[iwar] [fc:Beware.the.Pulsing.Zombies]

From: Fred Cohen (fc@all.net)
Date: 2001-09-28 16:09:50


To: iwar@onelist.com (Information Warfare Mailing List)

Beware the Pulsing Zombies
By John Leyden, The Register, 9/28/2001
http://www.theregister.co.uk/content/55/21930.html

Distributed denial of service attacks, one of the most difficult
security risks to guard against, could become even harder to detect with
the development of tools that turn agents on and off during an attack.
So-called 'pulsing zombies' (which sounds like something from the Night
of the Living Dead) will be difficult to detect as they will not always
be active, making the isolation and removal of malware from infected
machines even harder.

Also, users may not even notice they are subject to such an attack,
because it would result in service degradation, not outright failure.

Pulsing Zombies

Alexander Czarnowski, chief executive of Polish security firm Avnet,
told the Virus Bulletin Conference in Prague today that viruses that
drop pulsing zombies on vulnerable boxes can be expected as DDoS tools
evolve.
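The detection problem the article describes can be made concrete with a small detector over outbound traffic counters. The following is an added example, not code from the article or from Avnet: it builds a constructed 60-second series of per-host outbound packet counts (the host addresses, rates and thresholds are assumptions) and compares a naive average-rate alarm with a burst-aware classifier. The always-on flooder trips both; the pulsing agent keeps its average under the bar and only the burst-aware check sees it.

```python
"""Separating always-on DDoS agents from 'pulsing' ones in outbound traffic.

Added example, not part of the article. Input is a constructed per-second
record of outbound packet counts per host, the kind of series a flow
collector or host agent can produce. Hosts and thresholds are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Set


def build_sample() -> List[str]:
    """Constructed 60-second sample of 'host -> Internet' packet counts.

    10.0.0.5: ordinary workstation, 50 packets/s.
    10.0.0.6: classic always-on flooder, 2000 packets/s the whole time.
    10.0.0.7: pulsing agent, 3000 packets/s for 5 s out of every 20 s,
              nearly idle in between (average works out to 765 packets/s).
    """
    lines = []
    for t in range(60):
        lines.append(f"t={t} host=10.0.0.5 pkts=50")
        lines.append(f"t={t} host=10.0.0.6 pkts=2000")
        pulsing = 3000 if t % 20 < 5 else 20
        lines.append(f"t={t} host=10.0.0.7 pkts={pulsing}")
    return lines


def parse(lines: List[str]) -> Dict[str, List[int]]:
    """host -> per-second packet counts, in time order."""
    series: Dict[str, List[int]] = defaultdict(list)
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split())
        series[fields["host"]].append(int(fields["pkts"]))
    return dict(series)


def mean_rate_alerts(series: Dict[str, List[int]],
                     threshold_pps: float = 1000) -> Set[str]:
    """Naive detector: flag hosts whose average rate over the window is high.

    A pulsing agent stays below this bar while still bursting hard.
    """
    return {h for h, s in series.items() if sum(s) / len(s) > threshold_pps}


def burst_runs(counts: List[int], burst_pps: int) -> int:
    """Number of separate 'on' periods (consecutive seconds above burst_pps)."""
    runs, prev_on = 0, False
    for c in counts:
        on = c > burst_pps
        if on and not prev_on:
            runs += 1
        prev_on = on
    return runs


def classify(series: Dict[str, List[int]], burst_pps: int = 1000,
             steady_fraction: float = 0.8) -> Dict[str, str]:
    """Burst-aware detector.

    'normal'  : never above burst_pps
    'steady'  : one on-period covering most of the window (classic zombie)
    'pulsing' : on-periods separated by quiet time (or one short burst)
    """
    verdict = {}
    for host, s in series.items():
        runs = burst_runs(s, burst_pps)
        on_fraction = sum(1 for c in s if c > burst_pps) / len(s)
        if runs == 0:
            verdict[host] = "normal"
        elif runs == 1 and on_fraction >= steady_fraction:
            verdict[host] = "steady"
        else:
            verdict[host] = "pulsing"
    return verdict


if __name__ == "__main__":
    series = parse(build_sample())
    print("mean-rate alerts:", sorted(mean_rate_alerts(series)))
    print("burst classification:", classify(series))
```

The point of the comparison is that an alarm keyed to sustained throughput is exactly what an on/off agent is built to slip under; counting distinct bursts per host, rather than averaging, is the cheaper signal, and it is also the one that matches the "service degradation, not outright failure" symptom the article mentions.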

He singled out Doser, a Windows virus that carries a ping flood as its
payload, and the Sadmind worm, which affects Unix boxes, as examples of
the direction that virus writers are taking.  Email-borne worms could
come to be used in DDoS attacks too.

Intrusion detection systems (IDS), and egress filtering (to drop
outgoing packets with a false IP address) at the router level can help,
but are not a complete solution to the problem.  For one thing, IDS tools
can themselves become subject to DDoS attacks via tools such as Stick.
Czarnowski's presentation re-emphasised the importance of detecting DDoS
components on hosts because just a few compromised boxes, carrying
agents that bounce attacks off reflector servers to disguise their
origin, can have a disproportionately large effect.
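Egress filtering as the article describes it is simple to state: a packet leaving the site whose source address is not one the site owns must be forged, and is dropped. The following is an added example, not code from the article: it applies that rule to a constructed set of packets seen at a border router (the site prefix 203.0.113.0/24, the interface names and the addresses are all assumptions, drawn from documentation ranges). Two of the dropped packets carry an outside address as source and are aimed at other outside hosts, the shape of traffic an agent sends through a reflector; the filter stops them, and grouping drops by ingress interface points back at the segment that holds the compromised box, which the forged source address cannot.

```python
"""Egress filtering at the site border, as the article recommends.

Added example, not part of the article. Packets are constructed records in
'key=value' form giving the border router's ingress interface, source and
destination address and protocol; the site prefix (203.0.113.0/24, a
documentation range) and interface names are assumptions.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Address space the site is allocated; any other source address leaving the
# border must be forged (or mis-routed) and is dropped.
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample of packets arriving at the border router from inside.
# eth2 carries two ICMP packets whose source is an outside address
# (198.51.100.9) and whose destinations are other outside hosts: the
# reflectors' replies would go to the forged source, not back here.
SAMPLE_PACKETS = [
    "iface=eth1 src=203.0.113.20 dst=198.51.100.5 proto=tcp",
    "iface=eth1 src=203.0.113.21 dst=198.51.100.53 proto=udp",
    "iface=eth2 src=198.51.100.9 dst=192.0.2.80 proto=icmp",
    "iface=eth2 src=198.51.100.9 dst=192.0.2.81 proto=icmp",
    "iface=eth2 src=10.9.9.9 dst=192.0.2.1 proto=udp",
]


def parse_packet(line: str) -> Dict[str, object]:
    """Turn one 'key=value ...' record into a dict with parsed addresses."""
    fields = dict(f.split("=", 1) for f in line.split())
    return {
        "iface": fields["iface"],
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "proto": fields["proto"],
    }


def egress_filter(lines: List[str],
                  site_prefixes=SITE_PREFIXES) -> Tuple[List[dict], List[dict]]:
    """Forward packets whose source lies in the site's prefixes; drop the rest."""
    forwarded, dropped = [], []
    for line in lines:
        pkt = parse_packet(line)
        if any(pkt["src"] in net for net in site_prefixes):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
    return forwarded, dropped


def drops_by_iface(dropped: List[dict]) -> Counter:
    """A forged source says nothing about the sender, but the ingress
    interface does: it narrows the hunt for the agent to one segment."""
    return Counter(p["iface"] for p in dropped)


if __name__ == "__main__":
    fwd, drp = egress_filter(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drp)}")
    print("drops by ingress interface:", dict(drops_by_iface(drp)))
```

On a real router the same rule is one access list on the outbound interface; the value of keeping the drop counters per inside interface is that they turn the filter into a host-detection signal, which is the emphasis of Czarnowski's talk.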

The possible emergence of 'pulsing zombies' makes disinfection more
important than ever, especially since there's little sign (or hope) of a
complete solution to DDoS attacks.  ®



------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:51 PDT