Thieves Trick Crackers Into Attacking Networks

Corporate networks are coming under attack from an army of amateur crackers working unwittingly for professional thieves, security experts have warned.

They have identified signs that organized criminals and "professional" crackers are using trick software that lets teenage enthusiasts -- known as "script kiddies" -- attack networks for amusement. The software then secretly sends the findings of these surveys to experienced crackers.

Professional gangs could use this trick to build massive databases of network insecurities for thieves to exploit.

Consultants cited the hacking group New Order's Aggressor network-attack software, which invites amateurs to register for a full copy on the promise that they will receive hidden tools to mount stronger attacks on their victims.

"We could be looking at half a dozen teenagers doing cracking on behalf of New Order," warned Internet Security Systems security expert Kevin Black. "It's: 'Here's a toy to play with,' then: 'Thank you, soldier.' "

The growth of Java programming skills lies behind another new trick, where crackers build Java cracking software into websites. When surfers browse the site, the program runs from their machines, so it is the surfer's IP address that shows up in network security tools' logs, leaving the cracker's real location a secret.

Canadian hacking group HackCanada is encouraging crackers to rewrite the Python network-scanning script Phf in Java so it can be loaded into Web surfers' browsers during a visit to an innocuous-looking site.

HackCanada adopted the tactic after a cracker received a warning from a corporate network administrator who detected him using the Phf script in its native Python form.

And in a gloomy warning for network administrators, Axent security consultant David Butler warned that teenagers and students who collected cracking tools to impress their peers would quickly try them out.

"Cracking attempts rise by a factor of three or four during school holidays," Butler told a joint Toshiba-Inflo security presentation earlier this month.

The news came shortly after security experts learned the freely available password authenticator Tcpwrapper had been rewritten and redistributed in a form that sends passwords it finds to an anonymous Hotmail address.

"It's a shift in the mentality of cracking," said Black. "It's the difference between the men and the boys."

"We have been under constant attack by hackers since Christmas," said Nokia Telecommunications' Europe, Middle East, and Africa marketing director Bob Brace. The company had detected 24,000 cracking attempts since October last year, he said.

Nokia runs an IP440 firewall and NAT with log analysis, so Brace could see that the hackers first tried to ping every IP address, then probed for specific ports such as the default port for Back Orifice (1234) and port 80. (Back Orifice lets crackers gain control of a remote PC and is often hidden as a trojan in games.)

"I believe much of the probing is automated and some of the more serious attacks are spread out so they are not easy to identify in a trace," Brace said.
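The pattern Brace describes (a ping sweep across the address range, then probes of specific ports, possibly spread out over time) can be looked for in firewall logs by keeping per-source state with no time window. The following is an added example, not code from the article or from Nokia; the log format, the sweep threshold and the sample addresses are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_PORTS = {1234, 80}  # the ports named in the article
SWEEP_MIN_HOSTS = 10        # assumed threshold: distinct hosts pinged


def parse(line):
    """Parse 'timestamp src dst proto dport' (assumed log format)."""
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, None if dport == "-" else int(dport)


def find_scanners(lines):
    """Return {src: report} for sources that swept, then probed watched ports.

    State is kept per source for the whole log, with no sliding time
    window, so a sweep spread over several days is still counted.
    """
    pinged = defaultdict(set)   # src -> distinct hosts pinged
    sweep_done = {}             # src -> time the sweep threshold was reached
    probes = defaultdict(set)   # src -> (dst, port) probed after the sweep
    for ts, src, dst, proto, dport in sorted(map(parse, lines), key=lambda r: r[0]):
        if proto == "icmp":
            pinged[src].add(dst)
            if len(pinged[src]) >= SWEEP_MIN_HOSTS:
                sweep_done.setdefault(src, ts)
        elif src in sweep_done and dport in WATCHED_PORTS:
            probes[src].add((dst, dport))
    return {s: {"hosts_pinged": len(pinged[s]), "sweep_done": sweep_done[s],
                "probes": sorted(probes[s])}
            for s in sweep_done if probes[s]}


def constructed_log():
    """Constructed sample: one slow scanner and two benign sources."""
    t0 = datetime(1999, 2, 1)
    at = lambda **kw: (t0 + timedelta(**kw)).isoformat()
    out = [f"{at(hours=6 * i)} 203.0.113.9 10.0.0.{i + 1} icmp -"
           for i in range(12)]                       # 12 pings over three days
    out += [f"{at(days=4)} 203.0.113.9 10.0.0.5 tcp 1234",
            f"{at(days=5)} 203.0.113.9 10.0.0.7 tcp 80"]
    out += [f"{at(hours=i)} 198.51.100.4 10.0.0.2 tcp 80"
            for i in range(5)]                       # ordinary web client
    out += [f"{at(minutes=i)} 192.0.2.8 10.0.0.1 icmp -"
            for i in range(30)]                      # monitoring pings to one host
    return out


if __name__ == "__main__":
    for src, report in find_scanners(constructed_log()).items():
        print(src, report)
```

Only the source that pinged many distinct hosts and later touched a watched port is reported; the web client and the single-host pinger are not.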

Feb 16, 1999 (Tech Web - CMP via COMTEX)

Copyright (C) 1999 CMP Media Inc.