New hacker software could spread by email

The tools, a new version of a software package dubbed "Trinoo," could allow attackers to infiltrate ordinary desktop computers though an innocent-looking email attachment. These computers--particularly those connected to high-speed Internet services--could then be used as unwitting accomplices in assaults on other Web sites, security analysts say.

"(The previous attacks) took someone who knew what they were doing," Trend Micro spokesman David Perry said. "This turns it into a kid-on-the-street problem."

The release of these tools follows some of the highest-profile computer attacks in the Web's history. Using a method dubbed "distributed denial of service attacks," computer vandals successfully rendered Yahoo, Amazon, eBay and a handful of other big Web sites paralyzed for hours at a time by swamping them with a multitude of simultaneous requests.

The attacks have spurred law enforcement investigations around the globe, but the FBI has not reported any major breakthroughs in the case.

Some speculation has centered on several individuals with hacker nicknames like "mafiaboy." Canadian authorities investigated an Internet service provider last week that once hosted a "mafiaboy" hacker-related site. But Canadian police said today that they had no progress to report in their investigation.

Although no conclusive evidence has been released on exactly what tools were used in the denial of service attacks, recent speculation has focused on tools with names like Trinoo, Tribe Flood Network and Stacheldracht (German for "barbed wire").

These tools allow an attacker to place agents on "zombie" computers around the world and then wake them up simultaneously to launch a crippling stream of Web traffic at a target site. Security officials at the FBI and other computer security agencies have been warning of the danger these tools pose for several months and have provided software to help guard against their use.

But the new version of Trinoo heightens the danger because it makes attacks easier to launch. Because the new version can infiltrate Windows NT-, Windows 95- and Windows 98-based machines, far more computers are at risk of becoming hosts.

The Windows version also allows the tools to be spread as apparently innocuous email attachments, much like ordinary viruses. Computer security experts say they haven't seen this happen yet, but that the Windows platform makes it relatively easy to do.

"This does make (denial of service attacks) easier," said Elias Levy, chief technical officer for SecurityFocus.com, a computer security Web site. "Not that it required a lot of intelligence or skill before. But this does bring it down another notch."

The new tools are largely a threat to users with always-on DSL (digital subscriber line) or cable modem connections, analysts said.

This kind of threat has been seen before with the Back Orifice software, Levy noted. That package, once surreptitiously installed on a system, allows an outside person to control the computer remotely. The Trinoo package is geared more specifically for launching denial of service attacks, however.

Most of the major antivirus firms have already developed or are developing tools to scan for and remove the new Trinoo software.