SANS warns of biggest ever hacking probe

Is it or isn't it? Anti-Virus companies question significance of Trojan probe

The American SANS (System Administration and Network Security) institute claims to have pieced together evidence of the world's biggest ever network monitoring operation involving hundreds of instances of a Trojan program called Ring0.vxd.

SANS says it has received reports from hundreds of its members indicating that Ring0 is collating information on commercial servers and sending data back to a script running on a closed Web site based in Germany. SANS has described the virus as "a quantum leap in distributed attack technology".

The owner of the German Web site, Andreas Kraus, claims to know nothing of the reported activity, however. The only explanation offered by Kraus is that perhaps his computers have been broken into. Stephen Northcutt, the expert at SANS who issued the initial alert, concedes this is possible.

No anti-virus firm has reported detecting Ring0.vxd in the wild. Most anti-virus software will detect its activities, according to Jack Clark of Network Associates, who believes the danger of Ring0 is being dangerously exaggerated. "From what we've been able to ascertain, this Trojan has no characteristics that do what SANS say it is doing. My feeling is that it has been blown out of all proportion. We have generic detection for it, so who cares what it does."

Another network anti-virus expert, Paul Brettle of Datafellows Antivirus, agrees. "This is a bit confusing really. This is not something that we have highlighted as a serious threat. I think SANS is getting a bit over-ambitious. This scans for open ports but the chances of actually mounting an attack as a result of that are quite low."

But Northcutt sees the situation somewhat differently. "As for anti-virus, not everyone runs it and not everyone keeps their sig. [virus signature] tables up to date either. This could be a significant factor."

SANS recommends that system administrators should be vigilant to possible scans on ports 80, 8080 and 3128 and should delete any files called Ring0.vxd, its.exe and pst.exe.
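As an added illustration of the SANS advice above (example code written for this page, not from SANS or the article), the script below reads constructed firewall log lines, flags any source that probes more than one of ports 80, 8080 and 3128, and picks the three named files out of a directory listing. The log format, the two-port threshold and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Ports SANS asked administrators to watch (from the article).
WATCHED_PORTS = {80, 8080, 3128}
# File names SANS recommended deleting (from the article).
SUSPECT_FILES = {"ring0.vxd", "its.exe", "pst.exe"}

# Constructed sample log lines in an assumed, simplified firewall format:
# "<time> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
12:00:01 203.0.113.7 -> 192.0.2.10:80 ACCEPT
12:00:02 203.0.113.7 -> 192.0.2.10:8080 DROP
12:00:03 203.0.113.7 -> 192.0.2.10:3128 DROP
12:00:04 198.51.100.5 -> 192.0.2.10:80 ACCEPT
12:00:05 198.51.100.5 -> 192.0.2.10:443 ACCEPT
12:00:06 203.0.113.9 -> 192.0.2.11:8080 DROP
12:00:07 203.0.113.9 -> 192.0.2.11:3128 DROP
"""

LINE_RE = re.compile(r"^\S+ (\S+) -> \S+:(\d+) \S+$")

def find_proxy_scanners(log_text, min_ports=2):
    """Return {src_ip: sorted watched ports hit} for every source that
    touches at least `min_ports` of the watched ports. One hit on port 80
    is ordinary web traffic; a source walking 80, 8080 and 3128 in turn
    looks like the proxy-port probing SANS described."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        src, port = m.group(1), int(m.group(2))
        if port in WATCHED_PORTS:
            hits[src].add(port)
    return {src: sorted(p) for src, p in hits.items() if len(p) >= min_ports}

def find_suspect_files(filenames):
    """Return entries from a directory listing whose names match the files
    SANS said to delete (compared case-insensitively, as on Windows)."""
    return sorted(f for f in filenames if f.lower() in SUSPECT_FILES)

if __name__ == "__main__":
    print(find_proxy_scanners(SAMPLE_LOG))
    print(find_suspect_files(["Ring0.vxd", "notepad.exe", "PST.EXE"]))
```

Note that a file-name match alone is weak evidence, which is the point the anti-virus vendors quoted above make; treat it as a prompt to inspect the host, not as proof of compromise.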
