The recent rash of Internet worms has produced an army of hundreds of thousands of compromised machines that could ultimately be used to launch a massive distributed-denial-of-service attack at any time, according to security officials.
Officials at the CERT Coordination Center said the organization is monitoring at least five large networks of compromised machines installed with so-called bots. The bots connect compromised PCs or servers to Internet Relay Chat servers, which attackers commonly use to execute commands on the remote systems. At least one of these networks has more than 140,000 machines, officials said.
"We have seen indications that these networks are being used [for attacks]," said Marty Lindner, team leader for incident handling at the CERT center at Carnegie Mellon University, in Pittsburgh. "The potential is there for them to cause serious long-term damage."
Unfortunately, CERT officials said, there is little they can do about a potential attack, other than sound the warning and hope users identify and patch infected machines. Officials of the FBIs National Infrastructure Protection Center, in Washington, did not respond to calls seeking comment.
CERTs dire warning is underscored by last weeks emergence of the Deloder and Code Red.F worms. While neither worm does any immediate damage to infected machines, both install back doors that enable attackers to use compromised machines for future, much more damaging operations, such as DDoS attacks.
At the heart of this new trend, according to security experts, are poor security practices. But more important is the mistaken belief by corporate IT that once crises such as those caused by Code Red or SQL Slammer die down, the troubles over. In fact, after an initial flurry of advisories, warnings and patches, there are often months or years of sustained infections and residual DDoS attacks, Lindner said.
For example, Code Red reached its peak in July 2001 when more than 450,000 servers were infected and scanning for new targets. Since then, there are some 60,000 Code Red-infected machines scanning the Internet at any given time. Even a novice cracker would need only a tiny fraction of those machines to launch a devastating DDoS attack.
"This not only shows you that these systems havent been patched but that theyre not running anything even remotely close to a current anti-virus product," Lindner said.
Many older worms are still among the most active threats on the Internet, studies indicate. SQL Spida, Opaserv and Nimda are among the top five most active worms thus far for this month, according to statistics compiled by the WormCatcher network, a distributed group of machines that monitors worm activity and is run by Roger Thompson, technical director of malicious code research at TruSecure Corp., in Herndon, Va. Each of these worms is at least 6 months old, with Nimda first appearing in September 2001.
In addition to making it easier for attackers to plan and execute their attacks, these worms have made it much more difficult for investigators and administrators to trace attacks to their sources, experts say.
Contributing to the problem is the poor overall security posture of many corporations. Lovgate, which appeared several weeks ago, and Deloder both try to spread by exploiting weak or null passwords used to protect shared network drives and folders. Networks exhibiting this lack of security are just ripe for the taking, security experts say.
"Traditionally, weve been looking at viruses and worms exploiting the application layer. But the biggest crevice you can crack is a weak user," said Mark Boroditsky, president and CEO of Passlogix Inc., a security software maker based in New York. "Behavior is a lot harder to patch than software."
Also problematic are the many affected machines belonging to home users, few of whom do any logging of the activity on their PCs. As a result, attackers can easily hide their tracks by using these anonymous computers, according to the experts.
Most Recent Security Stories: