By Dan Ilett, 12 October 2004 09:20
Security experts have discovered an instant-messaging tool that could change the way denial-of-service (DoS) attacks are performed.
Combining the open-source tool nmap - a program that discovers devices on a network - with an IM bot, hackers can infiltrate, steal information and carry out denial-of-service attacks on networks, says the director of security for Whitehat UK, Jason Hart.
IM runs over port 80, which is often regarded as a trusted port because internet traffic travels through it. Nmap uses ping requests and port scans to discover network devices.
Hart said: "The bot could send itself to 10,000 addresses, which could then attack one IP address. This means that 'denial-of-service attack' has taken on a whole new meaning. What's worrying is that this would look internal."
If instructed, the nmap bot is capable of a DoS attack by sending a massive amount of pings, a term hackers have dubbed 'the ping of death'.
"IM has always been a major concern," said Hart. "Just imagine the consequences - it can do a ping of death from an internal address, which confuses administrators. And the technology might not know to protect from the inside."
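The two nmap behaviours the article describes (bursts of ping requests and port scans) leave a recognisable trace in firewall or flow logs, and Hart's point is that they become harder to spot when the source address is internal. The following Python is an added example, not code from the article or from Whitehat UK: it reads a constructed, hypothetical log format (one event per line) and flags a source that sends many ICMP echo requests to one host, or probes many distinct ports on one host, within a short window, labelling each finding with whether the source falls inside an assumed internal address range.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Address ranges treated as "inside" the network (assumption for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

WINDOW = timedelta(seconds=10)   # sliding window applied to both checks
PING_THRESHOLD = 5               # echo requests to one host within WINDOW
SCAN_THRESHOLD = 5               # distinct destination ports on one host within WINDOW

# Hypothetical log line format, constructed for this example:
#   <iso-timestamp> proto=<ICMP|TCP> [type=<icmp type>] src=<ip> dst=<ip> [dport=<port>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+)(?: type=(?P<type>\d+))? "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)(?: dport=(?P<dport>\d+))?$"
)

# Constructed sample log: a normal web request, an internal ping burst, a
# single benign ping, an internal port sweep, and one external connection.
SAMPLE_LOG = """\
2004-10-12T09:20:00 proto=TCP src=10.0.2.2 dst=10.0.1.10 dport=80
2004-10-12T09:20:01 proto=ICMP type=8 src=10.0.5.23 dst=10.0.1.10
2004-10-12T09:20:01 proto=ICMP type=8 src=10.0.5.23 dst=10.0.1.10
2004-10-12T09:20:02 proto=ICMP type=8 src=10.0.5.23 dst=10.0.1.10
2004-10-12T09:20:02 proto=ICMP type=0 src=10.0.1.10 dst=10.0.5.23
2004-10-12T09:20:03 proto=ICMP type=8 src=10.0.5.23 dst=10.0.1.10
2004-10-12T09:20:03 proto=ICMP type=8 src=10.0.5.23 dst=10.0.1.10
2004-10-12T09:20:04 proto=ICMP type=8 src=10.0.9.1 dst=10.0.1.10
2004-10-12T09:20:05 proto=TCP src=10.0.7.9 dst=10.0.1.10 dport=21
2004-10-12T09:20:05 proto=TCP src=10.0.7.9 dst=10.0.1.10 dport=22
2004-10-12T09:20:06 proto=TCP src=10.0.7.9 dst=10.0.1.10 dport=23
2004-10-12T09:20:06 proto=TCP src=10.0.7.9 dst=10.0.1.10 dport=25
2004-10-12T09:20:07 proto=TCP src=10.0.7.9 dst=10.0.1.10 dport=80
2004-10-12T09:20:30 proto=TCP src=203.0.113.5 dst=10.0.1.10 dport=22
"""


def is_internal(addr):
    """True if the address lies in one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse(lines):
    """Turn log lines into (timestamp, proto, icmp_type, src, dst, dport) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:            # skip lines that do not match the expected format
            continue
        events.append((
            datetime.fromisoformat(m["ts"]),
            m["proto"],
            int(m["type"]) if m["type"] else None,
            m["src"],
            m["dst"],
            int(m["dport"]) if m["dport"] else None,
        ))
    return events


def detect(lines):
    """Return one finding per (src, dst) pair that crosses a threshold."""
    events = sorted(parse(lines), key=lambda e: e[0])
    pings = defaultdict(list)   # (src, dst) -> echo-request timestamps in window
    ports = defaultdict(list)   # (src, dst) -> (timestamp, dport) in window
    flagged = set()
    findings = []

    def report(kind, src, dst, ts, **extra):
        if (kind, src, dst) in flagged:       # report each pair once per kind
            return
        flagged.add((kind, src, dst))
        findings.append(dict(kind=kind, src=src, dst=dst, at=ts.isoformat(),
                             internal=is_internal(src), **extra))

    for ts, proto, icmp_type, src, dst, dport in events:
        key = (src, dst)
        if proto == "ICMP" and icmp_type == 8:          # echo request only
            q = pings[key]
            q.append(ts)
            while q and ts - q[0] > WINDOW:             # drop events outside window
                q.pop(0)
            if len(q) >= PING_THRESHOLD:
                report("ping_flood", src, dst, ts, count=len(q))
        elif proto == "TCP" and dport is not None:
            q = ports[key]
            q.append((ts, dport))
            while q and ts - q[0][0] > WINDOW:
                q.pop(0)
            distinct = {p for _, p in q}
            if len(distinct) >= SCAN_THRESHOLD:
                report("port_scan", src, dst, ts, ports=len(distinct))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        origin = "INTERNAL" if f["internal"] else "external"
        print(f"{f['at']} {f['kind']:<10} {f['src']} -> {f['dst']} [{origin}] {f}")
```

The `internal` flag is the part that matters for the scenario in the article: a rule that only alerts on traffic crossing the perimeter would stay silent here, so the windows are evaluated for every source regardless of where it sits, and the origin is recorded so the two cases can be routed to different responders.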
For the bot to run, it must be executed via either a download, an attachment or a .JPEG file, so it won't run automatically. However, many of these approaches require little or no social engineering, hence the huge increase in simple phishing attacks. Although the tool is still in its 'proof of concept' stage, Hart said he has been able to make it work in the lab and that it may already have been used in the real world but simply been undetected.
"Between now and Christmas we're going to see some major developments in the hacking world," he added.
Many firms favour IM over email to get around compliance regulations, which require them to log all emails. In this year's SANS top 20 vulnerabilities, threat research director Ross Patel highlighted IM as a major cause for concern.
Whitehat's Hart advised companies to avoid use of IM: "Don't use instant messenger. Anything going over port 80 should be checked and controlled. The easiest way of preventing the bot is by stopping people installing software."
To see a proof-of-concept example of the nmap bot, see: http://www.sharp-ideas.net.
Dan Ilett writes for ZDNet UK

Comments
1. Daniel Schrader
The article’s advice, “The easiest way of preventing the bot is by stopping people installing software”, is about as useful as telling network administrators to point their fingers and say, “don’t do that.” The fact is, most organizations don’t have a way to lock down desktops and prevent users from installing IM and P2P software.
Tools exist to scan for and either block or enforce policies on IM and P2P use. Though firewalls and IDS tools aren't very good at the job, companies such as FaceTime Communications (my employer), Akonix and IM Logic all have products that can identify and block some or all IM and P2P protocols.
2. anonymous
Well, thanks for letting us all know this, I will spread the article. I'm not a hacker, nor am I an antihacker. I'm in between. I don't spam p2p networks with Sub7, I don't spam it with anything else. All I have made is for personal use. But if I wanted to I can start doing this stuff. See, by publishing this article you are making Techys aware but you're also teaching hackers new tricks. You listed the program name, you yourself tested it and got it to work. Oh, I wonder why there are more hack attacks. With all do respect you yourself must have the knowledge of a hacker. Hacking is a two sided blade. But for every antihacker there must be at least 10 or 20 kids picking up Sub7 and other n00b programs online trying to get into your PCs.
3. royston
I agree with the above, and after asking several people they all agreed the same, CNET! STOP GIVING PEOPLE THE INFO TO HACK OUR PCS, you're a flaming liability. I know you are aware this is a public site and we are all tossers in your eyes etc etc.....but you're getting worse! I remember in the early days of cnet, you were really good at reporting but you are rapidly becoming the daily gutter press. Do something about yourselves please, before you become rubbish, huh.
4. anonymous
Totally agree, working out new flaws is good, protecting against them ... sure! But publishing the details and "proof of concept" for a security company? Stinks of "give us your money" to me, shameless advertising.
5. anonymous
With all "do" respect - it doesn't take a rocket-surgeon to find nmap...