posted on May 31, 2001 07:05:34 PM
Steve Gibson's GRC site was totally inaccessible for 17 hours on May 4th due to a DDOS attack (Distributed Denial of Service) by IRC Zombie/Bots which was organized by a 13-year-old hacker who goes by the handle of "wicked". Eight days went by with no more attacks so he thought that would be the end of it, but starting on May 12 he was hit with 5 more attacks. He's set up a page that gives the details of these attacks and his observations from studying them, including the dangers for individual computer owners who don't take adequate precautions to secure their machines. These attacks consisted of 474 Windows PCs, most of which were being hijacked without the owner's knowledge, and involved BOTH cable and dialup connections.
I think you'll find Steve's Anatomy of DOS attacks to be a very interesting read and I highly recommend it. It's written in an entertaining way, very much like a detective novel, and my eyes were glued to the page until I finished reading the very last sentence. I also think many of you will be shocked to discover how easy it is for someone to take over your computer and do anything they want with it WITHOUT your knowledge.
He put up this page yesterday and it's receiving so many hits that his server is running a bit slow. If you have trouble accessing the site now just try back in a little while.
BTW, if you currently own a copy of BlackICE Defender you may want to throw it in the garbage and get a firewall that actually works.
Steve added a follow-up today which I'm going to enclose below because his site is becoming difficult to access due to the increased traffic generated by folks wanting to read his DDOS report. At least that's what I hope is causing the problem and NOT the return of "wicked" and his IRC Bots. LOL I copied this from my newsreader so the sentence structure may look a bit odd.
QUOTE
"Everyone,
I really don't know HOW it happened, but overnight -- literally -- the entire world seems to have learned about my release last night of "The Strange Tale".
I have no doubt that many of you forwarded the link on to your friends and others, who must have done the same.
I have NEVER -- and I mean NEVER NEVER -- seen the server and our T1's so busy -- *this* *time* with 100% valid traffic! It's like TechTV's Leo Laporte is just standing there and chanting "GRC.COM" ... "GRC.COM" ... "GRC.COM" ... over and over again.
Incredibly, articles have ALREADY been written about the threat of Windows XP, and Microsoft has been put squarely on the defensive.
It's unbelievable.
Thank you."
END QUOTE
Fasten your seat belt, read the article and have a GREAT ride.
posted on May 31, 2001 07:41:38 PM
BTW, Steve has had to take his news server offline in order to determine the cause of the frequent system-wide server outages he's been experiencing today. He wants to find out if the problem is related to the increased traffic due to the huge interest in his DDOS report OR if "wicked" and his IRC Zombie/Bots are back.
However, I'm not having any problem accessing the URL I gave you in my first post now that he's temporarily removed the news server.
Blanche
[ edited by bhearsch on May 31, 2001 07:43 PM ]
posted on May 31, 2001 09:19:44 PM
Blanche ....... Thanks so much for posting that URL, all I can say is WoW.
I had no idea that Steve's site had been compromised, and what a story indeed!
FYI - One of the ISPs listed - shawcable.net - is actually @home as well. Shaw is the local cable provider here in AB, as well as across Canada.
posted on May 31, 2001 11:45:55 PM
Blanche ....... An eBayer I know read the article [I posted it on another board] and discovered he's dirty x 2. He emailed Steve to ask for advice. Without you posting this info he would have never known, thanks again!
posted on May 31, 2001 11:58:26 PM
Hiya Neil. I'm glad you enjoyed reading the article. It does deal in a bit of tech stuff (also known as muck, hi packer) but Steve is such a great writer and storyteller that I think most folks will enjoy reading it.
I was quite amazed that the larger ISPs, particularly @home and Earthlink, wouldn't offer their help and one of the smaller ones ended up sending him the Zombie/Bot. This isn't the first time that Earthlink has had a Trojan infecting their users and it's not the first time they didn't do anything about it. I came across this message dated Feb. 27, 1999 while I was researching something else: http://k3v1n.com/elnhacked.htm Also, on February 14 of this year Earthlink's network was broken into by crackers and they weren't very quick to admit it or to warn their subscribers.
http://www.wired.com/news/business/0,1367,41934,00.html I'm glad I have a very small ISP.
I think the article will enlighten many of the computer owners out there about the real threats to their security and privacy when browsing the internet and emphasize the need to practice safe computing which includes arming yourself with a GOOD firewall whether you have a cable OR a dial-up connection. I also think we're going to find a LOT of copies of BlackICE Defender in the garbage cans. LOL
I still can't access Steve's newsgroup so, since I can't get my GRC news fix tonight, I may as well go to bed.
posted on June 1, 2001 12:04:44 AM
WOW, I'm sure glad he found out about it. You're very welcome and I hope he gets rid of the sucker. The Sub Seven is a real nasty one and I'm sure if he posts to one of the GRC newsgroups they'll tell him what needs to be done. The only problem is that the news groups are down right now. If he can't get a response please email me and I'll do what I can to help. Give me a minute and I'll post a few anti-trojan links.
posted on June 1, 2001 12:12:21 AM
Here's a link to some anti-trojan sites. Scroll down to Mal-ware info and then to anti-trojan info.
http://www.staff.uiuc.edu/~ehowes/main.htm
posted on June 1, 2001 12:41:30 AM
Thanks for posting that info. I ran the checks and found I had an open port, which I closed by following his instructions.
Count my copy of Black Ice in the trash. I immediately went and dl'd Zone Alarm last night after reading that article. I hadn't been compromised, thankfully!
Edited to add: if any of you reading this aren't running a firewall now, you best go and git you one ASAP! Even with Black Ice, I was logging about 20 - 40 attacks / pings a week, at all different hours of the day, any given day of the week, and from all over the world! It is a very real threat and a certainty that you will be hit upon sooner or later.
posted on June 1, 2001 09:19:41 AM
Hi guys. You are all very welcome. I'm glad some of you took the time to read the article and found the info helpful. There are some nasty things out there.
I had no idea this kind of stuff existed when I first bought a computer. I was lucky though because I happened to run across Steve's site the first month I was surfing the internet. I just know there are a ton of "newbies" out there that don't have a clue and aren't adequately protected.
If anyone is looking for a good deal on an inadequate firewall I know Steve has a slightly used copy of BlackIce Defender that you can buy real cheap. However, something tells me that the price for a NEW copy of BID just went down. LOL
reddeer, if your friend has the Sub Seven Trojan on his computer he's going to have to change all of his personal info and passwords since they've been compromised. I'm afraid it's going to be a real mess to clean up. I sure hope he was mistaken and it's just a false alarm.
posted on June 1, 2001 10:57:03 AM
Hey, twinsoft, I forgot to ask if your open port was 139? This is the most common port left open as a result of the flaw in the default settings of Microsoft's networking client.
BTW, I'm beginning to think that the GRC is under attack again by "wicked" because I can't even access the article or ANY page on his site. I can't open his site at all to even read the "server down" messages. This is exactly what happened during his DDOS attacks and I'm becoming quite annoyed with this little brat. At this rate I'm never going to get caught up with the messages in my news groups.
IMO, he needs a good spanking!!
Blanche
I have to edit this because I was just now able to reach the GRC site but the news server is still offline. Maybe it isn't "wicked" after all, but he still needs a good smack upside the head. LOL
posted on June 1, 2001 01:49:38 PM
Blanche, thanks for posting about the GRC article. I read it all, it was fascinating!
I took the GRC test and port 139 was open. I've just installed a firewall for the first time, and it works because I tested my computer again at the GRC site - AOK. I was going to attempt what Twinsoft did with the bindings/unbinding [as grc recommended] but chickened out!
posted on June 1, 2001 01:57:27 PM
I kept noticing my icon down on the task bar running when I should not be pushing anything over the modem, so I installed ZoneAlarm and found a whole family of programs installed without my knowledge that were like ET - calling home. Stopped that crap.
posted on June 1, 2001 04:05:55 PM
Hi, Blanche. Yes, it was 139. I've used ZoneAlarm when I was on cable, but I don't need it so much now. My system tested clean at GRC (after the fix). Thanks again, you are a wonder!
www.gratefuldad.com
Online Auction Sellers Cooperative
posted on June 1, 2001 06:33:14 PM
Hi Blanche,
I managed to read through the "muck" and I found it WAAAAAAAAAY over my head.
However I did make it to the SHIELDS-UP page and ran the test.
I'm happy to say I'm CLEAN & STEALTH on all fronts.
I am going to cable modem Monday so I will run the test again. It may prove interesting how that one will turn out.
However his message to me was that I must have a very good Firewall, I wouldn't think it would change just because I'm going to cable. Heck, I don't even know what a Firewall is.
Thanks, Blanche, for bringing this to the attention of some of us that don't have a clue about computers.
posted on June 1, 2001 06:59:28 PM
Thank you so much for that information! I d/l'd that ZoneAlarm program and when I got back online I had 139 "alerts" within 2 hours. I don't even have DSL or cable since it's not here yet. Do virus detection programs also detect these Trojans?
posted on June 1, 2001 10:00:37 PM
Hi packer. I'm glad you made it to the Shields-Up page. You didn't mention if you are currently using a firewall. You will definitely need a good one when you switch to a cable connection because your computer will be "on" all of the time as opposed to a dial-up where most folks turn it on and off each time they use their computer. When a computer is on all of the time it usually has the same IP address and is much easier to track down.
A firewall basically creates a barrier or security door to prevent unauthorized access to your computer or network. It acts as a gateway between your computer and all of the other computers which compose the internet. It analyzes all inbound and outbound traffic and decides what to let pass through according to predetermined rules or instructions. All the traffic going through a firewall is part of a connection, and a connection consists of a pair of IP addresses that are talking to each other, as well as a pair of port numbers. The destination port numbers usually refer to the type of service that's being connected to, and each service uses known port numbers. For instance, port 25 is used for most SMTP email clients to SEND mail. Port 139 is used for Windows file and print sharing. A firewall will block any unauthorized attempt to use certain ports because this usually signifies a hostile intruder. So, it's important to keep ports that you aren't using closed at all times.
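As an added example (my own code, not Steve's and not from this thread), here is a small Python rule engine modelled on the description above: every connection is a pair of addresses plus a pair of ports, the well-known destination port says which service is being reached, and anything not explicitly allowed is denied. The rules, the deny-by-default outbound policy (which mirrors ZoneAlarm stopping programs "calling home") and the sample traffic are all assumptions I constructed for the illustration.

```python
from collections import Counter
from dataclasses import dataclass
# Added example (not from the thread): a first-match rule engine in the spirit
# of the firewall description above; ports and addresses below are constructed.

@dataclass(frozen=True)
class Conn:
    direction: str  # "in" = unsolicited from the internet, "out" = started by us
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Well-known destination ports named in the post: 25 = SMTP (sending mail),
# 139 = Windows file and print sharing. A rule is (direction, dst_port, action);
# the first matching rule wins and anything unmatched falls through to DEFAULT.
RULES = [
    ("out", 25, "allow"),   # our mail client sending
    ("out", 80, "allow"),   # browsing
    ("out", 110, "allow"),  # fetching mail over POP3
    ("in", 139, "deny"),    # never expose file sharing to the internet
]
# Deny by default both ways: unused ports stay closed and "calling home" is stopped.
DEFAULT = {"in": "deny", "out": "deny"}

def decide(conn):
    """Apply RULES top to bottom; fall back to the per-direction default."""
    for direction, port, action in RULES:
        if conn.direction == direction and conn.dst_port == port:
            return action
    return DEFAULT[conn.direction]

def filter_traffic(conns):
    """Return (list of (conn, action), Counter of denied inbound dst ports)."""
    decisions, blocked = [], Counter()
    for c in conns:
        action = decide(c)
        decisions.append((c, action))
        if action == "deny" and c.direction == "in":
            blocked[c.dst_port] += 1
    return decisions, blocked

# Constructed sample traffic; addresses come from documentation ranges.
SAMPLE = [
    Conn("out", "192.0.2.10", 1025, "203.0.113.5", 25),    # sending mail
    Conn("out", "192.0.2.10", 1026, "203.0.113.9", 80),    # browsing
    Conn("in", "198.51.100.7", 3456, "192.0.2.10", 139),   # file-sharing probe
    Conn("in", "198.51.100.8", 4000, "192.0.2.10", 139),   # another probe
    Conn("in", "198.51.100.9", 4100, "192.0.2.10", 5555),  # probe of an unused port
    Conn("out", "192.0.2.10", 1027, "198.51.100.9", 5555), # unexpected "call home"
]

if __name__ == "__main__":
    for c, action in filter_traffic(SAMPLE)[0]:
        print(f"{action:5} {c.direction:3} {c.src_ip}:{c.src_port} -> {c.dst_ip}:{c.dst_port}")
```

The per-port counter is the kind of tally the later posts describe reading off a firewall log: inbound hits on 139 stand out because nothing legitimate from the internet should ever ask for it.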
posted on June 1, 2001 10:28:00 PM
Hello tsunamii. Unfortunately, there isn't an anti-virus product that can effectively protect you from most Trojan infections. That's the reason you need a firewall which will stop the Trojans from infiltrating your system. You should also use a good anti-virus program along with the firewall and everyone should try to learn the basics involved in safe computing.
There are anti-Trojan programs that can determine if you've already been infected by Mal-ware or a Trojan and there are programs which will remove them. Here's a good reference site:
http://www.staff.uiuc.edu/~ehowes/main.htm
Blanche
[ edited by bhearsch on Jun 1, 2001 10:32 PM ]
posted on June 2, 2001 09:05:20 AM
Hi Blanche,
Thanks for the info.
I just got this computer, brand new, bought it from a local computer store that builds and maintains them.
All I know for sure is that I have the latest and newest Norton Anti-virus protector installed.
I don't know about the Firewall, I will be getting in touch with him on Monday and finding out. He knew I was going to be connecting to cable modem so maybe he took care of it for me (I hope). That's why I stayed local this time. I wanted to find someone that could take care of my needs, as I haven't a clue.
posted on June 2, 2001 09:15:23 AM
Norton software can nail the sub7, but it is not a firewall and is only as good as the script it is aware of and has upgraded to.
The bottom line is that these hackers can gain entry into your system regardless of virus software if you don't have a good firewall.
You'll be shocked when you view the log of all the attempts to gain access to your machine when you install the firewall, especially if you are on a cable modem. I average 20 attempts a day on my PC.
My guess is that if you don't know if you have a firewall or not, then you probably don't. Go to the GRC site and test your system. That should give you a pretty good idea of your system's status. (Then skip over to Zone Alarm and download theirs if you need one.)
posted on June 2, 2001 12:29:38 PM
Hmmmm ... now here's something strange. My new ZoneAlarm firewall just stopped some outgoing communication from my computer to another computer: "pics.ebay.com." Now I don't have any pictures hosted with Ebay. None. Nada. Zilch. I host pictures off my own website, or with Rancho Web. Why is my computer communicating with Ebay's picture hosting service? Does Ebay have some spyware??
posted on June 2, 2001 12:36:58 PM
gk4495, yes they do. It's called web bugs, cookies and JavaScript. You probably viewed an auction that had a picture that was hosted by eBay's pic host and it set a JavaScript cookie or a web bug graphic on your computer. PayPal and most of the other third party services do the same thing. They SPY on the users. Now, isn't that SPECIAL??
posted on June 2, 2001 12:39:23 PM
Hmmm... now that you mention it, I did check out a couple of auctions this morning and I do believe one of them had picture hosting by Ebay. You're right. That is *real* special.
posted on June 2, 2001 01:27:42 PM
eBay has been placing cookies on your machine for some time now.
Whenever you "sign in" a cookie is placed on your machine.
I use adsubtract to stop cookies. It stops cookies from responding that are already on my machine too, but some things such as password protected pages will not function without cookies.
I can come onto AW with adsubtract on, but I can't post without shutting it off.
I can go to eBay with it on and it doesn't recognize my machine.
Many sites use cookies to see where you have been, where you are going to, and to identify you when you arrive.
posted on June 2, 2001 03:43:03 PM
The GRC site did receive some more pounding on Friday night by DDOS attacks. Steve Gibson added An Open Letter to the Internet's Hackers to his site some time that evening which is basically a SURRENDER notice. The following news article has a copy of this SURRENDER notice if you wish to read it. http://www.securitynewsportal.com/article.php?sid=690&mode=thread&order=0
Steve's site is still intermittently unstable but you can also find the letter on the same page as the Strange Tale: http://grc.com/dos/grcdos.htm
Also, I was able to get into his site earlier and I copied his latest announcement which I've pasted below:
QUOTE
"We *did* receive our first identified UNIX-based spoofed Source IP attack on grc.com/TCP/Port80 in the late morning today. I cannot give details for fear of helping the attackers, but some characteristics of the flooding traffic allowed me to again apply filters with Verio and to pop back onto the Net.
Also, I have received calls from attorneys with the Justice Department in Washington. Apparently "the saga" doesn't sit too well with some highly-placed politicians who are not happy with the idea of letting "Wicked" run free. So Justice wants to prosecute. The attorney left a message which I'll return Monday.
My inclination is to tell them that I would rather not pursue this, but "Wicked" has now threatened me with the total destruction of GRC due to my negative characterization of him on the page ... so my forgiveness is wearing a bit thin."
--
Steve Gibson, at work on: < a million loose ends >
END QUOTE
I personally find it frightening that any company on the web could be forced off line in this manner and I think some laws are going to have to be made in order to deal with this type of situation.
Although Steve originally didn't want to turn over a 13-year-old to the FBI, I think he should do so now because of "wicked's" past history. He was in trouble with the FBI before when he was 8 years old because he hacked into some government servers and had his computer taken away for 2 years. Well, here he is, back at it again. IMO, it's dangerous to allow this sort of disruption by anyone, whether he's 13 or not, to continue on the internet without expecting to pay a penalty. So, I'm quite happy that the FBI has now expressed an interest in "wicked".