FBI's new Internet computer cases quadruple since last week


Friday, February 18, 2000


WASHINGTON (AP-CP) -- ABC News reports an Internet security expert has been in contact with an unidentified 15-year-old Canadian being investigated in connection with last week's attacks on major U.S. Web sites. Michael Lyle, chief technology officer for Recourse Technologies Inc. in Palo Alto, Calif., told ABC he spoke with the boy, who uses the e-mail name mafiaboy, by Internet last Thursday and Friday.

Lyle said those conversations bolstered his belief that mafiaboy was involved with copycat attacks that followed an initial hacker attack that temporarily shut down Yahoo.com. Mafiaboy, who hasn't been identified, told Lyle specific details about the ports he used to connect with zombie computers and launch the attacks -- information Lyle says only someone involved in the attack would know, ABCNews.com reported Thursday.

Investigators in the United States and Canada theorize mafiaboy is among several copycats who have emerged since someone used so-called slave computers to flood Yahoo's site with an overwhelming stream of data that prevented legitimate customers from gaining access to the site.

Earlier this week, Canadian service provider Internet Direct said it had provided the identity and other information about a former client who had used the mafiaboy code name to the RCMP after police turned up with a search warrant.

Attacks have continued into this week and no one knows if they have ended, FBI spokeswoman Debbie Weierman said Thursday. Two days after the first attack overwhelmed Yahoo! and Toronto-based HMV.com on Feb. 7, the FBI had opened four new investigations of the so-called distributed denial of service attacks. Now the total is "more than 17 new investigations, including more than 13 where the victim suffered a distributed denial of service attack," Weierman said Thursday. Only eight of the more than 13 have been publicly identified.
Four investigations are into the placing of denial of service tools, known as daemons, on middleman computers that can later be remotely ordered to attack a victim site, Weierman said. Hiding these daemons on unwitting host computers is a key step in mounting a distributed denial of service attack. "The possibility of copycats is out there, as are other theories, with these piggyback incidents," she said.

At first, the coincidence of timing suggested the attacks were launched by the same people. As the attacks continued, investigators began actively looking into the copycat theory, according to other federal law enforcement officials, who requested anonymity. One factor that contributes to the theory is the use of more than one type of tool to mount the attacks. Without saying where or when they have been employed, FBI Director Louis Freeh has identified three such tools: TFN for Tribal Flood Net, trinoo and stacheldraht. Some can be downloaded free from Internet sites.

The co-ordinated denial of service attacks are known to have overwhelmed Web sites run by eBay, Amazon.com, CNN, ZDNet, Buy.Com, ETrade and Excite as well as Yahoo! and HMV.com. There are more than five other victims whose identities are not public. And those whose attacks were not noticed by large portions of the public.

Weierman said the bureau would not disclose the identities of all the victims "to preserve the integrity of the investigation." Other federal law enforcement officials said some victim companies want their names withheld to protect their reputations or for fear of losing the confidence of the public or seeing their stock price drop.

Investigators say that dozens, even hundreds, of middlemen computers, known as zombie computers, have been unwittingly used in past distributed denial of service attacks.

http://www.canoe.ca/TechNews0002/18_hackers.html

-- Martin Thompson (mthom1927@aol.com), February 19, 2000

