A new version of a malicious program called the Tribe Flood Network (TFN) is more powerful and harder to detect than an earlier version, according to experts. And an updated sister program called Trinoo is due to be released next week.
Few incidents of their use have been publicly acknowledged, but experts are warning sites to prepare for attacks that may coincide with New Year's. Widely anticipated problems from the Y2K computer glitch may provide cover for other mischief.
The program works like this: A TFN attacker secretly embeds software into hundreds of computers. Then, at a selected time, a command is issued that prompts the infected computers to swamp a target Web site or server with messages in a method of attack called "denial of service." The program doesn't damage the "infected" computers or the target, but the sudden flood of messages typically knocks out the target system.
Although it's possible for target computers to protect themselves by ignoring messages from attacking computers, it's hard to identify which computers are attacking--especially when there are hundreds. This fundamental vulnerability of networked computers makes protecting against denial-of-service attacks extremely difficult.
It can be a vexing problem, as one victim reported.
"I was hit for three solid days with over 1 megabyte per second of junk data from an attack like this," said Scott Thomas, an independent computer consultant whose network was hit. "There is nothing you can do but sit and take it."
It's hard to find who the attackers really are and then discard or "filter" their messages, he said. "Sure, you can try to filter some of it, but it comes from so many places you spend hours just deciding what you should filter," Thomas said. He suspects he was targeted because a person on his network "annoyed a hacker in a chat room," he added.
eToys, which has become embroiled in a legal dispute with a European art group called Etoy, was hit by a type of denial-of-service attack by people opposed to eToys' lawsuit. Organizations such as Rtmark helped to organize an attack that let people run software that inundated eToys' site with bogus Web page requests.

The existence of TFN was reported earlier this week. The new variant, called TFN2K, is potentially more dangerous in that it can enlist machines running both the Windows NT and Unix operating systems to deliver the flood of messages, according to Gia Threatte of the Packet Storm Web site, which publishes security-related software so system administrators can protect against attacks and intrusions.
TFN2K also adds the ability to act on a single command, a stealthier mode of operation than the previous version (which required the controller to send a password), and encrypts communications, making the infecting messages harder to detect, Threatte said.
Further, TFN2K sends decoy information to throw hunters looking for the source off the scent.
The purported author of the TFN family, who goes by the name "Mixter," sent a version of TFN2K to Packet Storm. Packet Storm said it also expects a new version of Trinoo from Mixter.
With the new software being released now and the "2K" allusion to the new year in the name of the program, it appears that a computer attack could occur during the holidays.
"I don't really think you're going to see any serious attacks using this until New Year's," Threatte said. On Jan. 1, though, people likely will try to "cause a little mischief," she said.
Other security watchers concur. The consensus of a Year 2000 bug workshop at Carnegie Mellon University's Computer Emergency Response Team was that "it is possible that intrusion attempts, viruses and other attacks will be focused on the time around 01 January 2000 under cover of Y2K incidents," CERT said.
CERT has warned, "We are receiving reports of intruders compromising machines and installing distributed systems used for launching packet-flooding denial-of-service attacks." CERT said that attackers generally gained unauthorized access to these computers through well-known weaknesses, reinforcing the message that system administrators must stay up-to-date on keeping their systems secure.
Detection of attacks and their ultimate source isn't easy. Trinoo and the TFN family obscure the address of the actual attacker by hiding the person in control behind two layers of computers. The attacker lays the groundwork by breaking into several computers, installing master software on some and attack software on others. When it's time for the attack, a message is sent to the master computers, which in turn relay it to the drone computers that do the attacking by flooding the target with "packets" of information. The target sees traffic only from the drones; the drones hear only from the masters; and only the masters ever hear from the attacker.
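The following is an added model of the master/drone layering just described, written for this article; it is not TFN2K or Trinoo code and does not reproduce either tool's real message format. The addresses, the command string, the flood volume per drone and the filter threshold are all assumptions constructed for the example. It shows what each layer's logs contain, why a per-source filter at the target (the "ignore messages from attacking computers" idea above) passes every drone while the aggregate still exceeds what the target can absorb, and why tracing the controller requires log access on the compromised hosts themselves, one layer at a time.

```python
"""Two-tier command relay: attacker -> masters -> drones -> target.

Constructed illustration for this article, not code from any attack tool.
All addresses and numbers below are assumptions for the example.
"""
from collections import Counter

# Assumed address plan for the example network (documentation/test ranges).
ATTACKER = "10.0.0.1"
MASTERS = ["10.1.0.10", "10.1.0.11"]
DRONES = {
    "10.1.0.10": ["10.2.0.%d" % i for i in range(1, 6)],
    "10.1.0.11": ["10.2.0.%d" % i for i in range(6, 11)],
}
TARGET = "192.0.2.80"
PACKETS_PER_DRONE = 20   # assumed flood volume each drone sends
PER_SOURCE_LIMIT = 50    # assumed per-address threshold a target filter might use
TARGET_CAPACITY = 100    # assumed number of packets the target can absorb


class Host:
    """A host that logs (source, payload) for every message it receives."""

    def __init__(self, addr):
        self.addr = addr
        self.log = []

    def receive(self, src, payload):
        self.log.append((src, payload))

    def inbound_sources(self):
        """Count of messages seen per source address, as a target's logs would show."""
        return Counter(src for src, _ in self.log)


def build_network():
    """Create one Host per address in the plan."""
    addrs = [ATTACKER, TARGET] + MASTERS
    for drones in DRONES.values():
        addrs += drones
    return {a: Host(a) for a in addrs}


def run_attack(net):
    """Each layer only talks to the next one down; drones do the flooding."""
    cmd = "flood %s" % TARGET
    for m in MASTERS:
        net[m].receive(ATTACKER, cmd)            # layer 1: attacker to master
        for d in DRONES[m]:
            net[d].receive(m, cmd)               # layer 2: master to drone
            for _ in range(PACKETS_PER_DRONE):
                net[TARGET].receive(d, "junk")   # drones flood the target
    return net


def per_source_filter(counts, limit=PER_SOURCE_LIMIT):
    """Sources a per-address threshold would block at the target."""
    return {src for src, n in counts.items() if n > limit}


def trace_back(net, start=TARGET):
    """Walk inbound logs outward from the target, one layer per hop.

    Every hop needs the logs of the hosts found in the previous hop, which is
    exactly what the victim does not have: the target alone yields only drones.
    """
    layers = []
    frontier = {start}
    while True:
        upstream = {src for addr in frontier for src, _ in net[addr].log}
        if not upstream:
            return layers
        layers.append(upstream)
        frontier = upstream


if __name__ == "__main__":
    net = run_attack(build_network())
    seen = net[TARGET].inbound_sources()
    print("sources visible at target:", sorted(seen))
    print("blocked by per-source filter:", per_source_filter(seen))
    print("total packets %d vs capacity %d" % (sum(seen.values()), TARGET_CAPACITY))
    for i, layer in enumerate(trace_back(net), 1):
        print("hop %d reveals:" % i, sorted(layer))
```

Run stand-alone, the script shows ten drone addresses at the target, an empty filter set (every drone stays under the per-source threshold), 200 packets against a capacity of 100, and the controller's address only at the third hop of the trace, after the drones' and masters' own logs have been read.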
Compromised computers that can be infected with the attack software have become a kind of currency, with attackers trading names and information about them over Internet Relay Chat (IRC) discussions, Threatte said.
Threatte defended Packet Storm's philosophy of publishing attack software for all to see. "If we don't make it available, there's no way you can protect against these things," Threatte said. Sprint, for example, recently called upon Packet Storm's information to more quickly fend off an intruder.
Other, more dangerous versions of distributed attack software are circulating, but Packet Storm doesn't have them, so they're harder to detect, Threatte said.
Packet Storm, a five-person group based in Palo Alto, Calif., is no stranger to controversy. It's now owned by security consultants Kroll-O'Gara after being embroiled in a debate with its former home at Harvard University and hacker chronicle site AntiOnline.
Threatte foresees a time when coordinated denial-of-service is more serious. "Distributed attack tools right now are kind of in their infancy," she said.
New improvements could involve a self-replicating "worm" version that would automatically spread the attack software to new computers. After several generations of spreading, the worm could erase itself from the original computers used to launch the worm, severing ties with the true origin. The worms could monitor several sites on the Internet for a sign that triggers the time and target to attack.