OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 4th quarter (Oct-Dec) 1998: Re: Internet Wide DOS Attack using IRC

Re: Internet Wide DOS Attack using IRC

[deicide] (deicideGAMEAHOLIC.COM)
Fri, 2 Oct 1998 19:06:21 -0400 

On Fri, 2 Oct 1998, Kameron Gasso wrote:

> This might be an unreleased Back Orifice plugin from an internet user who
> dislikes GeoCities (only speculation).  Odds are, it was distributed
> widely over IRC in a Warez package or something similar.

I have a feeling this is some kind of plugin that has dynamic loading of
trojan code:

 - It is trying to download a .zip file from geocities. Presence of
   "winrar" in the registry keys hints that it will uncompress the file.
   (WinRAR is a .rar archive program that also supports .zip, .arj, etc.
   Sortof like WinZip).

 - The reason it has turned into a flood attack is because it's probably
   set to retry on failure, OR it was coded to re-get the file once in a
   while so that the author can "upgrade" the trojan code by placing a
   new .zip file on geocities server.  This "once in a while" was set to
   30 seconds by mistake.

 - I don't think this was meant as an attack on GeoCities.  Even
   at current frequency it's very little percentage of total traffic
   handled by their servers.  I'm sure they noticed this not because their
   servers were DoSed, but rather because they don't any member sites
   that receive millions of visitors daily.


I don't see any way to fight this except of trying to spread the knowledge
about BO and possible a BO-remover/detecter along with it.



--Vitaliy.