The Present: Blended Threats


Just as computers have become more complex and efficient with new productivity features, so have security threats become complex and efficient. Just about any feature you have come to love over time can be exploited and used against you or others if it is not appropriately implemented and correctly secured. To help illustrate this concept, you need look no further than your favorite e-mail program. If someone releases an exploit that compromises a system running a vulnerable e-mail application, the exploit may send unauthorized e-mails containing a virus to everyone in the local address book. These e-mails appear to come from the local user's address; therefore, they have a much better chance of compromising the receiver's machine because the receiver believes the e-mail was sent by a trusted source, such as a colleague, friend, or family member.

Blended threats combine propagation mechanisms, exploits, persistence, and damaging payloads. In the past, each of these pieces would need to be manually executed in the proper sequence to fully "own" a system. Today, these pieces are bundled together to automatically execute at the appropriate time. The fact that they are bundled together into simple-to-launch executables makes anyone with a computer a potential script kiddie. Script kiddies are individuals who are incapable of developing malicious code but instead use the available tools to attack systems. Although not necessarily the most dangerous individuals, script kiddies are by far the most common and pose a very large threat simply due to the number of attacks they can generate with little or no knowledge of what they are doing. In most cases, they are not attempting to gain access to a specific system but rather are seeking to gain access to any system.

Blended threats can be very damaging in a very short period of time. The next sections look at some of the features of a blended threat that make this automated system so damaging.

Delivery and Propagation Mechanisms

For a blended threat to compromise many machines in a short period of time, it needs to be transmitted from machine to machine very quickly. Today, the most likely way for such a tool to propagate is over IP using some specific TCP or UDP (Layer 4) communication. Many different protocol paths between hosts have been used in recent years, but the most common methods of automatic threat propagation continue to be e-mail, the Microsoft Windows Distributed Component Object Model (DCOM) and Remote Procedure Call (RPC) communication protocols, and automatically downloaded content received from web pages over HTTP or HTTPS while surfing the Internet.

Another important piece of the typical blended threat is the built-in scanning mechanism. Via scanning mechanisms, such as port scans and ping sweeps, the blended threat attempts to locate other vulnerable systems from the vantage point of the already compromised machine. Regardless of the way a compromised host searches for targets, after they are located the blended threat moves on to the second phase of its attack: exploitation.
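The scanning phase described above has a visible network signature: a compromised host suddenly reaches many distinct addresses on a single port (or with ICMP, for a ping sweep) in a short window. The following is an added example, not code from the book, that applies that fan-out check to constructed flow records; the window and threshold values are assumptions to be tuned per network.

```python
"""Flag hosts whose traffic looks like a blended threat's scanning phase.
Added example, not from the book; the flow records below are constructed."""
from collections import defaultdict

def scanning_sources(flows, window=10, threshold=5):
    """Return {(src, proto, dst_port): peak_distinct_destinations} for sources that
    reached more than `threshold` distinct hosts on one port within `window`
    seconds. A worm sweeping for victims fans out to many hosts on the port it
    exploits; a mail client or browser reaches few hosts per port in that time."""
    per_key = defaultdict(list)
    for ts, src, dst, proto, port in flows:
        per_key[(src, proto, port)].append((ts, dst))
    hits = {}
    for key, events in per_key.items():
        events.sort()
        in_window, start, peak = defaultdict(int), 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[start][0] > window:  # drop events older than the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            hits[key] = peak
    return hits

# Constructed flows: (timestamp_s, src, dst, proto, dst_port).
FLOWS = []
# Benign client: 6 HTTPS servers, but spread over a minute.
FLOWS += [(t, "10.0.0.5", "10.0.0.%d" % (10 + t), "tcp", 443) for t in range(0, 60, 10)]
# Compromised host probing 8 neighbours on one port in 8 s (UDP/1434 is the port Slammer used).
FLOWS += [(2 + i, "10.0.0.7", "10.0.1.%d" % i, "udp", 1434) for i in range(8)]
# Ping sweep: 6 hosts in the same second; these flow records carry ICMP as port 0.
FLOWS += [(3, "10.0.0.8", "10.0.2.%d" % i, "icmp", 0) for i in range(6)]

if __name__ == "__main__":
    for (src, proto, port), peak in scanning_sources(FLOWS).items():
        print(f"{src} reached {peak} hosts on {proto}/{port} within 10 s")
```

The benign client touches as many hosts as the ping sweep but over a longer period, which is why the window, not just the count, is what separates the two.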

The Bundled Exploit

A propagating blended threat needs to locate vulnerable systems to compromise. A vulnerability is a security hole in a system's code or configuration that can be compromised via an exploit. This vulnerability can be just about anywhere software is running, such as part of an operating system, a script on an application server, a protocol stack, or an end user's application.

An exploit is the method, software, script, shell code, and so on that is used to compromise a system vulnerability to gain unauthorized control of or access to the system's resources. Some exploits may automatically compromise an endpoint through a known or unknown vulnerability (you learn more about unknown or day-zero attacks in Chapter 2, "Introducing the Cisco Security Agent"), such as a buffer overflow with injected shell code. Other methods may require a user to open and execute the infected file to be successful in gaining access or rights to a system. Who would do such a thing? Unfortunately, many people, with myriad motivations. Hackers, those who write exploit code, have become very creative over time and have employed many and varied ways of tricking computer users into executing their malicious code. An example of this is to send an e-mail to an individual with an attachment that appears to be a website, such as www.company.com, but is actually a COM file that causes undesirable effects when executed by the host operating system. In any case, after the exploit has gained unauthorized and unapproved access and rights, the blended threat can then repropagate to other systems and may also attempt persistence on the endpoint.

Persistence

After the hacker has penetrated the system and the hacker's tool has moved on to attempting to locate other systems from its new vantage point, the typical blended threat attempts to become persistent on the endpoint such that any basic attempt to clean or stop the virus or worm will only be temporarily successful. Often either the next reboot or some other restart mechanism allows the virus to maintain its nefarious hold on the infected system. There are many ways for a program to auto-start itself. Among others, these methods include the following:

  • Inserting into the Windows system registry Run or RunOnce keys

  • Inserting into the Windows Startup group

  • Inserting into startup scripts or initialization files of Windows or UNIX systems

  • Registering itself as a Windows service

  • Replacing or editing a file or service that already has access to the system using common Trojan methods

  • Creating or modifying a cron job on a UNIX system

These are only a few of the many creative persistence methods available. To ensure survival, complex blended threats employ as many of the previous methods as possible. Remember: The goal of any virus, worm, or blended threat is typically to compromise as many systems as possible as quickly as possible; therefore, guaranteeing that the malicious code will restart after being terminated or rebooted is a great way to continue its mission. When the blended threat has propagated and become persistent, it can deliver the final blow to the endpoint that has become its temporary home: paralyzing or destructive behavior.
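Because the persistence methods above all leave an entry in a well-known location (a Run or RunOnce value, a crontab line, and so on), a defender can baseline those locations on a clean build and diff them later. The following is an added example, not code from the book: it parses a constructed .reg export of the Run/RunOnce keys and a constructed crontab, and reports any auto-start entry the baseline does not account for, including a known name whose command has been swapped (the Trojan-replacement case).

```python
"""Audit Windows Run/RunOnce keys and a UNIX crontab against a known-good baseline.
Added example, not from the book; the .reg export and crontab below are constructed."""
import re

REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
AUTOSTART_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")

def parse_reg_export(text):
    """Yield (key, value_name, command) for every value under a Run/RunOnce key."""
    key = None
    for line in text.splitlines():
        m = REG_KEY.match(line)
        if m:
            key = m.group(1)
        elif key and key.endswith(AUTOSTART_KEYS):
            m = REG_VALUE.match(line)
            if m:  # undo .reg escaping of quotes and backslashes
                yield key, m.group(1), m.group(2).replace('\\"', '"').replace("\\\\", "\\")

def parse_crontab(text):
    """Yield ("crontab", schedule, command) for each active (non-comment) line."""
    for line in text.splitlines():
        fields = line.strip().split(None, 5)
        if len(fields) == 6 and not fields[0].startswith("#"):
            yield "crontab", " ".join(fields[:5]), fields[5]

def unexpected_autostarts(entries, baseline):
    """Entries whose (location, name) is unknown, or whose command differs from baseline."""
    return [e for e in entries if baseline.get((e[0], e[1])) != e[2]]

HKLM_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BASELINE = {  # what the gold image is expected to auto-start (constructed)
    (HKLM_RUN, "VendorTray"): r"C:\Program Files\Vendor\tray.exe",
    ("crontab", "0 3 * * *"): "/usr/local/bin/backup.sh",
}
REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"Updater"="C:\\Users\\Public\\svchost.exe /silent"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\Windows\\Temp\\a.vbs"
"""
CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/.x/update >/dev/null 2>&1
"""

def audit():
    entries = list(parse_reg_export(REG_EXPORT)) + list(parse_crontab(CRONTAB))
    return unexpected_autostarts(entries, BASELINE)
```

Startup folders and services can be fed into the same comparison by adding a parser that yields the same (location, name, command) triples.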

Paralyzing or Destructive Behavior

After the blended threat has used the compromised system for all it can, it attempts to destroy the end system or at the very least make it unusable. Many security professionals refer to this action as the damaging payload. Some methods to paralyze or destroy an end system are as follows:

  • Delete or modify the NTLDR file or other important system files in specific Microsoft operating systems

  • Remove or modify portions of the Windows registry

  • Delete or modify device files or drivers

  • Create runaway processes to render the local system unusable

  • Randomly write to the local file system to fill up the usable storage or corrupt files

  • Format or otherwise destructively alter the storage systems

Many of today's blended threats have not been truly destructive, but many have paralyzed endpoints. A major concern in the security industry is what will happen when destructive rather than nuisance types of threats become the norm.

The Global Implications

At this point, you see the potential for severe and far-reaching destruction due to these automated attack tools. For example, consider the Slammer worm. Slammer attacked the Microsoft SQL database server engine and gained database administrator privileges before propagating to other systems. Because of its architecture and targets, the Slammer worm propagated extremely rapidly, reaching worldwide in less than half an hour and infecting hundreds of thousands of hosts, many thousands of them representing critical systems for the businesses and governments involved.

Imagine if instead of merely propagating rapidly Slammer had also either deleted database records or files or, even worse, made subtle alterations to the database data administered by the infected SQL management process. Such an attack would have caused untold worldwide destruction and economic chaos and made mitigation of Slammer infections more expensive by an order of magnitude.

What is truly alarming is that there was no way to predict the Slammer attack or prepare for it in a general sense. Available patches and firewall best practices would have limited its spread, but there is no guarantee that today's fix will stop tomorrow's issue. None of the normal security methods used to mitigate attacks takes the behavior of the attacked system into account. As a result, the security community is always chasing the attackers and repairing infected systems rather than stopping them before the attack.

Spyware

Beyond the typical virus and worm, other threats impact many personal home computers and enterprise networks. One of these major threats today is spyware. Spyware is an application that runs on a system and performs undesirable reconnaissance that the system owner is unaware of. In most cases, spyware is loaded much like a Trojan horse: it is commonly hidden in another application that the user intended to install. An example is a program that is installed along with the latest freeware game the user downloaded. Unknown to the user, the game not only installed itself but also installed another application that monitors the user's keystrokes watching for usernames and passwords, logs every website visited, can turn on the microphone and webcam attached to the system, and can open the locally installed e-mail application to steal the local address book. All of this information can be transmitted back to a collection point, which the spyware creator harvests from time to time, gathering information about everyone who has installed the freeware game.

Cases of similar spyware that automatically installs as a result of a vulnerability in the handling of the common JPEG files used on websites have also occurred. Just viewing a page with an exploited image can cause your system to unwillingly participate in the spyware creator's data-collection system. As you can see, an action as simple as installing a program that was "desired" can cause many "undesired" results, including identity theft or loss of intellectual property.



Cisco Security Agent
ISBN: 1587052059
Year: 2005
Pages: 145
Authors: Chad Sullivan
