Shadow members see patterns developing with network hackers

Most people picture a network hacker as a furtive, isolated operator who breaks in,
looks around and gets out fast, perhaps doing some damage along the way.

But recent break-ins at unclassified Defense Department networks have altered that
image. Some hackers have been moving at snail-like speeds, sending just a few packets per
hour so they don’t trip sensors set to pick up unusual traffic patterns.

To make up for the slowness, several hackers may band together in teams, channeling
information through multiple IP addresses.

That’s the discovery made recently by an anti-hacker group known as Shadow.

This column has previously mentioned the Shadow group, made up of members from several
Defense sites, civilian agencies and industry.

Shadow, which works closely on network security issues with the Sans Institute Inc. of
Bethesda, Md., at, publicizes what
it has learned about hacker penetration of government and private networks and analyzes
break-in attempts.

Shadow talk

Steven Northcutt, director of the Shadow project at the Naval Surface Warfare Center in
Dahlgren, Va., said Shadow members have identified five patterns:

A hacker group known as the Cult of the Dead Cow came up with Back Orifice, a play on
the name of Microsoft Corp.’s BackOffice transactional suite.

Back Orifice is relatively small at 120K and can be disseminated as an e-mail
attachment or embedded in a downloaded file. Once launched, Back Orifice literally opens a
back door that gives hackers partial control of the computer.

These new types of probes mark a watershed in the way hackers operate, said Northcutt
and Shadow analyst Tim Aldrich.

The DOD analysts previously believed single attackers were targeting multiple sites.
Now they see multiple attackers working together to target either single or multiple

Are they sure this isn’t still a bunch of lone attackers working from multiple IP
addresses? No. But Northcutt and Aldrich believe multiple hackers must be involved because
of the variety of machines used and other subtle differences.

What this means is that government networks aren’t necessarily safe even if they
have intrusion detection software in place. Most current software isn’t designed to
look for such subtle traffic patterns.
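An added example, not the column's or Shadow's code, of the aggregation such detection needs: a conventional per-source rate check is run beside a check that pools every probe aimed at one host over a long window regardless of sender. The log format and addresses are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not Shadow's data or format): one probe per line as
# "timestamp source destination dport". Five sources each send two SYNs to the
# same host, hours apart, so no single source ever looks busy.
SAMPLE_LOG = """\
2023-01-01T00:05:00 198.51.100.7 192.0.2.10 21
2023-01-01T03:10:00 198.51.100.7 192.0.2.10 23
2023-01-01T01:20:00 203.0.113.44 192.0.2.10 25
2023-01-01T06:40:00 203.0.113.44 192.0.2.10 53
2023-01-01T02:15:00 198.51.100.91 192.0.2.10 79
2023-01-01T09:30:00 198.51.100.91 192.0.2.10 80
2023-01-01T04:00:00 203.0.113.5 192.0.2.10 110
2023-01-01T12:45:00 203.0.113.5 192.0.2.10 111
2023-01-01T05:50:00 198.51.100.130 192.0.2.10 143
2023-01-01T18:05:00 198.51.100.130 192.0.2.10 513
"""

def parse(log):
    """Parse the constructed format into (timestamp, src, dst, port) tuples."""
    records = []
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records

def busy_sources(records, per_hour=10):
    """Conventional rate check: flag a source sending more than per_hour packets in any clock hour."""
    hourly = Counter((src, ts.replace(minute=0, second=0)) for ts, src, _, _ in records)
    return {src for (src, _), n in hourly.items() if n > per_hour}

def coordinated_probes(records, window=timedelta(hours=24), min_ports=8, min_sources=3):
    """Pool everything aimed at one destination over a long window, ignoring the sender:
    many distinct ports from several low-rate sources is the footprint of a shared scan."""
    by_dst = defaultdict(list)
    for ts, src, dst, port in records:
        by_dst[dst].append((ts, src, port))
    alerts = {}
    for dst, events in by_dst.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            span = [e for e in events[i:] if e[0] - start <= window]
            ports = {p for _, _, p in span}
            srcs = {s for _, s, _ in span}
            if len(ports) >= min_ports and len(srcs) >= min_sources:
                alerts[dst] = (sorted(srcs), sorted(ports))
                break  # one alert per destination is enough
    return alerts
```

On the sample, `busy_sources` returns nothing while `coordinated_probes` reports the target host with all five sources and ten ports.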

For details about the coordinated attacks, visit Look
for the narrative about a coordinated attack against Langley Air Force Base, Va. You can
also download Unix Shadow software that probes system logs to look for the patterns.

If you dare to download and experiment with Back Orifice, find a copy at,
along with a cleaner that supposedly removes it from a system. I can’t say how
trustworthy this resource is. A Back Orifice user manual of sorts appears at

For a list of online hacker hangouts, visit
For manuals that detail hacker techniques, visit Spectre Press at

Shawn P. McCarthy is a computer journalist, webmaster and Internet programmer for
Cahners Business Information Inc. E-mail him at [email protected].
