Three new versions, called Fapi, Shaft and Trank, are disclosed in a paper published today by the programmer known as "Mixter" at Packet Storm, a site that publishes malicious software so security professionals can scrutinize it. Mixter is the purported author of a similar attack tool, Tribe Flood Network, and its sequel, TFN2K.
The software, of a breed called "distributed denial of service" (DDoS), is used to harness the collective abilities of a host of computers to swamp a target computer by inundating it with packets of information sent over the Internet. Some varieties are known, but apparently there are other versions of the software in circulation.
Another DDoS package, called Blitznet, also has been publicly available for at least two months at the Packet Storm site. Mixter said it was written by someone called "phreeon." Trinoo was written by "phifli," he said. As previously reported, Mixter said Stacheldraht was written by "randomizer."
The newly disclosed DDoS software might sneak under the radar, but security companies are turning up some instances of the known versions.
Network Associates and its subsidiary MyCIO.com have discovered seven cases of computers infected with DDoS attack software, MyCIO chief executive Zach Nelson said.
His company provides an online detection tool that has been in high demand since the 100-person company unveiled it Feb. 10. Of more than 10,000 who have used it to scan their systems, the MyCIO software has found five cases of Stacheldraht, one of TFN and one of Trinoo, Nelson said.
Six of the seven instances were at educational institutions. The affiliation of the seventh couldn't be determined, Nelson said. In addition, six of the seven were in the United States, with the seventh in Germany. All seven systems have been taken offline, he added.
Nelson said MyCIO leaves it to the sites themselves to contact the FBI, which has launched an investigation into last week's attacks.
Gerhard Eschelbeck, vice president for MyCIO's security software, said his company's software detects the DDoS attack software by attempting to communicate with it. In addition, the software looks for blocks of text characteristic of the software.
Eschelbeck acknowledged that changes to the software or other versions won't necessarily be detected by MyCIO, but he said some fingerprints likely will remain.
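Example code added here to illustrate the second detection method the article describes (scanning for characteristic text blocks) together with the caveat that a modified variant may lose some markers while others remain; it is not MyCIO's tool, and every marker string and sample blob below is a constructed placeholder, not a real signature of any DDoS agent.

```python
# Added example: a minimal "characteristic text block" scanner. All marker
# strings and sample blobs are constructed placeholders, not real signatures
# from MyCIO's detection tool or from any actual DDoS agent.
from typing import Dict, List, Optional, Tuple

# Hypothetical per-family marker strings (placeholders only).
FINGERPRINTS: Dict[str, List[bytes]] = {
    "stacheldraht-like": [b"MARK_SD_HANDLER_PROMPT", b"MARK_SD_AGENT_BANNER", b"MARK_SD_ICMP_TAG"],
    "tfn-like": [b"MARK_TFN_CMD_TABLE", b"MARK_TFN_REPLY_TEXT", b"MARK_TFN_USAGE"],
    "trinoo-like": [b"MARK_TRINOO_PASSWORD", b"MARK_TRINOO_DAEMON_HELLO", b"MARK_TRINOO_PORT_LIST"],
}


def marker_hits(blob: bytes, markers: List[bytes]) -> int:
    """Count how many of a family's marker strings occur in the blob."""
    return sum(1 for m in markers if m in blob)


def classify(blob: bytes, threshold: int = 2) -> Optional[Tuple[str, int]]:
    """Return (family, hits) for the best-matching family, or None.

    Requiring `threshold` hits instead of every marker is what lets a lightly
    modified variant still be flagged: editing one text block removes one hit,
    but the remaining fingerprints are still present. A fully rewritten
    variant with no surviving markers is missed, which is the stated caveat.
    """
    best: Optional[Tuple[str, int]] = None
    for family, markers in FINGERPRINTS.items():
        hits = marker_hits(blob, markers)
        if hits >= threshold and (best is None or hits > best[1]):
            best = (family, hits)
    return best


# Constructed sample "binaries": an unmodified agent, a variant with one text
# block edited, and one where every string was changed (nothing left to match).
ORIGINAL = b"\x7fELF..." + b"MARK_SD_HANDLER_PROMPT\x00MARK_SD_AGENT_BANNER\x00MARK_SD_ICMP_TAG\x00"
EDITED = b"\x7fELF..." + b"MARK_SD_HANDLER_PROMPT\x00renamed_banner\x00MARK_SD_ICMP_TAG\x00"
REWRITTEN = b"\x7fELF..." + b"new_prompt\x00new_banner\x00new_tag\x00"

if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("edited", EDITED), ("rewritten", REWRITTEN)):
        print(name, classify(blob))
```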