[ISN] Shadow Group Sees Patterns with Network Hackers

From: mea culpa <jericho_at_dimensional.com>
Date: Mon 26 Oct 1998 - 17:01:56 CST
Forwarded From: hackerelite@deathsdoor.com

From: http://www.andovernews.com/cgi-bin/news_story.pl?90350

Shadow Group Sees Patterns With Network Hackers

WASHINGTON, D.C., U.S.A., 1998 OCT 23 (Newsbytes) -- Shawn P McCarthy,
Government Computer News. Most people picture a network hacker as a
furtive, isolated operator who breaks in, looks around and gets out fast,
perhaps doing some damage along the way. 

But recent break-ins at unclassified Defense Department networks have
altered that image. Some hackers have been moving at snail-like speeds,
sending just a few packets per hour so they don't trip sensors set to pick
up unusual traffic patterns. 

To make up for the slowness, several hackers may band together in teams,
channeling information through multiple IP addresses. 

That's the discovery made recently by the Shadow group, an anti-hacker
coalition made up of members from several Defense sites, civilian agencies
and industry. 

Shadow, which works closely on network security issues with the SANS
Institute Inc. of Bethesda, Md., at http://www.sans.org/ , publicizes what
it has learned about hacker penetration of government and private networks
and analyzes break-in attempts. 

Stephen Northcutt, director of the Shadow project at the Naval Surface
Warfare Center in Dahlgren, Va., said Shadow members have identified five
patterns: 

1. Attacks from up to five different sources that all contain the same
signature, or mode of attack; 

2. Simultaneous reset scans that help a hacker tell where machines are
located on a network; 

3. Probes against a firewall at a very low rate from several addresses,
revealed only by TCP flags and malformed packets; 

4. Scans that search specifically for domain name servers, often via
identical scans coming from different addresses; such probes generally
arrive from Internet service providers, indicating that hackers were
hiding elsewhere and using the provider as a springboard for the attack;
and

5. Coordinated exploits in which hackers search for copies of Back Orifice
that may have made their way into a system. 

A hacker group known as the Cult of the Dead Cow came up with Back
Orifice, a play on the name of Microsoft Corp.'s BackOffice transactional
suite. 

Back Orifice is relatively small at 120K and can be disseminated as an
e-mail attachment or embedded in a downloaded file. Once launched, Back
Orifice literally opens a back door that gives hackers partial control of
the computer. 

These new types of probes mark a watershed in the way hackers operate,
said Northcutt and Shadow analyst Tim Aldrich. 

The DOD analysts previously believed single attackers were targeting
multiple sites. Now they see multiple attackers working together to target
either single or multiple sites. 

Are they sure this isn't still a bunch of lone attackers working from
multiple IP addresses? No. But Northcutt and Aldrich believe multiple
hackers must be involved because of the variety of machines used and other
subtle differences. 

What this means is that government networks aren't necessarily safe even
if they have intrusion detection software in place.  Most current software
isn't designed to look for such subtle traffic patterns. 
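
The point in the preceding paragraph, and in patterns 1 and 4 of the list above, is that a per-source rate alarm never fires on a scanner that sends a packet an hour, and sees nothing in common between two addresses running the same scan. The following is an added example, not code from the article, from the Shadow project or from SANS: it runs a classic burst detector and a long-window correlator over a few constructed packet records. The one-line log format, the addresses, and the thresholds (two packets per hour, three distinct targets) are all assumptions chosen for illustration.

```python
"""Correlating low-and-slow and coordinated probes over a long window.
Added example: the log format, addresses and thresholds are constructed
for illustration and are not the Shadow tools or Shadow data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one packet per line:
# "<ISO timestamp> <src_ip> <dst_ip>:<dst_port> <tcp_flags>"
# 10.1.1.5 and 10.2.2.9 each send roughly one SYN per hour to the same
# four name-server addresses; 10.3.3.3 is an ordinary fast burst against
# one host; 10.4.4.4 is a single stray RST.
SAMPLE_LOG = """\
1998-10-20T01:03:11 10.1.1.5 192.0.2.10:53 S
1998-10-20T02:17:40 10.1.1.5 192.0.2.11:53 S
1998-10-20T04:02:09 10.1.1.5 192.0.2.12:53 S
1998-10-20T05:45:33 10.1.1.5 192.0.2.13:53 S
1998-10-20T01:11:02 10.2.2.9 192.0.2.10:53 S
1998-10-20T03:01:55 10.2.2.9 192.0.2.11:53 S
1998-10-20T04:39:18 10.2.2.9 192.0.2.12:53 S
1998-10-20T06:12:44 10.2.2.9 192.0.2.13:53 S
1998-10-20T02:00:00 10.3.3.3 192.0.2.20:80 S
1998-10-20T02:00:01 10.3.3.3 192.0.2.20:80 S
1998-10-20T02:00:02 10.3.3.3 192.0.2.20:80 S
1998-10-20T03:30:00 10.4.4.4 192.0.2.10:25 R
"""


def parse_log(text):
    """Parse the constructed format into (ts, src, dst, dport, flags) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, target, flags = line.split()
        dst, dport = target.rsplit(":", 1)
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), flags))
    return sorted(records)


def burst_detector(records, window=timedelta(minutes=5), threshold=3):
    """Classic per-source rate alarm: fires when one source sends at least
    `threshold` packets inside any sliding `window`. Slow scanners never
    trip it."""
    by_src = defaultdict(list)
    for ts, src, *_ in records:
        by_src[src].append(ts)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return sorted(flagged)


def profile_sources(records):
    """Long-window per-source profile: distinct target hosts, peak packets
    in any clock hour, and a scan signature (the sorted set of
    (dst, dport, flags) the source touched)."""
    profiles = {}
    for ts, src, dst, dport, flags in records:
        p = profiles.setdefault(
            src, {"hourly": defaultdict(int), "targets": set(), "sig": set()})
        p["hourly"][ts.replace(minute=0, second=0, microsecond=0)] += 1
        p["targets"].add(dst)
        p["sig"].add((dst, dport, flags))
    for p in profiles.values():
        p["peak_per_hour"] = max(p["hourly"].values())
        p["signature"] = tuple(sorted(p["sig"]))
    return profiles


def low_and_slow(profiles, max_per_hour=2, min_targets=3):
    """Sources that stay at or under `max_per_hour` in every hour yet reach
    `min_targets` or more distinct hosts over the whole window."""
    return sorted(src for src, p in profiles.items()
                  if p["peak_per_hour"] <= max_per_hour
                  and len(p["targets"]) >= min_targets)


def coordinated_groups(profiles, min_sources=2):
    """Group source addresses that share an identical scan signature."""
    by_sig = defaultdict(list)
    for src, p in profiles.items():
        by_sig[p["signature"]].append(src)
    return {sig: sorted(srcs) for sig, srcs in by_sig.items()
            if len(srcs) >= min_sources}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    prof = profile_sources(recs)
    print("burst alarm fires on:", burst_detector(recs))
    print("low-and-slow sources:", low_and_slow(prof))
    for sig, srcs in coordinated_groups(prof).items():
        print("same signature from", srcs, "->", [f"{d}:{p}/{f}" for d, p, f in sig])
```

Run as a script it prints three results: the burst alarm fires only on the noisy single-target scanner, while the two slow sources, each well under the per-hour limit, surface only when distinct targets are counted over the whole window and their identical signatures are then matched across addresses. The hour-bucket and target thresholds are deliberately crude; the design choice that matters is keeping per-source state for hours or days rather than minutes, which is what the per-burst sensors the article describes do not do.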

For details about the coordinated attacks, visit
http://www.nswc.navy.mil/ISSEC/CID/ .  Look for the narrative about a
coordinated attack against Langley Air Force Base, Va.  You can also
download Unix Shadow software that probes system logs to look for the
patterns. 

If you dare to download and experiment with Back Orifice, find a copy at
http://www.schippers.net/welcome.html , along with a cleaner that
supposedly removes it from a system. 


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Tue Oct 27 09:58:13 1998