Trojan Variant Threatens Rash Of DoS Attacks

Technology News

(10/10/00, 5:01 p.m. ET) By George V. Hulme, InformationWeek

Internet Security Systems Inc. says it has discovered more than 800 computers infected with the SubSeven DEFCON8 2.1 back door.

Because the Trojan horse is spreading rapidly and has the potential for widespread damage, the Atlanta security firm rates this threat a 4, with a 5 being the most dangerous.

The Trojan has been distributed on Usenet newsgroups with various file names, including SexxxyMovie.mpeg.exe. According to the ISS research team, X-Force, hackers are using infected systems to test new distributed denial-of-service attack methods and strategies.

This program points to the growing use of back doors and distributed denial-of-service attacks by hackers.

Once a system is infected, DEFCON8 2.1 joins an Internet Relay Chat (IRC) channel on irc.icq.com to notify the attacker that a machine has been infected. According to X-Force, the password for the distributed server is acidphreak.

This version of SubSeven listens on port 16959, a nonstandard port that differs from previous versions of the SubSeven back door.

"Over the past couple of months, we have noticed a dramatic increase in the number of zombies waking on our systems," said a security manager at a large company who wished to remain anonymous. "Based on the activity we've seen here, I'm certain we're on the cusp of seeing another wave of attacks."

Earlier this year, several high-profile sites suffered major service interruptions because of similar attacks.

Chris Rouland, director of X-Force, agreed that more attacks are imminent -- possibly around the holiday season.

"This is a bellwether sign of the state of Internet security," he said, adding that distributed denial-of-service tool developers are becoming more sophisticated. "They've developed this so that it can't be detected by antivirus software. And we are seeing more of these Trojans take advantage of communications through IRC and use encryption to make them more difficult to detect."

http://www.techweb.com/wire/story/TWB20001010S0017

-- Martin Thompson (mthom1927@aol.com), October 10, 2000
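
A triage sketch built on the three indicators the article names (a listener on TCP port 16959, contact with irc.icq.com, and a file name such as SexxxyMovie.mpeg.exe). This is an added example, not part of the original post or of any ISS tooling. The netstat-style and DNS-log line formats, the extension lists and all sample data are assumptions constructed for illustration.

```python
import re

# Indicators taken from the article above.
SUBSEVEN_PORT = 16959
IRC_HOST = "irc.icq.com"
# Assumption: these extension lists are illustrative choices, not from the article.
EXEC_EXT = {"exe", "scr", "pif", "com", "bat"}
DECOY_EXT = {"mpeg", "mpg", "avi", "jpg", "gif", "txt", "doc", "mp3"}

# Matches Windows "netstat -an" style rows for listening TCP sockets.
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)

def listening_on_subseven_port(netstat_text):
    """Return local addresses that have a TCP listener on port 16959."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group(2)) == SUBSEVEN_PORT:
            hits.append(m.group(1))
    return hits

def hosts_querying_irc(dns_log_text):
    """Return client IPs that looked up the IRC host (assumed format: 'client qname')."""
    clients = set()
    for line in dns_log_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lower().rstrip(".") == IRC_HOST:
            clients.add(parts[0])
    return sorted(clients)

def is_disguised_executable(filename):
    """True for names like 'x.mpeg.exe': a decoy extension followed by an executable one."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DECOY_EXT and parts[2] in EXEC_EXT

# Constructed sample data (not real captures).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135      0.0.0.0:0    LISTENING
  TCP    0.0.0.0:16959    0.0.0.0:0    LISTENING
  TCP    10.0.0.5:1042    10.0.0.9:16959  ESTABLISHED
"""
SAMPLE_DNS = "10.0.0.5 irc.icq.com.\n10.0.0.7 www.example.com\n10.0.0.5 IRC.ICQ.COM\n"

if __name__ == "__main__":
    print(listening_on_subseven_port(SAMPLE_NETSTAT))
    print(hosts_querying_irc(SAMPLE_DNS))
    print(is_disguised_executable("SexxxyMovie.mpeg.exe"))
```

A hit on any single check is a lead for investigation rather than proof of infection; irc.icq.com and port 16959 can both appear for unrelated reasons.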