Summary
Abstract
Earlier this year a hacker broke into several of our university's machines and installed a program that was
until then unknown to the anti-virus and security communities. We analysed the program in detail using
a method called reverse engineering (reconstructing the functionality of a program without having its source code).
It turns out
to be a tool that not only allowed the attacker complete control over the infected systems but also provided a
framework for Distributed Denial of Service (DDoS) attacks. At this point it is unknown whether our systems have
been used in such attacks. DDoS attacks are a very powerful weapon and were used to knock the popular yahoo.com
out of service for almost a complete day in Feb 2000.
What this program can do
As explained in the introduction, the program has remote control features and can therefore be used to take control
of the system and install, for example, new versions of itself, other hacker tools to recover the passwords of users on the
machine, and more. The DDoS parts of the tool allow it to use our machines together with others to attack a single
target, which is then flooded with traffic and knocked out of service. This costs both us (because we
send out a lot of data) and the attacked system (because it receives a lot of data) bandwidth and therefore also
money. Thus it is very important to protect ourselves from tools like these.
How we can protect ourselves
It is very hard to protect against attacks like these. First of all we have to make sure we will not get
infected again; this can be done by applying security updates to all of our machines as soon as they become available.
The second thing is to try to prevent our network from sending out the kinds of packets that are typically used in DDoS attacks.
We have altered the university's main router to detect and block outgoing DoS attacks.
Conclusion
Around the world thousands of systems are infected with tools similar to the program that was found on our machines
and are used to infect other systems and to carry out DDoS attacks. Our university has been a victim of such a tool, and we will
make some modifications to our network to make it a lot harder for attackers to break into our systems. If you think
you have been infected, please contact the computer security office (security@honeyp.edu) so that a security engineer
can remove this tool from your system; please do not attempt to remove it yourself.