E-CommerceALERT.com is part of the Bennett Gold LLP web site network.
LINK TO: Bennett Gold LLP, Chartered Accountants, home page.
LINK TO: E-CommerceALERT.com Home Page.
CLICK to GO BACK to Main Page.

Research and retrieval of news articles by Bennett Gold LLP, Chartered Accountants

Effective December 31, 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering articles from the period 1999 to 2012.


Source: eWeek

Posted on March 18, 2003

      The recent rash of Internet worms has produced an army of hundreds of thousands of compromised machines that could ultimately be used to launch a massive distributed-denial-of-service attack at any time, according to security officials.

      Officials at the CERT Coordination Center said the organization is monitoring at least five large networks of compromised machines installed with so-called bots. The bots connect compromised PCs or servers to Internet Relay Chat servers, which attackers commonly use to execute commands on the remote systems. At least one of these networks has more than 140,000 machines, officials said.

      "We have seen indications that these networks are being used [for attacks]," said Marty Lindner, team leader for incident handling at the CERT center at Carnegie Mellon University, in Pittsburgh. "The potential is there for them to cause serious long-term damage."

      Unfortunately, CERT officials said, there is little they can do about a potential attack, other than sound the warning and hope users identify and patch infected machines. Officials of the FBI's National Infrastructure Protection Center, in Washington, did not respond to calls seeking comment.

      CERT's dire warning is underscored by last week's emergence of the Deloder and Code Red.F worms. While neither worm does any immediate damage to infected machines, both install back doors that enable attackers to use compromised machines for future, much more damaging operations, such as DDoS attacks.

      At the heart of this new trend, according to security experts, are poor security practices. But more important is the mistaken belief by corporate IT that once crises such as those caused by Code Red or SQL Slammer die down, the trouble's over. In fact, after an initial flurry of advisories, warnings and patches, there are often months or years of sustained infections and residual DDoS attacks, Lindner said.

      For example, Code Red reached its peak in July 2001 when more than 450,000 servers were infected and scanning for new targets. Since then, there are some 60,000 Code Red-infected machines scanning the Internet at any given time. Even a novice cracker would need only a tiny fraction of those machines to launch a devastating DDoS attack.

      "This not only shows you that these systems haven't been patched but that they're not running anything even remotely close to a current anti-virus product," Lindner said.

      Many older worms are still among the most active threats on the Internet, studies indicate. SQL Spida, Opaserv and Nimda are among the top five most active worms thus far for this month, according to statistics compiled by the WormCatcher network, a distributed group of machines that monitors worm activity and is run by Roger Thompson, technical director of malicious code research at TruSecure Corp., in Herndon, Va. Each of these worms is at least 6 months old, with Nimda first appearing in September 2001.

      All of these worms have done a nice job of populating the world with PCs that are easily accessible for hackers to bounce things off of," said George Bakos, senior security expert at the Institute for Security Technology Studies at Dartmouth College, in Hanover, N.H. "In the past, you needed some skill to do this."

      In addition to making it easier for attackers to plan and execute their attacks, these worms have made it much more difficult for investigators and administrators to trace attacks to their sources, experts say.

      Contributing to the problem is the poor overall security posture of many corporations. Lovgate, which appeared several weeks ago, and Deloder both try to spread by exploiting weak or null passwords used to protect shared network drives and folders. Networks exhibiting this lack of security are just ripe for the taking, security experts say.

      "Traditionally, we've been looking at viruses and worms exploiting the application layer. But the biggest crevice you can crack is a weak user," said Mark Boroditsky, president and CEO of Passlogix Inc., a security software maker based in New York. "Behavior is a lot harder to patch than software."

      Also problematic are the many affected machines belonging to home users, few of whom do any logging of the activity on their PCs. As a result, attackers can easily hide their tracks by using these anonymous computers, according to the experts.

CLICK to GO BACK to Main Page.

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.

Final Entries

LINK TO: Bennett Gold Chartered Accountants: A Licensed Provider of WebTrust Services.

WebTrust Is Your
Best Defense
Privacy Breaches.

Get WebTrust
Working For
Your Site.