    As New Year nears, threat of Net attack program mounts
    By Stephen Shankland
    Staff Writer, CNET News.com
    December 23, 1999, 11:25 a.m. PT

    update A new and potentially more dangerous version of an Internet attack program has been posted just in time for the holidays, and another is on the way.

    A new version of a malicious program called the Tribe Flood Network (TFN) is more powerful and harder to detect than an earlier version, according to experts. And an updated sister program called Trinoo is due to be released next week.

    Few incidences of their use have been publicly acknowledged, but experts are warning sites to prepare against attacks that may coincide with New Year's. Widely anticipated problems owing to the Y2K computer glitch may provide cover for other mischief.

    The program works like this: A TFN attacker secretly embeds software into hundreds of computers. Then, at a selected time, a command is issued that prompts the infected computers to swamp a target Web site or server with messages in a method of attack called "denial of service." The program doesn't damage the "infected" computers or the target, but the sudden flood of messages typically knocks out the target system.

    Although it's possible for target computers to protect themselves by ignoring messages from attacking computers, it's hard to identify which computers are attacking--especially when there are hundreds. This fundamental vulnerability of networked computers makes protecting against denial-of-service attacks extremely difficult.

    It can be a vexing problem, as one victim reported.

    "I was hit for three solid days with over 1 megabyte per second of junk data from an attack like this," said Scott Thomas, an independent computer consultant whose network was hit. "There is nothing you can do but sit and take it."

    It's hard to find who the attackers really are and then discard or "filter" their messages, he said. "Sure, you can try to filter some of it, but it comes from so many places you spend hours just deciding what you should filter," Thomas said. He suspects he was targeted because a person on his network "annoyed a hacker in a chat room," he added.

    eToys, which has become embroiled in a legal dispute with a European art group called Etoy, was hit by a type of denial-of-service attack by people opposed to eToys' lawsuit. Organizations such as Rtmark helped to organize an attack that let people run software that inundated eToys' site with bogus Web page requests.

    Tribal warfare

    The existence of TFN was reported earlier this week. The new variant, called TFN2K, is potentially more dangerous in that it can enlist machines based on both the Windows NT and Unix operating systems to deliver the flood of messages, according to Gia Threatte of the Packet Storm Web site, which publishes security-related software so system administrators can protect against attacks and intrusions.

    TFN2K also adds the ability to act on a single command, a stealthier mode of operation than the previous version (which required the controller to send a password), and encrypts communications, making the infecting messages harder to detect, Threatte said.

    Further, TFN2K sends decoy information to throw hunters looking for the source off the scent.

    The purported author of the TFN family, who goes by the name "Mixter," sent a version of TFN2K to Packet Storm. Packet Storm said it also expects a new version of Trinoo from Mixter.

    With the new software being released now and the "2K" allusion to the new year in the name of the program, it appears that a computer attack could occur during the holidays.

    "I don't really think you're going to see any serious attacks using this until New Year's," Threatte said. On Jan. 1, though, people likely will try to "cause a little mischief," she said.

    Other security watchers concur. The consensus of a Year 2000 bug workshop at Carnegie Mellon University's Computer Emergency Response Team was that "it is possible that intrusion attempts, viruses and other attacks will be focused on the time around 01 January 2000 under cover of Y2K incidents," CERT said.

    CERT has warned, "We are receiving reports of intruders compromising machines and installing distributed systems used for launching packet-flooding denial-of-service attacks." CERT said that attackers generally gained unauthorized access to these computers through well-known weaknesses, reinforcing the message that system administrators must stay up-to-date on keeping their systems secure.

    Detection of attacks and their ultimate source isn't easy. Trinoo and the TFN family obscure the address of the actual attacker by hiding the person in control behind two layers of computers. The attacker lays the groundwork by breaking into several computers, installing master software on some and attack software on others. When it's time for the attack, a message is sent to the master computers, which in turn relay it to the drone computers that do the attacking by flooding the target with "packets" of information.

    Compromised computers that can be infected with the attack software have become a kind of currency, with attackers trading names and information about them over Internet Relay Chat (IRC) discussions, Threatte said.

    Threatte defended Packet Storm's philosophy of publishing attack software for all to see. "If we don't make it available, there's no way you can protect against these things," Threatte said. Sprint, for example, recently called upon Packet Storm's information to more quickly fend off an intruder.

    Other, more dangerous versions of distributed attack software are circulating, but Packet Storm doesn't have them, so they're harder to detect, Threatte said.

    Packet Storm, a five-person group based in Palo Alto, Calif., is no stranger to controversy. It's now owned by security consultants Kroll-O'Gara after being embroiled in a debate with its former home at Harvard University and hacker chronicle site AntiOnline.

    Threatte foresees a time when coordinated denial-of-service is more serious. "Distributed attack tools right now are kind of in their infancy," she said.

    New improvements could involve a self-replicating "worm" version that would automatically spread the attack software to new computers. After several generations of spreading, the worm could erase itself from the original computers used to launch the worm, severing ties with the true origin. The worms could monitor several sites on the Internet for a sign that triggers the time and target to attack.

    Related news stories
    • Former hacker site changes course, gets hacked August 9, 1999
    • Computer security teams brace for attacks December 20, 1999


    Copyright ©1995-1999 CNET, Inc. All rights reserved. Privacy policy.