Chat 'bots' may be hacker tool

A network monitoring group is warning that a file-sharing racket and exploit code for IIS vulnerabilities mean that a massive hack attack may be brewing.

An international network monitoring group has alerted corporate Australia to a growing file-sharing racket that uses Internet Relay Chat "robots" to compromise networks. That, and the recent release of exploit code for certain Microsoft IIS Web server vulnerabilities, means the hacker community has all the tools necessary to launch a massive attack.

Internet Security Systems, which monitors networks around the world from seven points of presence, including a "war room" in Atlanta, has seen an increase in IRC (Internet Relay Chat) traffic in the last month, according to Grant Slender, principal ISS consultant for Australasia. The traffic surge relates to an increase in the use of IRC bots by the file-sharing community to swap files and pirated software across the Internet.

"If you're a malicious person and have pirated software held on your computer and people are downloading it, you'll be the target for prosecution," Slender said. Alternatively, "what we are starting to see happen is networks being compromised and automated systems for file transfer being installed on them."

This is possible because of robot pieces of code, which were originally developed as a way to notify online IRC users when a "chat" on a particular topic had begun but have since evolved into sophisticated pieces of software. "People have now thought of a smarter way to use them to automatically transfer files around the Net," Slender said.

File-sharing hackers will target the networks of companies that have high bandwidth and lots of storage, particularly Web hosting companies -- often known as "Web farms" -- that house hundreds of servers in one room.

Although so far there have been no direct reports of Australian corporate networks being compromised in this manner, organisations need to be on alert. "There are companies in Australia that meet that criteria," Slender said, pointing to the nation's telcos, which use huge amounts of bandwidth and are often in the Web hosting business.

"I can say that's what (hackers) would be aiming for, organisations of that calibre."

Following reports of networks being compromised by the file-sharing community in parts of Asia and the United States, organisations should check their networks to see if there has been an increase in IRC traffic, Slender advised.

Second part of the equation

Also of concern to ISS is an exploit released last week that takes advantage of numerous Microsoft IIS Web server vulnerabilities announced in April. According to Slender, this is exactly how the infamous Code Red and Nimda worms got started: a vulnerability was detected, someone proved the exploit, and the next thing, Code Red was unleashed.

"Code Red, we believe, was a testing tool, it didn't do a lot of destructive damage," Slender said. Of the subsequent Code Red variants, he added, "quite obviously they were testing the right way to spread."

It's only a matter of time, according to Slender, before someone compiles a malicious program based on the new Microsoft IIS exploit. "All the right things are in the right place for that to happen," he said.

According to ISS, the likelihood is that the Microsoft IIS exploit code will be enhanced sometime soon to include a more destructive payload and worm-like propagation capabilities, fuelled by increased peer-to-peer chat programs, increased access to more "warez" products and hackers who increasingly look for ways to distribute their goods.

"Traditional organisations think, 'I'm nobody, I'm insignificant,' and that the biggest threat is being defaced," Slender said. He used the analogy of having a shed on one's property. "If you leave it unlocked, you should expect to go in there one day and find a lot of stuff stored in there," he said. "The same concept is happening on the Net."
