[access-uk] Gang Warfare Taking down the Net
- From: "Colin @ New Vision" <cph.newvision@xxxxxxxxxx>
- To: <access-uk@xxxxxxxxxxxxx>
- Date: Mon, 2 Aug 2004 10:13:38 +0100
Hi to all
I thought this article might be good reading for those who are not sure what's
happening with regard to computer security. I have noticed people asking a few
questions on this list about security issues; maybe this will help them
understand a little more.
If you're having trouble viewing your favourite sites on the Internet, you're
not alone. Within the last two months, we've experienced the return of the
MyDoom virus as well as attacks--not on popular Web sites themselves, but on
the secondary sites that power them. These two facts are related. What started
as local gangs tagging and shutting down rivals has matured into a more
sophisticated game that's targeting the interdependencies of the Internet
itself.
Tag, you're it
Years ago, young hackers aligned themselves into gangs that prided themselves
in shutting down rival sites. They did so by writing quick-and-dirty viruses
that compromised as many innocent computers as possible with remote backdoor
Trojan horses--much like a street gang tagging a site. If the red gang put a
Trojan on your computer, then your computer was owned by the red gang. The blue
gang could come along and retag your computer, but that was unlikely.
The game, back then, was simple: If the red army was bigger, it could cause a
denial-of-service attack on the blue army's server, shutting down the rival
gang. Something like that happened in December 2001, when four Israeli youths
were arrested for creating the Goner virus, which existed mainly to attack a
rival gang. When you're talking a few hundred PCs, this "war" seems trivial.
Sobig changed things
But over time, these armies of red and blue grew more sophisticated. Needless
to say, a person in control of a thousand compromised computers--a collection
called a botnet--is in a very powerful position. With a single command, those
thousand machines could launch a new virus, start a distributed
denial-of-service attack on a single target, or relay spam messages.
A botnet's spam-sending abilities seem to be the holy grail of criminal
activity. Starting with the Sobig virus in 2003, someone, somewhere realized
these botnet networks of compromised computers could be sold to spammers, who
would then use the machines to relay their spam across the Internet.
But the original Sobig infected relatively few systems, so criminal hackers
(crackers) went about improving it. Roughly every two to four weeks for
several months, new versions of the Sobig virus continued to strike, then
expire, each version reaching out to slightly more computers than the version
before. By the time Sobig.f hit in August 2003, it infected more than a million
PCs in its first few days. Given its success, other viruses soon followed this
model; MyDoom and Netsky, in particular, were designed to create larger and
larger networks of compromised computers.
Given that the Trojan horses used by these most recent viruses were created in
Russia, there have been serious suggestions that the Russian mafia may be
contracting with virus writers to create newer and better viruses solely to
relay spam.
MyDoom's return
MyDoom goes even further. Its compromised computer networks sometimes have
specific targets for denial-of-service attacks. The botnet created by MyDoom.a,
for example, attacked Microsoft's Windows update site until Microsoft was
forced to move it. MyDoom.b went after Microsoft and SCO Linux, successfully
taking the SCO site offline for several days. At the time, many thought it was
some kind of message about Linux or specifically about the lawsuits that SCO
was filing against other users of Linux for copyright infringement. I suspect,
even now, that the targets are arbitrary; I think that MyDoom and the others
are test viruses released to find out what works and what doesn't.
The very latest version of MyDoom, MyDoom.m, adds a new trick: it uses popular
search engines to harvest all the e-mail addresses within a given domain, then
e-mails itself to those addresses. Although MyDoom.m briefly disabled major
search engines, I think that its real purpose was to see if it would spread
further, faster. It did, until Google and other search engines figured out how
to filter the queries and return to work again. MyDoom.m peaked within a day,
which is rare for an e-mail virus these days, and is thus not a very important
virus.
Higher goals
MyDoom.m and events such as the July 27, 2004, distributed denial-of-service
attack that targeted DoubleClick and last month's Akamai attack make it clear,
I think, that crackers are attempting to take down the Internet. Of course,
they won't. The Internet links too many different types of computers and is far
too robust to fail entirely.
Nonetheless, popular sites such as Microsoft, Google, Yahoo, and Apple can go
dark, and I predict we'll see more attacks like this in the coming months.
What can you do? The only way to stop these Internet thugs is to make sure your
own desktop isn't conscripted in their dirty little armies. Make sure your
antivirus software is up-to-date, and if you haven't already done so, download
a personal firewall such as ZoneAlarm. Stay on top of the latest Microsoft
Windows updates as well. Then, once your PC is secure, get your friends and
neighbors to secure theirs.
Regards
Colin
** Going on holiday and want to halt messages? Send a message to:-
** access-uk-request@xxxxxxxxxxxxx
** and in the Subject line type
** vacation ## d
** where ## is the number of days followed by d for days.
** For other things like digest mode, send a message, to
** access-uk-request@xxxxxxxxxxxxx with the Subject:- faq