would have come out with a real filename, or more information on what to look for if this was real. I have my doubts.

I knew this would happen

This should be a wake up call for government intervention into the Internet. It's no longer a place of students and computer enthusiasts, it's a place of business. It needs protected from hackers, and there needs to be accountability. It's time to implemant changes so that people can be traced and logged, encryption all has back doors that can be used against cyber terrorists, and we'll need to levy a tax on it to pay for this law enforcement.

Or perhaps that is the point to this story.

Finkployd

Re:WTF?

Actually MSNBC has a better story, including the reply from Network Associates that they think it's pretty much low risk.

Also names the file which goes under two names

QuickFlick.mpg.exe or MySissy.mpg.exe

Re:DOS attack. Or solitaire, for that matter.

Given the two possibilities:

• The hacked machine will be used for remote solitare.
• The hacked machine will be used for a DDoS attack

Which do you honestly think will be more likely?


...phil

Re:WTF?

No, at least for me, it looks at the last one, and assigns an icon accrdingly. Then, if the particular extension is not set to "Always Show Extension", then the extension is not displayed

That is true, for explorer. However, in Outlook the icon displayed for a file is NOT dependant on the extension -- it's set by the person sending you the e-mail. (I get documents created in Word 2000 that have the Word 2000 icon depicting them -- despite the fact that I don't even have Office 2000 installed). Here's one way to do this:

Open up Wordpad.

Drag whatever file you want to send in there.

Click on Edit ->Package Object ->Edit Package.

Change the icon to whatever you want.

Click Update, then close that window.

Drag your new object into an email and send it.

It's never as simple as it seems...

Interesting quote ...

Interesting quote from the NETSEC guy:

"We're all hackers, in the traditional sense of the word," Waskelis said. "If we find something like this, we want to pick it apart and see what it's doing."

They're finally getting their terminology right ...

Pete C

Creepy?

And yet this is the info found on symantec concerning the so-called Serbian.trojan.

This trojan horse attempts to download a program file from the Internet and execute it. The intended program file is no longer available on the Internet, thus it currently poses no threat to users.

This, in the context of the cnn report, I find to be a little bit creepy. And how the fsck do they know that the file is no longer available on the Internet? And then they go on,

This trojan horse was originally posted to an adult Internet newsgroup on June 7, 2000. It was described as an adult movie file. However, it actually attempts to download the file http://www.lomag.net/~ryan1918/MySissy.mpg.exe from the Internet and launch it after it has been downloaded. It performs no other actions. The program file no longer exists at this Internet address, thus this trojan horse essentially does nothing and poses no threat to users.