Tuesday May 02 10:00 AM EDT Expert warns of powerful new hacker tool

By Stephen Shankland, CNET News.com A potent new software tool has emerged for launching attacks similar to, but more lethal than, the ones that took down Yahoo and other major Web sites in February.

The new tool, called "Mstream," joins Trinoo, TFN2K, Stacheldraht, Shaft and other programs made to launch "distributed denial of service" (DDoS) attacks.

In a DDoS attack, a programmer secretly embeds software into hundreds or thousands of computers. At a designated command or time, infected host computers send messages to a target computer. The volume of messages arriving over the Internet effectively knocks out the target server, making the Web site inaccessible to other Net surfers.

Although Mstream apparently is still in the early stages of development, the core attack engine is more powerful than the existing attack software tools, said Dave Dittrich, a University of Washington computer administrator who helped in an analysis of Mstream.

One side effect of the new program is that it potentially can complete a successful attack using fewer computers than did earlier tools. The software "will be disruptive to the victim...even with an attack network consisting of only a handful of agents," Dittrich said.

The new software is the latest episode in an ongoing battle between the programmers who continually create more powerful versions of attack tools and the companies and law enforcement officials trying to stay a step ahead.

DDoS attacks have waned since a series of high-profile assaults in February, but they have not ceased. AboveNet was attacked last week, for example.

A Canadian teenager has been arrested in connection with an attack on CNN's Web site, but it's not clear whether he was involved in the similar attacks that brought down the FBI's Web site, Yahoo, Amazon.com, eBay, Buy.com, E*Trade and Datek Online.

Often, the person launching an attack and the programmer who invented the software are not associated. Instead, programmers often develop these tools and then post them on the Web.

Mstream can hurt not only the target computer but also the network of attacking host computers. At root is a protective technique called "egress filtering," in which the computers try to discard the packets sent in the attack. But egress filtering itself can burden the network equipment of the attacking computer's Internet site.

"The lesson here is that there is no 'quick fix' to DDoS in the form of simple technical filtering solutions," Dittrich said.

Dittrich based his analysis on a copy of Mstream found running on a Linux computer at a major university in late April, Dittrich said. The computer was attacking more than 12 Web sites at the time, he said.

Mstream is "in early development stages, with numerous bugs and an incomplete feature set compared with any of the other listed tools," Dittrich said.

Dittrich, the victim of a 1999 DDoS attack, said he discovered Mstream two weeks ago. He was prompted to post his analysis earlier than planned because an anonymous person posted the 987-line program to the Bugtraq computer security mailing list Saturday

http://dailynews.yahoo.com/h/cn/20000502/tc/expert_warns_of_powerful_new_hacker_tool_6.html

-- Martin Thompson (mthom1927@aol.com), May 02, 2000