Information Security News mailing list archives

Security Mavens Invaded by Trojan


From: InfoSec News <isn () C4I ORG>
Date: Thu, 1 Feb 2001 18:01:58 -0600

http://www.wired.com/news/technology/0,1282,41563,00.html

by Michelle Delio
10:35 a.m. Feb. 1, 2001 PST

A popular Web discussion list devoted to computer security became the
unwitting host of an attack program directed at security consulting
firm Network Associates Wednesday night.

A cracker posted to the Bugtraq list what he said was a script --
computer code that would allow people to take advantage of a recently
discovered hole in BIND, the Domain Name System server software that
most name servers on the Internet run.

But if someone downloaded and ran the posted script, it instead
launched a denial of service attack against Network Associates (NAI)
by sending packets of garbage information in the hopes of overwhelming
the firm's servers.

Network Associates had already patched its own servers, and the
company said the attack did not adversely affect its website's
performance.

"We have determined that a distributed denial of service attack was directed
at NAI last night," an NAI spokeswoman said, "but no penetration to
the corporate network took place. We are continuing to investigate the
origin of this attack."  NAI was the first to raise the alarm over the
BIND exploit, and Bugtraq spokesperson Elias Levy said he assumes that
the attack was intended to see if NAI had practiced what they preached
and patched the hole.

Levy said he has been in contact with NAI since the Trojan horse was
discovered and said the company hasn't reported any attacks or
problems to him.

"That script came in pretty late last night," Levy said. "And actually
we took a good look at it, because it appeared to be a pretty complete
exploit and it was posted from an anonymous remailer. But due to the
lateness of the hour, we didn't decompile the code contained in the
message, which would have revealed it was a Trojan."

Instead, Levy said, Bugtraq forwarded the message to Network
Associates for its opinion and input.

"NAI confirmed it was a valid exploit, and we went ahead and posted
the information to Bugtraq," said Levy. "They obviously didn't
decompile the code either, or they would have realized it was a Trojan
that was aimed at them."

"The supposed script was actually a Trojan, and I'd bet a bunch of
people grabbed it. Some would have known what it was and figured they
could play with it and alter it to their own needs, and others would
have just innocently run it," said "Taltos," who identifies himself as
a computer cracker, but added he had nothing to do with "this
particular Trojan."

Trojans (Trojan horses) are computer programs that purport to do one
thing while concealing a different, malicious function in their code.

Levy said there was no way of telling how many people may have
downloaded the Trojan, although he said the Trojan was revealed by
Bugtraq users "fairly early on."

He also noted that Bugtraq has no intention of removing the message
from its archives.

"The archives are the history of Bugtraq. We don't like to pull things
out," Levy said. "And it's important to note that we make no claims
for any of the information that is posted on our boards; we assume
that people will read the rest of the message thread, and use their
common sense."

Bugtraq users quickly discovered the problem with the script, posted
by "nobody () replay com" and posted messages alerting others that
"nobody's" script carried a hidden threat.

Matt Lewis, the first to discover the Trojan, noted that it "attacks
dns1.nai.com.... it forks off many copies of itself and violently
attacks NAI's name server."

Lewis also said "there's quite possibly other things going on as well,
locally," pointing to the possibility that the Trojan wasn't solely
aimed at NAI.
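The check that Bugtraq and NAI skipped, and that Matt Lewis eventually did by hand, can be partly automated. The script below is an added example for this archive page; it is not the Bugtraq post, NAI's code, or anything the article describes. It decodes the C string literals in a posted exploit source (including the \xHH-escaped "shellcode" blobs where a target is easily hidden), pulls printable strings out of the decoded bytes the way `strings` would on a compiled binary, and reports hardcoded hostnames and IP addresses plus calls that signal flooding or local side effects (fork(), a hardcoded port 53, system()). The sample source it runs on is constructed for this example; dns1.example.net and 192.0.2.10 are placeholders, not the real target.

```python
"""Static triage of a posted 'exploit' source before anyone runs it.

Added example for this page, not code from the Bugtraq post or from NAI.
"""
import re
from typing import Dict, List

# Constructed sample modelled on the incident: a "BIND exploit" whose hex
# payload hides the name of the machine it really floods. Placeholder names.
SAMPLE_SOURCE = r'''
/* bind 8.2.x tsig remote root (constructed sample, not the real post) */
#include <stdio.h>
#include <unistd.h>
#include <arpa/inet.h>

#define TARGET "192.0.2.10"

/* shellcode: really just hides the name of the machine it floods */
char payload[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
    "\x64\x6e\x73\x31\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x6e\x65\x74\x00";

int main(int argc, char **argv) {
    struct sockaddr_in sin;
    int i;
    if (argc < 2) { printf("usage: %s <victim>\n", argv[0]); return 1; }
    sin.sin_port = htons(53);
    sin.sin_addr.s_addr = inet_addr(TARGET);   /* argv[1] is never used */
    for (i = 0; i < 64; i++)
        if (fork() == 0) flood(&sin, payload);
    return 0;
}
'''

_SIMPLE_ESCAPES = {'n': 10, 't': 9, 'r': 13, 'a': 7, 'b': 8, 'f': 12,
                   'v': 11, '\\': 92, '"': 34, "'": 39}


def decode_escapes(body: str) -> bytes:
    """Decode the body of a C string literal: \\xHH, \\ooo and the common
    single-character escapes. Exploit sources write two-digit \\x escapes,
    so at most two hex digits are consumed per escape."""
    out = bytearray()
    i = 0
    while i < len(body):
        if body[i] != '\\' or i + 1 >= len(body):
            out += body[i].encode('latin-1', 'replace')
            i += 1
            continue
        c = body[i + 1]
        m = re.match(r'[0-9a-fA-F]{1,2}', body[i + 2:]) if c in 'xX' else None
        if m:
            out.append(int(m.group(), 16))
            i += 2 + len(m.group())
        elif c in '01234567':
            m = re.match(r'[0-7]{1,3}', body[i + 1:])
            out.append(int(m.group(), 8) & 0xFF)
            i += 1 + len(m.group())
        else:
            out.append(_SIMPLE_ESCAPES.get(c, ord(c) & 0xFF))
            i += 2
    return bytes(out)


_LITERAL = re.compile(r'"((?:\\.|[^"\\\n])*)"')


def literal_blobs(source: str) -> List[bytes]:
    """Decode every string literal, joining adjacent literals the way the
    C compiler concatenates them ("\\x64" "\\x6e" is one string)."""
    blobs: List[bytearray] = []
    prev_end = -1
    for m in _LITERAL.finditer(source):
        decoded = decode_escapes(m.group(1))
        if blobs and not source[prev_end:m.start()].strip():
            blobs[-1] += decoded          # only whitespace in between: same string
        else:
            blobs.append(bytearray(decoded))
        prev_end = m.end()
    return [bytes(b) for b in blobs]


def extract_strings(source: str, min_len: int = 4) -> List[str]:
    """Printable ASCII runs inside the decoded literals, like `strings`."""
    run = re.compile(rb'[\x20-\x7e]{' + str(min_len).encode() + b',}')
    return [r.decode('ascii') for blob in literal_blobs(source)
            for r in run.findall(blob)]


_HOST = re.compile(r'\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,6}\b', re.I)
_IP = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
_SUSPICIOUS = [
    (re.compile(r'\bfork\s*\('), 'calls fork(): may spawn many attacking processes'),
    (re.compile(r'\bhtons\s*\(\s*53\s*\)'), 'hardcodes port 53: talks to a DNS server'),
    (re.compile(r'\b(?:system|execl|execve|popen)\s*\('), 'runs a local command'),
    (re.compile(r'\b(?:unlink|rmdir|chmod|chown)\s*\('), 'modifies the local filesystem'),
    (re.compile(r'\bwhile\s*\(\s*1\s*\)'), 'infinite loop (flooding or daemonizing)'),
]


def triage(source: str) -> Dict[str, List[str]]:
    """Hardcoded targets and suspicious calls, from raw text plus decoded literals."""
    strings = extract_strings(source)
    haystack = source + '\n' + '\n'.join(strings)
    ips = sorted({m.group() for m in _IP.finditer(haystack)
                  if all(int(o) <= 255 for o in m.group().split('.'))})
    hosts = sorted({m.group().lower() for m in _HOST.finditer(haystack)} - set(ips))
    flags = [f'{why} ({len(pat.findall(source))}x)'
             for pat, why in _SUSPICIOUS if pat.search(source)]
    return {'hostnames': hosts, 'ips': ips, 'strings': strings, 'flags': flags}


if __name__ == '__main__':
    report = triage(SAMPLE_SOURCE)
    for key in ('hostnames', 'ips', 'flags'):
        print(f'{key}: {report[key]}')
```

On the sample, the hostname never appears in the source text; it only shows up once the hex blob is decoded, which is the point: a reviewer who reads the C but not the payload misses it. String extraction is a first pass, not a verdict: a target assembled at runtime, XORed, or resolved from a name built on the fly will not show, so anything that passes this check still belongs on an isolated machine with its traffic captured before it goes near a production network.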

Although no one has yet reported damage to their own machines, some
said the script may also have effects on the computer that runs it,
beyond flooding NAI.

"Looks like there's some potential for more nastiness there," Taltos
said.

There is no way to know how many people may have downloaded the
Trojan. But since interest in information about BIND exploits is high,
it can be assumed that "more than a handful of people had a peek,"
Taltos said.

BIND is the program most of the Internet's name servers run to
translate domain names into the numeric IP addresses that computers
use to route traffic.

Because BIND is used by the vast majority of name servers on the
Internet, and the holes discovered in it allow an attacker to remotely
take control of any machine running an unpatched version, the problem
is a broad one.

Therefore, any information on how to exploit the hole would be very
interesting to both crackers and security experts, who Taltos said
have combed discussion boards and websites looking for information on
the hole.

The BIND hole is considered a critical problem.

"These vulnerabilities have the potential to take out big chunks of
the Internet," NAI's Jim Magdych said in the firm's announcement
originally detailing BIND's vulnerability.

A patch was released last weekend, just prior to Monday's public
announcement. Network Associates had found the hole in December and
alerted the Internet Software Consortium, which maintains BIND.

The Internet Software Consortium in turn alerted the administrators of
large networks, and kept them posted on the progress of the patch.

By the time the announcement was made to the general public on Monday,
the patch was available.

"This is standard practice with serious holes," Taltos said. "There's
no sense in telling people that they can do evil things until you at
least have a fighting chance to stop them from doing them."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
