SecurityFocus Identifies New DDoS Tool Controlled by Internet Relay Chat Spreading Rapidly Worldwide
MATEO, Calif.–(BUSINESS WIRE)–Nov. 21, 2001–
Infected Agents up by 600% in the Last Six Hours;
Executives Available to Offer Analysis
SecurityFocus(TM), the leading provider of security intelligence products and services for business, has identified a new hybrid tool that combines distributed denial of service (DDoS) tools, with the automated propagation techniques previously seen only in worms.
SecurityFocus ARIS(TM) Incident Analysts identified a rapidly growing network of controlled agents or “bots”, increasing 600% in the last six hours, which can be used to launch a DDoS attack. The tool is propagated through incorrectly configured Microsoft SQL server systems by scanning the System Administrator accounts that contain a password specified by the attacker.
The tool named “Voyager Alpha Force,” a modified and enhanced version of the DDoS tool, Kaiten, is human controlled through Internet Relay Chat (IRC) communications by connecting to an IRC server and joining a password-protected channel. An attacker is effectively able to control a large number of agents residing on compromised hosts, by issuing commands that would initiate a DDoS attack or cause the program to continue propagating.
The emergence of this tool highlights previous warnings that DDoS activity is on the increase, and that the sophistication of DDoS technology is advancing at a fast pace. There is currently no evidence that the agent network observed by SecurityFocus is related to the September 11 terrorist attacks.
ARIS and SIA customers vulnerable to the threat received an early warning as well as customized analysis and recommendations on November 20, 2001 at 12:45 pm PST and November 21, 2001 at 3:40 am PST to assist IT managers in quickly mitigating their risk before their network was attacked.
WHO: SecurityFocus ARIS Incident Analysts including CTO Elias Levy
WHAT: Expert commentary on the threat and up-to-the-minute attack
WHERE: Levy and analysts are available by phone
— Verify that the System Administrator “sa” account does not
have a blank password if running Microsoft SQL server
— Use a firewall to block port 1433