February 14, 2000 6:30 PM PST

Hacker discloses new Internet attack software

A programmer familiar with attack software has disclosed three new attack programs of the type believed to have taken down major Internet sites last week, complicating the jobs of security experts trying to fight the malicious programs.

Three new versions, called Fapi, Shaft and Trank, are disclosed in a paper published today by the programmer known as "Mixter" at Packet Storm, a site that publishes malicious software so security professionals can scrutinize it. Mixter is the purported author of a similar attack tool, Tribe Flood Network, and its sequel, TFN2K.

The software, of a breed called "distributed denial of service" (DDoS), is used to harness the collective abilities of a host of computers to swamp a target computer by inundating it with packets of information sent over the Internet. Some varieties are known, but apparently there are other versions of the software in circulation.

The newly disclosed versions likely evade programs posted by the FBI and others to detect TFN and two other publicly known versions, Stacheldraht and Trinoo.

Another DDoS package, called Blitznet, also has been publicly available for at least two months at the Packet Storm site. Mixter said it was written by someone called "phreeon." Trinoo was written by "phifli," he said. As previously reported, Mixter said Stacheldraht was written by "randomizer."

The newly disclosed DDoS software might sneak under the radar, but security companies are turning up some instances of the known versions.

Network Associates and its subsidiary MyCIO.com have discovered seven cases of computers infected with DDoS attack software, MyCIO chief executive Zach Nelson said.

His company provides an online detection tool that has been in high demand since the 100-person company unveiled it Feb. 10. Of more than 10,000 who have used it to scan their systems, the MyCIO software has found five cases of Stacheldraht, one of TFN and one of Trinoo, Nelson said.

Six of the seven instances were at educational institutions. The affiliation of the seventh couldn't be determined, Nelson said. In addition, six of the seven were in the United States, with the seventh in Germany. All seven systems have been taken offline, he added.

Nelson said MyCIO leaves it to the sites themselves to contact the FBI, which has launched an investigation into last week's attacks.

Gerhard Eschelbeck, vice president for MyCIO's security software, said his company's software detects the DDoS attack software by attempting to communicate with it. In addition, the software looks for blocks of text characteristic of the software.

Eschelbeck acknowledged that changes to the software or other versions won't necessarily be detected by MyCIO, but he said some fingerprints likely will remain.
