Future Vulnerabilities and Techniques

In this section we introduce future issues, future vulnerabilities, and techniques that aren't common today but that we should consider and start preparing for now. Some of these, and some of the recommendations, overlap with recommendations made elsewhere, and aspects of this information are also discussed in Chapter 17, since most of these are bot and botnet related (bots are now one of the most popular delivery agents for exploits). The ones discussed here are:

  • Hybrid Attacks: Malware that attacks multiple vulnerabilities, not just zero-day exploits, and includes password crackers with brute-force mechanisms.

  • Bandwidth Testers and Packet Capture: Malware that captures traffic and tests your network to discover information before attacking other systems, in order to determine the value of the resources it may have uncovered.

  • Port Scanners and Key Loggers: Malware with advanced data-gathering capabilities, including port scanning and key logging.

  • Encryption: Malware's use of encryption while communicating with other bots/Trojans on the local network and, in general, when communicating outside your network, for example with its command and control host. Many of the newest Trojans and worms contain exploit code for multiple exploits that they use once inside your network to attack other hosts, so encrypting the command and control communication helps it get past any IDS sensors that have rules to detect the original shellcode signatures. Once in the network, the malware can decrypt the code it needs before using it.

  • Agentware: Malware that isn't designed for a specific purpose but contains hundreds of target packages and controllable commands to perform a multitude of malicious activities when instructed to do so through some form of command and control mechanism.

  • Advanced Detection Avoidance Techniques: Using port knocking, packet capture, or nonbinding sockets to avoid detection, along with polymorphic agent code.

Hybrid Attacks

Hybrid malware are agents that attack multiple services, using multiple exploits all at once. Some of the more sophisticated worms that have come out in the past year show evidence of containing all of the known attacks, or at least the common ones. This isn't really new, but the number of "canned" exploits packed into one piece of malware has increased dramatically, to dozens or more. These are not limited to the more common exploits, such as vulnerabilities in SQL Server (UDP/1434), Microsoft RPC (135), and DCOM services (TCP/445); they also carry other packages, some of which break passwords. The attacks themselves are becoming more coordinated as well: in some cases they are not executed by just one piece of malware but by multiple bots, each with a different role. This is discussed more later in this section.

Bandwidth Testers and Packet Capture

Some malware now has the capability to test your bandwidth to see what quality of Internet connectivity you have. There are so many bots and botnets out there that the botherders are getting picky about which ones they bother with and which ones they use for which purpose. Some might be used for spam, some for capturing bank accounts and online/web site passwords, others for DoS attacks, and others just for breaking further into systems and digging in, or for establishing a beachhead that provides a command and control uplink for adjacent systems infected with malware from the same author.

Another common technique is to use packet capture to be stealthier and to discover information without always needing to generate traffic on the network. Nonmalware programs that use passive packet capture, such as the popular program p0f, demonstrate how much information can be gathered about systems on a network without generating any traffic.

Port Scanners and Key Loggers

Bots that contain port scanning functionality (similar to that of the popular NMAP program) are becoming more popular and will be commonplace in the future. With a port scanner and a series of nonintrusive packet capture techniques, these bots are able to map out the network and the services running on each system in great detail before choosing other targets to attack. The use of key loggers, software that captures keystrokes as they are typed at a user's keyboard (usually to pick up authentication credentials), is starting to appear in what was formerly reserved for more targeted or focused attacks, meaning there was someone behind the keyboard typing in commands and trying to break in. The use of key loggers in these bots and other agent software will likely become customary in the near future.

Encryption

Encryption within bot code has always been around, but it was customarily used only to obfuscate lists of target IP addresses or e-mail addresses to be spammed. The use of encryption to hide the exploit code (shellcode) is becoming increasingly popular. This allows the malware to avoid detection in some cases by anti-virus software, intrusion detection systems, and application-level firewalls. The use of encryption in the actual traffic the bots generate will become customary in the future. Right now, many bots use IRC or an IRC-like protocol to carry command and control transactions or report status information. They often use common protocols such as HTTP and FTP to download new packages or new code, but in many cases this traffic isn't encrypted. SSL/TLS encryption will become customary in order to protect payloads that the miscreants don't want captured and deciphered. The use of encryption will make it much harder to trace the activity of the malicious software and its developers.

Agentware

For a long time, well-known authors such as William Gibson in his epic Neuromancer, written over 30 years ago, Neal Stephenson in his popular Snow Crash, and others have predicted the point in time when agent software programs will do our bidding inside the universal computer network, sometimes called The Grid, or Cyberspace. Well, that time has finally come, for better or worse. Bots, botnets, spyware, and the various devious tasks all of this malware performs now represent the agentware that was predicted. There will likely be good agents too, ones that hopefully seek out and destroy the bad agents (the bots, spyware, and Trojans). In the meantime, the bad agents are still getting more sophisticated, including dividing up their devious tasks. They often have what we call a beachhead system, a master agent inside an organization's border that coordinates the attack or the collection of information from other agents inside the network. The idea is to be more efficient and to avoid detection. The level of coordination, sophistication, and intelligence is increasing seemingly without bounds.

Advanced Detection Avoidance Techniques

Advanced detection avoidance techniques are normally based on the idea that, from the perspective of an attacker, you want to do everything you can to stay "within the mean" with regard to network utilization and to avoid strange protocols wherever possible; this reduces the chance of being detected by some form of IDS/IPS. Bandwidth or scanning throttling, as we like to call it, is becoming popular. If the bots generate too much traffic, by a factor of, let's say, ten times as much as anyone else on the network, they become the focus of the security professionals inside a company and are investigated and cleaned off too quickly. The bots today may send only a few very small packets every ten minutes, or it might be every ten days or more. Scanning activity has become more random, or at least appears more random. Instead of sequentially scanning netblocks, they will jump around in an order more like 1.0.0.1, 2.0.0.2, 3.0.0.3, and so on, then come back to 1.0.0.2.

Many malicious software developers have also adopted a technique called port knocking to send traffic to hosts that don't have (other malicious) programs bound to (listening on) a socket. This lets them avoid detection, since no process shows up bound to a socket and nothing appears during a vulnerability assessment with a port scanner. Sending a sequence of different packets to different ports (in a specific order) wakes up a bot or agent, after which they can communicate using whatever ports they want, in many cases over UDP so that single packets can be sent instead of setting up TCP connections, which are more easily tracked. Enabling this kind of stealth communication mechanism is quite simple: an attacker/developer merely needs to use a packet capture library such as libpcap or winpcap to read packets entering a network interface. When it sees the packet headers destined for the right sequence of ports, it wakes up. This is accomplished without placing the interface in promiscuous mode and without opening (binding to) a specific port.
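To make the two evasion patterns above (throttled, non-sequential scanning and port knocking) concrete from the defender's side, here is an added example of detection logic run over a constructed connection log; it is not code from the book. It assumes a simple whitespace-separated record format and the thresholds shown, both of which are assumptions to tune for a real network. `slow_scanners` counts distinct destination hosts per source over a long sliding window, so a bot that touches one new host every two hours is still caught, and `knock_candidates` looks for short runs of unanswered probes against distinct ports on one host, which is what a knock sequence looks like on the wire even though no process is bound.

```python
"""Added example (not from the book): spotting throttled scanning and
port-knock style probes in a constructed connection log.

Assumed log format, one record per line (constructed for this example):
    <epoch seconds> <src ip> <dst ip> <dst port> <proto> <result>
where result is 'open' (answered), 'closed' (RST/unreachable) or 'noreply'.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 touches one new host every two hours (a low
# rate that stays "within the mean"), 10.0.0.9 sends a three-port knock to
# 10.0.0.20 and then opens a UDP channel, 10.0.0.7 is ordinary web traffic.
SAMPLE_LOG = """\
0 10.0.0.7 10.0.0.20 80 tcp open
3600 10.0.0.7 10.0.0.20 80 tcp open
7200 10.0.0.5 10.0.0.21 445 tcp closed
14400 10.0.0.5 10.0.0.22 445 tcp closed
21600 10.0.0.5 10.0.0.23 445 tcp open
28800 10.0.0.5 10.0.0.24 445 tcp closed
36000 10.0.0.5 10.0.0.25 445 tcp closed
43200 10.0.0.5 10.0.0.26 445 tcp closed
50000 10.0.0.9 10.0.0.20 7000 tcp closed
50001 10.0.0.9 10.0.0.20 8000 udp noreply
50002 10.0.0.9 10.0.0.20 9000 tcp closed
50120 10.0.0.9 10.0.0.20 40000 udp open
"""

UNANSWERED = {"closed", "noreply"}


def parse_log(text):
    """Turn the whitespace-separated records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, result = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto, "result": result})
    return records


def slow_scanners(records, window=86400, min_hosts=5):
    """Sources that reach at least min_hosts distinct hosts inside any sliding
    window of `window` seconds, however slowly they do it.
    Returns {src: most distinct hosts seen in one window}."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda r: r["ts"])
        best = 0
        for i, anchor in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - anchor["ts"] <= window}
            best = max(best, len(hosts))
        if best >= min_hosts:
            flagged[src] = best
    return flagged


def knock_candidates(records, window=10, min_ports=3):
    """Runs of unanswered probes from one source to one host that hit at least
    min_ports distinct ports with gaps of at most `window` seconds.
    Returns [(src, dst, [ports in order]), ...]."""
    pairs = defaultdict(list)
    for r in records:
        pairs[(r["src"], r["dst"])].append(r)
    found = []
    for (src, dst), evs in pairs.items():
        evs.sort(key=lambda r: r["ts"])
        runs, run = [], []
        for e in evs:
            unanswered = e["result"] in UNANSWERED
            if unanswered and (not run or e["ts"] - run[-1]["ts"] <= window):
                run.append(e)
                continue
            runs.append(run)  # an answered probe or a long gap ends the run
            run = [e] if unanswered else []
        runs.append(run)
        for run in runs:
            ports = [e["dport"] for e in run]
            if len(set(ports)) >= min_ports:
                found.append((src, dst, ports))
    return found


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("slow scanners:", slow_scanners(recs))
    print("knock candidates:", knock_candidates(recs))
```

The scan detector deliberately ignores rate; the long window is what defeats throttling. The knock detector relies on the knocked ports being unanswered, which is exactly the property the technique depends on, so logging closed-port hits and ICMP unreachables, not just accepted connections, is what makes this check possible.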

Because few operating systems monitor or reject host egress traffic (even when a host-based firewall is turned on), traffic leaving a system's network interface is harder to detect: most systems assume that any traffic the local computer sends to someone else is legitimate as long as the local system initiated the communication. One popular exception to this general rule is ZoneAlarm by Zone Labs (a Check Point company), which has a more advanced egress-minded feature set.

Another technique is to encode or obfuscate information in the IP datagram headers themselves, especially when communicating outside the network, in order to hide the real source of the infected agents or servers, for example by using some sort of IP address offset as the source IP address and having a known algorithm for decoding the information (presumably known only to the developer of the software and his botherding program). A single UDP packet is all that is needed to leak information out of the network using this technique. Another option is to use various types of ICMP packets (such as echo responses or echo requests), which are also single packets, and encode other information in them besides what is usually expected. Because most people allow these ICMP packets to egress their network, capturing them on the other side bypasses firewalls and IDS systems, and sensitive information is disclosed.
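The ICMP variant just described can be checked for in a capture, which this added example does; it is not code from the book. Two signs are examined: an echo reply that no request on the same (id, seq) preceded, and an echo payload that is neither the stock ping filler nor low-entropy. The stock fillers assumed here are what 64-bit iputils ping and Windows ping normally send, the 4.5 bits-per-byte threshold is an assumption to tune per network, and the packets are constructed inside the block.

```python
"""Added example (not from the book): inspecting ICMP echo messages for the
covert-channel signs described above. Packets are constructed below; the
stock filler patterns and the entropy threshold are assumptions."""
import math
import struct
from collections import Counter

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
# Stock filler (assumed): iputils puts a 16-byte timestamp first, then bytes
# 0x10..0x37; Windows ping sends the alphabet pattern below.
LINUX_FILLER = bytes(range(0x10, 0x38))
WINDOWS_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"


def checksum(data):
    """RFC 1071 internet checksum (one's complement of the 16-bit word sum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    """Assemble an ICMP echo message (used here only to construct samples)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet):
    """Return (type, code, id, seq, payload); reject a bad checksum."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    return icmp_type, code, ident, seq, packet[8:]


def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) or 0.0


def is_stock_filler(payload):
    return payload == WINDOWS_FILLER or payload[16:] == LINUX_FILLER


def analyze(packets, entropy_threshold=4.5):
    """Walk echo messages in capture order and return a list of findings."""
    findings, outstanding = [], set()
    for pkt in packets:
        icmp_type, _code, ident, seq, payload = parse_echo(pkt)
        key = (ident, seq)
        if icmp_type == ICMP_ECHO_REQUEST:
            outstanding.add(key)
        elif icmp_type == ICMP_ECHO_REPLY:
            if key in outstanding:
                outstanding.discard(key)
            else:  # a reply nobody asked for: backscatter or an inbound channel
                findings.append(("unsolicited-reply", ident, seq))
        if not is_stock_filler(payload):
            h = round(entropy(payload), 2)
            kind = "high-entropy-payload" if h >= entropy_threshold else "nonstandard-payload"
            findings.append((kind, ident, seq, h))
    return findings


# Constructed samples: a normal Linux-style ping exchange, a reply that was
# never requested carrying 48 bytes of varied data, and a request full of 'A'.
SAMPLE_PACKETS = [
    build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"\x00" * 16 + LINUX_FILLER),
    build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"\x00" * 16 + LINUX_FILLER),
    build_echo(ICMP_ECHO_REPLY, 0xBEEF, 7, bytes((i * 73 + 41) % 256 for i in range(48))),
    build_echo(ICMP_ECHO_REQUEST, 0x0042, 1, b"A" * 32),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_PACKETS):
        print(finding)
```

Entropy on its own is a weak signal for such short payloads: the stock Linux filler is 40 distinct bytes and scores about 5.3 bits per byte by itself, which is why the filler check runs first and only the remainder is scored. The unsolicited-reply check needs the capture point to see both directions of the echo exchange.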

So, how do you best prepare for and try to prevent these wicked attacks? The list below describes some techniques and tips for detecting, preventing, and avoiding these attacks and new techniques:

  • Stack Protection: As mentioned previously in the chapter, an operating system that enforces MACL goes a long way toward avoiding or preventing the harmful effects of a buffer overflow in an application. The concept is that you control what each program can do on the host computer system and on the network. If a buffer overflow occurs, the access granted doesn't change just because of the rights of the program's effective user; it is still controlled by the MAC system, which can't be changed through the program itself. That said, for software whose development we control, we should avoid the potential for buffer overflows altogether by using some form of stack protection such as StackGuard, ProPolice, and so on. For more information, see Chapter 7's section on "Buffer Overflow Prevention."

  • Egress Filtering: Monitor and filter network flows not just on inbound (ingress) connections but also on which outbound (egress) connections are acceptable. Many systems don't need to be able to browse the Web, FTP files, open connections to IRC ports, or send SMTP e-mail to the Internet instead of to your mail server! Stopping them with egress packet filtering can go a long way toward reducing your exposure. For further details, see Chapter 5.

  • File Integrity: Tracking and monitoring the versions and signatures/checksums of application binaries on each system provides advance warning when a program has been changed, which may indicate an intrusion or the presence of a Trojan program.

  • Sinkhole Router: Another advanced technique is to create a sinkhole router on your network, which selectively "blackholes" communication at the egress points of your network in order to detect scanning activity inside it.

  • Darknet: Here, darknet describes a special type of sinkhole router/packet collector used to detect scanning activity and provide early warning. A darknet is essentially a routed IP address space that has no legitimate services, so any traffic that reaches the darknet is by definition interesting. A darknet system may also be used to detect backscatter, the response packets from systems being attacked by other infected systems, or miscreants using your address space inappropriately.

Note 

For in-depth discussions about sinkholes and darknets, see Chapter 10.
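As an added example of the File Integrity item above (not code from the book), this script builds a SHA-256 baseline of the files under a directory, stores it as JSON outside that directory, and reports what was added, removed or modified on a later run. The directory layout and file contents are constructed in a temporary directory and the file names are placeholders; the scenario simulates a replaced binary, a dropped tool and a deleted file.

```python
"""Added example (not from the book): a minimal file-integrity baseline.
Hashes every regular file under a root, stores the result as JSON, and
reports added, removed and modified files on the next run. The files used
by demo() are constructed in a temporary directory."""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """{relative path: {sha256, size, mode}} for every regular file under root.
    Modification times are deliberately left out: they are trivial to reset."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue  # skip sockets, device nodes and dangling symlinks
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": hash_file(full), "size": st.st_size, "mode": st.st_mode}
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline three placeholder files, then simulate a
    Trojaned binary (same size as the original), a dropped tool and a deleted
    file. Returns the comparison result."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def write(rel, data):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        write("bin/login", b"\x7fELF original login binary")
        write("bin/ls", b"\x7fELF ls binary")
        write("etc/hosts", b"127.0.0.1 localhost\n")
        baseline_path = os.path.join(store, "baseline.json")  # kept outside the scanned tree
        save_baseline(build_baseline(root), baseline_path)

        # Simulated intrusion: same-length replacement, new file, removed file.
        write("bin/login", b"\x7fELF trojaned login binary")
        write("bin/nc", b"\x7fELF dropped tool")
        os.remove(os.path.join(root, "etc", "hosts"))

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two points the scenario makes: the replaced binary keeps its original size, so a size or timestamp comparison would miss it while the hash does not, and the baseline is written outside the scanned tree. In practice the baseline must live somewhere the host cannot rewrite (read-only media or a separate system), or a Trojan that replaces a binary can also rewrite its stored checksum.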



Extreme Exploits: Advanced Defenses Against Hardcore Hacks (Hacking Exposed)
ISBN: 0072259558
Year: 2005
Pages: 120
