Who writes viruses?
Published: 25 Sep 2003 13:30 BST
A simple denial of service (DoS) attack would be when a few misguided losers get together and all set their machines to "PING -T" a specific host. There are a few problems with this. First, it's hard to make a dent in the capacity of modern firewalls and networks. Second, they all get caught. An improvement is the distributed denial of service (DDoS), in which perhaps thousands of machines target a specific host. One way to do this is to spread a worm Internet-wide and multiply the attack by a huge factor by inserting a Trojan as a payload, set to activate simultaneously at a certain time against a certain target. Machines so enlisted are called "zombies," and a horde of them can make a dent. With a little IP spoofing, even the unwitting accomplices can be masked. Since the proliferation of broadband service to home users (who often don't worry much about securing their machines), a lot of packets can be thrown over a short time.
It makes for a great prank, in theory, but it's still just that -- a prank. And, as Microsoft demonstrated against Blaster/LovSan, a simple configuration change can be made (with or without advance warning), removing the target entirely. Improvements are possible, such as not designating the time or the target URL in the code, relying instead upon a message that activates the zombie and passes that information on. Of course, this technique could be used to harass and diminish business competitors' connectivity, but there are serious legal risks attached to that.
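The difference the article draws between a lone "PING -T" flood and a distributed one is exactly what a defender looks for in firewall logs: one destination being hammered, and whether the packets come from one source or from many. The script below is an added illustration, not from the original article; the log line format ("<epoch seconds> <proto> <src> -> <dst>"), the sample traffic and the thresholds are all constructed for this example.

```python
"""Classify per-destination traffic bursts as single-source or distributed floods.

Added example (not part of the original article). The log format and the
sample traffic below are constructed for illustration only.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Packet(NamedTuple):
    ts: int      # epoch seconds
    proto: str   # e.g. ICMP, TCP
    src: str     # source IP as logged (may be spoofed)
    dst: str     # destination IP


def parse_line(line: str) -> Packet:
    """Parse one constructed log line: '<epoch> <proto> <src> -> <dst>'."""
    ts, proto, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError("unexpected log line: %r" % line)
    return Packet(int(ts), proto, src, dst)


def classify_floods(
    lines: Iterable[str],
    window: int = 10,            # seconds per bucket
    packet_threshold: int = 10,  # packets per window that count as a flood
    distinct_threshold: int = 5, # distinct sources that make it "distributed"
) -> Dict[str, Tuple[str, int, int]]:
    """Return {dst: (kind, packets, distinct_sources)} for flooded destinations.

    For each destination the busiest window is reported. 'kind' is
    'single-source' when few sources account for the burst (the lone
    ping -t case) and 'distributed' when many distinct sources take part.
    """
    buckets: Dict[Tuple[str, int], List[str]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        p = parse_line(line)
        buckets[(p.dst, p.ts // window)].append(p.src)

    verdicts: Dict[str, Tuple[str, int, int]] = {}
    for (dst, _), sources in buckets.items():
        packets = len(sources)
        if packets < packet_threshold:
            continue
        # keep only the busiest window per destination
        if dst in verdicts and verdicts[dst][1] >= packets:
            continue
        distinct = len(set(sources))
        kind = "distributed" if distinct >= distinct_threshold else "single-source"
        verdicts[dst] = (kind, packets, distinct)
    return verdicts


# Constructed sample: one host hammering 203.0.113.10, twelve distinct hosts
# hitting 203.0.113.20 in the same ten-second window, and two ordinary
# connections to 203.0.113.30 that should not be flagged.
SAMPLE_LOG: List[str] = (
    ["100%d ICMP 198.51.100.7 -> 203.0.113.10" % (i % 10) for i in range(12)]
    + ["100%d ICMP 192.0.2.%d -> 203.0.113.20" % (i % 10, i + 1) for i in range(12)]
    + ["1003 TCP 192.0.2.50 -> 203.0.113.30", "1007 TCP 192.0.2.51 -> 203.0.113.30"]
)


if __name__ == "__main__":
    for dst, (kind, packets, distinct) in sorted(classify_floods(SAMPLE_LOG).items()):
        print("%s: %s flood, %d packets from %d source(s)" % (dst, kind, packets, distinct))
```

The distinct-source count is only as trustworthy as the source addresses themselves: as the article notes, spoofing can make a handful of machines look like many, so a high count is a reason to look at ingress filtering and upstream telemetry, not proof of a large zombie horde.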
And you thought popups were bad...
Oh, the poor spammers. Once upon a time, they were able to sneak unsolicited advertisements out to everyone on the Internet. Then, things got tougher. Not only were tools developed to filter out these ads, but the legal system got involved too. Uncontrolled spamming can now land an outfit in the soup. After all, it's difficult, even undesirable, to remain anonymous when you're trying to ship products and provide services over the wire. You'd like customers to be able to send you money, and your identity/location is then pegged. You have to play by the rules. That's no fun. So, enter the zombie recruits.
By sending off emails that Joe Beercan is almost guaranteed to check out ("Naked Wife!" "Free Movie!" "Jackpot Winner!"), large numbers of Trojans can be placed on random home-user machines and fired off on command to large numbers of random email addresses leeched from files on those millions of home PCs. If the invader isn't too greedy or too whimsical, and doesn't send out so many packets that the machine's performance is degraded (and avoids little tricks like a barrage of dialog boxes saying, "Ha Ha lam0r i 0wnz j00!"), that home machine can quietly and efficiently be co-opted as an advertising device -- one not difficult to find at all, and one that is near-impossible to trace back to the spammer source.
Obviously, that's a tough "happy medium" to hit. One would need to run many field experiments to fine-tune the technique. That's exactly what the "SoBig" strain is suspected of being, a purposeful series of experiments, conducted in the largest computer lab in the world -- the Internet.
The bad news is that this is bad
The worse news is that the cure could wind up being worse. When government regulations get involved, that's usually what happens.