The Internet

Massive DDoS Attack Brewing? 252

Quite a number of people wrote in with the news that CNN is reporting that a Back Orifice-like program masquerading as a movie clip is infecting thousands of computers worldwide. The prediction is that it's being set up for a DDoS - but the technical details are, shall we say, "sketchy".
  • Now that is an interesting point. And a very good way to set up a DDOS, by creating such a file, would be to send it to all your friends and yourself, then when the attack commences you all say "oh, but someone sent it to me and it started itself". And, of course, send it to a few Government agencies (they're bound to download it) so they can all join in. Heh heh.

  • Just by the stats of guns vs gun violence I would say a pretty small percentage. Especially if we are just talking handguns.

    Finkployd
  • Actually, this sounds more like a "Download this hot pr0n movie now!" type of thing. In theory it's damn simple, take one small pr0n movie, add a player with a BO trojan, stick it on a server(s) or Usenet somewhere, and you're set.

    Most people who are gonna download this thing are gonna be looking for porn, so they won't care if "it needs a special file player", they'll download it and run it so they can see the action.

    At least, that's my theory.
  • Just start scanning the rr.com domain
  • Since I posted this, other people have posted explanations of how the file gets executed while appearing to be a movie. But you gotta love how Windows by default hides the actual extensions of your files...
  • What a load of crap. I pay my ISP for straight juice, no filtering, no caching, nothing but juice. If they started forcing me to use a filtered service, I'd be gone in a flash. Now, as an option - that might be nice for some users, but you can't just go around filtering ports at the ISP because they might be used by a trojan. All that'd do is make the authors use more common ports for their apps...
  • If we wanna be anal compulsive about this:

    it's means "it is", its is the possessive. Its a shame that you can't use it right. In this case, it also is unclear, but I don't give a damn.

    THE GROUP OF COMPUTERS combines into an unclear pronoun. Whatever that is.

    And your last sentence is a fragment.

    To hell with it though, cause I'm be a hick and I ain't here to speak english, and I'm be a tired of reading along and finding this crap.
  • keep reading comments and you'll soon learn that it's an .exe file made to look like a movie to the untrained eye, e.g. pornmovie.mpg.exe
  • If you have a door that is insecure, this IS your fault. But what if someone goes into your apartment and turns on the gas at the stove to bomb the house? Is it your neighbour's fault too?

    Same thing with an insecure OS. If you have security holes in your OS and someone installs a trojan to destroy your data or so, this IS your fault.
    But let's say someone uses the security flaws of your OS to install a trojan that launches a DDoS-Attack against MY host, is it my fault too?

    I doubt that.
  • "the Register story you referenced"

    I didn't reference a Register story, I referenced a Linux Today story and the comments on it.

    I accept your correction on the ASF script files.

    I don't spread "rabid pro-Linux FUD". I simply reported on information I saw elsewhere.
  • I'm not entirely sure that tobacco is "freely chosen." The tobacco companies do their damnedest to get children addicted. I'm not confident that many of these kids are mentally/emotionally mature enough to make free choices about a lot of their actions.

    Which isn't to say that it absolves them of the consequences of their actions. Not in the least.

    But to say that it's "free choice" and dismissing the causative role of the tobacco companies in creating a situation in which children wish to smoke is disingenuous at best.

    The tobacco companies manufacture a product that is harmfully addictive, and go out of their way to promote that product to populations that are poorly informed regarding the consequences of their peer- and self-worth influenced choices.

    They should not be let off the hook by the casual statement of "hey, free choice, man!" any more than any other company that creates hazardous situations for their workers, the general public or their specific consumers.

    --
  • well... my linux distro didn't come with solataire, and rebooting is kina a pane....
  • I don't know, and chances are very few people know, but does the backdoor "phone home" to say it's ready and waiting?

    Apparently it puts the IP address of the machine it's running on in an IRC channel somewhere, where I'm sure there's a bot gathering the info. Pretty smart way of avoiding being traced :-)
    --
  • OK, so it's a trojan that opens a port to listen for arbitrary instructions, and broadcasts the port it's listening on in an IRC channel. Does it authenticate the instructions it receives with public key crypto?

    If not, what's to stop us listening on the channel as well, and connecting to each advertised IP address, sending instructions which deactivate the trojan? Raises interesting technical and ethical issues, but it seems to me like the ultimate in "white hat cracking"...
    --
  • Both of them.
  • I'm going to have to say that Symantec may be playing this thing down, but they certainly aren't providing a wealth of detail why. It looks to me like the typical "if we didn't find it first, then it must not be a real threat" attitude that most anti-virus vendors take.
  • by Booxbaum ( 105193 ) on Friday June 09, 2000 @04:34AM (#1014335)
    The advisory on www.netsec.net [netsec.net] is here [netsec.net]; it has more technical info than the CNN article.
  • I recently killed around 250 nodes of a SubSeven network. Apparently, they thought my IRC server would be a good harbor. They all used the same username, and they all used similar names. After I found the bots, I put a sniffer on the bot master, grabbed his password, and then used that to gather the ports and passwords of the bots. Then, I used the 'remove server' option of the server to remove the bots from the people's machines.

    It was a huge project, took me around 8 hours to do, and was a huge pain in the ass. SubSeven is a damn scary trojan; it only has limited flooding abilities, but it can gather a lot of information and can redirect most anything. This would allow a cracker to gather personal information, bounce a web request off of it to use a stolen credit card, or ping flood some IP.

    I hope to god they manage to catch these guys and that they don't pay much attention to the news.. heh.. I'm betting they are just using SubSeven to bounce off a client anyway, so their IP might be disguised. All I know is that 250 of these clients are no longer around because of me, and that makes me feel a little safer.

    If anyone is involved in the clean up of these clients, please get in contact with me. I might be able to provide you with operational knowledge.

    --
    Gonzo Granzeau

  • You can get things like that (ie: Netopia), but it's much cheaper for the provider to use a bridge instead of an intelligent routing device. I got a 3Com "No Customer Maintenance" DSL bridge, but I use a BSD box for NAT and IPF.
  • Ah, sarcasm.

    I like sarcasm. But raw text, devoid of subtle body language and foreknowledge of the author, has probability 1 of being misinterpreted. So if you care what people might say, you must be very careful with sarcasm on the internet.

    The polite thing to do seems to be to add a smiley for the humor-disabled, so as to aid their faulty recognition. That, or use HTML like tags to indicate <SARCASM> and </SARCASM>. Except both of those seem to dumb down everything for the lowest common denominator, and generally ruin the joke.

    More illustrations of the dangers of sarcasm can be found in this article [uexpress.com].
  • Duhh! They're not even MPEGs. Problem is, there are so many dumb people out there mindlessly clicking on any old .exe file that flies into their mailboxes.
    Pete C
  • I dunno, Solitaire can be pretty damn addictive. Why do you think Microsoft included it in Windows?...
  • No, it's possible to embed an icon in a file, that's how windows displays icons for different exe's with the logo of said game or whatever. This is a common tactic for BO trojans.
  • The problem, detected by a security firm that works for the Justice Department

    NETSEC, founded by two alumni of the National Security Agency and Department of Defense, provides computer emergency services to the Justice Department.

    This is simply nothing more than a soft form of the word Echelon

    No but seriously. What we're seeing here is the Department of Defense working closely with the Justice Department. While you and some other people might think something along the lines of "big deal", I'd like to conjure up a few memories of each of these departments' histories.

    First of all, in the United States, the military is not to be used in the policing of Americans. Their resources are off limits to police agencies, and their personnel are prohibited from engaging in law enforcement activity outside the bounds of their property (ie Military Police on Military bases).

    And for very good reason is this division. First of all, look at the Branch Davidian incident in Waco, Texas. This was a USDOJ/USDOD joint activity. We're just now beginning to realize to what extent the DoD was involved.

    I honestly think this is the beginning of a new policy where America's military will continue a mission of American policing. That is unacceptable, as the consequences are staggering.

    I mean, is it just me, or is Janet Reno REALLY going against what America has stood for in the past two hundred years?

  • Everyone says they knew it was coming; here's my tale of why I thought something was afoot. About 2-3 weeks ago, a friend of mine sent me a file called "blahblah.exe" and said "I found this running in the background? No idea where I got it". Running strings on it revealed it was a combo IRC client/program launcher. For example, it connected to a certain "large popular IRC network" (yah.. that one). Once connected it checked if some other .exe(s) were available, then msg'd someone indicating one way or the other. I think it joined a channel and did some other nonsense once on IRC. It also used an .ini file containing 25-30 lines of encrypted text. You couldn't even tell which IRC server it was going to connect to.

    After nullrouting myself and running it, it attempted to connect to that "big IRC network" on multiple servers, thus shutting down its outbound route to modify itself is fairly tough because it isn't fixed on one point of download; it's got quite a few. Of course none of my Win32 virus scanners cared about this "blahblah.exe" file either. It attempts multiple ports for IRC as well, so those that filter 6660-7 are still vulnerable.

    Antivirus companies routinely take credit for discovering viruses even though they were reported to them by someone like ourselves; that is why I saw no need to assist them in pointing out this new creature. This is also why I did not list the actual .exe or .ini file names and have been rather vague about all this; let them earn their supper like the rest of us. To make a long story short.. "I had a feeling this would happen".
  • HOW a movie clip can contain a trojan horse.

    If the clip is repackaged as a .exe. Most Lusers have no clue about the difference between an .mpg, jpg, exe, doc, ...

    I work with profs who still don't ken the difference after working with these file extension associations for the past decade.

  • That said, given that it's cable companies doing this, the login for administration would probably be: Login: admin

    Password: admin

    Oh yeah? Well, the password for @Home's support mode on their netdiag tool is:

    login: athome password: athome

    Just create a shortcut to the tool with the entry "netdiag.exe mode=support" at the end of the directory address.

    Have Fun!

  • Maybe somebody can help me with this. I have been hearing it a lot from the media, but can find no technical basis for this. How does having Cable or DSL make you more vulnerable? I mean there are always users sharing their hard drives, but that is just the same on modems.

    And a little note of caution ... the article mentions 'special software' that needs to be used to make your Cable modem secure. I am wondering if somebody is going to peddle something like Cybersister or some other censorware (now possibly one that will filter out Napster as well) under this excuse.

    And one more thing ... how could they possibly know the 'handles' of the people who probed them?! This is CNN trying to get better ratings. "Hackers gathering their armies" to strike when you sleep. UGH ...
  • My girlfriend and I watched a movie clip about a massive back orifice once. She denied me her services for a week and a half. which half? the top half.

    grunties, leave your inner ear alone.

    ow my eye.

  • I guess, then, the question would be - for an "average" gun, how many people is it used to injure (either on purpose or accidentally) during the course of its lifetime?

    Rounded to the nearest tenth of a percent?

    Zero.

    Even if you count military-owned weapons. Even if you just count handguns, or just count military-appearing semi-automatic weapons, or pretty much whatever anybody feels like banning this week.

    Hell, even if you just count handguns used by citizens in the actual prevention of an actual attempted crime, it is less than .1%.

    America's supposed gun violence problem is a myth, manufactured by the media for the purpose of scaring people; because scared people watch the news.

    Tobacco kills over 400,000 people a year. Guns kill about 35,000 Americans a year, and over 2/3 of those are drug traffickers killing each other.

    And as for accidental gun deaths; there are about 200 per year. That's less than three times as many as caused by lightning, and it's been going DOWN steadily (as a percentage) for decades.

    Hell, more people (302) die of falling down in the state of Colorado than die from gun accidents in the entire country!

    There are something like 2,500 deaths by drowning in the US every year. If you want to save lives, outlaw swimming pools.

    More people under 24 die in traffic accidents every year than the TOTAL of all ages who are killed by firearms, accidentally or on purpose. Make the legal driving age 24 and you'll save more lives than by outlawing guns, even if you could make all the guns disappear!

    If you take out drug-related murders, guns are used to kill about 11,550 people a year, plus another 200 that die by accident.

    11,750 people seems like a lot, but it's less than die from falling down in their homes! It's twice the number who die in workplace accidents, and we don't hear about an epidemic in that!

    And when you factor that against the number of times guns are used to prevent a crime, whether you accept 500,000 or 2 million for that number, one starts to wonder where exactly the hysteria is coming from?

    It's certainly not coming from the tens of thousands of women who protect themselves from rape each year with a handgun.

    A media facing declining ratings made the whole thing up.
    --
  • The Conspiracy Theorist inside me that hasn't had his tea yet today says, "The Feds have implanted a controlling computer virus in Symantec's software, which will then be distributed world-wide in the mad rush to update virus checkers by every vulnerable user in the world."

    Must have tea. Mmmm. Tea.
  • If the user was mailed a *real* movie called foo.mov, isn't the extension hidden on them so the name they see is "foo"?

    If this is true, why aren't the files named "foo.exe" rather than "foo.mov.exe" so they look more like movies.

    (I think I know the answer, which a lot of people are not going to like: the answer is that "icons" are bunk, the letters ".mov" despite their cryptic nature, are far more compelling than any image to even novice users)

    But if anybody has any better answers please tell me.

    Also, are they able to make the icon an exact copy of the .mov icon by changing the icon embedded in the .exe? I recommend that MSoft at least show a generic .exe icon if this is the case.

  • right, sure, we believe you!
  • The part about people jumping up a shooting a family member is right on the money.

    One thing that bothers me is when people hear stories about this kind of thing (however uncommon) they assume it is an indication of the dangers of guns, when it's simply a case of a misused tool by someone not trained properly. I can misuse plenty of common household tools and kill someone accidentally. That doesn't mean they are bad or that everyone misuses them.

    Finkployd
  • This is more corporate and government sponsored hysteria. This NETSEC company wants attention, so they issue a big press release at a time when all the major media outlets just eat up virus and DDOS stories. And the government wants to exploit this hysteria to pass stupid anti-encryption laws and gain broad wiretapping powers. Two great tastes that taste great together...

    I dunno, maybe I'm too cynical but don't the names "Serbian" and "Badman" sound just a little corny? Almost like they were made up by someone who read a few glossy articles about the computer underground and then decided to write some FUD that would get people's dander up? Can anyone not involved in the promotion of this exciting story confirm that these guys really exist and that they're not more than a couple of kids being l33t on an irc channel?

    It just seems so convenient...
  • I don't think a manufacturer of widgets that resulted in 1 out of 3 people being injured (or say, hypnotized against their will) would be allowed to be sell their products for very long. Exceptions include: tobacco, guns, software... Why?

    Uhm, sorry; exceptions just include tobacco.

    Guns and software don't injure 1 out of 3 of their customers.

    Guns injure something like 1 out of 278,000 of their customers. For software, even Microsoft's crap, it's even lower.

    Bicycles have a worse "injures their owner" percentage than guns.

    --
  • But I fail to understand the problem here. If the user is a moron and wants to run unsafe programs on their computer, why not let [him/her]?

    Don't let your elitism show quite so much. Most computer users probably fall into your "moron" class, and they really aren't "morons" if they don't know any better. Lots of people drive without knowing the fine details of their cars, and doing a good job of computer security requires a knowledge of computers at the same detailed level. What kind of computing education would you like to require?

    In the case of having mostly relatively uneducated users, it's not unreasonable to ask why the infrastructure doesn't do a better job of preventing unwanted security exposure. No, I won't accept an MS Bob view of computing either, but we should be able to develop an approach that gives us security without compromising convenience. That includes not letting mail programs blindly execute programs that can directly modify the computing environment (both the mail program and the operating system are at fault here).


    ...phil

  • To prevent this DDoS from happening I think that everyone should start turning off their computers. Anyone that works at an ISP should go to the server rooms and shut everything off. Not only will this stop *this* DDoS right in its tracks, it will save power.

    shutdown -h now damnit
    Geoff
  • What technical reasons do they have for feeling that its purpose is going to be a DDoS? If it's a BackOrifice type program it's probably just for some script kiddies enjoyment...


    Refrag
  • If they're so sure that the movie file is a trojan horse, why didn't they name the file?
  • They don't say how these guys got access to the computers, per se (not up to date firewall protection... ooo, that's informative). They don't say what the trojan is called so we can go looking for it. They don't say how 'xanim trojan-file' will cause anything other than an error to occur...:)

    I find all of this somewhat hard to swallow, given the lack of details given. Does anyone know of another article with cold, hard facts?

    Eric

  • by MrDelSarto ( 95771 ) on Friday June 09, 2000 @03:31AM (#1014374) Homepage
    don't worry ; i've written a small vbs file that will send everyone in your address book a message informing them they may unwittingly be part of a DDoS attack ...
  • Actually, Windows in a bid to look a little more like a Mac now actually HIDES the file extensions on a default setup. You then have to go into the view options and change it not to hide extensions on "recognized file types."

    With the extensions turned off, you're forced to rely on the icon to tell you what the file is...

  • by Megasphaera Elsdenii ( 54465 ) on Friday June 09, 2000 @03:32AM (#1014376)
    Why on earth do these sources always talk about 'computers' without being more specific ? As if computer == 'a PC running DOS'. I smell a rat here (even though I'm sure CNN doesn't run their web servers under Mega$lob software, be that operating system-wise or application-wise)

    Imagine the following press release:

    REUTERS -- Somewhere.

    A major car company has decided to issue a recall on one of their models. Under certain conditions a particular safety-critical part of the car might fail. Although the total cost of the recall is purported to be high, officials at the company were confident that it would not influence their quarterly results, due at some point.
  • The problem is that, when Windows hands out icons, it only looks at the first extension and hides the rest of the filename (unless you specifically try to change it). I agree that the problem is people mindlessly clicking on whatever they get sent, but in this case, it looks like it's a movie. There's no harm in watching a movie clip, right ;o}

    Eric
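The double-extension trick several posters describe (an executable named like `foo.mov.exe` or `foo.AVI.EXE`, shown as `foo.mov` once Explorer hides "extensions for known file types", sometimes with padding spaces pushing the real extension out of view) is easy to check for mechanically. The following is an added example, not code from any poster or from the NETSEC advisory: it simulates what the user sees and flags names whose real (last) extension is executable while the visible one looks like media. The extension sets are this example's own assumption, not a complete list of what Windows will launch.

```python
import os

# Assumption: a representative set of extensions Windows launches on double-click.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Extensions a user expects on a downloaded clip or picture.
MEDIA_EXTS = {".mpg", ".mpeg", ".avi", ".mov", ".asf", ".wmv", ".jpg", ".jpeg", ".gif"}


def split_exts(filename):
    """Return (stem, inner_ext, final_ext) lower-cased, tolerating padding such as
    'clip.mpg      .exe' where spaces push the real extension out of view."""
    root, final = os.path.splitext(filename.strip())
    root = root.rstrip(" .")
    stem, inner = os.path.splitext(root)
    return stem, inner.lower(), final.lower()


def explorer_display_name(filename):
    """Approximate Explorer's default 'Hide file extensions for known file types':
    only the last extension is dropped, so 'foo.mov.exe' is shown as 'foo.mov'.
    'Known' here means the two sets above (an approximation)."""
    stem, inner, final = split_exts(filename)
    if final in EXECUTABLE_EXTS or final in MEDIA_EXTS:
        return stem + inner
    return filename


def classify(filename):
    """Verdict for one attachment name, based on the real (final) extension."""
    stem, inner, final = split_exts(filename)
    if final in EXECUTABLE_EXTS:
        if inner in MEDIA_EXTS:
            return "executable masquerading as media"
        return "executable"
    if final in MEDIA_EXTS:
        return "media"
    return "other"


def audit(filenames):
    """(name, what the user sees, verdict) for every name that really is executable."""
    findings = []
    for name in filenames:
        verdict = classify(name)
        if verdict.startswith("executable"):
            findings.append((name, explorer_display_name(name), verdict))
    return findings


# Constructed sample listing (made-up names, not real malware) mixing the patterns in the thread.
SAMPLE_NAMES = [
    "pornmovie.mpg.exe",
    "trailer.AVI.EXE",
    "clip.mpg          .exe",
    "holiday.mov",
    "setup.exe",
    "notes.txt",
]

if __name__ == "__main__":
    for name, shown, verdict in audit(SAMPLE_NAMES):
        print(f"{name!r:28} shown as {shown!r:20} -> {verdict}")
```

Run against a mail spool or download directory listing, the only names worth a second look are the ones whose verdict differs from what the display name suggests; the icon embedded in the executable (which other posters mention) is not consulted at all, which is the point.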
  • Your statistics sound like you pasted them from some NRA info pamphlet. I notice that you didn't include statistics of suicide-by-firearms, which by the statistics @ http://www.suicidology.org/suicide_statistics.htm, account for 43,240 deaths in 1997 alone.

    I will grant that a big chunk of those people committing suicide by firearm would most likely have found another way of killing themselves if the firearm had not been available, however the fact that you did not include their deaths in your "statistics" makes your argument considerably less persuasive.

    BTW, I'm hardly an activist either way - I regard widespread gun use as the result of a "prisoner's dilemma"-type situation: I think the world would be better off if NO ONE had the ability to kill each other easily, but the moment at least one entity gains that ability, then the other members of the society will have to figure out how to nullify that power, either by defense (try to get back to no one having ability to kill each other easily) or offense (mutual assured destruction), in order to prevent that 1st entity from dominating the society. Unfortunately, game theory indicates that trends will tend toward the MAD scenario - and if everyone else has a gun, I certainly don't want to be the only person w/o one.

    I definitely know that I don't like BS, and your post smells of well-polished BS.
  • http://download.cnet.com/downloads/0-10040-100-886616.html?tag=st.dl.10040_106_16.lst.td [cnet.com]

    "Professional Minesweeper is the BEST product ever. really."

    Gonzo... please... say it ain't so!
  • by Steepe ( 114037 ) on Friday June 09, 2000 @05:03AM (#1014399) Homepage
    Sure..
    do a find for
    ???????.exe
    and
    ????????.exe
  • by shippo ( 166521 ) on Friday June 09, 2000 @03:35AM (#1014405)
    Two months ago or so I saw on usenet a Windows .EXE of dubious content masquerading as both .AVI and .MPG files.

    They used the usual trick of naming the .EXE something like foo.AVI.EXE, and made sure that the embedded icon colour matched that of the associated fake file type.

    I dumped the file using 'strings', and it appeared to generate a fake error message regarding a missing codec, as well as a registry key to autorun a program at boot. I presume this trojan contained this code.
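The triage this poster and the "blahblah.exe" poster above both did by hand (run `strings` over the binary, look for a fake codec error, an autorun registry key and IRC command verbs) can be scripted. The following is an added example, not the posters' code and not the real trojan: the byte blob is constructed here to stand in for such a file, and the indicator categories and patterns are this example's own choices.

```python
import re

# Constructed stand-in for the kind of executable the post describes, not the real file:
# a few printable strings buried in non-printable filler.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"This program cannot be run in DOS mode.\r\n$\x00\x00\x01\x02"
    b"Error: video codec not installed, clip cannot be played\x00\x00\x05"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00"
    b"NICK \x00JOIN #\x00PRIVMSG \x00\x00"
    b"6667\x007000\x00ab\x00"
)


def strings(data, min_len=4):
    """Python equivalent of `strings -n 4`: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# What each extracted string is checked against; the category names are this example's labels.
INDICATORS = {
    "persistence": re.compile(r"CurrentVersion\\Run(Once|Services)?\b", re.IGNORECASE),
    "decoy_error": re.compile(r"codec|cannot be played|not installed", re.IGNORECASE),
    "irc_protocol": re.compile(r"^(NICK|USER|JOIN|PRIVMSG)\b"),
}


def is_irc_port(s):
    """Bare numbers in the range IRC servers usually listen on (6660-7000)."""
    return s.isdigit() and 6660 <= int(s) <= 7000


def scan_for_indicators(data):
    """Group the strings found in `data` by indicator category; empty categories are omitted."""
    report = {}
    for s in strings(data):
        for category, pattern in INDICATORS.items():
            if pattern.search(s):
                report.setdefault(category, []).append(s)
        if is_irc_port(s):
            report.setdefault("irc_port", []).append(s)
    return report


def is_suspicious(report):
    """Autorun persistence combined with a decoy error message or IRC command verbs is
    the combination the post describes; either half alone is common in benign software."""
    return "persistence" in report and ("decoy_error" in report or "irc_protocol" in report)


if __name__ == "__main__":
    report = scan_for_indicators(SAMPLE_BINARY)
    for category, hits in report.items():
        print(f"{category:13} {hits}")
    print("suspicious:", is_suspicious(report))
```

Strings-based triage only works while the author leaves them in the clear; the other poster's note that the .ini contents were encrypted is the usual counter, so treat a hit as a reason to look closer, not a verdict.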

  • > Actually, Windows in a bid to look a little more like a Mac now actually HIDES the file extensions on a default setup.

    Man. And I always thought mere hidden files were an insult to my intelligence.

    --
  • by akey ( 29718 ) on Friday June 09, 2000 @03:36AM (#1014408)
    A quick check of the Network Security Technologies [netsec.net] website has a bit more info than the CNN article. Read their advisory here [netsec.net]. Apparently, the Serbian Badman Trojan (as they're calling it) is using an IRC channel to report the compromised IP address, and then starts listening on a port -- this is why they think it could presumably be used for a DDoS attack.

    ---
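Both this post and the earlier one asking "what's to stop us listening on the channel as well" come down to the same first step: sit in the channel and harvest the IP:port pairs the infected machines announce. The following is an added example, not code from the advisory or from any poster; the IRC lines are constructed (RFC 1918 addresses, made-up nicks) in the shape such a beacon would take, and the message format is this example's assumption since the page does not reproduce the real one.

```python
import re

# Constructed channel traffic, not a capture of the real channel.
SAMPLE_LOG = [
    ":bot7f3a!u@10.0.5.17 PRIVMSG #clips :online 10.0.5.17 port 1243",
    ":bot91c0!u@10.0.5.18 PRIVMSG #clips :10.0.5.18:1243 ready",
    ":alice!a@host.example PRIVMSG #clips :anyone seen the new trailer?",
    ":bot2ee1!u@10.0.5.19 PRIVMSG #clips :online 10.0.5.999 port 1243",
    ":bot7f3a!u@10.0.5.17 PRIVMSG #clips :online 10.0.5.17 port 1243",
    "PING :irc.example.net",
]

# RFC 1459 channel message: ":nick!user@host PRIVMSG #target :text"
PRIVMSG = re.compile(r"^:(?P<nick>[^!\s]+)!\S+\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Either "port 1243" or the "ip:1243" form.
PORT = re.compile(r"(?:\bport\s*|:)(\d{1,5})\b", re.IGNORECASE)


def valid_ipv4(addr):
    return all(0 <= int(octet) <= 255 for octet in addr.split("."))


def parse_beacon(line):
    """(nick, ip, port) if the line is a channel message advertising a listener, else None.
    Server messages, ordinary chat and malformed addresses are all rejected."""
    m = PRIVMSG.match(line)
    if not m:
        return None
    text = m.group("text")
    ips = [ip for ip in IPV4.findall(text) if valid_ipv4(ip)]
    ports = [int(p) for p in PORT.findall(text) if 0 < int(p) < 65536]
    if not ips or not ports:
        return None
    return m.group("nick"), ips[0], ports[0]


def collect_beacons(lines):
    """Map advertised IP -> (port, nick); repeat announcements collapse to one entry."""
    beacons = {}
    for line in lines:
        hit = parse_beacon(line)
        if hit:
            nick, ip, port = hit
            beacons[ip] = (port, nick)
    return beacons


if __name__ == "__main__":
    for ip, (port, nick) in sorted(collect_beacons(SAMPLE_LOG).items()):
        print(f"{nick:10} {ip}:{port}")
```

What to do with the list is the part the earlier poster calls an ethical question; handing it to the affected ISPs' abuse desks needs no answer to "does it authenticate its commands", whereas connecting to the ports yourself does.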
  • We're finally reaching a point in technology where the line between techno-savvy administrator and computer end-user is being blurred - not in terms of their knowledge (that's wider than ever) - but in terms of what they are setting up and runnning.

    With tools like MS internet connection sharing and cheap networking cable, clueless users are now capable of setting up (almost setting up?) ethernet networks from the comfort of their recliners. Of course, this added ability does nothing to impart new information to the users.

    It is possible to set up secure MS networks (this is what I do...) but it's not easy, especially when the default settings for so many things are open access to everyone. Unless MS changes the settings (not very likely from what I've seen) or someone comes up with an easy and well publicized way for users to set up at least moderate security, these things will only continue to grow.

    Actually, one other thing that could help is for the ISPs to use short lease DHCP and keep everyone's IP address changing. That would at least make things a little more difficult for crackers.

    I've helped check and set up connections for my friends and found that more than a few of them had permitted open file sharing with their computers when all they wanted to do was share a printer.

    Oh, and for people who think this is just a MS problem so linux users don't have to worry, if they get enough computers, they can start attacking backbone segments. Then everyone gets shut out.

  • Great. Somebody is getting set to collect massive amounts of information from a gazillion PCs and install remote-control software, letting them do essentially anything.

    And the only threat that folks see is DDOS? Get real. Denial of service is about as exciting and useful as a traffic jam.

    Some crackers with a bit of subtlety could clean up. Let's see, we could:

    • Steal everybody's Quicken/TurboTax files and start cleaning out bank accounts
    • Scan for interesting trade secrets/blackmail info
    • Plant kiddie porn on people we don't like
    • Get in interactively and make some subtle changes in documents/spreadsheets/databases
    • Periodically ping a website to jack up the hit counters.

    I'm sure just about any /. poster could come up with enough "interesting" ideas to keep the nice people at the Justice Department awake for a long time.


  • The Diablo 2 preview movie "trailer" that came out about a year ago was an .exe file; it had the movie and an "internal viewer" all rolled up in one so the user didn't have to download a video player...

    They double clicked on it, it loaded the internal viewer and then loaded the internal movie.

    Then again, I got the file from http://www.blizzard.com and trusted it; if someone named "Bob" just emailed it to me in a chain letter I wouldn't be so quick to run it. That and I would flame "Bob" for sending large data/programs over email...
  • What technical reasons do they have for feeling that its purpose is going to be a DDoS?

    Did you read the article? It says the crackers have already given it a test run.


    ========
  • Make a DOOM patch that lets you watch for excessive ICMP packets (in the form of those annoying yellow flying fireballs), and get your little brother in the server room 24/7! He'll have a ball!
  • Remember that in Windows, you can select an icon for an EXE file when you build one. So you can select the standard Windows Media Player MPG icon (or something similar) and Joe User won't know the difference.
  • It would seem that the wonderful (patented) file format MS ASF can contain script/executables of some kind. See this [linuxtoday.com] article in Linux Today.
  • Two step attack:

    1) Get modem and NIC manufacturers to modify the ports on their products so that they can eject a connecting wire under program control.

    2) Write a virus that does one thing and one thing only: Triggers the wire eject on the NIC and/or modem.

    This automatically removes virus-running morons from the 'net.

    ...you know, I wrote that in a (probably vain) attempt to be funny. But then I thought: you could actually do this. How about a virus that disabled Dialup Networking (yeah, yeah "it's called AOL 5.0")? Sure, they could just reinstall Windows, but maybe they'll learn something in the process.
    --
    Wanna hook MAPI clients to your Tru64/AIX/Linux server?
  • I don't think a manufacturer of widgets that resulted in 1 out of 3 people being injured (or say, hypnotized against their will)...

    ...Exceptions include: tobacco, guns, software... Why?


    Tobacco: It's not against their will. People freely choose to kill themselves with tobacco. If a critical mass of people decided to drink paint thinner, should it also be banned?

    Guns: I'm not going into a whole gun argument. The reason for gun ownership have been presented before and if you don't believe in gun ownership then I'm not going to preach to you. However, remember that those who want to keep guns, have them. Those who want to ban guns don't. Who do you think is going to get their way?

    Software: Like guns, can be used for good or evil. However, I doubt that 1 in three suffer any kind of injury (including financial) from their OS.

    Finkployd
  • This is the same thing as a couple of months ago where a company warned that keys could be found on a disk full of data. It made a Slashdot story somewhere, but since I have to go I won't look it up. NETSEC seems to want to get some high level attention. If you look at the data on this trojan on the Symantec site [symantec.com] you can see that it is not a big threat.

    Quite simply, these guys want your money and they created a media hype to get it. No reason to flip. And now I am off.

  • by Black Parrot ( 19622 ) on Friday June 09, 2000 @03:55AM (#1014445)
    The next one won't set up any DDoS clients. It will just wait until Monday, and then send all your cow-orkers a message saying "I sat around and watched porno movies on my computer all weekend!"

    Then, when the news reports that the new exploit does in fact send that message, and is in fact borne by a porno flick, everyone in your address book will know that it really is true.

    Heh heh heh. Maybe it will even count and report which scenes you replayed, and how many times.

    --
  • Of course, the first Trinoo and TFN clients ran on what OS? The insecure consumer OS from Redmond ... or the free-beer hacker OS from Finland?

    Just giving them Linux isn't going to solve the problem. You actually have to teach them how to implement security. Have you ever tried to teach your non-techie friends how to implement ... their e-mail program? "Click there ... no, no, THERE, no, you just shut the program down." Don't fool yourself. Not everybody is cut out to be a computer security expert.
    ----
  • I notice that you didn't include statistics of suicide-by-firearms, which by the statistics @ http://www.suicidology.org/suicide_statistics.htm, account for 43,240 deaths in 1997 alone.

    I discount that statistic for the simple reason that the CDC says there were only 30,535 total suicides that year, so how could 43,240 of them have been by firearm?

    Also, statistics on places that have outlawed firearms shows that the effect is nearly zero; better than 99% of those who want to commit suicide will find a way, whether they have a gun or not.

    But I see it as a freedom thing; if you want to commit suicide, who am I to say you aren't allowed to? And how is society worse off if you use a gun to do it than if you use pills or jump off a bridge?

    Actually, society is probably better off if we don't have to fish you out of a river or repair the damage you cause to the bus when it hits you.

    however the fact that you did not include their deaths in your "statistics" makes your argument considerably less persuasive.

    Then what does the fact that the statistics you quote are nonsensical mean for your argument?

    This is in fact typical of the anti-gun arguments; they quote easily-disproven numbers that are completely out of whack with reality, and conglomerate them into official-sounding foundations like Suicideology.org so that nobody will look too closely at where they come from. I got most of my numbers from the Centers for Disease Control and the National Safety Council. Some come from the Justice Department. Not only did I not go anywhere near the NRA's web page, but I'm not even a member. (Although I certainly appreciate the central role they've taken in reducing childhood gun accidents this century, and will undoubtedly join soon.)

    All of the places I got my numbers from are run by an anti-gun Democrat Executive Branch, so if the numbers are off they're probably off in your favor, and they *STILL* support my argument.

    My favorite tactic of the anti-gun folks is that whenever they quote numbers regarding children, they include everyone under 25!

    And they count everybody killed in World War I, World War II, Korea, Vietnam, etc. in their "total American deaths by firearms" numbers. That one's priceless, because it means that even if civilians couldn't own firearms and criminals didn't own them, the numbers would hardly change.

    And that brings us to the bottom line; gun laws only affect people who follow laws. Criminals by definition don't follow laws.

    That's why *EVERY* state that has passed "shall-issue" concealed carry laws has seen an immediate drop in violent crime, greater than the national average drop. All of them.

    Those statistics are from the Justice Department; check them out yourself.

    --
  • IT IS A HOAX

    The Register [theregister.co.uk] is reporting that this is a hoax.

    Yes, the video is a trojan -- but it is a known trojan and is not a DDoS threat.

    To summarize:
    ===========
    "NETSEC alerted the Internet community about BackDoor-G2 by calling it 'Serbian Badman Trojan (TSB Trojan)'. News stories suggest that the controlling Trojan which is downloaded is a new threat -- it is not. Although the Trojan known as "Downloader" is new, the file downloaded is a known Trojan."

    "In other words, NETSEC's discovery amounts to nothing more than a publicity stunt by an opportunistic security firm in quest of free advertising in the form of media attention."

    --
  • Two issues here, the time frame and the ability to script it.

    I was unable to script this setup because subseven uses a windows based gui. I was unable to find a command line version that did what I needed it to do. Basically, a command line version that would log in, remove the server, and log out would be great, but right now no such tool exists. In theory, I should have then been able to pass it to a for list with all my IPs I knew. Yes, it would have been nice, but cut and paste into the GUI was all I had the time for. I've spoken with people at Cert and NetSec and was told that something like this is in the works.

    The long time was because not all hosts are on at the same time. The bot net seemed mostly international. So at the time that people in Japan are turning their computers on, people in the UK are turning theirs off, etc. Hence, there was a constant flow of bots in and out of the channel. By grabbing the IP when they joined, I cut and pasted it to the subseven client program, and then removed the server. It was a REAL pain in the ass because the subseven server only allows IPs, not hostnames. Anyway, after around 8 hours of doing this, I felt that the botnet was permanently crippled, and left the rest. The guy is getting followed by several people, removing the rest of the clients.

    No, it wasn't the most elegant solution, and yes, it sucked. I should have packet sniffed the connections and recorded the output, so I could script the whole thing to automate it for this current botnet.

    --
    Gonzo Granzeau

  • In the CNN interview
    But if a stranger came into your house, looked through everything, touched several items, and left (after building a small, out of the way door to be sure he could easily enter again), would you consider that harmless?
    So let's continue the analogy. What if the builder of your house left a spare key to your house under the mat without telling you, but has been known by people in the industry to do this at every house he builds? Who would you be mad at? The person who got in without a challenge, or the person that gave him the opportunity?
  • With the extensions turned off, you're forced to rely on the icon to tell you what the file is...

    Hmmm... Doesn't Windows use icons in .exe files? (It's been a while since I was near a Windows box) If so, even looking at the icon is no guarantee that the file is actually what it claims to be.

  • It's funny, every time I use sarcasm, there is always one person who takes it seriously.

    Maybe I should include some kind of disclaimer in the sig from now on :)

    Finkployd

  • by jht ( 5006 ) on Friday June 09, 2000 @03:58AM (#1014478) Homepage Journal
    Good point. Though Windows has no security whatsoever, it'd be trivial for the cable companies and DSL providers to provide basic, network-level security for their users that could at least block most of these DDOS script kiddie tools from getting "go" signals.

    Ultimately, the responsibility falls on the user, but given the cluelessness of most home (and many office) users, and the inherent vulnerability of Windows, the network providers really need to step up and fill this gap soon.

    There's no reason why filtering couldn't be built into the cable modem (the same way many of them now block NetBIOS), and updated by central control at the head end to block new threats.

    That said, given that it's cable companies doing this, the login for administration would probably be:

    Login: admin
    Password: admin

    Scary, huh?

    - -Josh Turiel
  • by panda ( 10044 ) on Friday June 09, 2000 @03:58AM (#1014480) Homepage Journal
    According to previous reports, the trojan was posted in an adult chat room. You had to download it from a web site. It was called something like MySissy.mpg.exe. It is an executable file.

    If, like most Windoze users, you don't change the default settings on your file viewer and you open most files by double clicking on document files, then once you had downloaded this file it would appear to be an ordinary file with the name MySissy. When you double-clicked on it, it would execute. I've not actually seen it in operation, but if the hackers were smart, they would have made it look like an MPG movie viewer and actually had it play a few minutes of a porn flick while it also did its dirty work.

    Something like this is trivial to implement.
  • CNN also has a later version of the story [cnn.com] which reports Network Associates and Symantec assessing this as "low risk". CNN still don't name the files, but Symantec have some details under the name Serbian.Trojan [symantec.com], but not really clear on how to remove it. They say it is also known as "downloader" and Network Associates (McAfee) have more details [nai.com].
  • I discount that statistic for the simple reason that the CDC says there were only 30,535 total suicides that year, so how could 43,240 of them have been by firearm?

    I label myself idiot - I summed the entries in the suicide-by-firearm table @ http://www.suicidology.org w/o checking to see if they covered overlapping categories (which they do). Proper summation yields the 30,535 number you mentioned above.

    This is, of course, still ~30.5k more deaths due to firearms than you listed in your original message, a statistical modification which you conveniently dismiss as "their choice". You show a severe lack of understanding (or sympathy) on how depression can suppress critical thinking abilities & cause irrational behavior.

    Not only did I not go anywhere near the NRA's web page, but I'm not even a member. (Although I certainly appreciate the central role they've taken in reducing childhood gun accidents this century, and will undoubtedly join soon.)

    I certainly hope that, if there is no way to remove ALL guns from a society, then all gun-owners are thoroughly indoctrinated in safety. Unfortunately, that still doesn't remove the source of MY basic worry - as long as someone else has a gun, I have to worry about whether or not they're going to decide to shoot me (note that I don't distinguish between individuals or the "authorities" here). If they don't have a gun, then I don't have to worry about them shooting me - even if they're insane or really pissed off at me. All your statistics don't mean squat to me if you can't address that basic fear.

    My favorite tactic of the anti-gun folks is that whenever they quote numbers regarding children, they include everyone under 25!

    Children die when they get shot - why only include statistics for adults?

    And they count everybody killed in World War I, World War II, Korea, Vietnam, etc. in their "total American deaths by firearms" numbers. That one's priceless, because it means that even if civilians couldn't own firearms and criminals didn't own them, the numbers would hardly change.

    I don't think this was an issue with the statistics we were attempting to use (once I got my number right).

    And that brings us to the bottom line; gun laws only affect people who follow laws. Criminals by definition don't follow laws.

    Bullshit - if weapons were scarce, then even criminals wouldn't use them (since the criminals wouldn't have to worry about being shot, and since they would be damn expensive.) Since they aren't scarce (through the very diligent efforts of US arms manufacturers), to maintain a MAD (Mutual Assured Destruction)-type balance of power, suddenly EVERYONE needs to get a gun - and I no longer feel safe.

    That's why *EVERY* state that has passed "shall-issue" concealed carry laws has seen an immediate drop in violent crime, greater than the national average drop. All of them.

    Ah yes, the infamous correlation==causality argument - which is, of course, a classic logical fallacy.

    I doubt anything I can say is going to change your mind, and I don't think anyone is listening to us anymore, so I'm going to get back to work now.

  • Isn't that somewhat akin to leaving anthrax-filled candy on the street, and teaching people a lesson about eating food from untrusted sources? Hurting innocent users is not the best way to bring them out of their ignorance.
    Is it considered a criminal act under current law to deliberately run this program on your computer?

  • by iturbide ( 39881 ) on Friday June 09, 2000 @03:18AM (#1014505) Homepage
    Looks like the DOS attack was just dragged in for publicity's sake: "Once opened, the file infiltrates the computer, turns it into a "zombie" machine controlled by hackers. It can then be used to launch a denial-of-service assault."

    Yes of course. But then, it can also be used to launch solitaire. Sounds pretty upsetting to me.

    René

    This obviously is yet another example of taking advantage of that little check box that says "Hide MS-DOS file extension for types that are registered", which can be found on a Windows Explorer menu under View --> Options and clicking on the View tab. Once that is checked, the .exe extensions are "hidden" from the user and the only way they have of knowing what kind of file they see is by the icon they see, which can be changed to be whatever the originator of the file wants. Naturally, they see an icon typically associated with an AVI file and think "cool, a movie...I wonder what it is..." and click on it to watch without ever suspecting that it is in fact not a video clip, but an EXE file. Most Windows users don't even know about that checkbox and that it's usually checked for them by default. They just assume that the icon is true and run with it. Oh well...
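    The hidden-extension trick this post describes, as an added example (not code from the page or from any of the commenters): it simulates Explorer's "hide registered extensions" display rule with a constructed list of registered extensions, and flags names whose displayed form reads as media while the real last extension is executable. The extension sets are assumptions, not a dump of any real registry.

```python
"""Simulate the Windows "hide extensions for known file types" display rule
and flag filenames that use it to disguise an executable as a media clip.

Added example for this thread; not code from the page or from Microsoft.
The extension sets are constructed assumptions for the demo.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed assumption: extensions Explorer treats as "registered" and hides.
REGISTERED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs",
                         ".mpg", ".avi", ".mp3", ".jpg", ".txt", ".doc"}

# Extensions that run code when double-clicked (constructed subset).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}

# Extensions a user would read as "just a movie/picture/song".
MEDIA_EXTENSIONS = {".mpg", ".avi", ".mp3", ".jpg"}


def split_extension(name: str) -> Tuple[str, str]:
    """Return (stem, lowercase extension with the dot), or (name, '') if none.
    Only the LAST extension counts; that is what Windows uses to pick the
    handler, regardless of anything earlier in the name."""
    dot = name.rfind(".")
    if dot <= 0:  # no dot, or a leading dot such as ".bashrc"
        return name, ""
    return name[:dot], name[dot:].lower()


def displayed_name(name: str, hide_known: bool = True) -> str:
    """What the file list shows for a real filename under the given setting."""
    stem, ext = split_extension(name)
    if hide_known and ext in REGISTERED_EXTENSIONS:
        return stem
    return name


@dataclass
class Verdict:
    real_name: str
    shown_as: str
    runs_code: bool        # real (last) extension is executable
    looks_like_media: bool # the *displayed* name ends in a media extension

    @property
    def deceptive(self) -> bool:
        """True for the .mpg.exe pattern: runs code, but is shown as media."""
        return self.runs_code and self.looks_like_media


def assess(name: str, hide_known: bool = True) -> Verdict:
    """Compare what Windows would execute with what the user would see."""
    _, real_ext = split_extension(name)
    shown = displayed_name(name, hide_known)
    _, shown_ext = split_extension(shown)
    return Verdict(
        real_name=name,
        shown_as=shown,
        runs_code=real_ext in EXECUTABLE_EXTENSIONS,
        looks_like_media=shown_ext in MEDIA_EXTENSIONS,
    )


def find_disguised(names: List[str], hide_known: bool = True) -> List[str]:
    """Return the names from a download folder listing that are deceptive."""
    return [n for n in names if assess(n, hide_known).deceptive]


if __name__ == "__main__":
    # Constructed sample listing; the two .mpg.exe names are the ones reported
    # in this thread, the rest are ordinary files.
    listing = ["holiday.mpg", "MySissy.mpg.exe", "setup.exe",
               "QuickFlick.MPG.EXE", "notes.txt"]
    for n in listing:
        v = assess(n)
        print(f"{n:22} shown as {v.shown_as:18} deceptive={v.deceptive}")
    print("flagged with extensions hidden:", find_disguised(listing))
    print("flagged with extensions shown: ", find_disguised(listing, False))
```

    With the checkbox cleared the second call flags nothing, which is the point of the post: the deception only works because the real extension is hidden.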
  • People only see the convenience factor, not the dangers. It's the same reason that Win95/98 doesn't have a security model to speak of - that means increased complexity, and increased complexity means decreased convenience.

    The solution will involve multiple layers: improved security on the part of the operating system (no more immediate execution of mail attachments), improved configurations on the part of network providers (how to do this without strangling the two-way nature of the net is hard - I'd like to see people still be able to run servers from their bedroom), and improved education all around. I'm not hopeful.


    ...phil

    I know I've wasted countless hours watching forwarded e-mails. Does this count as a DoS? And if I send it to all my techie buddies am I causing a DDoS?

    Look out Superfriends-"Wassup"-Guy! The DOJ will be coming after YOU!

  • I guess, then, the question would be - for an "average" gun, how many people is it used to injure (either on purpose or accidentally) during the course of its lifetime?
  • The service providers really need to take some responsibility for these types of situations. The average user doesn't grok the concept that if they hook their computer directly up to a cable modem or DSL connection that they are inviting their computers to be messed with. There are ways to deal with this problem relatively inexpensively, but if people don't understand that there is a problem why would they look for a solution.

    I have a nice little cable router that does I.P. packet filtering and also doubles as a 4 port switch. It is made by Linksys and costs about $180. Hawking makes one that is just a router that costs in the $150 range. If the cable companies just told people they needed the hardware up front, people would buy or rent it and not complain...and be safer for it.
  • Home users are especially susceptible because they do not have up-to-date antivirus software

    That's the same kind of BS Micro$oft has been spewing about the ILOVEYOU virus. It doesn't matter at all if the antivirus software is up to date, although that is a great idea, it doesn't protect against any of the newest worms, virii or trojans. That's the problem with all the major companies, they feel like instead of taking the blame for stuff like this, they have to blame it on the user for "not having virus software up to date". What they need to do is find the security hole and patch it, not blame the clueless user.

  • by Pfhreakaz0id ( 82141 ) on Friday June 09, 2000 @04:09AM (#1014528)
    You should recommend to anyone (particularly not geeks) you hear is getting a DSL/Cable or any "always on" connection to go to www.zonelabs.com [zonelabs.com] and get ZoneAlarm. It's free (beer) and it's really easy to use and it will alert you anytime any program tries to get out to the internet (in very easy to understand terms: "Program XXX is trying to contact the internet, do you want to let it?" -- along with a check box not to be bugged by that program again). Plus it does the blocking job of incoming probes too. Not an industrial-strength firewall, but fine for home use. Plus, the new version has a nice "mailsafe" feature for vbscript trojans.
    ---
  • Trojans are among the hardest things for a firewall to defend against. Is it a trojan, or just a normal Internet application?

    Even personal firewalls that do intrusion detection have problems with trojan programs. Plus, you're at the mercy of the frequency of signature updates. Or run BO on port 5000, that throws some policy files off.

    I saw a neat firewall made by ZoneLabs that does application control (pops up a dialog when a program attempts to connect to the Internet), but that is much more user intrusive.

    Blocking all outgoing ports is an interesting idea but still problematic. A fun test I do on firewalls I test is playing with UDP port 53 (that's DNS). You can also send a DOS attack over port TCP 80, and even use valid http syntax too. The only other choice is bandwidth controlling, but even that won't help tremendously in a DDOS attack.

    Anyone have any good ideas of how to defend against DOS and trojans, incoming and outgoing? The current firewall model is flawed with its implementation. However, I can't think of any solutions, if there even is one.
  • Bullshit - if weapons were scarce, then even criminals wouldn't use them (since the criminals wouldn't have to worry about being shot, and since they would be damn expensive.)

    Then why is gun crime increasing in the UK, and decreasing in the US?

    --
    This kind of problem is bound to become more and more commonplace as DSL and cable (or more generally speaking, permanent and high speed connections) get democratized.
    I live in France and I am one of the first thousands of users who have had DSL and my linux firewall has been attacked several times by script kiddies, but the strong setup hasn't allowed anyone in.
    I remember an internet cable provider setting up its own firewall to protect its customers from nuke and stuff like that (and prevent them from sending any too) so that they don't have problems with their 24/7 connection.
    I guess the only solution would be that every home had its linux / freebsd box to act as a router, proxy (protecting kids from porn), and anti hack system.
    Hope everyone could be as lucky as I am...

    D.
  • by Tei'ehm Teuw ( 191740 ) on Friday June 09, 2000 @03:20AM (#1014537)
    Where's the beef? This sounds rather hoax-ish to me. I would believe that this could be done, but for all the press on radio and TV, someone would have come out with a real filename, or more information on what to look for if this was real. I have my doubts.
    if the builder of your house left a spare key to your house under the mat without telling you, but has been known by people in the industry to do this at every house he builds? Who would you be mad at? The person who got in without a challenge, or the person that gave him the opportunity.
    I don't know about being mad but I'd file a criminal complaint against the person who broke entry.

    And, I'd sue the pants off the builder for negligence (and whatever else a lawyer could throw at him).

    Oh, I almost forgot, since this post touched something related to the legal system I am required, as a good /. nerd, to add:

    IANAL
    Boy, do I hate I-A-N-A-L, as if we thought you were! (Sorry)
  • by finkployd ( 12902 ) on Friday June 09, 2000 @03:21AM (#1014541) Homepage
    This should be a wake up call for government intervention into the Internet. It's no longer a place of students and computer enthusiasts, it's a place of business. It needs to be protected from hackers, and there needs to be accountability. It's time to implement changes so that people can be traced and logged, encryption all has back doors that can be used against cyber terrorists, and we'll need to levy a tax on it to pay for this law enforcement.

    Or perhaps that is the point to this story.

    Finkployd
  • by cancerboy ( 121492 ) on Friday June 09, 2000 @03:21AM (#1014542)

    Actually MSNBC has a better story, including the reply from Network Associates that they think it's pretty much low risk.

    Also names the file which goes under two names

    QuickFlick.mpg.exe or MySissy.mpg.exe

  • Given the two possibilities:
    • The hacked machine will be used for remote solitaire.
    • The hacked machine will be used for a DDoS attack
    Which do you honestly think will be more likely?


    ...phil
    Hey, I've got ZoneAlarm 2. You do have to allow each application to access the internet, but after all your apps have been added, it's not much trouble. I get a few alerts, but I never understand the logfile. You can lock internet access while allowing selected applications to get through, and you can stop all internet access. Is there any movie/exe name I should watch for?
  • For those of you running Windows9x, you'll find that ZoneAlarm is a good firewall. Access Zone Labs [zonelabs.com] here.

    Also protects against .vbs worms, it claims. That, I'm not so sure about. But it does appear to be effective against a number of attacks, holes, etcetera.

    Absolutely essential for anyone with a 24/7 connect.

    --
  • by Garpenlov ( 34711 ) on Friday June 09, 2000 @04:20AM (#1014556) Homepage
    No, at least for me, it looks at the last one, and assigns an icon accordingly. Then, if the particular extension is not set to "Always Show Extension", then the extension is not displayed.

    That is true, for Explorer. However, in Outlook the icon displayed for a file is NOT dependent on the extension -- it's set by the person sending you the e-mail. (I get documents created in Word 2000 that have the Word 2000 icon depicting them -- despite the fact that I don't even have Office 2000 installed). Here's one way to do this:

    Open up Wordpad.

    Drag whatever file you want to send in there.

    Click on Edit ->Package Object ->Edit Package.

    Change the icon to whatever you want.

    Click Update, then close that window.

    Drag your new object into an email and send it.

    It's never as simple as it seems...
  • by Anonymous Coward
    If you wrote (or modified) yourself a video Codec, and then distributed a VERY FUNNY video clip encoded using that Codec, you could in theory lure people into downloading the codec and viewing the video clip with it...

    Question to those people who know this sort of thing...

    does Video 4 Windows allow you to embed Codec download information into your video clip?

    If it does, that may explain how a video clip (or any other streaming media requiring a codec) may be used as a virus transmission vector.

    Just a thought......

  • ABCNEWS.com did. They mentioned quickflick.mpg.exe and mysissy.mpg.exe. So if you are dumb enough to run a .exe like that....
  • by Draoi ( 99421 ) <draiochtNO@SPAMmac.com> on Friday June 09, 2000 @03:23AM (#1014566)
    Interesting quote from the NETSEC guy:

    "We're all hackers, in the traditional sense of the word," Waskelis said. "If we find something like this, we want to pick it apart and see what it's doing."
    They're finally getting their terminology right ...

    Pete C
  • People, like me, want to regulate gun ownership so we can know where they are sold, and to whom, and to bust those people who sell illegally, or unsafely/irresponsibly store their guns.

    I do as well, which is why I support ENFORCEMENT of the current laws. By following them, we will know every gun that is sold. More laws are not the answer, since criminals have no problem breaking the current ones.

    The few cases of disreputable gun dealers alone is enough to regulate this trade a little further

    It is currently one of the most regulated industries in the country. Since vehicular homicide is many times more likely than gun homicide, why do we not push for stricter vehicle laws first? Seems that would affect more people.

    The NRA uses more money to fight gun control laws than to offer free gun safety classes, something that I feel to be a requirement before owning any type of gun (the NRA's class is very good by the way).

    First up, I'm glad they do. I disagree with the NRA constantly, but I'm glad there is a "radical" group on the right to bring balance to the "radical" on the left who advocate making it illegal to own any kind of firearm.
    I also support mandatory "gun control" classes (I just like calling them that :)

    I don't have any kind of irrational fear that the Dog Pound is going to come knocking on my door to take away my dog.

    As stated earlier, there are plenty of people speaking out to have guns made illegal. Rosie O'Donnell being one of the more recent ones. She publicly claimed that all gun owners should be sent to jail. Then she had her bodyguard apply for a carry permit.

    As to the guns being bought in other states and brought into DC, if the guns are purchased without checking ID, that is currently illegal. Again, enforcement of EXISTING laws comes into play.

    Not to mention, protection is hardly a valid argument.

    Your arguments are valid. However I'd point out that anyone with proper training (which I support) would know that they need 5 minutes from waking to effectively deal with that kind of situation. They would also know to check all family members before investigating. The fact remains that accidental shootings (while unfortunate) are very rare, certainly not common enough to disarm a public. Cars should be banned before guns, they do much more damage and killing.

    All this said, I agree with your position on most of what you wrote. However, the polls I've seen state that some 65% want current laws better enforced before adding new laws.

    Finkployd

  • And yet this is the info found on symantec concerning the so-called Serbian.trojan.

    This trojan horse attempts to download a program file from the Internet and execute it. The intended program file is no longer available on the Internet, thus it currently poses no threat to users.

    This, in the context of the cnn report, I find to be a little bit creepy. And how the fsck do they know that the file is no longer available on the Internet? And then they go on,

    This trojan horse was originally posted to an adult Internet newsgroup on June 7, 2000. It was described as an adult movie file. However, it actually attempts to download the file http://www.lomag.net/~ryan1918/MySissy.mpg.exe from the Internet and launch it after it has been downloaded. It performs no other actions. The program file no longer exists at this Internet address, thus this trojan horse essentially does nothing and poses no threat to users.

  • Who's missing the sarcasm now?

    Nygard. He's the one who suggested that you missed mine. However, it seemed that you were reacting to my sarcasm as though you believed I was serious and were countering with sarcasm of your own.

    Now my head hurts. :)

    Finkployd
