Universities are proving to be a juicy target for hackers trolling for dupes.
Computer technicians at James Madison University in the US have discovered that 16 student-owned Windows 98-based PCs were infected with a possible variant of the hacker tools used in recent highly publicized DDoS (distributed denial-of-service) attacks.
Gary Flynn, a security engineer at James Madison said that during the week of 13 February he noticed an unusual slowdown in the university's student residence network.
The problem: 16 student-owned PCs had been infected with the "zombie code" that allows a hacker to secretly take over a computer and launch a DDoS attack against another site.
The software appears to be a variant of the Trin00 hacking tool, one of three that can be used to launch the sort of attacks that brought down sites like Yahoo and eBay two weeks ago.
What's unusual, say security experts, is that it was found on Windows 98 desktops. Most zombie code, up to this point, had been discovered on Solaris- and Linux-based servers.
Computer security companies such as Internet Security Systems and Finjan Software issued warnings today about new DDoS tools that can exploit Windows vulnerabilities.
"This makes it a whole new ballgame," said Flynn.
How many more are out there?
The discovery leads some to question just how many zombie clients have been created since DDoS tools became available last summer. At the moment, it's impossible to say. Such discoveries are likely to trickle out over the next months. Institutions such as the University of California at Santa Barbara, notorious for lax computer security, have proven fertile ground for the zombie clients.
The latest development also points to the importance of managed security, not just at servers and Internet gateways, but all the way down to PCs.
All of the infected James Madison computers were compromised using the Back Orifice remote-control "trojan," which allows a hacker to secretly plant code on a Windows PC.
It is unclear at present who the intended victim of the DDoS zombies was, and it is unlikely the James Madison machines were used in the attacks two weeks ago. If a target outside the university were attacked, it would be easy for the victim to trace the attack, because James Madison technicians have installed filters on their routers that make it impossible for machines on the network to spoof a source address.
School an ideal setting
Like many universities, James Madison is an ideal dupe for DDoS attacks. All James Madison students can take advantage of an Ethernet connection to a university-owned network. In essence, they can be permanently connected to the Internet, making them perfect zombies for a DDoS attack. Only the router filters, called egress filters, make it difficult for a hacker to hide his or her identity.
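The egress filtering mentioned above (and in the tracing point earlier) boils down to one border rule: a packet may leave the campus only if its source address belongs to the campus. The following is an added illustration of that rule, not code from James Madison or from Flynn's report; the address ranges and packet list are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed campus address space (documentation ranges, not JMU's real prefixes).
CAMPUS_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def egress_allowed(src_ip, prefixes=CAMPUS_PREFIXES):
    """Egress rule: forward an outbound packet only if its source address
    falls inside one of the campus prefixes. Anything else is a forged
    (or misrouted) source and is dropped at the border router."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # malformed source field: treat as spoofed
    return any(addr in net for net in prefixes)


def filter_outbound(packets, prefixes=CAMPUS_PREFIXES):
    """Apply the egress rule to (src, dst) pairs. Returns (forwarded, dropped).
    The dropped list is what an operator should alert on: each entry is an
    internal host trying to hide its identity, which is exactly the
    behaviour a DDoS zombie relies on."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if egress_allowed(src, prefixes) else dropped).append((src, dst))
    return forwarded, dropped


# Constructed sample of traffic leaving the residence network towards one victim.
OUTBOUND = [
    ("198.51.100.23", "192.0.2.10"),  # genuine campus host: traceable by the victim
    ("203.0.113.5",   "192.0.2.10"),  # genuine campus host
    ("10.9.8.7",      "192.0.2.10"),  # spoofed private source
    ("45.77.1.2",     "192.0.2.10"),  # spoofed random public source
    ("not-an-ip",     "192.0.2.10"),  # malformed source field
]

if __name__ == "__main__":
    fwd, drop = filter_outbound(OUTBOUND)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```

With the rule in place, every packet that reaches a victim from this network carries a real campus address, so an attack can be traced back to the specific residence-hall PC rather than to a random forged source.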
While it's true that PCs lack the horsepower of a server, they are certainly more plentiful, Flynn said.
"Don't forget that there's some pretty powerful PCs out there these days," he said.
Flynn has published a full report on the incident at www.jmu.edu/info-security/engineering/issues/wintrino.htm.