Over 900 pedophiles were infected with a Sub7 Defcon version, and the victims infected were used in DDoS attacks against different hosts. The victims were infected with files such as Sexxxymovie.mpeg.exe. When the file is executed on a Windows platform, it installs itself as a randomly named file and alerts its author using the irc.icq.com Internet Relay Chat network. The software listens for requests on port 16959, a deviation from previous versions of the Trojan. From a log I got, which I will not post because I'm too lazy to edit all the hosts and IPs out ... it shows the bots attacking many websites and other such things like DALnet servers.

They talk about the owner testing different DoS methods from the bots, such as a powerful UDP flooder called Shiver (which old-head packet monkeys will remember from way back) and things like IGMP attacks.

Also, there were logs of ISP hubs being attacked from many semi-popular ISPs like CompuServe, MindSpring, and many others...

Another funny thing is that the popular Snort actually added rule sets against this acidphreak DDoS:

alert tcp any 16959 -> any any (msg:"BACKDOOR-SIGNATURE - SubSeven DEFCON8 2.1 Backdoor Access!"; content: "PWD"; content:"acidphreak"; nocase;)

I have an interview with "acidphreak". If any of you would like me to post it, just ask.

Here's some light reading ....
www.xforce.iss.net/alerts/advise65.php
http://www.nwfusion.com/newsletters/.../1016bug1.html
archives.neohapsis.com/archives/iss/2000-q4/0041.html
www.new-trends.co.uk/advisories/iss00-0810.htm
http://www.pheonix.za.net/shared/hog.../rules0727.txt
www.tla.ch/TLA/NEWS/2000sec/20001010DEFcon.htm
www.informationweek.com/story/IWK20001010S0007
(not very light, eh?)



_NetSyN_
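
Added example, not part of the original post and not Snort's own code: a minimal Python evaluator for the rule quoted above, showing that it fires only on TCP segments whose source port is 16959 and whose payload contains both strings. It assumes the Snort convention that `nocase` modifies only the `content` option before it; the sample segments and the client port 1045 are constructed, not captured traffic.

```python
# Added example: evaluate the post's Snort rule against constructed segments.
RULE = ('alert tcp any 16959 -> any any (msg:"BACKDOOR-SIGNATURE - SubSeven '
        'DEFCON8 2.1 Backdoor Access!"; content: "PWD"; content:"acidphreak"; nocase;)')

def parse_rule(rule):
    """Split a simple Snort rule into header fields and ordered content matchers."""
    header, options = rule.split("(", 1)
    _action, proto, _src, sport, _arrow, _dst, dport = header.split()
    contents = []
    for opt in options.rstrip().rstrip(")").split(";"):
        key, _, val = opt.strip().partition(":")
        if key.strip() == "content":
            contents.append({"pattern": val.strip().strip('"').encode(), "nocase": False})
        elif key.strip() == "nocase" and contents:
            # Assumption: nocase modifies only the content option before it.
            contents[-1]["nocase"] = True
    return {"proto": proto, "sport": sport, "dport": dport, "contents": contents}

def port_ok(spec, port):
    return spec == "any" or int(spec) == port

def matches(rule, seg):
    """True when a TCP segment satisfies the header and every content option."""
    if seg["proto"] != rule["proto"]:
        return False
    if not (port_ok(rule["sport"], seg["sport"]) and port_ok(rule["dport"], seg["dport"])):
        return False
    for c in rule["contents"]:
        hay, pat = seg["payload"], c["pattern"]
        if c["nocase"]:
            hay, pat = hay.lower(), pat.lower()
        if pat not in hay:
            return False
    return True

# Constructed payloads for illustration; not captures of the real protocol.
SEGMENTS = [
    {"proto": "tcp", "sport": 16959, "dport": 1045, "payload": b"PWDAcidPhreak"},
    {"proto": "tcp", "sport": 16959, "dport": 1045, "payload": b"pwdacidphreak"},
    {"proto": "tcp", "sport": 1045, "dport": 16959, "payload": b"PWDacidphreak"},
    {"proto": "tcp", "sport": 16959, "dport": 1045, "payload": b"PWD"},
]

def alerts(rule_text, segments):
    """Return indexes of segments that would raise the alert."""
    rule = parse_rule(rule_text)
    return [i for i, seg in enumerate(segments) if matches(rule, seg)]

if __name__ == "__main__":
    print(alerts(RULE, SEGMENTS))
```

Only the first segment alerts: the second fails the case-sensitive "PWD" match, the third travels toward port 16959 rather than from it, and the fourth lacks the second string.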