By Andy McCue, 24 October 2003 17:20
The hackers accused of secretly planting a Trojan horse on the computer of Aaron Caffrey, the UK teenager acquitted of bringing down the systems of one of the largest ports in the US, have spoken exclusively to silicon.com about the dangerous script kiddie chatroom wars that are putting unwitting businesses at risk.
The two hackers - who go under the tags dryice and frixion - were both named by Caffrey during his defence at Southwark Crown Court in London earlier this month. They were put up as the possible perpetrators who could have hijacked his PC using a Trojan horse to launch a denial of service (DoS) attack on another chatroom user, which resulted in the Port of Houston's computer systems crashing.
Despite the prosecution expert witness testimony that there was no evidence of the hijack and that it would be impossible not to leave any evidence, Caffrey's defence, which the jury accepted, was that the Trojan horse could have contained a wiping tool to erase any tell-tale traces of its existence.
During his testimony, Caffrey told the court that he thought dryice and frixion were "up themselves" and that he had visited one of their chatrooms on a dot-tv domain set up with stolen credit cards where they had demonstrated their expertise with Trojan horses, Zombies and denial of service tools.
dryice and frixion contacted silicon.com to put forward their side of the story and to warn how many businesses' computer systems are inadvertently being hit as inexperienced script kiddies use them as hosts to fight denial of service battles with each other.
silicon.com first asked frixion about the claims against their chatroom and their sharing and demonstration of hacking and denial of service tools.
"We, and many other people, used to use a chatroom with a domain name that was purchased using stolen credit card details. However, the domain was not purchased by us, nor did we obtain the credit card details, this was all done way back in early 2000 by an individual we will not name, who very kindly pointed the sub domain irc.nerd.tv at our servers. At the time when we used this we had no knowledge of how the dot-tv domain was purchased, we only found out later," he wrote in an email.
frixion said both he and dryice made hacking tools for their own use but that they were not for release to the general public and that they did not make denial of service tools but he admitted having used denial of service tools already out there.
"Back in the mid-nineties, when we were just kids with brand new 33.6k modems, there was an element of fun to loading up your out-of-band nuker and watching someone disconnect, but this quickly becomes boring, and you move on," he said.
One of the pictures that emerged during the evidence presented in the trial was that of the intense rivalry between hackers using these chatrooms, which often resulted in people launching denial of service attacks to try and knock each other offline and gain kudos among their peers.
dryice said: "Some set up huge networks of 'zombie' bots, which would at their command launch a co-ordinated attack at a single focal point using the bandwidth of all of their host machines combined."
These kinds of attacks are unrelated to organised cybercrime gangs, which hold whole corporations to ransom and operate much more secretly than these script kiddies, he said.
But frixion said damage is being done to businesses that are unwittingly caught in the middle of the antics of these script kiddies. The hackers will scan for vulnerable IP addresses - many of which will be those of businesses - download exploits available from any number of underground websites and use the insecure machines to launch a denial of service attack on a rival.
The victim of the denial of service attack, who is likely to be another chatroom user, will then use different vulnerable IP addresses - which could be another unsuspecting business - as hosts to launch an attack back on the hijacked IP addresses that are trying to knock him or her offline.
"So in a very short space of time, multiple businesses can become involved in attacking each other. Most of them are probably used inadvertently," said frixion. "Many businesses probably think 'No one will target us' but what they don't realise is that these people are not targeting specific organisations or individuals, they're just incrementing a number, testing machine after machine to get whatever they can."
Read part two of our interview next week as dryice and frixion expose more of the shady world of the hacker underground and reveal the latest techniques and tools and the most common security vulnerabilities malicious hackers are using to target businesses.
What do you make of dryice and frixion? Are they talking sense or is it just scaremongering and hacker bravado? Tell us in the Reader Comments box below.
Comments
There are 39 comments.
1. anonymous
They are right on the money. Scenarios such as this happen every night all over the world.
2. anonymous
Unfortunately the bit in part one is spot on and quite plausible.
Scripts, bots and such are commonplace tools of battle amongst anxiety-prone IRC chatroom users, and remote 'take-over' of one's PC can and has happened.
Think of an IRC chatroom as being akin to your old school playground, with all the various 'character' types from bullies to extroverts and you get the idea.
These chatrooms simply attract more Napoleonic complex sufferers than anyplace else one would travel to in real life ...
3. anonymous
It is sad that society's perception of "hackers" has been brought to this level.
It is the script kiddies of the world that destroy the internet. Although I don't often put much faith in society to make informed decisions about who to blame things on ... it is the fact that script kiddies exist, and that the media perpetuates the concept of what they do as "hacking".
4. anonymous
The script-kiddie phenomenon is increasingly more frequently seen in the modern network as the complexity, capability, and utility of downloadable hacking/cracking tools become more robust. Bandwidth concerns do arise when zombied hordes of compromised systems are turned on one-another, though this is a small amount of the total data abuse present on the network today.
The greatest undesirable consumer of bandwidth is the tremendous volume of SPAM emails which are continually hammering the entire network. When you consider the active content, images, and other data-hogging aspects of most of these intrusive e-mails, it is easy to see why our networks are choked and staggering.
Protection of your system involves regular maintenance of security updates to minimize the ability of hackers to exploit a weakness and take control, obtaining anti-virus software and regularly updating the viral definitions used to detect intrusive programs, regular review of system activity and event logs in order to watch for compromise attempts or undesirable programmatic elements, closing off or otherwise isolating systems using firewalls and NAT devices which are readily available and relatively inexpensive, and never opening unexpected file attachments received by e-mail, instant messaging, or 'offered' as a 'free download' when you browse the web.
If you want to open up the network itself to better performance, make sure your legislators know you do NOT want to receive SPAM email.
5. anonymous
They are absolutely right, this is not scaremongering. Without revealing company names, I have been witness to these kinds of attacks on an ISP's network; these attacks got to a point where the frequency and sheer size of the attacks (from multiple IP addresses from a multitude of networks) forced the ISP to cancel a customer's business account, and leave them without a leased line and website.
6. anonymous
There appears to be an organized computer crime syndicate based in Madison, Wisconsin made up of a large number of hackers and others engaged in a wide variety of criminal activities. Very powerful, it prides itself on its ability to socially engineer and manipulate law enforcement and appears to contain actual members in law enforcement. I have made numerous attempts to report their activities to both local and federal law enforcement over the last two years and have never received a response. I strongly believe this organisation may actually pose a national security threat if they are not stopped.
7. createcoms
These two hackers are the script kiddies. They don't know sh*t about real man's hacking and this discussion with silicon.com is just a big f**** ego trip for them.
8. Ben
Frankly, I think that though the two hackers are right, their "information" is a bit of bravado. They are kids, and as such they fail to see the consequences of their actions. If they warn business that they might be caught in the middle of a war that doesn't involve them they feel they are doing a service by telling them this.
It seems to be a culture that feeds itself. If these kids weren't hacking them, then no one would need to warn them, right? Does doing something wrong and then making it "better" justify the action? Maybe they should find another hobby instead of writing scripts and giving interviews about how dangerous they are.
9. anonymous
Actually, I think this is probably the clearest, and most honest, explanation I've heard in a long while. And, it fits into my experience quite well.
IRC in the late 80s thru mid 90s was a playground/warzone. I nuke you, you nuke me, and then we do it again reversing the order occasionally. And then we do it again, and again.
(I can't comment on the current state of things. I must presume things haven't changed based on the current state of things.)
This DOES get old, boring, and counter-productive for most people. They grow up and "get lives".
The problem is two-fold:
1) The people that never get a life
2) The Kiddies that are just starting out, who aren't bored yet, have more powerful tools at their disposal.
As stated in the article, YOU aren't a target. But, your box is.
And, 99.9% of the time, it's nothing personal.
10. vaxen var
what these two 'hackers' are saying is undeniably so. they should be lauded for coming forth and listened to by the 'buzinezz' community. check out .asm guru/freak steve gibson's report (grc dot com) on what he went through...after a ddos shut them down.
good article. thanks.
11. anonymous
Massive networks of zombie machines are indeed the modus operandi of many black-hat types out there nowadays.
It's gotten to the point where there is no easy way to tell if your machine is compromised or not.
Many users around the world have their computers taken over and secretly used to attack others - and they will never know about it, ever... just that their connection is a little slower than usual for some odd reason.
12. anonymous
Sounds like all Sci-Fi garbage to me and most of these attempted DoS attacks are easily solved.
13. DeKrypt
dryice and frixion are script kiddies - hang out in #hacker on DALnet and you can find 50 others just like them who use proggies to play games with each other and cheer when you ICMP nuke some newbie who misconfigured his firewall. Big deal, this is nothing to be scared of; sysadmins just need to quit being lazy and set up some sort of protection against these wannabe "h4x0rs".
14. Phil Laszkowicz
DryIce is not telling us anything new. These Zombie attacks have been happening for a while and are well documented. I've even been involved in a few myself.
They usually run from IRC channels with each Zombie running on a different (unsuspecting) users machine. The owner of the 'army' would then issue a command that the Zombies are aware of, and the IP address will usually be 'spoken' in the chat room also.
The Zombies will then issue an attack on that address. This can be up to 100's of thousands of Zombies at any one time.
This is not scare-mongering, but at the same time, it's nothing to be scared of. The most vulnerable are the uneducated or arrogant.
I have to admit, I support true White-Hats as they really do fight back for the right reasons. They don't attack businesses or bring down proprietary systems just to embarrass corporations. They usually bring down high-Kudos Black-Hats that are using the average user to wage a war just for reputation.
15. anonymous
What crap.
We all know Aaron Caffrey is not guilty. Same goes for dryice and frixion. These are the typical people you would call "scriptkiddies".
I don't understand how the word hacker can be associated with this crap.
A few years ago they were some kids, hanging on the MSN IRC network (closed these days) making so called "netsplit-bots" trying to take over IRC rooms. Scanning computers, launching DDoS attacks. This all is very amusing to read.
Please, don't use the term hackers on these kids.
16. Alan Lewis
Nothing new then. The more it changes, the more it stays the same. 20 years ago, hack/phreak groups waged "cyber battles" against each other - witness the struggle between LoD and MoD in the US. This was perhaps more electronic sounding off and reporting each other to the US Secret Service, perhaps. All that seems to have changed is the greater accessibility of communication networks means that rival gangs can indeed indulge in e-war, DDoS'ing each other, and anyone else they find.
20 years ago we had "Shooting Shark", "TiCH'77" (lol), "Taran King" and "Knight Lightning". Now we have DryIce...
Why do we seem amazed that PCs can still be exploited? Why do we expect this - buildings have existed for centuries, people and companies are still burgled! It doesn't matter how many locks and alarms one has, if one forgets to use them, or finds them too complicated to use!
Nothing in the interview is really surprising. Discount the [surprisingly small amount of] teenage bravado, and the story they tell is a pretty accurate reflection of "the scene" at the moment.
Some children read books, some hang around street corners. Some have a technology bent. Most have "heroes", those they aspire to emulate. The former commit physical crimes such as graffiti and vandalism, the latter commit their antisocial behaviour in the ether.
The more it changes, the more it stays the same.
17. anonymous
Just about any crime corner is under investigation, sting operations are now the norm in fighting crime, especially internet porn stings. Anti virus companies have many unprotected computers online in order to grab any new or modified virus/worm. WHERE are our governments in this ??? right, they are sitting on their fat asses debating spam legislation and how big of an impact this will have on their personal wealth...
18. Chris Forsey
Quite true, and honest. Visit GRC.com loads more info on "zombies" and DDoS attacks. Very long but interesting reading. Also a wealth of security tools. Anyone slightly worried should use "Shields Up" and the port scanner.
19. Ron Towell
So sad, all that knowledge used to the good would impress me more, other than that, just sad people with no lives.
20. anonymous
Bla, Blah, Blah..... DryTrousers and what's its name Frispon... same old silly names
21. James
They are absolutely correct....no doubt about that. The main problem is getting the business owners/directors to understand the importance of protection. It's like taking out insurance.
The comments I read about these hackers should find another hobby is ridiculous. If they did then there would be nobody to inform us of these goings on.
Hacking is here to stay...sadly it's human nature (well...geek nature!). It does mean that our systems get more secure, which is a good thing. There just needs to be a proper channel to inform those who know nothing about IT (90% of the population).
22. anonymous
Sounds to me like a couple of misfits who could do with some real mates to pull their heads out of where the sun don't shine
23. Tony
I think they need to get out a bit more and get some sort of life. Sitting in front of a computer all day is a bit wieny!!!
24. Lawrence (dryice)
It's interesting, the varied level of intelligence and maturity shown here. I would like to point out a few things. First of all, we are not hackers; we are merely people with knowledge on the subject based on what we see every day owning and administrating our own ISP (the nicknames 'dryice' and 'frixion' are IRC nicknames we used when we were about 15). I would also like to draw attention to the users sitting behind computers and throwing abuse: 1) How old are you? 2) Why have you not included your full names in your comments? Is this because they have no truth?
25. Barnendu Goswami
'Shields Up' (GRC) investigated this phenomenon a few years back. It's not something that's sprung up overnight. These guys are just telling it how it is. I'm sure the journalist who wrote the article was well aware of this, but an independent source adds legitimacy and gives the story an interesting edge. D & F should not be criticized for their comments. The simple fact is that many IT departments are stretched very thinly, and making an argument for dedicated security staffing seems like an over-reaction. Managers and budget holders will not change their opinions until they have personally experienced hardship (the economic variety being the most persuasive).
26. Leigh (frixion)
Firstly, to all those who write in support, thank you, it is greatly appreciated.
To everyone branding us "script kiddies", please just consider this. It is actually quite hard to write answers for the questions we were given and sound entirely professional. Most, if not all of the questions put to us by silicon.com were IRC or script kiddie related.
The actual report I submitted as a response to silicon's questions was about 5 pages long, so you can appreciate that it has been vastly cut down to fit into this article, unfortunately, most of the finer details and humour have been lost.
To those who want to tar us with their stereotype brush: we do have lives. By day we have jobs, by night we enjoy relaxing with a beer in front of the TV, and at the weekend you can probably find us in a pub/nightclub in the Yarmouth/Norwich area. So all of those who imagine us as pubescent teenagers with greasy hair and thick glasses, sitting alone in our rooms all day: you're wrong.
To all the "sysadmins" plugging GRC.com, you need a new idol. We were witness to the "zombie bot phenomenon" years before GRC took its hit. And Shields Up is pretty poor in my opinion.
27. anonymous
i would just like to say that the real word used should not be scriptkiddie but scriptkiddiot.
28. Kevan Chippindall-Higgin
I know of one very high profile business looking after certain consumer interests which did not have a firewall of any description on its broadband connection.
Despite a carefully written paper on the subject and a full discussion with the manager tasked with conducting a small upgrade, (who entirely agreed with the advice being given), the Chairman refused to pay any attention to the argument and stuck rigidly to the budget.
As long as there are people as stupid as that out there, they are going to get hit and it serves them right.
Regardless of the motivation of hackers, it is a company's duty to protect itself and if senior management refuses to deal with the issue, then if they are hurt, it is their own fault and I have little sympathy.
29. anonymous
The Prosecution 'Expert' could learn a lot from them.
Contrary to the report that a contiguous log shows it has not been altered, it's been regular practice to amend files by overwriting individual sectors for many years, and Microsoft provides APIs to read and write to specific disk locations.
30. anonymous
This is ridiculous. I mean the fact that you say those guys are "hackers". Would you believe anyone who says he is a cop as so? Those guys obviously aren't hackers. DoS has _nothing_ to do with any kind of hacking.
31. drew croft
no actually this is a serious breach of our modern world..President Clinton was speaking last night to a 9-11 leadership group here in the US and his message he related is how do we as americans view us taking part in the world-as global citizens, beyond terrorism, what do we want our world to become...hackers have to swiftly be dealt with and be exposed to the world that it is unacceptable to bring down a system in this way..that is not the answer..if their motive is exposure leading to wisdom and truth then what they are doing is inaccurate..this kind of petty, childish sandbox type reaction is self defeating...europe leads the united states in many aspects of their culture..take berlin and paul van dyk for example-dance culture is the answer...not hacking..use flock smart ideals as in be in control and express your joy..change comes through connectivity and adaptability on demand..going live...quantum dot...programmable matter..nano tech..
eugene oregon
32. pankaj bhardwaj
lawrence is right
at least there are ethics involved
but something is not visible right now, maybe i shall wait for the second part
pankaj bhardwaj
33. Carl White
Please note, that a genuine hacker would *not* voluntarily admit the fact, hackers exploit security weakness and gain infamy in closed circles for their endeavours, DoS is just a new cyber version of knock door run, but with more damaging effects all done for the buzz!
34. stuart
Security always was a journey and never a destination. A stasis may be achievable at any given point in time, but only until someone proves that new measures can be got around. Of course they can, otherwise no useful work would be done with these machines. Why are we blaming these autonomous moronic machines for purely human failings? Anything that can be used can be abused. It's the human condition......
35. BT
Number one, these aren't even real hackers, they are merely kiddies. Developing and using DoS tools means nothing.
Number two, the so-called dangerous wars between kiddies are merely immature battles between them. Most of the time, the bystanders who get in the way are often pretty much to blame for not patching their PCs when patches were released months ago.
Number three, there is no point being afraid of them or overestimating the risk they pose to us. Like terrorists, that is exactly what they want. We need to fight them technologically, and the fight is not very difficult, because the tools they have on their side are not at the level of sophistication that's going to cause problems - the people capable of doing that kind of damage aren't going to hang around in lame ego land.
36. martin woodhead
NFN
normal for norfolk
Sad, pathetic individuals with nothing better to do. It's not big, it's not clever and nobody really cares.
37. monsignor adams
If just the mention of Steve Gibson irks you, then I think you are what you say you are: a hacker <in the better sense of the word>
38. Lawrence (dryice)
To all of the idiots posting abuse, I think the whole point of the article has gone straight over your heads.
39. darkcastle
Yes, they are right on the money, and I happen to know one of these people and would like to add my input as well. I am already in the works of trying to get it out there and I hope this will help do the trick. They are targeting machines with a program that is a remote access administration program called "Radmin". Millions of people out there purchase this program for their businesses and run it on the default port 4899 with no password set. Then kiddies (we call 'em Packet Monkeys), when they find these open machines, watch the machine for inactivity; when it looks clear they upload a mIRC bot that hides itself and always runs on the computer, connecting to a set server as well as joining a chat room, awaiting the master to show up and input commands.
2 important notes about these things grc.com calls zombies: they can open a BNC, allowing a master to bounce off the IP address of the machine infected, as well as the bot scanning for more Radmin machines with the default port and no password set.
The point I wanna make here is that the message has to get out. People that run Radmin need to be notified NATIONALLY to password their Radmin, and even more secure would be changing the port it runs on as well. PLEASE GET THIS MSG OUT!!!!
It will save on 80% of DoS attacks if not more. This needs to be ASAP and not taken as some kind of joke, cause I'm not laughing and this is no game.
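The article describes businesses' machines being used as unwitting DoS hosts steered from IRC, and comment 39 describes the same bots riding on Radmin left on its default port 4899 with no password. As an added defensive example that is not part of the article or any comment, the Python below runs two checks over constructed, clearly fictional data: it flags an internal host that both keeps an IRC-port session and floods a single destination (the zombie pattern), and it lists hosts exposing port 4899 without a password. The flow and inventory records, the threshold and the RFC 5737 addresses are all assumptions.

```python
from collections import defaultdict

# Constructed flow summaries, not real traffic: (src, dst, dst_port, packets)
FLOWS = [
    ("10.0.0.5", "198.51.100.7", 6667, 12),     # long-lived IRC session
    ("10.0.0.5", "203.0.113.9", 80, 5400),      # packet flood toward one host
    ("10.0.0.8", "198.51.100.7", 6667, 9),      # IRC chat, but no flood
    ("10.0.0.8", "203.0.113.9", 80, 30),        # normal browsing
    ("10.0.0.12", "203.0.113.44", 443, 4100),   # large transfer, no IRC session
]

# Common IRC server ports; bots described in the article wait on IRC for commands.
IRC_PORTS = {6667, 6668, 6669}


def find_zombie_candidates(flows, flood_threshold=1000):
    """Return (src, target, packets, irc_servers) for hosts showing both signals:
    an open IRC session and a flood (>= flood_threshold packets) at one target.
    Either signal alone is reported elsewhere; only the combination is a hit."""
    irc_servers = defaultdict(set)        # src -> set of IRC server IPs
    floods = defaultdict(lambda: defaultdict(int))  # src -> {dst: packets}
    for src, dst, port, packets in flows:
        if port in IRC_PORTS:
            irc_servers[src].add(dst)
        if packets >= flood_threshold:
            floods[src][dst] += packets
    hits = []
    for src, targets in floods.items():
        if src not in irc_servers:
            continue  # heavy traffic without a C&C channel: not the zombie pattern
        for dst, packets in targets.items():
            hits.append((src, dst, packets, tuple(sorted(irc_servers[src]))))
    return sorted(hits)


# Constructed service inventory, not a real scan: (host, listening_port, password_set)
LISTENERS = [
    ("10.0.0.5", 4899, False),   # Radmin on default port, no password (comment 39's case)
    ("10.0.0.8", 4899, True),    # Radmin on default port, but a password is set
    ("10.0.0.12", 5900, False),  # some other service, out of scope for this check
]

RADMIN_DEFAULT_PORT = 4899  # the default port named in comment 39


def unprotected_radmin(listeners):
    """Hosts that expose the Radmin default port with no password configured."""
    return sorted(host for host, port, has_password in listeners
                  if port == RADMIN_DEFAULT_PORT and not has_password)


if __name__ == "__main__":
    for src, dst, packets, servers in find_zombie_candidates(FLOWS):
        print(f"zombie candidate {src}: {packets} packets to {dst}, IRC via {servers}")
    for host in unprotected_radmin(LISTENERS):
        print(f"unprotected Radmin listener on {host}:{RADMIN_DEFAULT_PORT}")
```

On the constructed data, 10.0.0.5 is reported by both checks, while 10.0.0.12's large transfer is ignored because it has no IRC session.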