Project: Computer Viruses - Distributed Denial Of Service
Created | Updated Jun 15, 2005
Distributed Denial Of Service - the Attack of the Mutant Zombie Trojans
Imagine you are talking with someone, when another person approaches you and says 'Hey'. Then, when you try to respond, they simply... vanish. As soon as you try to resume your conversation, the same thing happens. And again. And again. This is something like what happens to a network server under a DoS (Denial of Service) attack.
Normally a 'user' computer sends a message to the server requesting authentication. The server responds by sending an authentication approval. The 'user' accepts this approval and is allowed access to the server.
In the case of a DoS, an attacker repeatedly sends authentication requests to the server, as quickly as possible, using up all the server's 'bandwidth', or 'channels'. All these requests carry a forged 'return address', so when the server tries to respond with its authentication approval it cannot locate the user. There is a built-in delay, to allow for faulty transmission, so the server waits, sometimes for more than a minute, before closing the connection. When the connection closes, the attacker sends a new batch of forged requests and the process repeats. This 'monopolizing' of the server's resources effectively prevents legitimate users from accessing it.
This type of single-computer denial of service attack is now fairly easy to combat. System administrators routinely set up 'sniffer' filters that look for attack signatures, such as patterns or identifiers contained within the incoming traffic. If a certain pattern is repeated, for example, the filter will block any messages containing it.
Since early 1998 a new type of attack, the Distributed Denial of Service (DDoS), has developed on IRC, or 'chat', networks. First-generation DDoS attacks were fairly easy to trace, because the attacker had to maintain a connection through the IRC network. The DDoS technology now available allows an attacker to set up a literally world-wide network of compromised computer systems, programmed to launch a coordinated, targeted attack. The attacker, or 'Zombie master', does not need to stay online once the attack command is given.
How DDoS works:
The attacker recruits an unwitting 'zombie' computer army. Initially this was done by launching a scanning program that searched the Internet for vulnerable machines on which to install IRC Bots, or 'attack zombies'.
The new generation of Trojan script viruses, such as Sub7, obviates the need for scanning.
Every copy of the Sub7 Trojan is programmed to contact a secret IRC chat server and a newsgroup with complete connection and command details for the particular machine it has infected and on which it has installed the Bot.
Once a few hundred computers lacking adequate security have been compromised, the attacker feeds commands via the secret IRC channel; the Bots then execute them, and each machine joins in a coordinated 'packet flood' attack on the targeted domain.
With the widespread availability of programmable 'IRC Bot' scripts, all an attacker has to do is send out a few hundred e-mails with the malicious code as an attachment, infect downloadable code such as 'free' software or 'warez', or post similar attachments to USENET newsgroups.
How to defend yourself against IRC Bots
- Do not 'open' or 'run' e-mail attachments, unless you are absolutely sure the source is 100% reliable.
- Set your e-mail client to its maximum security setting, so that scripts cannot run, or at least will not run without your permission.[1]
- Be very careful about downloading 'free' software, especially from 'warez' sites.
- Avoid IRC chat rooms.[2]
- Download and install AnalogX's free Script Defender.[3]
- Download and install Zone Labs' free version of ZoneAlarm.[4]
How to find out if your Windows based machine is compromised or infected by an IRC Bot
Although Bot technology will undoubtedly change and become more sophisticated, currently most 'zombie' trojans attempt to establish an Internet connection via port 6667.
Perform the following test only after closing any IRC chat software, but while you are still connected to the Internet.
Open an MS-DOS window, and type the following command at the prompt:
netstat -an | find ":6667"
Ideally, the result will be... nothing, just a return to your MS-DOS prompt. But if you see something like:
TCP    123.456.7.890:1234    56.78.901.23:6667    ESTABLISHED
it might be a good idea to shut down your Internet connection!
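The manual check above, automated as a small parser (an added example, not code from the original article): it reads `netstat -an` output, embedded here as a constructed sample with documentation addresses, and reports only established TCP sessions whose remote port is 6667, so a local listening socket on 6667 or a stale TIME_WAIT entry, which the plain `find ":6667"` would also match, is not flagged. The names IRC_PORTS, SAMPLE_NETSTAT, split_endpoint and suspicious_irc_connections are this example's own.

```python
"""Parse `netstat -an` output and flag ESTABLISHED sessions to IRC port 6667.
Added example, not from the original article: it automates the manual
`netstat -an | find ":6667"` check but reports only lines whose *remote* port
is an IRC port and whose state is ESTABLISHED, so a local listener on 6667
or a stale TIME_WAIT entry does not raise a false alarm.
"""
import re

IRC_PORTS = {6667}  # the port named in the article; extend the set if needed

# Constructed sample of Windows `netstat -an` output (documentation addresses).
SAMPLE_NETSTAT = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1234        198.51.100.7:6667      ESTABLISHED
  TCP    192.0.2.10:1240        198.51.100.9:80        ESTABLISHED
  TCP    192.0.2.10:1301        203.0.113.5:6667       TIME_WAIT
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

# proto, local endpoint, foreign endpoint, optional state (UDP lines have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); port is None if not numeric (e.g. '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def suspicious_irc_connections(netstat_output, ports=IRC_PORTS):
    """Return (local, remote) pairs for ESTABLISHED TCP sessions to a port in `ports`."""
    hits = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or other non-connection text
        proto, local, remote, state = m.groups()
        _, remote_port = split_endpoint(remote)
        if proto == "TCP" and state == "ESTABLISHED" and remote_port in ports:
            hits.append((local, remote))
    return hits


if __name__ == "__main__":
    for local, remote in suspicious_irc_connections(SAMPLE_NETSTAT):
        print(f"outbound IRC session {local} -> {remote}")
```

On a real machine, pipe the live output in with `netstat -an | python this_script.py` after replacing SAMPLE_NETSTAT with `sys.stdin.read()`.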
What to do if your computer has been infected with an IRC Bot
If you know your computer has been compromised by a Trojan, there is help available from companies such as Symantec, which offers online advice and information. Many Trojan infections can be removed by running scripts that seek out and undo the changes made by the Trojan, and system files such as the Windows Registry can be (carefully!) edited by hand.
While IRC Bot infection does not actually damage the host computer, it can slow down or completely take over the connection bandwidth of the infected machine. Also, it is morally repugnant, and may soon be illegal, to take part in a denial of service attack, even if it is done unwittingly.
Further Reading
For an in-depth review and analysis of a recent DDoS attack, visit Steve Gibson's website, GRC.com, where you can read the article online or download it as a PDF for offline viewing.[5]
For bleeding-edge information on security issues and hacker exploits, visit SecurityFocus.com.