Shadow members see patterns developing with network hackers
Most people picture a network hacker as a furtive, isolated operator who breaks in,
looks around and gets out fast, perhaps doing some damage along the way.
But recent break-ins at unclassified Defense Department networks have altered that
image. Some hackers have been moving at snail-like speeds, sending just a few packets per
hour so they dont trip sensors set to pick up unusual traffic patterns.
To make up for the slowness, several hackers may band together in teams, channeling
information through multiple IP addresses.
Thats the discovery made recently by an anti-hacker group known as Shadow.
This column has previously mentioned the Shadow group, made up of members from several
Defense sites, civilian agencies and industry.
Shadow, which works closely on network security issues with the Sans Institute Inc. of
Bethesda, Md., at http://www.sans.org/, publicizes what
it has learned about hacker penetration of government and private networks and analyzes
Steven Northcutt, director of the Shadow project at the Naval Surface Warfare Center in
Dahlgren, Va., said Shadow members have identified five patterns:
A hacker group known as the Cult of the Dead Cow came up with Back Orifice, a play on
the name of Microsoft Corp.s BackOffice transactional suite.
Back Orifice is relatively small at 120K and can be disseminated as an e-mail
attachment or embedded in a downloaded file. Once launched, Back Orifice literally opens a
back door that gives hackers partial control of the computer.
These new types of probes mark a watershed in the way hackers operate, said Northcutt
and Shadow analyst Tim Aldrich.
The DOD analysts previously believed single attackers were targeting multiple sites.
Now they see multiple attackers working together to target either single or multiple
Are they sure this isnt still a bunch of lone attackers working from multiple IP
addresses? No. But Northcutt and Aldrich believe multiple hackers must be involved because
of the variety of machines used and other subtle differences.
What this means is that government networks arent necessarily safe even if they
have intrusion detection software in place. Most current software isnt designed to
look for such subtle traffic patterns.
For details about the coordinated attacks, visit http://www.nswc.navy.mil/ISSEC/CID/. Look
for the narrative about a coordinated attack against Langley Air Force Base, Va. You can
also download Unix Shadow software that probes system logs to look for the patterns.
If you dare to download and experiment with Back Orifice, find a copy at http://www.schippers.net/welcome.html,
along with a cleaner that supposedly removes it from a system. I cant say how
trustworthy this resource is. A Back Orifice user manual of sorts appears at http://home.planetinternet.be/~honcho/bo/.
For a list of online hacker hangouts, visit http://www.nando.net/newsroom/hacksources.html.
For manuals that detail hacker techniques, visit Spectre Press at http://www.spectre-press.com/.
Shawn P. McCarthy is a computer journalist, webmaster and Internet programmer for
Cahners Business Information Inc. E-mail him at firstname.lastname@example.org.