Massive DDoS Attack Brewing?
Quite a number of people wrote in with the news that CNN is reporting that a Back Orifice-like program masquerading as a movie clip is infecting thousands of computers worldwide. The prediction is that it's being set up for a DDoS - but the technical details are, shall we say, "sketchy".
I don't know, and chances are very few people know, but does the backdoor "phone home" to say it's ready and waiting?
:-)
Apparently it puts the IP address of the machine it's running on in an IRC channel somewhere, where I'm sure there's a bot gathering the info. Pretty smart way of avoiding being traced.
--
The link to the advisory on www.netsec.net is here, has more technical info than the cnn article.
--- Boox
It was a huge project, took me around 8 hours to do, and was a huge pain in the ass. Subseven is a damn scary trojan, only has limited flooding abilities, but it can gather a lot of information and can redirect most anything. This would allow a cracker to gather personal information, bounce a web request off of it to use a stolen credit card, or ping flood some IP.
I hope to god they manage to catch these guys and that they don't pay much attention to the news.. heh.. I'm betting they are just using Subseven to bounce off a client anyway, so their IP might be disguised. All I know is that 250 of these clients are no longer around because of me, and that makes me feel a little safer.
If anyone is involved in the clean up of these clients, please get in contact with me. I might be able to provide you with operational knowledge.
--
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
To prevent this DDoS from happening I think that everyone should start turning off their computers. Anyone that works at an ISP should go to the server rooms and shut everything off. Not only will this stop *this* DDoS right in its tracks, it will save power.
shutdown -h now damnit
Geoff
Why on earth do these sources always talk about 'computers' without being more specific? As if computer == 'a PC running DOS'. I smell a rat here (even though I'm sure CNN doesn't run their web servers under Mega$lob software, be that operating system-wise or application-wise).
Imagine the following press release:
REUTERS -- Somewhere.
A major car company has decided to issue a callback on one of their models. Under certain conditions a particular safety-critical part of the car might fail. Although the total cost of the recall is purported to be high, officials at the company were confident that it would not influence their quarterly results, due at some point.
Sure..
do a find for
???????.exe
and
????????.exe
Just three more hours seapeople and you can finally take me away from this crappy God Damned planet full of hippies
They used the usual trick of naming the .EXE something like foo.AVI.EXE, and made sure that the embedded icon colour matched that of the associated fake file type.
I dumped the file using 'strings', and it appeared to generate a fake error message regarding a missing codec, as well as a registry key to autorun a program at boot. I presume this trojan contained this code.
A quick check of the Network Security Technologies website has a bit more info than the CNN article. Read their advisory here. Apparently, the Serbian Badman Trojan (as they're calling it) is using an IRC channel to report the compromised IP address, and then starts listening on a port -- this is why they think it could presumably be used for a DDoS attack.
---
"Go Metallica. Die RIAA." -- Linus Torvalds
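The advisory summarised above describes two observable behaviours: the infected machine announces its address in an IRC channel and then opens a listening port. The script below is an added example (not code from the thread, CNN, or the netsec.net advisory) that correlates those two behaviours per host over a constructed connection log. The log format, the IRC port list, the five-minute window and all addresses are assumptions made up for the example.

```python
"""Correlate "phoned home over IRC, then opened a listener" per host.

Added example, not from the thread or the netsec.net advisory: the advisory
as summarised above says the trojan reports the infected machine's address
in an IRC channel and then starts listening on a port. This walks a
constructed connection log and flags hosts that show both behaviours within
a short window, which is the shape of signal a perimeter log or a host's
netstat snapshot would give a defender.
"""
import re
from datetime import datetime, timedelta

IRC_PORTS = {6666, 6667, 6668, 6669, 6697}   # assumption: common IRC ports
WINDOW = timedelta(minutes=5)                  # assumption: correlation window

# Constructed log format (not a real product's): "<iso-time> OUT src:port -> dst:port"
# for outbound flows and "<iso-time> LISTEN host:port" for new listening sockets.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:OUT\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)|LISTEN\s+(?P<host>[\d.]+):(?P<lport>\d+))$"
)


def parse_line(line):
    """Return a dict describing the event, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts"))
    if m.group("src"):
        return {"ts": ts, "kind": "out", "host": m.group("src"),
                "dst": m.group("dst"), "dport": int(m.group("dport"))}
    return {"ts": ts, "kind": "listen", "host": m.group("host"),
            "lport": int(m.group("lport"))}


def find_irc_then_listen(lines):
    """Hosts that connected out to an IRC port and, within WINDOW afterwards,
    opened a new listening socket. Returns (host, irc_server, listen_port) tuples."""
    last_irc = {}   # host -> (timestamp, irc server) of most recent IRC connect
    hits = []
    for event in filter(None, map(parse_line, lines)):
        host = event["host"]
        if event["kind"] == "out" and event["dport"] in IRC_PORTS:
            last_irc[host] = (event["ts"], event["dst"])
        elif event["kind"] == "listen" and host in last_irc:
            irc_ts, irc_server = last_irc[host]
            if timedelta(0) <= event["ts"] - irc_ts <= WINDOW:
                hits.append((host, irc_server, event["lport"]))
    return hits


# Constructed sample: 10.0.0.7 shows the pattern; 10.0.0.9 merely chats on IRC;
# 10.0.0.12 opens a listener with no IRC contact. Addresses are private and
# documentation ranges, port 5555 is an arbitrary placeholder.
SAMPLE_LOG = [
    "2000-06-09T20:01:05 OUT 10.0.0.7:1034 -> 192.0.2.10:6667",
    "2000-06-09T20:01:09 LISTEN 10.0.0.7:5555",
    "2000-06-09T20:02:30 OUT 10.0.0.9:1040 -> 192.0.2.10:6667",
    "2000-06-09T20:03:00 OUT 10.0.0.9:1041 -> 198.51.100.5:80",
    "2000-06-09T20:04:00 LISTEN 10.0.0.12:5555",
    "2000-06-09T20:20:00 LISTEN 10.0.0.9:5555",   # too long after the IRC connect
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for host, server, port in find_irc_then_listen(SAMPLE_LOG):
        print(f"{host}: reported via IRC server {server}, now listening on {port}")
```

The window matters: a user who idles on IRC for hours and later runs a legitimate server would otherwise match, so the rule only fires when the listener appears shortly after the IRC connect, which is the sequence the advisory describes.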
The next one won't set up any DDoS clients. It will just wait until Monday, and then send all your cow-orkers a message saying "I sat around and watched porno movies on my computer all weekend!"
Then, when the news reports that the new exploit does in fact send that message, and is in fact borne by a porno flick, everyone in your address book will know that it really is true.
Heh heh heh. Maybe it will even count and report which scenes you replayed, and how many times.
--
Sheesh, evil *and* a jerk. -- Jade
Good point. Though Windows has no security whatsoever, it'd be trivial for the cable companies and DSL providers to provide basic, network-level security for their users that could at least block most of these DDoS script kiddie tools from getting "go" signals.
Ultimately, the responsibility falls on the user, but given the cluelessness of most home (and many office) users, and the inherent vulnerability of Windows, the network providers really need to step up and fill this gap soon.
There's no reason why filtering couldn't be built into the cable modem (the same way many of them now block NetBIOS), and updated by central control at the head end to block new threats.
That said, given that it's cable companies doing this, the login for administration would probably be:
Login: admin
Password: admin
Scary, huh?
-- Josh Turiel
"2. Do not eat iPod Shuffle."
According to previous reports, the trojan was posted in an adult chat room. You had to download it from a web site. It was called something like MySissy.mpg.exe. It is an executable file.
If, like most Windoze users, you don't change the default settings on your file viewer and you open most files by double clicking on document files, then once you had downloaded this file it would appear to be an ordinary file with the name MySissy. When you double-clicked on it, it would execute. I've not actually seen it in operation, but if the hackers were smart, they would have made it look like an MPG movie viewer and actually had it play a few minutes of a porn flick while it also did its dirty work.
Something like this is trivial to implement.
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
Looks like the DoS attack was just dragged in for publicity's sake: "Once opened, the file infiltrates the computer, turns it into a "zombie" machine controlled by hackers. It can then be used to launch a denial-of-service assault."
Yes of course. But then, it can also be used to launch solitaire. Sounds pretty upsetting to me.
René
You should recommend to anyone (particularly not geeks) you hear is getting a DSL/Cable or any "always on" connection to go to www.zonelabs.com and get ZoneAlarm. It's free (beer) and it's really easy to use and it will alert you anytime any program tries to get out to the internet (in very easy to understand terms: "Program XXX is trying to contact the internet, do you want to let it?" -- along with a check box not to be bugged by that program again). Plus it does the blocking job of incoming probes too. Not an industrial strength firewall, but fine for home use. Plus, the new version has a nice "mailsafe" feature for vbscript trojans.
---
DO NOT DISTURB THE SE
Where's the beef? This sounds rather hoaxish to me. I would believe that this could be done, but for all the press on radio and TV, someone would have come out with a real filename, or more information on what to look for if this was real. I have my doubts.
This should be a wake up call for government intervention into the Internet. It's no longer a place of students and computer enthusiasts, it's a place of business. It needs to be protected from hackers, and there needs to be accountability. It's time to implement changes so that people can be traced and logged, encryption all has back doors that can be used against cyber terrorists, and we'll need to levy a tax on it to pay for this law enforcement.
Or perhaps that is the point to this story.
Finkployd
Actually MSNBC has a better story, including the reply from Network Associates that they think it's pretty much low risk.
Also names the file which goes under two names
QuickFlick.mpg.exe or MySissy.mpg.exe
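Both file names above, and the foo.AVI.EXE trick described earlier in the thread, rely on the same thing: with "hide extensions for known file types" on, Explorer drops only the final extension, so MySissy.mpg.exe renders as MySissy.mpg. The script below is an added example (not from the thread, MSNBC or the advisory) that flags such double-extension names on their own, without looking inside the binary. The extension sets are assumptions chosen for the example; extend them for your own environment.

```python
"""Flag file names that hide an executable behind a media/document extension.

Added example (not from the thread): the trojan under discussion was named
MySissy.mpg.exe / QuickFlick.mpg.exe, and one poster describes the general
foo.AVI.EXE trick. With "hide extensions for known file types" on, Explorer
shows only "MySissy.mpg", so the double extension is a useful detection
signal on its own, independent of the binary's contents.
"""
import os
from pathlib import PurePath

# Extensions Windows will run when double-clicked (assumption: a reasonable
# starting set; extend for your environment).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Extensions a user expects to be passive data (media / documents).
DECOY_EXTS = {".mpg", ".mpeg", ".avi", ".mov", ".jpg", ".jpeg", ".gif", ".png",
              ".txt", ".doc", ".pdf", ".mp3", ".wav"}


def displayed_name(name: str, hide_known_ext: bool = True) -> str:
    """Name as Explorer shows it when known extensions are hidden: only the
    final extension disappears, so 'MySissy.mpg.exe' renders as 'MySissy.mpg'.
    Assumption: only the extensions in the two sets above count as 'known'."""
    if not hide_known_ext:
        return name
    root, ext = os.path.splitext(name)
    return root if ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS else name


def is_disguised_executable(name: str) -> bool:
    """True when the real (last) extension is executable and the extension
    just before it is one a user would read as harmless media or a document."""
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DECOY_EXTS


def scan_names(names):
    """Return the subset of names that look like disguised executables."""
    return [n for n in names if is_disguised_executable(n)]


if __name__ == "__main__":
    # Constructed sample listing; the two trojan names come from the thread,
    # the rest are benign look-alikes made up for the example.
    sample = ["MySissy.mpg.exe", "QuickFlick.mpg.exe", "holiday.avi",
              "setup.exe", "notes.txt", "report.final.doc", "clip.AVI.EXE"]
    for n in sample:
        flag = "DISGUISED" if is_disguised_executable(n) else "ok"
        print(f"{displayed_name(n):24} (actual: {n}) -> {flag}")
```

Run over a download directory (for example `scan_names(os.listdir(path))`), this catches the naming trick regardless of what icon the executable embeds, which is the part of the disguise the earlier comment says was matched to the fake file type.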
No, at least for me, it looks at the last one, and assigns an icon accordingly. Then, if the particular extension is not set to "Always Show Extension", then the extension is not displayed.
That is true, for Explorer. However, in Outlook the icon displayed for a file is NOT dependent on the extension -- it's set by the person sending you the e-mail. (I get documents created in Word 2000 that have the Word 2000 icon depicting them -- despite the fact that I don't even have Office 2000 installed). Here's one way to do this:
Open up Wordpad.
Drag whatever file you want to send in there.
Click on Edit ->Package Object ->Edit Package.
Change the icon to whatever you want.
Click Update, then close that window.
Drag your new object into an email and send it.
It's never as simple as it seems...
--- Where's my X.400 protocol decoder?
They're finally getting their terminology right
Pete C
Alison
"It is a miracle that curiosity survives formal education." - Albert Einstein
This trojan horse attempts to download a program file from the Internet and execute it. The intended program file is no longer available on the Internet, thus it currently poses no threat to users.
This, in the context of the CNN report, I find to be a little bit creepy. And how the fsck do they know that the file is no longer available on the Internet? And then they go on,
This trojan horse was originally posted to an adult Internet newsgroup on June 7, 2000. It was described as an adult movie file. However, it actually attempts to download the file http://www.lomag.net/~ryan1918/MySissy.mpg.exe from the Internet and launch it after it has been downloaded. It performs no other actions. The program file no longer exists at this Internet address, thus this trojan horse essentially does nothing and poses no threat to users.
:wq