`Zombie' attacks blamed in new online outages

Posted at 7:00 p.m. PST Friday, Jan. 26, 2001

BY KRISTI HEIM AND ELISE ACKERMAN Mercury News

SAN JOSE, Calif. -- As hackers struck Microsoft Corp.'s popular Web sites again Friday, security experts said the Internet is increasingly vulnerable to attacks that affect millions of people and disrupt business. What's more, your own home computer might be launching the attacks.

The attack for a second straight day Friday is assumed to have been caused by multiple computers bombarding Microsoft's system with electronic requests. ``We've had intermittent delays throughout the day,'' said Rick Miller, a Microsoft spokesman. ``The attack was a similar nature to Thursday's and we're investigating it.''

Although such attacks have been around for years, they gained widespread notoriety last February when a slew of high-profile Web sites such as Yahoo, Amazon, eBay and CNN.com were hacked, causing an estimated $1.7 billion in damages.

No major attacks were reported the rest of the year, but security experts began discovering large networks of so-called ``zombie'' computers loaded with attack programs late last summer.

The networks included hundreds of machines scattered all over the world that had been infected with malicious code designed to launch an attack when their ``master,'' usually a mischief-making hacker, gave the signal.

``Basically, anyplace that they can install these zombie kits or relay kits they will,'' said John Pescatore, director of network security research at the Gartner Group Inc. The most vulnerable computers are ``typically university or government sites, and increasingly, in this world of cable modems and DSL modems, people's home computers that are left on all the time.''

Another common source of attacks is business Web servers, which are typically located outside a firewall. In September, the CERT coordination center at Carnegie Mellon University came across a network of more than 500 machines that had been linked in preparation for launching an attack.

``We bump into networks of a couple hundred here and a couple there all the time,'' said Chris Rouland, director of the X-Force vulnerability research team for Internet Security Systems Inc. ``I would extrapolate well over 10,000 machines are infected with back doors,'' or software code that gives an intruder control over a computer. ``Most of the machines infected are home machines.''

``The fact is all these zombies on consumer machines can be parlayed together to launch an attack that can affect the economy,'' Rouland warned.

Richard Power, editorial director of the Computer Security Institute in San Francisco, an association of computer security experts from major corporations and government agencies, said the percentage of Fortune 500 companies that reported their Internet sites had been a ``frequent point of attack'' jumped from 37 percent in 1996 to 59 percent last year, according to a study by CSI and the FBI.

From March 1999 to March of 2000, 27 percent of 640 companies and government agencies surveyed said they experienced denial of service attacks. Of the 46 companies that tallied their financial losses, the total came to $8 million.

Dave Dittrich, a senior security engineer and an expert on denial of service attacks at the University of Washington, said there are many kinds of denial of service attacks, but the ``bandwidth consumption'' attack, like the one that is believed to have damaged Microsoft, is among the hardest to defend against.

``There really isn't a solution for it,'' Dittrich said.

Although it's difficult for Microsoft to combat such attacks, the software giant said Friday it is taking steps to increase security.

Microsoft said as part of its response to the problem, it will begin outsourcing some of its domain name service to Akamai Technologies. Microsoft previously operated its four DNS servers internally, which some experts said increased its security risk.

Home users can also take steps to increase security. They can find out if their machines have been turned into zombies by scanning them with antivirus software, like Symantec's Norton Internet Security or Network Associates' McAfee Antivirus.

Doug Cavit, chief information officer for McAfee.com, also urged home users to get a personal firewall.

``Hackers and virus writers have gotten together so now you need a combination of firewall software and antivirus software to be fully protected,'' he said.

For Microsoft, there may be no way to avoid the problem, said Steve Fallin, director of the rapid response team at Watchguard Technologies, a Seattle-based company that provides Internet security products to small and medium-sized businesses.

``Rightly or wrongly, Microsoft generated a lot of animosity among parts of our society that have the tools to carry it out,'' he said. ``They're a target. That's what's happening now.''

http://www0.mercurycenter.com/svtech/news/top/docs/zombie012701.htm

-- Martin Thompson (mthom1927@aol.com), January 28, 2001

