Friday, January 21, 2005

Backdoors to BotNets

Ever sat down and just thought about the history of computer intrusions? How about just a small part of it? Well, I did...and wanted to share some thoughts...

How long ago was it that Back Orifice was released? Amusing name, eh? Got to give those cDc
guys some credit for their sense of humor. I suppose that at first no one really thought that opening and closing someone's CDRom tray was a big deal...until the helpdesk at various companies started getting calls and couldn't figure out what was causing it, or how to remove it.
Then came the updated version, BO2K and the plugins. Again we see the sense of humor of the guys creating this stuff (in how they named their plugins), but yet again, I don't think that the real issues were taken seriously. While opening and closing someone's CDRom tray, or sending goofy 'net send' messages to the user was annoying, it wasn't viewed as a real threat. Okay, so some helpdesk hours are sucked up, just assign the ticket to the new guy. But it seemed as if no one was really looking at the big issue, which was that external, unauthorized software had been installed and was running on a (corporate) system. While the outwardly visible effect was that someone was annoying the user, what was going on "under the hood"? Was there a sniffer or a keylogger (or both) installed?

Many times, when faced with an incident, I'll ask the above question, and get an emphatic response. However, asking for proof is usually met with indignation. How do you know? Did you find a log file? Did you find an unusual process? If so, what made it "unusual"?

The idea behind backdoors is that the attacker gets one on a system, and then connects to it from a remote location. In some cases, as with the SubSeven backdoor, the remote attacker usually ended up with a greater level of control of the system than the person sitting at the keyboard. However, this could be easily blocked by enabling filtering on your perimeter routers and firewalls...allow only the traffic you specify, and then allow that traffic to go to specific machines or groups of machines that you designate. So...someone inadvertantly gets a copy of SubSeven on their corporate workstation, and it's unlikely that someone from the Internet is going to connect to it.

So, moving on...

Desktop security is something of an arms race. Take a look at tanks (if anyone thinks for an instant that this is a blatant shout out to Lance Spitzner...you're right). Tanks had armor to protect them from bullets and grenades. So the TOW missile was produced. To offset the effects of the TOW, reactive armor was added to the tanks. And on and on. Someone designs a weapon, and someone else designs a countermeasure. Then the original designer designs a counter-countermeasure, then...well, I think you get the idea.

So, you're probably wondering how this applies to computer and network security. Well, once folks finally started to catch on and block inbound traffic from the Internet with their perimeter devices (routers, firewalls), it became clear that another means of gaining access and control of systems was necessary. Some attackers began targetting the servers they could reach, such as web servers. These attackers assumed that the systems were misconfigured in some way, and in a great many cases, they were right. Others started attacking users with a different kind of threat...one that would "phone home", rather than sit there and wait for a connection. One popular implementation of this was the IRCBotNet. Basically, an IRC client is dropped onto the system, which then makes an outbound connection to an IRC server. Once connected and logged into the specific channel used by the attacker, the attacker could easily control all systems connected to the IRC channel by sending a single command to the channel itself. For example, if someone wanted to conduct a massive denial of service attack against a target, they'd issue the command "ping server.example.com" to the channel, and all of the systems connected to the channel (in some cases, there have literally been thousands of infected systems, or 'zombies', connected) will start pinging the system, and the overwhelming traffic would result in a denial of service attack. However, not a single packet sent against the target would ever have been issued from the attacker's own system.

The crux of the issue is that now, the malware on the infected system reaches out from behind the firewall, and most places allow all traffic to leave their infrastructure, completely unrestricted.Know anyone who does egress filtering? I know of some that block only specific ports. Very few block all outbound traffic except that which is specifically allowed to leave the network. Knowing this, the attackers configure their IRCbots to use different ports, allowing them to bypass thosefirewalls that block specific traffic/ports only.

How do these bots get on systems in the first place? One way is through email. Another is to take advantage of flaws in the IE browser and get a downloader on the system, which then downloads the bot.

Remember the russiantopz bot? This bot was one of many that was able to sneak in past anti-virus applications, as it consisted of two legitimate applications, one being the mIRC32.exe IRC client. (Note: In the case of the russiantopz bot, this baddie was dumped on an IIS system using the directory transversal exploit.) The bot was dropped onto the system using the TFTP client residing on the system, and then launched. Artbitrary/unauthorized software was copied to the system and successfully executed. The necessary patch was provided long before the system was compromised, but following some of the online configuration guides (as well as common sense), the system would not have been vulnerable, even if it hadn't been patched.

Now, take a look at this recent post to the SecurityFocus Incidents list about a bot being dropped on a system via SQL Injection. Notice here that the same thing had happened, to the same site, just two weeks earlier. Ouch! In both cases, the attack seems to have been successful.

I think at one point, President Bush tried to say "fool me once, shame on you...fool me twice, shame on me" (see #5 on the list). 'Nuff said.

The point of all this is to demonstrate the growth and modification of attack techniques over time.When one door is closed, the attacker will try another. It's an arms race. However, the necessary protective measures that need to be used by the good guys have been around for a long time...defense in depth, the Principle of Least Privilege, minimalization, and good ol' common sense. However, too many times, these measures aren't implemented, and the bad guys are right there to take advantage of it.

I won't go into too much detail, but the use of botnets has created a new economy for online crime particularly in extortion ("pay up or I'll crash your site"). Some folks are even renting botnets out to be used for spam, DDoS attacks, etc.

Thoughts?

No comments: