
Bugtraq mailing list archives

Re: Internet Wide DOS Attack using IRC
From: deicide () GAMEAHOLIC COM ([deicide])
Date: Fri, 2 Oct 1998 19:06:21 -0400


On Fri, 2 Oct 1998, Kameron Gasso wrote:

> This might be an unreleased Back Orifice plugin from an internet user who
> dislikes GeoCities (only speculation).  Odds are, it was distributed
> widely over IRC in a Warez package or something similar.

I have a feeling this is some kind of plugin that has dynamic loading of
trojan code:

 - It is trying to download a .zip file from GeoCities. Presence of
   "winrar" in the registry keys hints that it will uncompress the file.
   (WinRAR is a .rar archive program that also supports .zip, .arj, etc.
   Sort of like WinZip).

 - The reason it has turned into a flood attack is because it's probably
   set to retry on failure, OR it was coded to re-get the file once in a
   while so that the author can "upgrade" the trojan code by placing a
   new .zip file on geocities server.  This "once in a while" was set to
   30 seconds by mistake.

 - I don't think this was meant as an attack on GeoCities.  Even
   at current frequency it's a very small percentage of total traffic
   handled by their servers.  I'm sure they noticed this not because their
   servers were DoSed, but rather because they don't have any member sites
   that receive millions of visitors daily.


I don't see any way to fight this except trying to spread the knowledge
about BO and possibly a BO-remover/detector along with it.



--Vitaliy.
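
The fixed-interval re-fetch described in the message above is visible on the server side as clients requesting the same file at a near-constant period. The following is an added example, not part of the original post: it flags such clients in a Common Log Format access log. The log lines, client addresses, file path, and the `min_hits`/`max_jitter` thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample access log (Common Log Format); addresses and path are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Oct/1998:19:00:00 -0400] "GET /example/file.zip HTTP/1.0" 404 210
198.51.100.7 - - [02/Oct/1998:19:00:05 -0400] "GET /example/file.zip HTTP/1.0" 404 210
192.0.2.10 - - [02/Oct/1998:19:00:30 -0400] "GET /example/file.zip HTTP/1.0" 404 210
192.0.2.10 - - [02/Oct/1998:19:01:01 -0400] "GET /example/file.zip HTTP/1.0" 404 210
203.0.113.5 - - [02/Oct/1998:19:01:10 -0400] "GET /index.html HTTP/1.0" 200 5120
192.0.2.10 - - [02/Oct/1998:19:01:30 -0400] "GET /example/file.zip HTTP/1.0" 404 210
192.0.2.10 - - [02/Oct/1998:19:02:00 -0400] "GET /example/file.zip HTTP/1.0" 404 210
198.51.100.7 - - [02/Oct/1998:19:03:40 -0400] "GET /example/file.zip HTTP/1.0" 404 210
198.51.100.7 - - [02/Oct/1998:19:04:02 -0400] "GET /example/file.zip HTTP/1.0" 404 210
198.51.100.7 - - [02/Oct/1998:19:20:15 -0400] "GET /example/file.zip HTTP/1.0" 404 210
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" (\d{3})')

def find_periodic_fetchers(log_text, min_hits=4, max_jitter=2.0):
    """Return {(client, path): mean_gap_seconds} for clients that re-request the
    same path at a near-constant interval (automated retry rather than browsing)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not GET requests in CLF
        client, ts, path, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits[(client, path)].append(when)
    flagged = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue  # too few requests to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # A low standard deviation of the gaps means a timer, not a person.
        if pstdev(gaps) <= max_jitter:
            flagged[key] = mean(gaps)
    return flagged
```

Counting distinct flagged clients per path gives a rough estimate of how many hosts are running the same automated fetcher.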


