Worm paves way for crippling DDoS attack

Patrick Gray

10 March 2003 06:10 PM

Tags: worm, flaw, attack, ddos, vulnerability, gray, patrick, infect

A new worm that leaves behind two Trojan horse programs has begun spreading over the Internet, and may be paving the way for a crippling distributed denial of service (DDoS) attack.

Although experts are not yet rating this worm as a high risk to users, the technical makeup of the Trojans it leaves behind is of concern. They consist of a commonly used piece of network administration software called Virtual Network Computing (VNC), and an Internet Relay Chat (IRC) "bot".

The VNC component allows an attacker to connect to an infected system and control it as if they were in front of it. They have full access through a graphical user interface.

The IRC bot, when activated, connects to a remote server and waits for commands, which could mean that infected systems are going to be used for a massive DDoS attack.

This worm, unlike others such as Klez, requires no user interaction to spread - it exploits common passwords, such as "password" and "computer", on share directories on Windows NT/2000/XP machines and hence spreads automatically.

However, because the worm attacks through weak share directory passwords, the effect on corporations has been minimal, as share directories are typically firewalled.

Daniel Zatz, a security spokesman from Computer Associates, says that they haven't received any reports of their customers being infected yet.

"Very little has been reported to the [anti-virus] vendors themselves... I haven't spoken to any customers that have been impacted yet," he said.

Aside from potential DDoS implications, Zatz says that end users may be stung through identity theft - even a novice malicious hacker can access an infected system with ease.

"This is one of the ways that identity theft occurs," he said.

Despite this, Melbourne-based security consultant Adam Pointon says that the worm is hitting home users hard.

"It's been increasing threefold over the last few days," he said.

The SANS Institute's Internet Storm Center, a research group that monitors the Internet for attacks, has raised its alert status from green to yellow.


Talkback 1 comments

  1. Thank you for the information. It would be very helpful if you also published HOW a user can KNOW if he has been compromised. Or that he CAN'T know. Whatever. Anonymous -- 21/03/03
