Security Information Week 41, 2000
Introduction
Earlier this year there was a lot of attention on the shutdown of famous US-based web sites like eBay, Yahoo!, CNN and Amazon.com. The technique used was a so-called Distributed Denial of Service (DDoS) attack, which is discussed in Norman's Security Information week 6 this year.
Briefly, this kind of attack works like this:
- The attacker exploits several computers and places DDoS agents on them. These systems are often called "Zombies" - they are later used as unknowing participants in the attack(s) to come.
- At some point the attacker feels that she has enough "Zombies" available (we are talking about several hundreds or thousands here!) to carry out the attack on one particular victim. This victim is not among the previously compromised computers.
- From her computer the attacker sends commands to the Zombie computers, and they simultaneously flood the victim computer with "information", making it unavailable for legitimate requests.
- Since the attacks on the victim computer seem to come from a lot of different computers - potentially spread around the world - it is very difficult to trace the real attacker. She may even (and probably does) initiate the attack from another compromised computer rather than her own.
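To show what the steps above look like from the victim's side, here is an added example (not part of the original Norman article) of a toy detector run over constructed connection records. It flags the fan-in pattern that distinguishes a DDoS from ordinary load: one destination receiving traffic from an unusually large number of distinct sources in the same one-second window. It also computes how much of that traffic the single busiest source accounts for, which is why blocking one address, or tracing one zombie, does little against the attack described above. The record layout, the addresses and the threshold of 50 distinct sources are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed connection records as the victim would log them:
# (timestamp_seconds, source_ip, dest_ip, bytes). Addresses are documentation ranges.
VICTIM = "192.0.2.10"
SAMPLE_RECORDS = (
    [  # normal traffic: one busy legitimate client and one occasional one
        (100, "10.0.0.5", VICTIM, 1200),
        (100, "10.0.0.5", VICTIM, 900),
        (101, "10.0.0.5", VICTIM, 1100),
        (101, "10.0.0.7", VICTIM, 400),
    ]
    + [(200, f"198.51.100.{i}", VICTIM, 64) for i in range(1, 41)]  # 40 zombies at once
    + [(200, f"203.0.113.{i}", VICTIM, 64) for i in range(1, 41)]   # 40 more zombies
)


def sources_per_window(records, window_seconds=1):
    """Group records into (window_start, destination) buckets holding the
    set of distinct source addresses seen in that window."""
    buckets = defaultdict(set)
    for ts, src, dst, _ in records:
        window_start = (ts // window_seconds) * window_seconds
        buckets[(window_start, dst)].add(src)
    return buckets


def detect_ddos(records, window_seconds=1, min_distinct_sources=50):
    """Return [(window_start, destination, distinct_sources)] for every window
    whose fan-in reaches the threshold. The threshold is an assumed tuning
    value; a real deployment would derive it from the site's normal traffic."""
    alerts = []
    buckets = sources_per_window(records, window_seconds)
    for (window_start, dst), srcs in sorted(buckets.items()):
        if len(srcs) >= min_distinct_sources:
            alerts.append((window_start, dst, len(srcs)))
    return alerts


def largest_source_share(records, window_start, dst, window_seconds=1):
    """Fraction of the bytes sent to dst in one window that came from the single
    busiest source. Near 1.0 means there is one sender to block; near 0 means the
    load is spread over many zombies and blocking any one of them barely helps."""
    per_src = defaultdict(int)
    for ts, src, d, nbytes in records:
        if d == dst and window_start <= ts < window_start + window_seconds:
            per_src[src] += nbytes
    total = sum(per_src.values())
    return max(per_src.values()) / total if total else 0.0


if __name__ == "__main__":
    for window_start, dst, n in detect_ddos(SAMPLE_RECORDS):
        share = largest_source_share(SAMPLE_RECORDS, window_start, dst)
        print(f"t={window_start}: {n} distinct sources hit {dst}; "
              f"the busiest single source sent only {share:.1%} of the bytes")
    normal = largest_source_share(SAMPLE_RECORDS, 100, VICTIM)
    print(f"t=100 (normal load): busiest single source sent {normal:.0%} of the bytes")
```

On the constructed data the normal windows hold one or two sources and the busiest client accounts for all of the bytes, while the attack window holds 80 distinct sources, each responsible for about 1% of the traffic. Counting distinct sources per destination is cheap enough to run on flow logs at the border; it does not stop the flood, but it tells the operator early that the load is a coordinated attack rather than a single misbehaving client.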
Some of the DDoS tools are:
- trin00 (also called trinoo)
- Stacheldraht
- shaft
- Tribe Flood Network (TFN) and TFN2K
- mstream
Several versions of the above-mentioned tools exist, with differing functionality, and the tools may use different techniques to carry out the attack.
More in-depth information about the techniques used is available from Dave Dittrich's web site, which probably has the best analyses of such tools.
From UNIX/Linux based DDoS tools to Windows based
In the beginning, the tools used for these attacks were UNIX/Linux based. Thus the computers in danger of being used as unknowing Zombies had to run one such operating system.
However, some DDoS tools are now available for Windows systems as well. With the emergence of cable modems, which let home computers stay constantly on-line, home computers are increasingly a potential target for compromise and misuse, e.g. as part of a DDoS attack.
Windows backdoor programs as a tool in a DDoS attack
We have seen a lot of new - very advanced - Windows backdoor programs, or trojans, released in recent years. Some of these may actually be used for legitimate purposes, and some are even sold commercially. This security information, however, focuses on the illegitimate use of such programs.
Some of the programs that are often used to take illegitimate control of another computer are (follow the link to see Norman's description):
These are all very powerful and, when planted on a computer without the owner's knowledge, let an attacker do virtually anything by remote control of that computer that the owner could do sitting in front of it.
Among such activity is transferring program files to the infected computer. These program files may in turn be used to participate in (or launch) a DDoS attack on a computer located anywhere in the world.
So even if the infected computer is not otherwise vulnerable to attacks from the Internet, once an attacker has tricked the owner into installing one of these Windows backdoors, the computer is accessible from the Internet and free for the attacker to use in her DDoS attack on an innocent victim.
A recent advisory from Internet Security Systems' X-Force reports that over 800 computers were found infected with SubSeven DEFCON8 2.1, a backdoor used, among other things, to test new DDoS techniques.
Even though it is very difficult to protect oneself against DDoS attacks, it is much easier to check whether your PC has programs installed that would make you an unknowing part of such an attack. The major antivirus vendors regularly update their virus detection files with signatures for Windows backdoors as well as DDoS agents.
Be sure that your virus detection files are regularly and often updated!
Per Olav Førland
