From: InfoSec News (isnC4I.ORG)
Date: Sat Mar 31 2001 - 20:01:09 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://news.cnet.com/news/0-1003-200-5401112.html

By Robert Lemos
Special to CNET News.com
March 30, 2001, 10:25 a.m. PT

VANCOUVER, B.C.--Worms that can crack into computer systems, take them
over and continue spreading are quickly becoming the rage in
underground circles, said hackers and security experts at the
CanSecWest conference here this week.

The result? "I think we are going to see a lot more of these," said
Greg Shipley, director of consulting services for computer-security
firm Neohapsis.

A week ago, Shipley stayed up all night to analyze the new 1i0n Linux
worm that had been found in the wild. The worm exploits a
vulnerability in widely used domain-name service, or DNS, software
used to direct Internet visitors to the proper site.

While the worm does not seem to have spread widely, it had the
potential to do extensive damage to systems it compromised, concluded
Shipley. His results were a major factor behind advisories released
March 23 by both the System Administration Networking and Security
(SANS) Institute and the National Infrastructure Protection Center.

Worse, less-technical online vandals--also called script
kiddies--could take the scripts, modify them and create a powerful
malicious program, he said.

"The script kiddies are being empowered by the automation," said
Shipley. "These kids aren't profiling systems (to target their
attack). They are playing a numbers game."

David Dittrich, senior security engineer at the University of
Washington and a computer forensics expert, worries that the new worms
will escalate just as distributed denial-of-service (DDoS) tools did
two years ago.

First seen in May 1999, DDoS tools were born as poorly constructed
programs that could flood a single Web site or Internet server with so
much data, and from so many sources, that the computer effectively
would disappear from the Internet.

In August 1999, in one of the first known uses, the University of
Minnesota came under attack. Six months later, the tools came to the
public's attention when Yahoo, ZDNet, CNN and other high-profile Web
sites suffered similar attacks.

Dittrich analyzed both 1i0n and the earlier Ramen worm and found
significant improvements in 1i0n's code. He worried that worms, like
many other hacker tools, are evolving and getting better.

"With these worms, it's fairly similar in that there (is) a lot of
code out there, someone could grab it and mutate it--now, the worm is
out there hacking with a different exploit," he said.

With worms exponentially spreading, the Internet could become a much
less friendly place, said Mixter, the German hacker who created the
Tribe Flood Network, the DDoS tool used in the attacks on Yahoo and
others a year ago.

"These are a general threat," he said, adding that--in setting up his
own domain--he had come to realize how prevalent scanning, by worms
and other automated tools, has become. "Before we had a domain name,
we had 300 probes" from scanners, he said. "We don't analyze them
because there is too much data."

Worms spread by doubling and doubling again. Robert Graham, chief
technology officer with firewall maker Network ICE, thinks that could
clog up the works of the Internet.

"In some ways, I'm surprised that they haven't brought down the
Internet," he said.

And worms are set to get even more prevalent. With about 30 new
vulnerabilities uncovered every week, such automated code for cracking
systems has almost infinite potential, said Neohapsis's Shipley.

"My fear is that (hackers) will turn the worm into a framework," he
said. "Plug in an exploit and let it go."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERVSecurityFocus.com with a message body of
"SIGNOFF ISN".

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]