
  • Subject: Re: Denial of Service, Good for AS/400?
  • From: Blair Wyman <wyman@xxxxxxxxxxxx>
  • Date: Fri, 11 Feb 2000 11:15:02 -0600 (CST)

WinXX has been called "The Petri Dish of the Internet."  Everyone loves
to hate B.G., and they express their feelings by writing viruses to
crash boxes running his software.  (Personally, I think it's just
"billionaire-envy," but I'm no psychiatrist.)   

And WinXX is *notoriously* easy to crash!  

Remember "winnuke" from a few years back?  Until M$ released their
"fix," a very short Perl script could crash any WinXX box connected to
the 'net, given its name or IP address.  All the script had to do was
connect to the target box on port 139, send so-called "out of band"
(MSG_OOB) TCP data, and <plonk> -- instant BSOD. 

Excerpts from midrange-l: 10-Feb'00 Re: Denial of Service 

> [...]hard to fight something that you cannot see...specially if its
> coming from multiple places (from what Zdnet say at least 1000+ pc s
> attacked at the same time...its intimidating to think that you have
> 1000+ hackers doing this from all over the world conducting this attacks
> simultaneously..... 

What got me started on this thread was this expressed fear -- that
thousands of hackers had suddenly banded together to simultaneously
wreak some havoc.  On the contrary, even though thousands of machines
might have been involved, I'm confident the attack could have been
perpetrated by a lone cracker. 

From the little bit of news I've heard on the recent DoS attacks (sounds
like the feds are keeping the details fairly close to their bureaucratic
vests -- and even leveraging the general ignorance by saying they're
playing "catch up", and that it'll take more money for them to
figure it out ;-) it sounds like the attacks could easily have been
perpetrated by a *lone* cracker.  All the cracker would need would be a
database of the addresses of machines known to be infected with the
NetBus or BackOrifice programs.   This database would be easily
compiled, given the subnet scanners in these programs. 

By way of background, NetBus and BackOrifice are something like "trojan
horse" programs that are surreptitiously loaded on a WinXX machine and
started at boot-up.  They can be attached to innocuous programs or even
legitimate programs from illegitimate sources, and can install
themselves silently.  Once installed, for the most part they sit quietly
and consume very little (if any) CPU.  AFAIK, they don't even show up on
the 'process' list on WinXX. 

All that these programs do is "listen" on some TCP port (12345, 12346
and 31337 are ones I'm aware of, but they can be configured to use any
available port) for attempts to connect, and when another computer (our
cracker) attempts to connect on that port, the program responds in the
affirmative -- indicating that the box at this address is, in fact,
infected.  (All our cracker would have to do, first time around, is have
his scanner add that address to his database.) 

Once the computer responds -- effectively saying "I'm infected" (here's
the kicker) -- the program on the infected PC effectively allows the
remote cracker to do almost ANYTHING (s)he wants, up to and including
making the CDROM drive open and close!  The cracker can copy files, run
commands, take screen snapshots...  You name it.  And, if you don't
happen to catch it while it's happening, you might NEVER KNOW. 

Well, with the proliferation of cable modems and other wideband home
internet services -- services that are always "up" if the computer is on
-- and with the incredible lack of awareness of the risks of running
.exe files that are downloaded or arrive in e-mail (the original
disseminator of BackOrifice was something called whackamole.exe or
somesuch) -- NetBus and BO infections are undoubtedly proliferating
rampantly.  And, while I've never tried it (trust me), I believe that
NetBus or BO could trivially be told to "ping" a given IP address
(for instance), which could easily effect a DoS attack by flooding the
common target with incoming ICMP packets from thousands of machines. 

So, that's how it could've been done by one miscreant.  Of course,
firewalls work well to prevent the connection from the cracker machine,
and there are programs you can run on your PC that will detect attempts
to connect on a number of ports and report the attack to you.  There's
even one program that has your machine "pretend" to be infected, so it
can get honest-to-goodness actionable EVIDENCE of an attempt to break
in, since just attempting to connect to a port (IIRC) is not considered
"illegal."  (I'm not a lawyer, either -- there are already enough people
who don't like me.) 

Excerpts from midrange-l: 11-Feb'00 RE: Denial of Service, Good.. "Bob
Crothers"@cstoneind (855*) 

> >>What cannot possibly be done is to write an OS/400 object that is a virus<< 

> This is totally wrong.  Nobody (that I know of) has successfully distributed 
> one, but it would be possible to do. 

I don't want to open up Pandora's Box of Viral Etymology, but want to
weigh in here, too...   

The AS/400's virus resistance is largely due to a couple of key factors. 

While WinXX exposes its cellular innards to anyone who can write a .dll,
the AS/400 has a highly-specialized and selective "permeable membrane"
around its nucleus -- the Technology Independent Permeable Nuclear
Membrane (a/k/a the "MI" ;-) -- that reserves a set of special functions
to only be done by the Trusted Mitochondrial Base (a/k/a "SLIC" and
"OS/400").  <plonk> cannot be easily crafted in the same way as on
WinXX, since the nucleus is so protected. 

Of course, a determined programmer can use system tools to modify the
object code at the hardware-instruction level, but again the selective
membrane is designed to detect such "viral" modifications, and to
prevent them from passing from machine to machine.  So, the membrane
works both ways. 

> That said, there are several things that make viruses on our AS/400's 
> unlikely.  The first is just the number of systems.  There are about 
> 50,000+- AS/400's in the USA. 

Interesting numbers -- I don't know about US only, but I've heard a
number more like 600,000 world-wide.  And, with the visibility the
AS/400 is getting on various fronts, I expect it may become a target at
some point.  I do hope and trust that we will continue to be as
"infection-free" as we've been to this point -- get out the Lysol!  ;) 

Sorry for rambling. 

-blair 

  ___   _           Blair Wyman                  IBM Rochester 
 ( /_)  /  _  ' _   (507)253-2891            blairw@us.ibm.com 
__/__)_/_<_/_/_/_'  Opinions expressed may not be those of IBM 



+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
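The message describes how an infected box answers a connection attempt on its NetBus/BackOrifice port and how a subnet scanner builds a database of such hosts. An added example (not from the original post or the list): a detection routine that reads firewall log lines for probes of those listener ports and flags a source that sweeps several hosts. The log format, the IP addresses and the threshold are constructed for illustration.

```python
"""Flag probes for NetBus/BackOrifice-style listener ports in firewall logs."""
import re
from collections import defaultdict

# Ports named in the message; a real deployment would extend this list.
TROJAN_PORTS = {12345: "NetBus", 12346: "NetBus", 31337: "BackOrifice"}

# Constructed log format: "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\w+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_trojan_probes(lines, min_targets=3):
    """Return (hits, sweepers): hits are individual probes of a trojan port,
    sweepers are source IPs that probed such ports on >= min_targets hosts."""
    hits, targets = [], defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in TROJAN_PORTS:
            continue
        rec["trojan"] = TROJAN_PORTS[rec["dport"]]
        hits.append(rec)
        targets[rec["src"]].add(rec["dst"])
    sweepers = sorted(s for s, d in targets.items() if len(d) >= min_targets)
    return hits, sweepers

# Constructed sample: one source sweeps three hosts, plus unrelated traffic.
SAMPLE_LOG = """\
2000-02-10T22:01:03 TCP 203.0.113.7:40112 -> 192.0.2.10:12345 DROP
2000-02-10T22:01:03 TCP 203.0.113.7:40113 -> 192.0.2.11:12345 DROP
2000-02-10T22:01:04 TCP 203.0.113.7:40114 -> 192.0.2.12:12345 DROP
2000-02-10T22:01:04 TCP 203.0.113.7:40115 -> 192.0.2.12:31337 DROP
2000-02-10T22:01:09 TCP 198.51.100.4:51000 -> 192.0.2.10:80 ACCEPT
2000-02-10T22:01:10 UDP 198.51.100.9:5353 -> 192.0.2.10:31337 DROP
not a log line
"""

if __name__ == "__main__":
    hits, sweepers = find_trojan_probes(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['ts']} {h['src']} probed {h['dst']}:{h['dport']} ({h['trojan']})")
    print("subnet sweep suspected from:", sweepers)
```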
