
Mass Xmas hack plan exposed

by John Leyden

16 Nov 2000


Internet security researchers have warned that hackers are planning to launch internet-based denial of service (DoS) attacks on web retailers over the Christmas period.

Internet Security Systems (ISS) said that many hundreds of computers are infected with so-called zombie agents, which would allow hackers to commandeer the machines and cripple the servers by flooding sites with a huge number of spurious requests.

However, the company warned that only 10 per cent of online retailers are prepared to deal with attacks of this type, which were responsible for bringing down high-profile sites such as Yahoo and eBay in February this year.

Chris Rouland, director of X-Force, a counter-hacker group at ISS, warned that the current spread of Trojans parallels the events that occurred prior to those attacks.

X-Force, whose members infiltrate hacker gangs to get intelligence on the digital underground, has discovered over 800 computers infected with the SubSeven DEFCON8 2.1 backdoor, a variation of the SubSeven Trojan.

This has been distributed on Usenet newsgroups with file names such as 'SexxxyMovie.mpeg.exe'. The group has determined that individuals are using this network of compromised hosts to test new distributed DoS (DDoS) methods and strategies.

Alarmingly, fresh versions of the Stacheldraht and Trinity DDoS attack tools, earlier versions of which were the chief weapons deployed during the attack on eBay and other sites, are also spreading.

Versions of Stacheldraht include 'Stacheldraht 1.666+antigl+yps' and 'Stacheldraht 1.666+smurf+yps'. A variant of the Trinity tool called 'entitee' has also been reported.

The tools were detected in corporate networks, as well as on personal computers with high-speed network connections, which would magnify their potential effectiveness.

"These tools are likely to be used over the Christmas period against online retailers who are not prepared to deal with them," said Rouland. "If you said 10 per cent were prepared, it would be a liberal estimate."

A number of techniques have been suggested to defend against DoS attacks since they first occurred, some involving configuring internet routers to block such attacks. However, the effectiveness of these remains unproven.

Users should put security policies in place and deploy technologies such as intrusion detection to prevent becoming unwitting agents in attacks, Rouland advised.

He added that in the last three years, the number of fresh exploits identified by X-Force has grown from five per month in 1997 to 125 per month this year.
