FBI targets computers suspected in Web attacks
Consulting firm says its server was used to attack AOL
WASHINGTON (CNN) -- The FBI is hoping to seize computers at undisclosed businesses within the next couple of days in California and Oregon that the agency believes triggered at least one of the cyber attacks against popular Web sites this week, CNN has learned.
Those computers may turn out to be just one piece of the puzzle.
"It's like you're walking along a chain-link fence in the fog. You know you're moving toward the end, but you don't know where the end is until you get there," said Scott Charney, former head of the Justice Department's computer crime unit.
No arrests are considered imminent at this time, sources familiar with the investigation said.
The FBI believes the computers were used to hijack a computer in a research lab at the University of California at Santa Barbara.
"We have both the situation of having our machine broken into, and then used to cause somebody else trouble," said the university's campus network programmer, Kevin Schmidt. "We don't like this. We feel very victimized."
He noticed an abnormality in the university's computer traffic late Tuesday night. After running an overnight check, he called CNN to report that a school computer was involved in the denial of service attack on CNN.com.
CNN.com was one of several major Web sites hit in cyber-attacks this week. Others included the Internet portal Yahoo!, the most popular site on the Web, and the e-commerce sites eBay and Amazon.com.
Sources declined to identify the owners of the computers that are being targeted in the investigation. The sources point out that the computers might have been programmed without the owners' knowledge.
Such computers are sometimes called "zombie" computers. In a denial of service attack, they send commands to high-capacity computers that flood the affected Web site with millions of messages, blocking access to would-be users.
Envisioneering Group, a Long Island, New York, technology consultant, told CNN on Friday that one of its servers was hijacked on two separate days to launch a version of a denial of service attack on a major Web site.
The first intrusion was on January 29 and involved using a computer to pass large volumes of e-mail from a third party to a Web site server in an attempt to overwhelm the site.
In the span of 15 minutes, several dozen e-mails a second were sent through the Envisioneering server to both Yahoo! and America Online, the largest Internet provider.
While the attack was in progress, engineers at Envisioneering stopped it, according to Envisioneering Group President Richard Doherty.
"We dumped all the pending mail, and that stopped the repeated attacks (on Envisioneering)," Doherty said.
Yahoo! was jammed by messages on Monday.
The Envisioneering server was used again in the same fashion on Tuesday, a day when highly trafficked Internet sites such as CNN.com and the retail sites Amazon.com and Buy.com were hit with denial of service attacks.
But in the second incident involving his server, Doherty says he doesn't know exactly where the messages were sent.
The first attack could have been a form of target practice to confirm that the Envisioneering server was vulnerable, with the intention of using it in the later attack.
AOL, for its part, reported no out of the ordinary traffic on either of the dates cited by Doherty. The attack had no effect on the huge Internet provider, an AOL spokeswoman said.
Envisioneering uses Mindspring for its Internet access. But even if a hacker somehow gained control of the entire Mindspring network and pointed it at AOL, it wouldn't "register a significant amount of volume to cause a problem," said AOL spokesperson Tricia Primrose.
That is because of Mindspring's relatively small total bandwidth. With the known resources of the intruder -- one computer at Envisioneering Group -- the assault didn't amount to a pinprick, Primrose said.
America Online and Time Warner, the parent company of CNN, announced in January their intent to merge in a $127 billion deal. The merger is subject to pending regulatory review from the Federal Trade Commission.
Yahoo! did not immediately return calls for comment.
As the smoke begins to clear from the spate of attacks, CNN continues to get sporadic reports about other major Web sites assaulted.
Excite@Home confirmed that its portal and search engine were attacked Wednesday at 7 p.m. PST. The attack lasted about an hour, according to a spokeswoman.
About 50 percent of users trying to access the portal and search engine couldn't reach the site during the attack, which targeted and overloaded routers.
Only the Web site was under attack; the @Home cable network was not affected.
"We're working with the Internet community to try to find out what's going on," said Excite@Home spokeswoman Kelly Distefano.
Also, a Silicon Valley-based Internet company was hacked into this week, with the cyber saboteurs gaining access to secure customer files that contained thousands of credit card numbers, officials said Friday.
RealNames said its staff discovered that its Web server was hacked into Wednesday afternoon, and that some information was obtained.
The company provides a "key word" Internet service that helps find sites or information for its 60,000 customers -- 15,000 of whom have credit card information on the site.
All customers and credit companies were notified by e-mail that their information may have been accessed.
Schmidt said an intruder entered the UCSB machine at least twice. After entering the first time to open doors needed later, the intruder returned to install a software package designed to carry out an attack, Schmidt said.
The program, once executed, began its assault by sending out connection requests to the target Web site, creating a denial of service attack.
In order to conceal the attack, the program began rotating the origination addresses of the requests. This method, known generally as "spoofing," is used to thwart filters on the target machine designed to identify and weed out malicious data.
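The two paragraphs above describe why rotating the origin address defeats a simple filter on the target: a filter that counts requests per source never sees any single address misbehave. The following script, an added example that is not code from the article, from UCSB or from CNN, makes that point concrete from the defender's side. It parses constructed connection-request log lines (the `ts src -> dst SYN` format, the host name `cnn.example` and the thresholds are all assumptions for the example) and compares the per-source view a naive filter uses with the aggregate view, rate plus spread of distinct sources, that still exposes a flood whose addresses are being rotated.

```python
"""Detection sketch: per-source filtering versus aggregate view of a SYN burst.

Constructed example. Log format, host names, addresses and thresholds are
assumptions made for this illustration, not data from any real incident.
"""
from collections import Counter
from dataclasses import dataclass
import random
import re

# Assumed log line shape: "<seconds> <src-ip> -> <dst> SYN"
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\S+) SYN$"
)


@dataclass
class Verdict:
    total: int                    # connection requests seen
    distinct_sources: int         # unique origin addresses
    rate_per_s: float             # requests per second over the sample
    top_source_share: float       # fraction of requests from the busiest source
    per_source_filter_fires: bool # would a per-address limit have tripped?
    aggregate_alert: bool         # is the overall request rate abnormal?
    spoofing_suspected: bool      # high rate, no dominant source: rotated origins


def parse(lines):
    """Return (timestamp, src, dst) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((float(m["ts"]), m["src"], m["dst"]))
    return events


def analyse(lines, per_source_limit=50, aggregate_limit=500, spread_threshold=0.5):
    """Classify a burst of connection requests.

    per_source_limit: max requests one address may send in the sample before a
                      naive per-source filter blocks it (assumed threshold).
    aggregate_limit:  requests/second above which the target is under load.
    spread_threshold: distinct-source ratio above which no source dominates.
    """
    events = parse(lines)
    if not events:
        return Verdict(0, 0, 0.0, 0.0, False, False, False)
    total = len(events)
    per_source = Counter(src for _, src, _ in events)
    timestamps = [ts for ts, _, _ in events]
    span = max(max(timestamps) - min(timestamps), 1.0)  # never divide by < 1s
    rate = total / span
    top_share = per_source.most_common(1)[0][1] / total
    per_source_fires = max(per_source.values()) > per_source_limit
    aggregate = rate >= aggregate_limit
    spread = len(per_source) / total
    # The signature of rotated (spoofed) origins: the target is clearly being
    # flooded, yet no individual address ever exceeds the per-source limit.
    spoofed = aggregate and not per_source_fires and spread >= spread_threshold
    return Verdict(total, len(per_source), rate, top_share,
                   per_source_fires, aggregate, spoofed)


# --- constructed sample traffic -------------------------------------------

def single_source_burst(n=600):
    """One compromised host hammering the target without hiding its address."""
    return [f"{i / n:.4f} 10.0.0.7 -> cnn.example:80 SYN" for i in range(n)]


def spoofed_burst(n=600, seed=1):
    """Same request rate, but the origin address is rotated on every request."""
    rng = random.Random(seed)
    lines = []
    for i in range(n):
        src = ".".join(str(x) for x in (rng.randrange(1, 224), rng.randrange(256),
                                        rng.randrange(256), rng.randrange(1, 255)))
        lines.append(f"{i / n:.4f} {src} -> cnn.example:80 SYN")
    return lines


def benign_traffic():
    """A handful of ordinary visitors over ten seconds."""
    hosts = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"]
    return [f"{i * 0.5:.4f} {hosts[i % 5]} -> cnn.example:80 SYN" for i in range(20)]


if __name__ == "__main__":
    for name, sample in (("single source", single_source_burst()),
                         ("spoofed", spoofed_burst()),
                         ("benign", benign_traffic())):
        print(name, analyse(sample))
```

The single-source burst is stopped by the per-source limit alone; the spoofed burst passes that filter untouched and only the aggregate rate, together with the near one-to-one ratio of distinct addresses to requests, reveals it. That is why the article's "spoofing" defeats address-based filtering on the target and why useful detection has to look at the traffic as a whole.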
Schmidt said the intruder was "sloppy" in his work and failed to destroy all the logs monitoring activity on the server.
"There wasn't a great effort to hide their presence," Schmidt said. "I don't think this behavior was atypical" of an untrained hacker.
The intruder entered the UCSB computer through a known vulnerability in an installed network service.
These vulnerabilities are frequently announced through Carnegie Mellon University's CERT group, National Infrastructure Protection Center and other network security forums.
To plug the holes, administrators simply need to install patches or workarounds. However, with so many individual machines on the Internet and other demands competing for the time of a network guru, many computers are left unsecured.
As CNN has reported, the programs needed to make a denial of service attack are simple to find on several Web sites. They are ready-made programs that are easy for almost anyone to use.
Sources tell CNN some of the attacks on other popular Web sites apparently also came through West Coast universities, making it clear they are especially vulnerable.
"It's particularly difficult at universities, where there are a very large number of computers being used in research and in creative ways," said Robert Sugar, professor of physics and chair of the Information Technology Board at UCSB.
In a sign of the seriousness of the cyber-threat, President Clinton will meet with Internet executives at the White House on Tuesday to discuss recent hacker attacks, White House spokesman Joe Lockhart said Friday.
Interactive Technology Editor D. Ian Hopper and Justice Correspondent Pierre Thomas contributed to this report.
© 2001 Cable News Network. All Rights Reserved.