Attack Classes


When all the various types of possible attacks against any computer system are analyzed, four descriptive classes emerge along two axes: automated malware versus the dedicated, manual attacker, and remote versus local execution (see Figure 1-1). This section discusses the four categories and then breaks down the methodologies that each employs.

Figure 1-1

Automated Versus Dedicated Attacker

Automated malware is composed of any rogue code designed to exploit and replicate with a minimum of human intervention. The category includes worms, viruses, trojans, spyware, bots, and spam, or phishing attacks launched through any of the former types. Indeed, 99.9% of all computer attacks occur from automated malware! As simplistic as this statement seems, it appears that much of the world still doesn't get it. For reasons still unknown to me, most Windows security courses and defenses concentrate far too much time on the dedicated attacker threat, when automated malware is considerably more prevalent and dangerous. Part of me thinks it is because of the "mysterious intrigue" the evil hacker provokes. It is just human nature to be more concerned with an unpredictable and emotional warm-blooded threat than with the predictable automated attack of a coded program. Whatever the reason, too many books, classes, and people concentrate on the wrong threat.

This is not to say that classes concentrating on the very real threat of hackers are a waste of time. No, the threat of hackers is real, and the skills learned in those classes can be applied against automated malware. It's just that so many classes ignore the bigger threat of automated malware.

If this text appears overly defensive about the issue, it is because the idea of malware being the largest threat goes against conventional wisdom in many circles and has been the subject of a few heated debates among computer security experts. I've been asked many times to provide proof of my conclusions. My first response is "Go check your own firewall logs!" Any network or security administrator can tell you that their security and antivirus logs are full of daily attacks from automated threats. My web sites and honeypots receive hundreds of attempted exploits a day. Almost all are from automated malware scans. Today, the biggest threats to Windows computers are malicious e-mail attachments, Internet scanning worms, and botnets.

Today, the most popular e-mail worms exploit tens to hundreds of thousands of machines in a single day, and even those barely rate a mention in the press anymore. It takes a 10-minute infector like the SQL Slammer worm for an automated attack to become noteworthy. How many sites can a single hacker successfully exploit in a night without relying on automated malware? A handful, maybe. The sheer mechanics of automated attacks alone suggest the veracity of my claim. Once an automated malware program is released, it can exploit millions of computers in a day. It keeps on infecting and exploiting until the hole it uses is closed or the technology moves on.

The first (known) IBM PC virus, Pakistani Brain, spread around the world with no problem, although it took months in the era before the Internet. It infected only 5 1/4-inch floppy diskettes.

The Brain virus remained one of the most popular viruses until the 3.5-inch floppy diskette and hard drives became more prevalent and the original PC floppy drive disappeared.

The Wild List (www.wildlist.org) reports each month on the most popular viruses still seen "in the wild." Its November 2005 list (www.wildlist.org/WildList/200511.htm) has several viruses from the 1990s, including a few from 1994 and 1995. Once released into the wild, an automated malware program can never be recalled. If a hacker stops hacking, whether through maturity or being incarcerated, the hacking stops immediately.

Statistics

If you don't believe me and your firewall logs, let's look at some verifiable statistics. According to the FBI's respected 2004 Computer Crime and Security Survey (available at www.gocsi.com), 78 percent of reporting businesses detected a computer virus on their network, making it the number one reported computer threat. Although I'm not sure how the survey defines computer virus in the results (for example, does it include worms and Trojans?), I'm fairly confident that many cases went unreported.

The 2004 ICSA Labs Tenth Annual Computer Virus Prevalence Survey (www.cybertrust.com/intelligence/white_papers.html) has numbers even more in line with most corporate administrators' experience. The survey reports an average of 392 automated malware encounters per 1,000 computers in the typical large corporation, with an average of 116 successful infections per site per month. Has anyone you've known received 116 manual hacker attacks in a given month? Average recovery cost from a virus outbreak in 2004 was $130,000 (with an average server downtime of 23 hours). Despite the fact that nearly all (99%) the companies surveyed had antivirus measures on at least 90% of their computers (84% claimed 100% coverage), only 12% of the respondents felt that the automated malware problem was the same or better than in the past. This means 88% of the survey takers perceive the problem being worse than ever!

Several computer security reporting agencies have reported that nearly 100% of active e-mail addresses have received spam, viruses, and fraudulent e-mails. MessageLabs, a leading e-mail security service provider (www.messagelabs.com/emailthreats/intelligence/reports/monthlies/april05/default.asp#t7) reports that 69% of all e-mail is spam, and 1 in 43 contains a virus. They also report (www.messagelabs.com/emailthreats/intelligence/reports/monthlies/march05/default.asp) that over 70% of all spam (including phish e-mails) is created and sent by automated bots that have compromised the computers of innocent users.

The Anti-Phishing Workgroup (www.antiphishing.org) reports in its February 2005 report (www.antiphishing.org/APWG_Phishing_Activity_Report_Feb05.pdf) that fraudulent "phishing" e-mails have been increasing at a rate of 26% per month since July 2004, with an estimated 75 to 150 million phishing e-mails sent daily (www.antiphishing.org/APWG-FDICCommentaryLetter.doc). The average conversion rate (i.e., the percentage of users revealing personal identification information to the phisher) ranges from about 2% to 15%. Even the lower end is not minuscule when you consider the overall volume. Spyware is an even more prevalent problem.

A Dell Computers survey (www1.us.dell.com/content/topics/global.aspx/corp/pressoffice/en/2004/2004_10_15_dc_000?c=us&l=en&s=corp) revealed that 90% of all computers in the United States have spyware installed, and most users aren't aware of its presence. Another report (http://aroundcny.com/technofile/texts/tec082904.html) claims that the average PC has 50 to 70 spyware infections, but PCs with 900 or more infections are not uncommon.

Connect a computer directly to the Internet and it will begin to receive probes within minutes to hours. Before the first 24 hours have passed, it will have received dozens to hundreds of attempted exploits. You can distinguish automated attacks from manual methods by looking at the type of attacks and their timing. Automated attacks rarely port scan a particular host looking for a vulnerable port, or try to fingerprint any services they find. They immediately launch their exploit against a particular host without even trying to figure out whether the host could ever be successfully compromised by that specific exploit. A common web site malware script tries nearly 100 different attacks in five seconds. About half would only work against Microsoft's Internet Information Server (IIS); the other half would only succeed against the open-source Apache web server. The automated malware program tries all of its attacks regardless of what host it found, and it needs only one to succeed. It then e-mails the originating hacker (who is using a free and hard-to-trace e-mail account) if it is fruitful. Another common Microsoft SQL Server malware program attempts dozens to hundreds of different passwords against any SQL connection it finds, one right after another. I can tell the SQL malware program is automated because of the speed of the password guesses and the fact that it launches against any PC advertising the standard SQL ports, regardless of whether a SQL login prompt is offered.
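The timing-and-mix heuristic described above, turned into detection logic over sample web server log lines. This is an added example, not code from the book: the log lines, the IP addresses and the request paths are constructed for the example (the paths are placeholders chosen only to look IIS- or Apache-specific, not real exploit strings), and the thresholds are assumptions to tune against your own logs. A source that fires many requests in a few seconds and mixes IIS and Apache payloads against the same host is flagged as automated; a source that makes a few platform-specific requests spread over minutes is flagged as manual.

```python
"""Distinguish automated malware from a manual attacker by the type and
timing of its requests (added example; heuristics follow the chapter)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in Common Log Format (not real traffic).
# 203.0.113.7 is a shotgun scanner, 198.51.100.23 a slow hands-on probe,
# 192.0.2.9 ordinary browsing.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2005:08:00:01 +0000] "GET /scripts/probe1.dll HTTP/1.0" 404 -
203.0.113.7 - - [10/Nov/2005:08:00:01 +0000] "GET /msadc/probe1.dll HTTP/1.0" 404 -
203.0.113.7 - - [10/Nov/2005:08:00:01 +0000] "GET /cgi-bin/probe1.cgi HTTP/1.0" 404 -
203.0.113.7 - - [10/Nov/2005:08:00:02 +0000] "GET /default.asp HTTP/1.0" 404 -
203.0.113.7 - - [10/Nov/2005:08:00:02 +0000] "GET /index.php HTTP/1.0" 404 -
203.0.113.7 - - [10/Nov/2005:08:00:02 +0000] "GET /scripts/probe2.dll HTTP/1.0" 404 -
203.0.113.7 - - [10/Nov/2005:08:00:02 +0000] "GET /cgi-bin/probe2.cgi HTTP/1.0" 404 -
203.0.113.7 - - [10/Nov/2005:08:00:03 +0000] "GET /admin.php HTTP/1.0" 404 -
203.0.113.7 - - [10/Nov/2005:08:00:03 +0000] "GET /msadc/probe2.dll HTTP/1.0" 404 -
203.0.113.7 - - [10/Nov/2005:08:00:03 +0000] "GET /cgi-bin/probe3.cgi HTTP/1.0" 404 -
198.51.100.23 - - [10/Nov/2005:08:10:00 +0000] "GET / HTTP/1.1" 200 1532
198.51.100.23 - - [10/Nov/2005:08:14:10 +0000] "GET /default.asp HTTP/1.1" 200 1532
198.51.100.23 - - [10/Nov/2005:08:21:45 +0000] "GET /scripts/ HTTP/1.1" 403 -
198.51.100.23 - - [10/Nov/2005:08:27:30 +0000] "GET /msadc/ HTTP/1.1" 403 -
192.0.2.9 - - [10/Nov/2005:09:00:00 +0000] "GET / HTTP/1.1" 200 1532
192.0.2.9 - - [10/Nov/2005:09:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 68
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed path markers: which server family a request is aimed at.
IIS_MARKERS = ("/scripts/", "/msadc/", ".asp", ".dll")
APACHE_MARKERS = ("/cgi-bin/", ".php", ".cgi")


def platform_of(path):
    """Guess which web server a request path targets from its shape."""
    p = path.lower()
    if any(m in p for m in IIS_MARKERS):
        return "iis"
    if any(m in p for m in APACHE_MARKERS):
        return "apache"
    return "generic"


def parse_log(text):
    """Group (timestamp, platform) pairs by source address."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        events[m.group("ip")].append((ts, platform_of(m.group("path"))))
    return events


def classify(events, burst_seconds=5, burst_requests=10, slow_seconds=60):
    """Return {ip: 'automated' | 'manual' | 'unknown'} (thresholds assumed).

    automated: many requests within a few seconds, aimed at more than one
               server platform (no fingerprinting, shotgun style);
    manual:    requests spread over minutes, all aimed at one platform;
    unknown:   anything else, e.g. ordinary browsing."""
    verdicts = {}
    for ip, reqs in events.items():
        reqs = sorted(reqs)
        span = (reqs[-1][0] - reqs[0][0]).total_seconds()
        platforms = {p for _, p in reqs if p != "generic"}
        if (len(reqs) >= burst_requests and span <= burst_seconds
                and len(platforms) >= 2):
            verdicts[ip] = "automated"
        elif len(platforms) == 1 and span > slow_seconds:
            verdicts[ip] = "manual"
        else:
            verdicts[ip] = "unknown"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(classify(parse_log(SAMPLE_LOG)).items()):
        print(f"{ip:15} {verdict}")
```

The SQL password-guessing case in the paragraph fits the same shape: replace the web log parser with one for failed-login events and the cross-platform test with a count of distinct passwords per second, and the burst branch flags it the same way.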

Without a doubt, automated malware, not the dedicated lone hacker, is the biggest threat to computers. But in my many years of teaching Windows security, no class I've been hired to teach (outside my own) has focused on automated attack types. Most courses teach the classical hacker methodology (covered below) by teaching students how to be would-be attackers, and then teach how to defeat the hacker menace. Students love becoming ethical hackers. I love teaching them. But it really doesn't do much to make their systems more secure.

Some readers may ask if it makes a difference whether we are defending against a dedicated attacker or automated malware. Yes! First, it is very difficult to stop dedicated manual attackers. Usually, they are well trained, methodical, and patient. You would have to ensure perfect security on every computer you manage to keep them out. Hackers only need to find one hole, one unpatched machine, one gullible end user — and your network is theirs. Dedicated hackers can change their attack methodology based upon what they learn during the early course of the attack. If they start out attacking your web server or router and come across your even weaker SMTP server, they can change their attack on the fly. Automated malware can't do that. It does only what it was predefined to exploit. Small defense changes can completely defang an automated attack tool.

Simple things, like renaming the Administrator account or changing the default port number on a service, will defeat automated malware. A dedicated hacker can use anonymous enumeration (covered in the forthcoming chapters) to find a renamed Administrator account, and a hacker can easily port scan a particular host and then do connection probes to find out where you moved a particular service's listening port. Automated malware could do the same thing, but it is rarely investigative. For instance, I have one of my honeypot Microsoft SQL Servers listening on the default TCP/IP ports of 1433 and 1434. It receives nearly a hundred SQL brute-force password guessing attempts a day. Another honeypot running the same version of Microsoft SQL on a non-default port has been up for over two years with zero attacks. It has only received three probes at the redirected ports, none of which were SQL-based. So, forget the conventional wisdom: security by obscurity as a defense works, and works well against automated malware!

Anyone who says otherwise isn't fighting the right problem or practicing critical thinking. For example, if I move a service's default listening port to something other than its expected value, how could I be doing anything but strengthening security? I liken it to a house that is covered with entrance doors on all four externally facing walls. Only one is the right door that will allow entry into the house. If a thief shows up to check out the entry door (i.e., a port scan) to determine whether the door is unlocked (i.e., a vulnerability), by having multiple doors I've increased the thief's workload by a multiplication factor equal to the number of additional doors. Automated malware usually only looks for one door, and only in front where it expects to find it. A dedicated manual attacker can check all the doors until he finds the right one. Automated malware could do the same thing, but I've yet to run into the worm or virus that ever looked for a non-default service port or checked for any admin account that wasn't named Administrator or root. Chapter 2 covers more unconventional thinking.

Remote Versus Local

Another big attack distinction that is significant to attackers and defenders alike is whether the attack can be accomplished remotely or must be executed locally by the end user. Remote attacks without any end user intervention are the most devious kind. The attacker runs a manual or automated program from a remote location and takes over the user's computer. Buffer overflows are the most common example of this type of attack. Most security experts worry about remote attacks much more than local attacks because they can, if coded right, exploit every vulnerable machine the rogue code can contact very quickly. SQL Slammer worm anyone?

Fortunately, most malware requires some input from the end user in order for the exploit to occur. As Microsoft's first law of the Ten Immutable Laws of Security (www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx) states, if a bad guy can persuade you or a program on your system to run his program, it isn't your computer anymore.

The vast majority of malware requires that end users (or their computers) be tricked into executing the code locally. E-mail worms, which, according to the ICSA Survey mentioned above, make up 92% of all automated malware attacks, almost own this category. Most e-mail worms are transmitted in malicious e-mail attachments, although a smaller but growing category tricks the user into accessing the malware through a rogue Internet link. E-mail worms can also use malformed attachment formatting, embedded scripts, and other HTML auto-run vulnerabilities to accomplish their malicious deeds.

If we could get all end users to stop clicking on every file attachment or HTML link they get in e-mail, our current malware craze would be almost non-existent. But end users will always ignore the security advice you give them and there will always be at least one person on the network who will execute every file attachment no matter how often warned, so you need to keep reading this book.

Tricking the user into running the malware program can also be done by constructing a malicious web link and embedding it into an HTML e-mail. Most e-mail programs readily execute HTML content, so the malware program or commands can be auto-launched simply by a user opening an e-mail. As we will cover in Chapter 11, Protecting E-mail, the two best things you can do for e-mail users are to block malicious file attachments and disable HTML content.
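The two controls just named, block executable attachments and disable HTML content, expressed as a mail-gateway check. This is an added example, not code from the book or from Chapter 11: the blocked-extension and archive lists are an assumption (common Windows-executable and archive types), and the sample messages are constructed inline with Python's standard `email` package, so nothing here is real mail. The extension check deliberately reads the last extension, because that is the one Windows acts on in double-extension names such as `photo.jpg.exe`.

```python
"""Check incoming mail against the chapter's two e-mail controls: no
executable attachments, no HTML bodies (added example, not the book's code)."""
import email
from email import policy
from email.message import EmailMessage

# Assumed policy lists: extensions Windows runs directly when double-clicked,
# and archive types that hide the real extension of their contents.
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                      ".vbs", ".js", ".hta", ".lnk"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".cab"}


def final_extension(filename):
    """Return the extension Windows will act on: the last one, so that
    'photo.jpg.exe' (and padded names like 'photo.jpg   .exe') read as .exe."""
    name = filename.lower().strip()
    return "." + name.rsplit(".", 1)[-1].strip() if "." in name else ""


def check_message(raw_bytes):
    """Parse one raw message and return a list of policy findings.
    An empty list means the message passes both controls."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container parts carry no content of their own
        if part.get_content_type() == "text/html":
            # HTML bodies can auto-launch content; deliver the text/plain
            # alternative instead (the chapter's "disable HTML" control).
            findings.append("html part: strip or render as plain text")
        filename = part.get_filename()
        if filename:
            ext = final_extension(filename)
            if ext in BLOCKED_EXTENSIONS:
                findings.append(f"blocked attachment: {filename}")
            elif ext in ARCHIVE_EXTENSIONS:
                findings.append(f"archive needs inspection: {filename}")
    return findings


def build_sample(attachment_name=None, html=False):
    """Constructed sample message (not real mail) for exercising the check."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see the attached file.")
    if html:
        msg.add_alternative(
            "<html><body><a href='http://example.com/'>open</a></body></html>",
            subtype="html")
    if attachment_name:
        msg.add_attachment(b"constructed payload bytes",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, html in (("photo.jpg.exe", True), ("report.zip", False), (None, False)):
        print(name, html, check_message(build_sample(name, html)))
```

A gateway would act on the findings by dropping or quarantining the message for a blocked attachment and by delivering only the text/plain alternative when an HTML part is present; archives are flagged for inspection rather than blocked outright because the dangerous extension sits inside the container.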

One of my favorite examples of an embedded HTML link trick is when a malicious web link executes a program the user isn't even aware they have installed, like an instant messaging or telnet client. The link then uses the launched program to carry out further malicious instructions on the compromised system. Over the years, I've seen several malicious HTML links embedded in otherwise normal-looking e-mails that launched previously unused software to install worms and other malware programs.

Perhaps the user doesn't even use Instant Messaging (IM). No matter; the web link starts the program, downloads the malicious file, and then executes it. If the user doesn't regularly use IM, it is almost certain that the IM client hasn't been updated to the latest version and is vulnerable to the exploit. Another example, the Blaster worm, used the Trivial File Transfer Protocol (TFTP) program located on every Windows computer to download its main body. No regular users that I know have ever heard of the TFTP program, much less know that it allows anonymous file transfers to their computer. That's why I always recommend removing unused software. The software you don't use can still be used to hurt you. We will cover how to stop unauthorized software execution in Chapter 8.

In a related category, if hackers can gain physical access to your computer, they can also execute malicious code locally. This is often the case in privilege escalation attacks, password cracking attacks, and data theft cases. Local attacks can be devastating, but remember that if hackers have local access to your computer, then they can do anything. They can steal the computer. They can douse it in lighter fluid and set it on fire. Fear of local attacks is usually concerned with preventing a trusted insider from gaining higher unauthorized access and privileges.

To summarize the previous information, all computer exploits can be divided into four categories: automated or manual, remote or local. Automated malware allows fast exploitation, but cannot be as creative as a dedicated attacker. Remote exploits are the most dangerous because they don't require end user interaction to execute. Most exploits require that the end users (or their computers) be tricked into executing harmful code locally on the system. With few exceptions, automated remote exploits, such as SQL Slammer or the MS-Blaster worms, have been involved in the fastest and most widespread malware outbreaks.

Lastly, it must be recognized that many, if not most, of today's exploits are a combination of multiple categories. Often a hacker will use automated malware to find computers susceptible to the initial exploit and allow the malware to compromise the computer. The malware then is predefined to contact the hacker (e.g., via a secret IM channel), whereby the attacker can pick and choose his targets at his leisure. Today, it is rare to hear of attacks accomplished solely by a hacker manually typing commands on a keyboard one at a time against a remote host, although they do exist.



Professional Windows Desktop and Server Hardening (Programmer to Programmer)
ISBN: 0764599909
Year: 2004
Pages: 122