Summary

Abstract

Earlier this year a hacker broke into several of our university's machines and installed a program that was until then unknown to the anti-virus and security communities. After a detailed analysis of the program using a method called reverse engineering (reconstructing the functionality of a program without having its source code), it turns out to be a tool that not only gives the attacker complete control over the infected systems but also provides a framework for Distributed Denial of Service (DDoS) attacks. At this point it is unknown whether our systems have been used in such attacks. DDoS attacks are a very powerful weapon and were used to knock the popular yahoo.com out of service for almost a complete day in Feb 2000.

What this program can do

As explained in the introduction, the program has remote control features and can therefore be used to take control of the system and install, for example, new versions of itself, other hacker tools (such as ones that recover the passwords of users on the machine), and more. The DDoS parts of the tool allow it to use our machines together with others to attack a single target, which is then flooded with traffic and knocked out of service. This costs both us (because we send out a lot of data) and the attacked system (because it receives a lot of data) bandwidth, and therefore also money. Thus it is very important to protect ourselves from tools like these.

How we can protect ourselves

It is very hard to protect against attacks like these. First of all we have to make sure we will not get infected again; this can be done by applying security updates to all of our machines as soon as they become available. The second thing is to try to prevent our network from sending out the kinds of packets that are usually used in DDoS attacks. We have altered the university's main router to detect and block outgoing DoS attacks.
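As an added illustration (not part of the original summary or of the router configuration the university applied), the script below shows the two checks a border router egress filter typically makes: dropping outbound packets whose source address is not one of ours (spoofed), and alerting on a single host sending an unusually high packet rate to one target. The campus prefix, the rate threshold and the flow records are constructed assumptions.

```python
# Added example: simple egress check of the kind described for the main router,
# run over constructed outbound flow records (not the university's own code).
import ipaddress
from collections import defaultdict

CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed campus prefix (documentation range)
RATE_THRESHOLD = 1000  # assumed packets/second above which one host->target flow is suspicious

# Constructed sample records: (source ip, destination ip, protocol, packets per second)
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", "tcp", 12),    # normal web traffic
    ("10.99.99.99", "203.0.113.7", "udp", 4500),  # source is not ours: spoofed, drop
    ("192.0.2.77", "203.0.113.7", "icmp", 9000),  # our host flooding one target
    ("192.0.2.77", "203.0.113.7", "udp", 3000),
    ("192.0.2.20", "198.51.100.9", "tcp", 40),
]


def check_egress(flows, campus_net=CAMPUS_NET, rate_threshold=RATE_THRESHOLD):
    """Return (spoofed, flooders).

    spoofed: records whose source address is outside our prefix; these should
             never leave our network and are dropped outright.
    flooders: {(src, dst): total pps} for campus hosts whose combined outbound
              rate to a single target exceeds rate_threshold.
    """
    spoofed = []
    per_pair = defaultdict(int)
    for src, dst, proto, pps in flows:
        if ipaddress.ip_address(src) not in campus_net:
            spoofed.append((src, dst, proto, pps))
            continue
        per_pair[(src, dst)] += pps
    flooders = {pair: pps for pair, pps in per_pair.items() if pps > rate_threshold}
    return spoofed, flooders


if __name__ == "__main__":
    spoofed, flooders = check_egress(SAMPLE_FLOWS)
    for rec in spoofed:
        print("DROP spoofed source:", rec)
    for (src, dst), pps in flooders.items():
        print(f"ALERT {src} -> {dst}: {pps} pps outbound")
```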

Conclusion

Around the world thousands of systems are infected with tools similar to the program that was found on our machines, and they are used to infect other systems and to carry out DDoS attacks. Our university has been a victim of such a tool; we will make some modifications to our network to make it much harder for attackers to break into our systems. If you think you have been infected, please contact the computer security office (security@honeyp.edu) so a security engineer can remove this tool from your system; please do not attempt to remove it yourself.