Thieves Trick Crackers Into Attacking Networks
By Lee Kimber, Network Week
Feb 16, 1999 (9:10 AM)

Corporate networks are coming under attack from an army of 
amateur crackers working unwittingly for professional 
thieves, security experts have warned. They have identified 
signs that organized criminals and "professional" crackers 
are using trick software that lets teenage enthusiasts -- 
known as "script kiddies" -- attack networks for amusement. 
The software then secretly sends the findings of these 
surveys to experienced crackers.

Professional gangs could use this trick to build massive 
databases of network insecurities for thieves to exploit.

Consultants cited the hacking group New Order's Aggressor 
network-attack software, which invites amateurs to register 
for a full copy on the promise that they will receive 
hidden tools to mount stronger attacks on their victims.

"We could be looking at half a dozen teenagers doing 
cracking on behalf of New Order," warned Internet Security 
Systems security expert Kevin Black. "It's: 'Here's a toy 
to play with,' then: 'Thank you, soldier.' "

The growth of Java programming skills lies behind another 
new trick, where crackers build Java cracking software into 
websites. When surfers browse the site, the program returns 
the surfer's IP address to network security tools' logs, 
leaving the cracker's real location a secret.

[What? So a surfer visits a site and it returns their IP?
Web servers log the incoming traffic, not pass info back to the 
surfer. This statement makes no sense.]

Canadian hacking group HackCanada is encouraging crackers 
to rewrite the Python network-scanning script Phf in Java 
so it can be loaded into Web surfers' browsers during a 
visit to an innocuous-looking site. 

HackCanada adopted the tactic after a cracker received a 
warning from a corporate network administrator who detected 
him using the Phf script in its native Python form.

And in a gloomy warning for network administrators, Axent 
security consultant David Butler warned that teenagers and 
students who collected cracking tools to impress their 
peers would quickly try them out.

"Cracking attempts rise by a factor of three or four during 
school holidays," Butler told a joint Toshiba-Inflo 
security presentation earlier this month.

The news came shortly after security experts learned the 
freely available password authenticator Tcpwrapper had been 
rewritten and redistributed in a form that sends passwords 
it finds to an anonymous Hotmail address.

["password authenticator Tcpwrapper"? TCPWrappers
have nothing to do with password authentication. They control
who can connect to the site at all.]

"It's a shift in the mentality of cracking," said Black. 
"It's the difference between the men and the boys."

"We have been under constant attack by hackers since 
Christmas," said Nokia Telecommunications' Europe, Middle 
East, and Africa marketing director Bob Brace. The company 
had detected 24,000 cracking attempts since October last 
year, he said.

Nokia runs IP440 firewall and NAT with log analysis, so 
Brace could see the hackers first tried to ping every IP 
address, then probed for specific ports such as the default 
port for Back Orifice (1234) and port 80. (Back Orifice 
lets crackers gain control of a remote PC and is often 
hidden as a trojan in games.)

[Back Orifice defaults to port 31337 and would rarely (if ever)
be installed on port 80 as it would conflict with HTTP if it was

"I believe much of the probing is automated and some of the 
more serious attacks are spread out so they are not easy to 
identify in a trace," Brace said.
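
The pattern Brace describes (a ping of every address, then probes of specific ports, spread out over time) can be checked for in firewall logs. The following is an added example, not part of the article or the commentary. The log format, sample lines, function names and thresholds are assumptions constructed for illustration, and the watched ports are 80 and the 31337 default given in the bracketed comment above.

```python
from collections import defaultdict

# Constructed sample log, not from the article. Fields: epoch src dst proto dport
SAMPLE_LOG = """\
918000000 203.0.113.7 192.0.2.1 icmp -
918003600 203.0.113.7 192.0.2.2 icmp -
918090000 203.0.113.7 192.0.2.3 icmp -
918176400 203.0.113.7 192.0.2.4 icmp -
918180000 198.51.100.9 192.0.2.2 tcp 80
918262800 203.0.113.7 192.0.2.2 udp 31337
918266400 203.0.113.7 192.0.2.3 tcp 80
918270000 198.51.100.20 192.0.2.1 icmp -
918273600 198.51.100.20 192.0.2.1 tcp 25
"""

def parse(line):
    """Split one log line into (ts, src, dst, proto, dport); dport is None for ICMP."""
    ts, src, dst, proto, dport = line.split()
    return int(ts), src, dst, proto, None if dport == "-" else int(dport)

def sweep_then_probe(log_text, min_hosts=4, watch_ports=(31337, 80)):
    """Flag sources that pinged >= min_hosts distinct hosts, then hit a watched port.

    Counters cover the whole log with no time window, so a sweep spread over
    days still accumulates. min_hosts and watch_ports are assumed defaults.
    """
    records = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r[0])
    pinged = defaultdict(set)      # src -> distinct hosts pinged
    first_ping = {}                # src -> time of first ping
    swept = set()                  # sources past the sweep threshold
    probes = defaultdict(list)     # src -> [(ts, dst, dport)] seen after the sweep
    for ts, src, dst, proto, dport in records:
        if proto == "icmp":
            first_ping.setdefault(src, ts)
            pinged[src].add(dst)
            if len(pinged[src]) >= min_hosts:
                swept.add(src)
        elif src in swept and dport in watch_ports:
            probes[src].append((ts, dst, dport))
    return {
        src: {
            "hosts_pinged": len(pinged[src]),
            "span_seconds": hits[-1][0] - first_ping[src],
            "probes": [(dst, port) for _, dst, port in hits],
        }
        for src, hits in probes.items()
    }

if __name__ == "__main__":
    for src, info in sweep_then_probe(SAMPLE_LOG).items():
        print(src, info)
```

In the sample, the flagged source takes about three days from its first ping to its last probe, which a short sliding window would miss.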