Kuro5hin.org: technology and culture, from the trenches
Uncovering a world of Zombie trojans

By jbridges in MLP
Thu May 31, 2001 at 01:03:18 PM EST
Tags: Internet (all tags)

Steve Gibson has written a masterpiece of investigative journalism about DoS attacks and Trojans.

It starts with a DoS attack on his grc.com website, and then goes off into the world of IRC-driven Zombie Trojans that are infecting an alarming number of machines.

http://grc.com/dos/grcdos.htm

A fascinating article that actually scared me a little bit with how pervasive this seems to have become.


Quote from article:

I watched in fascination as many other Zombies -- hundreds of others -- arrived and departed the secret "Zombie meeting grounds" of the IRC server.

Somewhere, Windows users were innocently turning on their PCs. Lacking any effective personal firewall security (we will see later that BlackICE Defender provides no protection), the Zombies running secretly and silently inside those machines were connecting to this IRC server. They maintained persistent connections for the duration of that PC's access to the Internet. The Zombie and its master don't care whether the machine is cable-connected, DSL, or dial-up -- though higher-speed connections are always preferred, as are machines that tend to be "on" most of the time. After all, you just never know when you're going to need to go attack someone.

Uncovering a world of Zombie trojans | 25 comments (19 topical, 6 editorial, 0 hidden)
bold (3.00 / 6) (#3)
by your_desired_username on Thu May 31, 2001 at 09:47:32 AM EST

There's something about the phrasing, and the red-bordered blocks of bold text in large font, that makes the linked article ring of fear-mongering. It's kind of like reading an article by a journalist who is convinced that terrified readers pay more attention, and tell more of their friends, and thus draw more advertising dollars.

heh (4.33 / 3) (#4)
by Defect on Thu May 31, 2001 at 10:08:45 AM EST

When those insecure and maliciously potent Windows XP machines are mated to high-bandwidth Internet connections, we are going to experience an escalation of Internet terrorism the likes of which has never been seen before.

Is it just me, or did this instill the urge to go out and invest in a bomb shelter in you as well? ;)

I was hesitant in believing at first, but it turns out Microsoft is clearly going to cause the destruction of the entire world. Entire continents will melt off the map, volcanoes will erupt in your living room and bathtubs, and your pets will start eating your children and speaking in Latin.

Grab your loved ones, laptops, and Mountain Dew, people, we don't have much time left, and we may very well be the only ones who know about this.

run away! run away!
defect - jso - joseth || a link
There are no ads or products for sale at article (4.50 / 4) (#5)
by jbridges on Thu May 31, 2001 at 10:13:46 AM EST

Steve offers no product to defend this sort of thing. He has no ads on this page (unless you count the links at the bottom of this HUGE article which point to his other pages, some of which do offer commercial products).

Steve has a long history of putting stuff out for free (as in beer), just to get the word out and spread the joy of discovery. Sometimes his work leads to a commercial product he eventually sells, sometimes it doesn't make him a penny.

Ever read his definitive article on the click of death on ZIP drives?

Or how about his free ASPI driver?

Personally, I don't object to his bold formatting, and use of graphics. It makes a sometimes VERY technical article easier to follow, and allows the less technical to jump ahead to the next headline or graphic.

Just his expose on BlackICE makes this article required reading for other journalists still pushing BlackICE.



I used the phrase 'kind of like' (3.66 / 3) (#14)
by your_desired_username on Thu May 31, 2001 at 12:13:43 PM EST

because I did not notice any blatant ads or product pushing - had such things been in evidence, I would have made a direct accusation.

I do agree that Steve's articles are quite good - but I really dislike the tone many of them are written in.

it's his style. (3.00 / 1) (#17)
by rebelcool on Thu May 31, 2001 at 01:06:12 PM EST

I've perused Gibson's site for a long time, he's always writing things like that. But he's a really clever guy so it's forgivable.

I use BlackICE too. Oops. Guess I'll be changing that now.

COG. Build your own community. Free, easy, powerful. Demo site

BlackICE works just fine... (2.00 / 1) (#25)
by nstenz on Sun Jun 03, 2001 at 01:55:25 PM EST

...as long as you know what you're downloading. BlackICE has trojan signatures in its database, but it's just like most crappy virus software- it looks like they have to add new variants to that database before it can find them.

I've had BlackICE Defender catch the SubSeven trojan on my parents' computer upstairs, and it did catch the outgoing packets. I admit I have no idea if it actually blocked them or not, but it did see them...

Of course, I happen to like BlackICE Defender, and Steve maintains that it's complete shit. I just think ZoneAlarm is a tad annoying after asking you if you want the first 40 programs to use your network adapter... and not allowing anyone to ping you... (You'd think this wonderful program would have a better way to block 'ping of death', 'smurf', and other attacks than simply blocking ALL pings.)

But then again, I rarely download executable attachments. For the average user, I'd say ZoneAlarm would probably be a better idea- IF you can convince the user to not click 'allow' every time a damn program tries to use the network (which is the fatal flaw in the program).

On a closing note- I hate the way Steve writes some articles, especially the security ones... There's too much sensationalism. He could write for a tabloid. The facts are there; I just don't like how he presents them. I suppose he's just trying to make them easy for the average Joe to understand, though.


Reporting for duty, sir! (3.85 / 7) (#7)
by Wiglaf on Thu May 31, 2001 at 10:30:00 AM EST

Is it just me, or is seeing that roll call towards the end kinda thrilling? I know in my head that 447 zombies is a lot, but seeing a list of them get ready for an attack kinda drives it home.

BTW, yes, his writing style goes for the dramatic, but like other posters have said, the guy puts most of it out there for free. No ads, no gimmicks. Gotta give him respect for that. Although anyone who enjoys assembly that much has got to be off kilter.

Paul: I DOMINATE you to throw rock on our next physical challenge.
Trevor: You can't do that! Do you really think Vampires go around playing rock paper scissors to decide who gets to overpower one another?

Steve Gibson rocks (3.62 / 8) (#8)
by slaytanic killer on Thu May 31, 2001 at 10:31:40 AM EST

Probably my favorite programmer, if I ever thought I had one. Just to see through his eyes may give one a joy of computing from an interesting angle:
I Needed My Own Stealth Spy-Bots

Untangling and extracting the meaning from the packet capture dialog of the average attack-neutered mutant Zombie is never fun. Moreover, separating the good stuff from the noise just adds to the burden. So I soon realized that I needed to create my own "Zombie simulators" that would logon to IRC chat channels, hob-nob with the Zombie locals and their masters, while logging everything that transpired and automatically alerting me of anything important.

So I downloaded a copy of the Internet RFC 1459 for Internet Relay Chat (IRC) Protocol and figured out how IRC works.

[...]

I even got quite fancy and built a Markov-chain finite-state statistical dialog modeller.

[...]

I learned an amazing amount about this bizarre world of zombie-running hackers.
The seriousness of a child at play. When he writes about his technologies, it looks like a bad infomercial, until one realizes that he truly cares about what he writes. Definitely a +1 FP from me.
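The "Zombie simulator" described in the quote above (a client that speaks just enough RFC 1459 to sit in a channel, stay registered, and log everything) boils down to a message parser plus a handful of reply rules. The block below is an added example in Python; it is not Gibson's tool (which, as the thread notes, he wrote in assembly) and not code from the article. It parses raw IRC lines into prefix, command, params and trailing text as RFC 1459 section 2.3.1 lays them out, answers PING, joins a channel once RPL_WELCOME (001) arrives, keeps a roster from RPL_NAMREPLY (353) and JOIN/PART/QUIT, and flags channel messages that look like attack orders. The keyword list, the nicks, the channel name and the sample session are all constructed; networking is deliberately left out so the logic can be run against captured lines.

```python
"""Minimal RFC 1459 observer (hypothetical example, not the article's tool).

Parses raw IRC lines, keeps the connection registered, and logs channel
activity the way a passive 'Zombie simulator' would.  Networking is left
out on purpose: feed() takes lines and returns the lines to send back.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# RFC 1459 2.3.1:  [':' <prefix> <SPACE>] <command> <params> <crlf>
# where the last param may be ' :' followed by text containing spaces.
_LINE_RE = re.compile(
    r"^(?::(?P<prefix>\S+) )?"        # optional prefix (server or nick!user@host)
    r"(?P<command>\S+)"               # command word or 3-digit numeric
    r"(?P<params>(?: (?!:)\S+)*)"     # middle params: none may start with ':'
    r"(?: :(?P<trailing>.*))?$"       # trailing param, may contain spaces
)

# Constructed heuristic: words that tend to appear in DoS command lines.
ATTACK_WORDS = re.compile(r"\b(ping|udp|syn|icmp|flood|packet|attack)\b", re.I)


@dataclass
class Message:
    prefix: str | None
    command: str
    params: list[str]
    trailing: str | None

    @property
    def nick(self) -> str | None:
        # 'nick!user@host' -> 'nick'; a bare server name comes back unchanged
        return self.prefix.split("!", 1)[0] if self.prefix else None


def parse_line(raw: str) -> Message:
    m = _LINE_RE.match(raw.rstrip("\r\n"))
    if not m:
        raise ValueError(f"malformed IRC line: {raw!r}")
    return Message(m["prefix"], m["command"].upper(), m["params"].split(), m["trailing"])


class ZombieObserver:
    """Passive channel watcher: stays registered, tracks who is present, flags commands."""

    def __init__(self, nick: str, channel: str) -> None:
        self.nick, self.channel = nick, channel
        self.roster: set[str] = set()
        self.alerts: list[tuple[str | None, str]] = []
        self.log: list[str] = []

    def handshake(self) -> list[str]:
        # RFC 1459 4.1: registration is NICK followed by USER.
        return [f"NICK {self.nick}", f"USER {self.nick} 0 * :{self.nick}"]

    def feed(self, raw: str) -> list[str]:
        """Consume one line from the server; return the lines to send back."""
        msg = parse_line(raw)
        self.log.append(raw.rstrip("\r\n"))
        reply: list[str] = []
        if msg.command == "PING":                       # keepalive, or we get dropped
            reply.append(f"PONG :{msg.trailing or ' '.join(msg.params)}")
        elif msg.command == "001":                      # RPL_WELCOME: registration done
            reply.append(f"JOIN {self.channel}")
        elif msg.command == "353":                      # RPL_NAMREPLY: current members
            self.roster.update(n.lstrip("@+") for n in (msg.trailing or "").split())
        elif msg.command == "JOIN" and msg.nick and msg.nick != self.nick:
            self.roster.add(msg.nick)                   # a zombie "reporting for duty"
        elif msg.command in ("PART", "QUIT") and msg.nick:
            self.roster.discard(msg.nick)
        elif msg.command == "PRIVMSG" and msg.trailing and ATTACK_WORDS.search(msg.trailing):
            self.alerts.append((msg.nick, msg.trailing))  # possible attack order
        return reply


# Constructed session, not a real capture; addresses are private or documentation ranges.
SAMPLE_SESSION = [
    ":irc.example 001 watcher :Welcome to the network",
    ":irc.example 353 watcher = #zombies :@master z001 z002",
    ":z003!zombie@10.0.0.3 JOIN :#zombies",
    "PING :irc.example",
    ":master!op@10.0.0.1 PRIVMSG #zombies :!ping 203.0.113.7 30000",
    ":z002!zombie@10.0.0.2 QUIT :Connection reset by peer",
]


def replay(lines: list[str] = SAMPLE_SESSION) -> tuple[ZombieObserver, list[str]]:
    """Drive the observer over a recorded session; returns it plus everything it would send."""
    bot = ZombieObserver("watcher", "#zombies")
    sent = bot.handshake()
    for line in lines:
        sent.extend(bot.feed(line))
    return bot, sent


if __name__ == "__main__":
    bot, sent = replay()
    print("sent:", sent)
    print("present:", sorted(bot.roster))
    print("alerts:", bot.alerts)
```

Two design points matter in practice. The parser treats any parameter beginning with ':' as the trailing text, which is what lets the bot read commands like `!ping host port` intact, spaces and all. And the bot never speaks in the channel: it only answers PING and joins once, so it looks like one more silent member to the operator, which is the whole point of a simulator that observes rather than participates.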

To quote "Good Will Hunting" (3.75 / 4) (#11)
by retinaburn on Thu May 31, 2001 at 11:34:52 AM EST

he's "wicked smart".

When I read that he went through RFC and created a glob of utilities I just started laughing. This guy is incredible.

I think that we are a young species that often fucks with things we don't know how to unfuck. -- Tycho


ack. (none / 0) (#22)
by Platy on Sat Jun 02, 2001 at 12:25:40 PM EST

I can just agree.
Doesn't he write all his nifty little utils in assembler? Nice..
J.

--
Tongue-tied and twisted, just an earthbound misfit, I.
A must read. (3.33 / 3) (#12)
by Tezcatlipoca on Thu May 31, 2001 at 11:43:15 AM EST

Please do yourself a favor and read the article, I am impressed and scared.

I will go right now to my PC and begin to look for those bots.

PS: script kiddies are the cutest creatures in the Universe.



Might is right
Freedom? Which freedom?
Kinda Funny (4.00 / 4) (#13)
by slick willie on Thu May 31, 2001 at 11:48:51 AM EST

I'm trying to load the article, and thinking, "Damn for being on a dual T-1, it's awful slow. Almost like he's under attack again."

This makes me stop and think, so I load up /. in another window.

Heh. An article about being DDoS'd, being DDoS'd again. Different method. You don't suppose that script kiddie posted to /., do you?

"...there is no limit to what a man can do or where he can go if he doesn't mind who gets the credit."
--Ronald Reagan, First Inaugural Address

Slashdotted (4.00 / 1) (#16)
by MrAcheson on Thu May 31, 2001 at 12:36:22 PM EST

Ok, as at least one person has reported this story is already up on slashdot, hence another sort of DoS is going on. :) However upon looking at slashdot, someone over there has bothered to set up a mirror here. Thanks slashdotters.

These opinions do not represent those of the US Army, DoD, or US Government.


Techniques (none / 0) (#18)
by wiredog on Thu May 31, 2001 at 01:06:43 PM EST

Interesting to note that his techniques are fairly standard for intelligence gathering. Traffic analysis, infiltration, wiretaps (sort of... look at how he monitored IRC), some social engineering. And also to note how little help he got from the FBI and home.com.

"Anything that's invented after you're 35 is against the natural order of things", Douglas Adams
GRC writing formats and Zombie solutions. (5.00 / 1) (#19)
by tarsvp04 on Thu May 31, 2001 at 10:35:27 PM EST

For those suggesting that Mr. Gibson did not provide solutions to the problem, he did provide some current solutions and promised his own in the future, which I expect will be quite effective. In the meantime he provided some quick netstat checks you could use and noted that Zone Alarm (free or pro) was effective at preventing the trojans from making connections, and he also pointed everyone to moosoft where you can download The Cleaner trojan scanner/remover. He then left a notice that he would be coming up with his own solution. What more are you asking for?

And as for the links... they are all in the article available at his site or the mirror provided by the comatose hitmen:
http://grc.com/dos/grcdos.htm
http://cs.comatosehitmen.com/dos/

As to his "inflammatory" writing style - It is absolutely necessary imo. The realities of our sales force/profit margin driven software/hardware/firmware markets are that companies see no profit in fixing bugs or even acknowledging problems until a large hue and cry is raised demanding attention. Mr. Gibson knows this and is forced to play to it. I think he is actually more restrained than he needs to be in some cases.

As to the rest of his writing ability, he manages to bring himself down to a level that almost everyone can understand without giving off waves of condescension. I appreciate this as much as his other efforts. My hat is off to him. Speaking of hats..... I'm pretty glad he prefers white.

Fools come and fools go. It's the urge to thrash them that never goes away.
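The "quick netstat checks" mentioned in the comment above, and the behaviour the story quotes from the article (a zombie holding one connection to its IRC server open for as long as the PC is online), can be turned into a repeatable check. The block below is an added example, not code from the article and not anything Gibson published: it parses the text of a Windows-era `netstat -an` run (Proto, Local Address, Foreign Address, State columns) and reports established TCP sessions whose remote port is one of the usual IRC ports. The port list (6660-6669 and 7000) is an assumption, not something the article states, and the sample rows are constructed with documentation-range addresses.

```python
"""Spot persistent outbound IRC connections in `netstat -an` output.

Hypothetical example, not code from the article.  The IRC port list and the
sample netstat rows are constructed; the parser targets the column layout of
the Windows 9x/2000-era `netstat -an` (Proto, Local, Foreign, State).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: the common IRC listening ports of the period.  A connection to
# one of these is a lead to investigate, not proof of infection.
IRC_PORTS = set(range(6660, 6670)) | {7000}

_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$", re.I)


@dataclass(frozen=True)
class Conn:
    proto: str
    local: str
    remote_host: str
    remote_port: int | None
    state: str


def _split_hostport(addr: str) -> tuple[str, int | None]:
    # '203.0.113.10:6667' -> ('203.0.113.10', 6667); '*:*' -> ('*', None)
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> list[Conn]:
    """Parse `netstat -an` text; header and blank lines are skipped."""
    conns: list[Conn] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        host, port = _split_hostport(remote)
        conns.append(Conn(proto.upper(), local, host, port, state.upper()))
    return conns


def suspicious_irc(conns: list[Conn], ports: set[int] = IRC_PORTS) -> list[Conn]:
    """Established TCP sessions whose remote port is an IRC port.

    ESTABLISHED is the interesting state: the article describes zombies that
    hold the connection open for as long as the PC is online.  TIME_WAIT
    leftovers and LISTENING sockets are ignored.
    """
    return [c for c in conns
            if c.proto == "TCP" and c.state == "ESTABLISHED" and c.remote_port in ports]


# Constructed sample; documentation-range addresses, no real hosts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1044       203.0.113.10:6667      ESTABLISHED
  TCP    192.168.1.5:1051       198.51.100.7:80        ESTABLISHED
  TCP    192.168.1.5:1062       203.0.113.10:7000      TIME_WAIT
  UDP    192.168.1.5:137        *:*
"""


def report(text: str = SAMPLE_NETSTAT) -> list[str]:
    """One line per hit, in the form 'local -> remote:port', for a quick eyeball."""
    return [f"{c.local} -> {c.remote_host}:{c.remote_port}"
            for c in suspicious_irc(parse_netstat(text))]


if __name__ == "__main__":
    for hit in report():
        print("persistent IRC connection:", hit)
```

Run it against a saved `netstat -an > netstat.txt` rather than a live call so the same text can be re-checked later. A hit means "something on this box is parked on an IRC server", which is equally true of a legitimate IRC client; the follow-up is to find which process owns the local port and whether the user knows about it. A bot on a non-standard port will not show up here at all, which is why the article pairs this kind of check with an outbound-blocking personal firewall.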

Steve has posted a followup article... (4.50 / 2) (#20)
by jbridges on Thu May 31, 2001 at 11:41:45 PM EST

http://grc.com/dos/winxp.htm

.... and I might add, why the heck isn't MLP included in "Everything"?

It seems articles get fewer views in the MLP Ghetto than in the moderation queue.

[OT] Everything (5.00 / 1) (#21)
by driph on Sat Jun 02, 2001 at 12:01:02 PM EST

.... and I might add, why the heck isn't MLP included in "Everything"?
Hmm, that's odd, I found my way to this story through the Everything page.

You might have a different number set for your "number of story summaries on front page," and since the Everything page is organized by date posted, enough stories from other sections may have been posted since the last MLP to push any MLP articles off the front page of Everything.. check out the sidebar on the right of the Everything section or click on the Older Stories link, and I'm sure you'll see the MLPs scattered about through there..

Let us know if for some reason you still don't, tho..

--
Vegas isn't a liberal stronghold. It's the place where the rich and powerful gamble away their company's pension fund and strangle call girls in their hotel rooms. - Psycho Dave

You are correct, I'm wrong (none / 0) (#23)
by jbridges on Sun Jun 03, 2001 at 07:18:55 AM EST

It's there under everything, I was confused by some stories that I thought were submitted before mine. Does the submission date change on a story when it's been edited?

Yet another followup - further attacks (5.00 / 1) (#24)
by jbridges on Sun Jun 03, 2001 at 07:22:45 AM EST


http://grc.com/dos/openletter.htm

Quote:
I was talking to a reporter on the phone a few hours ago, during the first REAL, non-blockable attack we have ever experienced. And I calmly explained that we were under attack and off the Net. In a bit of a panic, he asked what I was going to do about it. So I told him that I was going to take a long walk on the beach -- because you and I both know there's absolutely NOTHING I CAN DO to defend against a real, professional, Internet Denial of Service attack. So I might as well enjoy the day.

