[iwar] [fc:How.hack.attacks.are.getting.smarter--and.harder.to.stop]

From: Fred Cohen (fc@all.net)
Date: 2001-11-26 15:18:17


To: iwar@onelist.com (Information Warfare Mailing List)

How hack attacks are getting smarter--and harder to stop

By Robert Vamosi, AnchorDesk, 11/26/2001
http://dailynews.yahoo.com/h/zd/20011121/tc/how_hack_attacks_are_getting_smarter--and_harder_to_stop_1.html

Last month, without much fanfare, Carnegie Mellon University's CERT
Coordination Center released a white paper on current trends in
denial-of-service (DoS) attacks. While much of the report merely
chronicles the alerts and warnings the organization has published over
the last two years, a few pages toward the end--where the authors point
out new tactics taken by malicious users--are downright troubling.

For those of you who don't know, a DoS attack is an event that prevents
users from accessing a Web site. It is often the result of hundreds of
computers overwhelming that site with bogus traffic.

THE WHITE PAPER, written by CERT's Kevin J. Houle and George M. Weaver,
as well as Neil Long and Rob Thomas, found that the means necessary to
enlist computers (commonly known as "zombies") in this sort of attack
has changed. Whereas DoS attacks used to result from the manual
insertion of code via a Trojan horse into the targeted computer, now
they are the result of autonomous network worms.

The authors found that central source-based network worms like Lion,
which transfer hostile code via http, ftp, or rpc directly to the
infected computer from a central source, are on the decline. Meanwhile,
two other types of worms are on the rise: back-chaining worms like
Ramen, which infect computers by connecting to a central source, and
then transferring the DoS tools to the target systems; and the more
sinister autonomous worms like Code Red, which pass the DoS code
directly from victim to victim, allowing much faster infection and less
opportunity for detection.
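To make the speed and choke-point differences between the three worm types concrete, here is a toy propagation model added for this page; it is not from the article or the CERT paper, and the population size, scan rate and server capacity are constructed assumptions chosen only to make the comparison visible.

```python
"""Toy model of the three DoS-tool distribution mechanisms named in
the CERT paper. Added illustration; all parameters are constructed
assumptions, not measurements from the report."""


def simulate(kind, population=10_000, seed_hosts=1, scan_rate=2,
             source_capacity=50, source_down_at=None, max_steps=500):
    """Return (steps until every host is infected or None if the worm
    stalls, infection curve).

    kind:
      'central'    - hostile code is pushed from one central server, so
                     new infections per step are capped by its capacity.
      'back-chain' - victims scan on their own, but each new victim must
                     pull the payload from the central server, so the
                     cap still applies and the server is a choke point.
      'autonomous' - victims pass the code directly to each other (Code
                     Red style); only the pool of uninfected hosts
                     limits growth.
    source_down_at: step at which a defender takes the central server
                    offline (None = never). Has no effect on 'autonomous'.
    """
    infected = seed_hosts
    curve = [infected]
    for step in range(1, max_steps + 1):
        susceptible = population - infected
        source_up = source_down_at is None or step < source_down_at
        # constructed assumption: each victim locates about scan_rate
        # new vulnerable hosts per step, scaled by how many remain
        found = max(1, infected * scan_rate * susceptible // population)
        if kind == "central":
            new = source_capacity if source_up else 0
        elif kind == "back-chain":
            new = min(found, source_capacity) if source_up else 0
        elif kind == "autonomous":
            new = found
        else:
            raise ValueError(f"unknown kind: {kind}")
        new = min(new, susceptible)
        if new == 0:  # stalled: the only distribution point is gone
            return None, curve
        infected += new
        curve.append(infected)
        if infected == population:
            return step, curve
    return None, curve
```

Removing the central server at step 3 halts the first two kinds entirely but leaves the autonomous worm untouched, which is the detection-and-containment point the paragraph above is making.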

The authors also noted that the zombies involved in recent attacks were
less likely to be Unix or Linux machines. Malicious users now favor
Windows-based machines, which are co-opted via blind targeting, when
malicious users randomly attack all systems running an OS such as
Windows, or selective targeting, when malicious users choose to attack a
specific block of IP addresses.

MALICIOUS USERS ARE also starting to target network routers--devices
that transfer data between local area networks. Unlike personal
computers, routers do not benefit from security policies or monitoring
technology. Routers also do not care what data they handle, only where
it is going. Because routers are the linchpins of larger networks, there
is real concern that future, targeted DoS attacks on such routers could
disrupt the Internet by isolating whole sections. The effect of shutting
down a network router would be like closing a vital freeway between two
large cities during rush hour.

I found the authors' "time-to-exploit is shrinking" argument compelling.
The reason attacks are happening more quickly has to do with the fact
that intruder exploit tools--software that helps malicious users take
advantage of computer vulnerabilities--are not as widely available on
the Web as they once were. It used to be that you could find them on
hacker sites without too much trouble. Also, the tools are now equipped
with anti-forensics features that make reverse engineering much harder.
This means it takes longer for a software vendor to create a workaround
or fix when a new vulnerability is discovered.

The authors also found that malicious users are now turning to Internet
Relay Chat (IRC) to help plan their DoS attacks and set up networks to
carry them out. Because there are so many messages being sent over IRC,
communications sent by malicious users and the machines they have
infected go unnoticed. Better yet, IRC servers keep logs, so the
malicious user can easily keep track of all the compromised machines in
the DoS network he is creating.

I FOUND ONE OBSERVATION missing from the report: that the original
targets of the Code Red worm didn't always suffer an outage. Rather, it
was the intense Web traffic produced by these worms that caused local
DoS attacks on random sites. Given the success of this scattershot
approach, I think in the future malicious users might settle for
widespread local DoS attacks, as opposed to targeting high-profile sites
such as www.whitehouse.gov.


------------------
http://all.net/ 


This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST