[8107] in bugtraq
Re: Internet Wide DOS Attack using IRC
daemon@ATHENA.MIT.EDU ([deicide])
Fri Oct 2 22:43:19 1998
Date: Fri, 2 Oct 1998 19:06:21 -0400
Reply-To: "[deicide]" <deicide@GAMEAHOLIC.COM>
From: "[deicide]" <deicide@GAMEAHOLIC.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.02.9810021532550.12197-100000@lockdown.net>
On Fri, 2 Oct 1998, Kameron Gasso wrote:
> This might be an unreleased Back Orifice plugin from an internet user who
> dislikes GeoCities (only speculation). Odds are, it was distributed
> widely over IRC in a Warez package or something similar.
I have a feeling this is some kind of plugin that has dynamic loading of
trojan code:
- It is trying to download a .zip file from geocities. Presence of
"winrar" in the registry keys hints that it will uncompress the file.
(WinRAR is a .rar archive program that also supports .zip, .arj, etc.
Sort of like WinZip).
- The reason it has turned into a flood attack is because it's probably
set to retry on failure, OR it was coded to re-get the file once in a
while so that the author can "upgrade" the trojan code by placing a
new .zip file on geocities server. This "once in a while" was set to
30 seconds by mistake.
- I don't think this was meant as an attack on GeoCities. Even
at the current frequency it's a very small percentage of the total traffic
handled by their servers. I'm sure they noticed this not because their
servers were DoSed, but rather because they don't have any member sites
that receive millions of visitors daily.
I don't see any way to fight this except trying to spread the knowledge
about BO and possibly a BO-remover/detector along with it.
--Vitaliy.
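As an added example (not part of the original thread), the following script shows how a web server operator could spot the behaviour the post describes: clients re-fetching the same file on a fixed short period, such as the ~30 second retry loop suggested above. The log lines, host addresses and path are constructed sample data in Common Log Format; `find_pollers` and its thresholds are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample access log: one host polling a .zip every ~30 s (getting 404s),
# plus one ordinary visitor for contrast.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Oct/1998:19:00:00 -0400] "GET /member/plugin.zip HTTP/1.0" 404 0
192.0.2.9 - - [02/Oct/1998:19:00:12 -0400] "GET /index.html HTTP/1.0" 200 512
10.0.0.5 - - [02/Oct/1998:19:00:30 -0400] "GET /member/plugin.zip HTTP/1.0" 404 0
10.0.0.5 - - [02/Oct/1998:19:01:00 -0400] "GET /member/plugin.zip HTTP/1.0" 404 0
192.0.2.9 - - [02/Oct/1998:19:03:41 -0400] "GET /about.html HTTP/1.0" 200 300
10.0.0.5 - - [02/Oct/1998:19:01:31 -0400] "GET /member/plugin.zip HTTP/1.0" 404 0
10.0.0.5 - - [02/Oct/1998:19:02:00 -0400] "GET /member/plugin.zip HTTP/1.0" 404 0
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD path proto", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def parse_log(text):
    """Yield (client, path, timestamp, status) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        client, ts, path, status = m.groups()
        yield client, path, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), int(status)

def find_pollers(text, period=30.0, tolerance=0.2, min_hits=4):
    """Return {(client, path): median_gap_seconds} for client/URL pairs whose
    inter-request gaps all sit within `tolerance` of `period` seconds.
    A retry loop produces a tight cluster of gaps; human browsing does not."""
    hits = defaultdict(list)
    for client, path, ts, _status in parse_log(text):
        hits[(client, path)].append(ts)
    pollers = {}
    slack = period * tolerance
    for key, stamps in hits.items():
        if len(stamps) < min_hits:
            continue  # too few requests to call it periodic
        stamps.sort()  # log lines may arrive out of order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if abs(med - period) <= slack and all(abs(g - med) <= slack for g in gaps):
            pollers[key] = med
    return pollers

if __name__ == "__main__":
    for (client, path), gap in find_pollers(SAMPLE_LOG).items():
        print(f"{client} re-fetches {path} about every {gap:.0f} s")
```

Blocking the URL at the server side does not stop such a loop, since the client keeps retrying on failure; the per-client interval pattern is the useful signal for identifying infected hosts to notify.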