FBI posts software to combat hacker attacks

The FBI and security site Packet Storm have posted software that can detect whether a site is being attacked. Once an attack is identified, Web site managers can implement plans to deflect the crippling amount of traffic generated by the assault.

Several distributed denial of service (DDoS) attacks this week left Web surfers unable to access sites including Yahoo, eBay, E*Trade, Buy.com, Amazon.com and others. The FBI has pledged to track down the parties who have been performing the attacks.

DDoS programs such as Trinoo, Tribe Flood Network (TFN) and Stacheldraht enable an attacker to use other people's computers to overwhelm a target with packets of information sent over the Internet. The packets typically are constructed to take up an inordinate amount of the target computer's attention.

Though the attack doesn't typically result in the loss of private information, it can halt e-commerce operations such as stock trading, because the Web sites get overwhelmed with the Internet equivalent of junk mail.

The FBI's tool examines programs on a computer for "signatures" that indicate the presence of the attack software, much like the way antivirus software looks for telltale signs. So far, several computer experts have said that the recent attacks appear to be based around TFN or a close relative.

A programmer living in Germany named Mixter created TFN. Mixter said he wrote it last year as a way to dissect how attack programs like Trinoo work and adamantly denies any involvement in the recent invasions.

Those who download the FBI's software "are asked to report significant or suspected criminal activity to their local FBI office or the NIPC Watch/Warning Unit, and to computer emergency response support and other law enforcement agencies," the FBI said.

Naturally, the FBI's National Infrastructure Protection Center (NIPC) wants to know when agents and other software that is part of the attack are found. Computer forensics--the electronic equivalent of dusting for fingerprints--can help identify who launched an attack and how.

Despite the free help, some people are nervous about running software supplied by the federal government. The software being distributed by the FBI is not being distributed as an open-source program. Therefore, users can't tell exactly what is going on under the hood.

"Unfortunately, they are only distributing executables and not source," wrote an author at the Hacker News Network site. "With all the recent cases of the FBI and NSA (National Security Administration) trying to pass legislation that will allow them to backdoor various communications systems, computer networks and everything else, how could anyone trust these?"

Like viruses, however, the attack software is expected to change to evade detection.

"Because of the rapid and continual evolving nature of DDoS tools, there is no warranty that all occurrences of different mutations of these tools will be identified," the FBI said. Security experts also add that these programs are relatively simple to create, increasing the ease of making mutations.

The FBI wrote the program so that it has to rely as little as possible on system programs that can be corrupted by "root kits," software used by computer intruders to hide their activity on computers they've broken into.