Feds eye systems that could host pesky attack code

By William Jackson

GCN Staff

As the FBI seeks the instigators of recent denial-of-service attacks against prominent Web sites, government administrators are busy checking their systems for signs of the Trojan horse agents used to launch such attacks.

'We're making sure all agencies are making sure their systems cannot be used' for such attacks, Commerce Secretary William M. Daley said.

The General Services Administration's Office of Information Security issued the systems-check directive Feb. 9, hours before Attorney General Janet Reno called for an FBI investigation of the concerted attacks on electronic interstate commerce.

Although investigators had not traced any of the computers behind the attacks to government locations by the end of the first week, Trojan horses have shown up on some government computers.

'We have found military computers that are infected,' said Alan Paller, director of research at the SANS Institute of Bethesda, Md.

Y2K find

Ron Dick, chief of computer investigations and operations at the FBI's National Infrastructure Protection Center, said covert programs were discovered last year during year 2000 work.

President Clinton has asked Congress for an additional $37 million in the fiscal 2001 budget to fight computer crime. In testimony during a Senate hearing last week, Reno said the money would be used to hire additional U.S. attorneys and FBI personnel, build 10 computer forensics laboratories, and pay for training state and local law enforcement officials.

The Computer Emergency Response Team Coordination Center at Carnegie Mellon University, created by the Defense Advanced Research Projects Agency, last year called the distributed denial-of-service attack tools one of the most disturbing security threats.

The tools set up clandestine networks of infected systems that later remotely launch service-denial attacks, flooding a target Web server with so many bogus messages that it cannot handle legitimate traffic [GCN, Jan. 10, Page 3].

The original attack tools, dubbed Trin00 and Tribal Flood Network, and the first attacks appeared last year. By year's end, so-called improved versions incorporating encryption began to crop up.

This month's attacks appear to have come from second-generation programs called Tribal Flood Network 2000, or TFN2K, and Stacheldraht, German for barbed wire. They flood the target server with echo reply packets, which usually pass through a firewall without inspection.

According to a recent SANS bulletin, it is difficult if not impossible to block echo reply packets. The only defense, SANS said, 'is to make sure that all systems are kept up to date with security patches, that unnecessary services are turned off, and that competent administrators are monitoring every Unix system.'
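The reason echo replies are hard to block is that a stateless packet filter cannot tell a reply to a ping the protected host sent from one that was never asked for. The following is an added example, not code from the article, SANS or NIPC: a stateful check that remembers outbound echo requests and counts inbound echo replies that match none of them, which is the shape of the TFN2K and Stacheldraht floods described above. The packet records, the two-second reply window and the flood threshold are constructed assumptions.

```python
"""Flag unsolicited ICMP echo replies (flood traffic) against a constructed packet log.

Added example, not from the GCN article, SANS or NIPC. Each record is
(time, direction, icmp_type, src, dst, ident, seq); ICMP type 8 is an
echo request and type 0 an echo reply. A stateless filter passes every
echo reply; this check keeps state so a reply only counts as legitimate
when it answers a request the protected host actually sent.
"""
from collections import Counter

ECHO_REPLY, ECHO_REQUEST = 0, 8

def find_unsolicited_replies(records, window=2.0):
    """Return Counter of source -> echo replies with no matching outbound
    request within `window` seconds (assumed); these are the flood packets."""
    pending = {}            # (peer, ident, seq) -> time the request went out
    unsolicited = Counter()
    for t, direction, itype, src, dst, ident, seq in records:
        if direction == "out" and itype == ECHO_REQUEST:
            pending[(dst, ident, seq)] = t
        elif direction == "in" and itype == ECHO_REPLY:
            sent = pending.pop((src, ident, seq), None)
            if sent is None or t - sent > window:
                unsolicited[src] += 1
    return unsolicited

def flood_sources(records, threshold=50):
    """Sources whose unsolicited echo reply count reaches the (assumed) threshold."""
    counts = find_unsolicited_replies(records)
    return sorted(s for s, n in counts.items() if n >= threshold)

# Constructed sample: one legitimate ping exchange, then bursts of replies
# from two hosts that were never pinged (the agent-network pattern).
SAMPLE = [(0.0, "out", 8, "10.0.0.5", "192.0.2.10", 100, 1),
          (0.1, "in", 0, "192.0.2.10", "10.0.0.5", 100, 1)]
SAMPLE += [(1.0 + i * 0.001, "in", 0, "198.51.100.7", "10.0.0.5", i, i)
           for i in range(200)]
SAMPLE += [(1.0 + i * 0.001, "in", 0, "203.0.113.9", "10.0.0.5", i, i)
           for i in range(30)]

if __name__ == "__main__":
    print(find_unsolicited_replies(SAMPLE))
    print(flood_sources(SAMPLE))   # -> ['198.51.100.7']
```

The legitimate reply from 192.0.2.10 is matched and dropped from the pending table, while the 200 replies from 198.51.100.7 exceed the threshold and the 30 from 203.0.113.9 are counted but stay below it.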

Paller said most of the infected computers identified so far are running SunSoft Solaris. He said he expects the next-generation flood programs to spread the infection to Microsoft Windows NT environments.

The vulnerabilities exploited to plant the malicious software are well-known, the most common being a remote procedure call service. Because little can be done in advance to avoid being hit by a service-denial attack, halting the spread requires preventing installation of attack agents on vulnerable machines.

'The bad guys need to infect a lot of machines,' Paller said.

The FBI's NIPC has developed a software tool, downloadable from www.nipc.fbi.gov, that scans for Trojan horses on a single computer device.

Researchers at the University of Washington and Stanford University have developed a similar tool that can scan an entire network. It is downloadable from www.sans.org. SANS also has posted a guide to cleaning up a computer on which a Trojan horse has been found.

SANS has worked with the Army and 12 other federal organizations to develop a hardening script that can close many common Unix vulnerabilities. The hardening script will be available for download once a secure site is set up for it, probably in March, Paller said.

Within a week of launching its investigation, the FBI had traced some of the attack agents to computers at Stanford and the University of California at Santa Barbara.
