Slashdot Mirror


Massive DDoS Attack Brewing?

Quite a number of people wrote in with the news that CNN is reporting that a Back Orifice-like program masquerading as a movie clip is infecting thousands of computers worldwide. The prediction is that it's being set up for a DDoS - but the technical details are, shall we say, "sketchy".

9 of 252 comments

  1. Re:CNN ? by Booxbaum · · Score: 5

    The link to the advisory on www.netsec.net is here; it has more technical info than the CNN article.

    --
    --- Boox
  2. Killing of a subseven network... by GoNINzo · · Score: 4
    I recently killed around 250 nodes of a subseven network. Apparently, they thought my irc server would be a good harbor. They all used the same username, and they all used similar names. After I found the bots, I put a sniffer on the bot master, grabbed his password, and then used that to gather the ports and passwords of the bots. Then, I used the 'remove server' option of the server to remove the bots from the people's machines.

    It was a huge project, took me around 8 hours to do, and was a huge pain in the ass. Subseven is a damn scary trojan; it only has limited flooding abilities, but it can gather a lot of information and can redirect most anything. This would allow a cracker to gather personal information, bounce a web request off of it to use a stolen credit card, or ping flood some IP.

    I hope to god they manage to catch these guys and that they don't pay much attention to the news.. heh.. I'm betting they are just using subseven to bounce off a client anyway, so their IP might be disguised. All I know is that 250 of these clients are no longer around because of me, and that makes me feel a little safer.

    If anyone is involved in the clean up of these clients, please get in contact with me. I might be able to provide you with operational knowledge.

    --
    Gonzo Granzeau
    "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
  3. Stop it before it spreads by geoffeg · · Score: 5

    To prevent this DDoS from happening I think that everyone should start turning off their computers. Anyone that works at an ISP should go to the server rooms and shut everything off. Not only will this stop *this* DDoS right in its tracks, it will save power.

    shutdown -h now damnit
    Geoff

    1. Re:Stop it before it spreads by MrDelSarto · · Score: 5

      Don't worry; I've written a small vbs file that will send everyone in your address book a message informing them they may unwittingly be part of a DDoS attack ...

  4. Massive automobile recall by Megasphaera+Elsdenii · · Score: 4

    Why on earth do these sources always talk about 'computers' without being more specific? As if computer == 'a PC running DOS'. I smell a rat here (even though I'm sure CNN doesn't run their web servers under Mega$lob software, be that operating system-wise or application-wise).

    Imagine the following press release:

    REUTERS -- Somewhere.

    A major car company has decided to issue a callback on one of their models. Under certain conditions a particular safety-critical part of the car might fail. Although the total cost of the recall is purported to be high, officials at the company were confident that it would not influence their quarterly results, due at some point.

  5. Here's the beef by akey · · Score: 5

    A quick check of the Network Security Technologies website has a bit more info than the CNN article. Read their advisory here. Apparently, the Serbian Badman Trojan (as they're calling it) is using an IRC channel to report the compromised IP address, and then starts listening on a port -- this is why they think it could presumably be used for a DDoS attack.

    ---
    "Go Metallica. Die RIAA." -- Linus Torvalds
  6. tell 'em to run ZoneAlarm by Pfhreakaz0id · · Score: 4

    You should recommend to anyone (particularly non-geeks) you hear is getting a DSL/Cable or any "always on" connection to go to www.zonelabs.com and get ZoneAlarm. It's free (beer) and it's really easy to use and it will alert you anytime any program tries to get out to the internet (in very easy to understand terms: "Program XXX is trying to contact the internet, do you want to let it?" -- along with a check box not to be bugged by that program again). Plus it does the blocking job of incoming probes too. Not an industrial-strength firewall, but fine for home use. Plus, the new version has a nice "mailsafe" feature for vbscript trojans.
    ---

  7. Re:WTF? by cancerboy · · Score: 5

    Actually MSNBC has a better story, including the reply from Network Associates that they think it's pretty much low risk.

    Also names the file, which goes under two names:

    QuickFlick.mpg.exe or MySissy.mpg.exe
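
An added example, not part of the thread or of any advisory it links to: a Python check a mail or file gateway could use to flag attachment names like the two above, where a media or document extension is immediately followed by an executable one. The extension sets, the function names and every sample name other than the two from the comment are assumptions constructed for illustration.

```python
import unicodedata

# Assumed extension sets for this example; tune them to local policy.
DECOY_EXTS = {"mpg", "mpeg", "avi", "mov", "mp3", "wav",
              "jpg", "jpeg", "gif", "txt", "doc", "pdf"}
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "lnk"}


def normalize(name):
    """Reduce a path or attachment name to a comparable base name."""
    # Accept both path separators and keep only the final component.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Drop invisible format characters (Unicode category Cf, e.g. zero-width
    # space) that could be used to break up an extension.
    base = "".join(ch for ch in base if unicodedata.category(ch) != "Cf")
    # Windows ignores trailing dots and spaces when it resolves a file name.
    return base.rstrip(". ").lower()


def is_masquerading(name):
    """True when a decoy extension is directly followed by an executable one."""
    # Strip padding around each part: "clip.mpg      .scr" hides the real
    # extension past the edge of a narrow file-name column.
    parts = [p.strip() for p in normalize(name).split(".")]
    if len(parts) < 3:
        return False  # a single extension is not a disguise
    return parts[-1] in EXEC_EXTS and parts[-2] in DECOY_EXTS


def flag_names(names):
    """Return the subset of names that look like disguised executables."""
    return [n for n in names if is_masquerading(n)]


# The first two names come from the comment above; the rest are constructed.
SAMPLES = [
    "QuickFlick.mpg.exe",
    "MySissy.mpg.exe",
    "C:\\Temp\\QUICKFLICK.MPG.EXE. ",
    "clip.mpg          .scr",
    "holiday.mpg",
    "setup.exe",
    "notes.final.txt",
    "jquery.min.js",
]

if __name__ == "__main__":
    for hit in flag_names(SAMPLES):
        print("suspicious:", repr(hit))
```
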

  8. Interesting quote ... by Draoi · · Score: 5
    Interesting quote from the NETSEC guy:

    "We're all hackers, in the traditional sense of the word," Waskelis said. "If we find something like this, we want to pick it apart and see what it's doing."
    They're finally getting their terminology right ...

    Pete C
    --
    Alison

    "It is a miracle that curiosity survives formal education." - Albert Einstein