Computer prank slips past security experts

A Trojan horse posing as a security tool did just that Wednesday night, when experts at SecurityFocus.com--which moderates the popular Bugtraq security list--sent the mildly malicious code to the list's 37,000 users.

"It seemed like legitimate code," said Elias Levy, chief technology officer for SecurityFocus. "It was given to us late last night. We sent a copy to (security software maker) Network Associates, and they said it looked OK."

The code posed as a so-called exploit--a program that identifies security flaws in a computer system--in this case, four flaws recently discovered in the common domain-name-service software known as the Berkeley Internet Name Domain, or BIND.

In reality, the exploit code attempts to use any computer on which it runs to send a simple form of Internet data to a single domain name server in an attempt to overwhelm the computer with information. That server, it turns out, belongs to the company that found many of the BIND flaws: Network Associates.

"We definitely did" see an increase in traffic, said Jim Magdych, manager of security research for PGP Security, a Network Associates company. The resulting data storm flooded the company's name servers, and in a replay of what happened to Microsoft last week, many of its Web sites became inaccessible.

"Many of our Web sites had problems for a short time last night," he said.

Internet vandals use the tactic, called a denial-of-service attack, to drown a company's network in a flood of data.

While Microsoft's outage lasted for hours at a time, Network Associates said its attack was immediately detected and its network operations restored in less than 90 minutes.

In addition, Magdych noted the traffic could have been a different, simultaneous attack, using the Bugtraq Trojan horse as camouflage. "It is possible that whoever sent the thing to Bugtraq used the incident to launch his own attack," he said.

Magdych also denied that the company had time to analyze the code before it was posted.

Post-attack analysis by both PGP Security and Bugtraq revealed that the exploit code does not actually detect any of the BIND flaws. The only part that seems to work is the assembly code--commands written in a language particular to a certain processor--that performs the attack. The fact that the program was written in assembly code added to the difficulty in detecting its malicious nature.

SecurityFocus' Levy defended the list's posting procedure and said that despite the incident, the way the list is moderated won't change.

"The Bugtraq moderation has never been in place to verify every single piece of information or exploits that go through the list," he said. "There is no way we could have a lab or staff to do that. As always, we tell people to wait for other people to test the exploits before installing them themselves."

The original exploit code had been submitted to SecurityFocus anonymously, but Network Associates is attempting to trace the denial-of-service attacks to the source.