Wired mag article on spammers playing traceroute games with trojaned boxes

Richard D G Cox Richard at mandarin.com
Thu Oct 9 17:07:19 UTC 2003


On Thu, 9 Oct 2003 12:01:35 -0400
"McBurnett, Jim" <jmcburnett at msmgmt.com> wrote:

| I think even if we get all the ones for this domain name today,
| assuming we can muster even the man-hours to get it today, another
| 5000 will be added tomorrow.  And looking at my list we have US
| (a very small ISP and a large ISP), RIPE, and LACNIC.

This malware is not new, but is only just becoming widely visible.
It succeeds solely because of the "Dynamic-DYS" (real-time updating)
functionality built into the dot-biz registry.

Certainly it can be killed, but the techniques to achieve that are
better discussed OFF this list - for both AUP and other valid reasons.
As soon as this exploit is killed, no doubt another, similar, exploit
would follow.  We therefore need a more generic solution to the issue.

| This not only affects this instance but global security as a whole.
| Just a few days ago, Cisco was taken offline by a large # of Zombies,
| I am willing to say that those are potentially some of the same
| compromised systems.

Empirical evidence would seem to support your view.  Even where they are
not the same zombies, networks that allow this type of zombie to remain
in place are just as likely to allow DDoS zombies to continue undisturbed.

The problem is that many ISPs filter all issues of this nature through
their abuse teams, rather than sending them directly to their security
specialists.  Most abuse teams have neither the time nor experience to
investigate, and this particular trojan has been written to make it too
easy for abuse teams to dismiss reports of its activity, and then to
justify taking no action - that is exactly what the writers of the
malware intended to happen.

A step change in attitude from providers who offer 24/7-on connectivity
is what is needed now, and agreement to separate all network security
issues from their abuse desk procedures should be number one priority.

-- 
Richard Cox
