Internet Security Systems (ISS), which monitors networks around the world 24x7 from seven points of presence, including a "war room" in Atlanta, has seen an increase in IRC (Internet Relay Chat) traffic in the last month, according to Grant Slender, ISS principal consultant Australasia. The traffic surge relates to an increase in the use of IRC bots by the file-sharing community to transfer files and pirated software across the Internet.
"If you're a malicious person and have pirated software held on your computer and people are downloading it, you'll be the target for prosecution," Slender explained. "Alternatively, what we are starting to see happen," he said, "is networks being compromised and automated systems for file transfer being installed on them."
This is possible because robot pieces of code, originally developed to help online IRC users maintain rules, such as being sent an e-mail alert when a "chat" on a particular topic had commenced, have evolved into sophisticated pieces of software.
"People have now thought of a smarter way to use them to automatically transfer files around the Net," Slender said.
File sharing hackers will target the networks of companies that have high bandwidth and lots of storage, particularly Web hosting companies -- often known as "Web farms" -- that house hundreds of servers in one room.
Slender likens the process to a stolen car scam in which thieves break into an empty warehouse to house looted vehicles, and says that although there have been no direct reports of Australian corporate networks being compromised in this manner, organisations need to be on alert.
"There are companies in Australia that meet that criteria," Slender said, pointing to the nation's telcos, which use huge bandwidth and many of which are in the Web hosting business. "I can say that's what they [hackers] would be aiming for, organisations of that calibre."
Following reports of networks being compromised by the file sharing community in parts of Asia and the US, organisations should check if there has been an increase in IRC traffic on their networks, Slender advised.
Also of concern to ISS is the exploit released May 4 that takes advantage of numerous Microsoft IIS Web server vulnerabilities announced April 10.
According to Slender, this is exactly how Code Red and Nimda kicked off. A vulnerability was detected, someone proved the exploit, and the next thing Code Red was unleashed.
"Code Red, we believe, was a testing tool; it didn't do a lot of destructive damage," Slender said. Of the subsequent Code Red variants, he added: "quite obviously they were testing the right way to spread".
It's only a matter of time, according to Slender, before someone compiles a malicious program based on the new MS IIS exploit. "All the right things are in the right place for that to happen."
According to ISS, the likelihood is that the Microsoft IIS exploit code will be enhanced sometime soon to include a more destructive payload and worm-like propagation capabilities, fuelled by increased peer-to-peer chat programs, increased access to more warez products, and hackers increasingly looking for ways to distribute their goods.
"Traditional organisations think 'I'm nobody, I'm insignificant' and that the biggest threat is being defaced," Slender explained. He uses the analogy of having a shed on your property: "if you leave it unlocked you should expect to go in there one day and find a lot of stuff stored in there," he said. "The same concept is happening on the Net."











