HW 11(12)

profileSam@98&
Chapter12.docx

Chapter 12. Conclusion

Our malware journey is now drawing to an end. Throughout this book, we've discussed many of the most common and damaging malware attacks we face today, right along with a historical perspective and numerous predictions for future malware evolution. However, information security sure isn't a static field, and the malware threat evolves continuously. Folks in the computer underground are constantly pushing the envelope, devising new tools and techniques for attacks. Similarly, in the defensive community, we continuously improve our capabilities, with refinements in processes and updates to our technologies. Sometimes, you just can't help but feel like a minnow swimming upstream against a tidal wave of new information. Keeping our knowledge up to date is essential if we want to avoid the scourge of malware. So how can you keep up with this onslaught? In this chapter, we'll turn our attention to information resources you can use to keep up as malware continues to evolve. We'll also end with a few parting thoughts, associated with the current and near future state of the information security, and malware's place in our industry.

Useful Web Sites for Keeping Up

To keep myself abreast of the latest developments, I rely on a variety of different vital Web sites featuring content from some of the most prolific information security experts on the Internet today. In this section, we'll discuss these sites, which I strongly recommend that you peruse on a frequent basis. I'm not throwing just any site on this list. These are the particular sites that I try to read on an ongoing basis. I cruise by many of these sites each and every day, just to get a feel for what's new in our industry. On the rare occasions when I go for three or four days without checking these sites, I feel a certain withdrawal, almost an alienation from our community. Perhaps I'm a security junkie, but it's been an addiction that has helped me in understanding the latest attacks and, more important, protecting my systems from the bad guys' latest moves.

For each site, I've listed the most current URL as of the time of this writing. However, in this book, you and I face a limitation of current paper technology. Once this book is printed and in your hand, I can't update the text, of course. In the future, we might be able to zap a wireless message to your book and magically change the text, but we're not there yet. Unlike the paper you are holding now, the Web itself is a relentlessly dynamic medium. Unfortunately, the owners of these Web sites do sometimes change their URLs or deploy other Web sites. Although I've chosen each site based on its usefulness and long-standing reputation for solid security information, some of these URLs will undoubtedly grow stale with time. Therefore, to help extend the usefulness of this section, I've included a list of key words for you to use in your favorite search engine to find these sites in the future. Given the high value of each of these sites, many mirrors exist and will continue to host their content, even if these URLs are altered or stop working. With the appropriate keywords, you'll still be able to find these sites and use their wisdom in understanding malware.

Packet Storm Security

Current URL: packetstormsecurity.nl and www.packetstormsecurity.org

Key Words to Search for: Packetstorm Security, last 20 tools, last 20 exploits

One of the single most valuable information security tool repositories on the

Internet available today is the venerable Packet Storm Security Web site. With new offensive and defensive tools posted on a regular basis, this Web site is a popular stop for attackers and defenders alike. Their lists of the 20 most recently released advisories, tools, exploits, and other items are invaluable. They also poll various news organizations around the Internet and list the most recent headlines associated with information security.

Packet Storm is operated by a group of independent security researchers and interested hobbyists who maintain a vast archive of software and security advisories. From a malware perspective, this Web site includes specific directories loaded with various backdoors and RootKits. In particular, if you find UNIX RootKits to be interesting, you should definitely look at the packetstormsecurity.nl/UNIX/penetration/rootkits/ directory, which includes more than 50 different varieties of user-mode and kernel-mode RootKits.

Security Focus

Current URL: www.securityfocus.com

Key Words to Search for: Security Focus, Bugtraq

The Security Focus Web site is extremely useful for keeping up with technical developments in the information security industry. With insightful articles about the latest attack and defense strategies, Security Focus will help arm you technically for battle against computer attacks. Beyond technology issues, Security Focus offers cutting-edge articles about political and public policy issues associated with computer security. For example, you can learn about how to defend against the latest kernel-manipulation tactics, and follow it up with a hard-hitting article describing the legal complexities of deploying honeypots.

Making it even more valuable, the Security Focus Web site also hosts the popular Bugtraq mailing list, possibly the most useful freely available technical information security resource on the Internet today. Attackers and defenders alike submit information-rich posts to this moderated yet highly spirited discussion of computer attacks and defenses. If you seriously want to keep up with computer attacks, you should read the Bugtraq archives at www.securityfocus.com/archive/1 . Additionally, if you want more focused discussions on a particular technical area than the general Bugtraq offers, you should check out the other mailing lists at Security Focus, such as their individual lists that focus exclusively on a single topic, including incident handling, Web applications, computer forensics, penetration testing, firewalls,

and other areas of computer security.

Global Information Assurance Certification

Current URL: www.giac.org

Key Words to Search for: GIAC, SANS, GCIH, Certified Incident Handling Analyst

Founded by the SANS Institute in 1999, the Global Information Assurance Certification (GIAC) program certifies information security professionals, offering numerous areas of specialization, including incident handling, intrusion analysis, firewalls, Windows, and UNIX. I find the associated Web site immensely helpful. In the interest of full disclosure, I have been involved with the GIAC program since its inception, contributing major portions of the GIAC Incident Handling and Hacker Attacks curriculum. But I'm not mentioning GIAC as an advertisement. On the contrary, I mention GIAC because it is a veritable treasure trove of information about computer attacks and defenses, all available for your perusal and use, free of charge.

To qualify for the certification, each applicant is required to submit a practical paper, ranging from 30 to 100 pages, on an information security topic relevant to their area of focus. These papers, which often include fascinating new research topics and tools analyses, are then carefully graded and publicly posted at the GIAC Web site. Make sure you check out the papers that have received the "honors" designation, as they represent the best of the best. They often include particularly detailed, insightful, or cutting-edge research. All of the different GIAC specializations are interesting, but I especially value those honors papers associated with the GIAC Certified Incident Handler (GCIH) program, which deal with computer attacks, malware analysis, and penetration tests. Some of these papers are just awesome! You can search through and download hundreds of them at http://www.giac.org/GCIH.php .

Phrack Electronic Magazine

Current URL: www.phrack.org

Key Words to Search for: Phrack, Phrack World News, Hacking, Phreaking, Reverse Engineering

Do you ever read a detailed technical discussion about some kind of computer

attack, and, based on its sheer malevolent cleverness, shout "Oh, man!" and slap yourself in the forehead? I do, and it often occurs while I'm reading the latest missive from the folks over at Phrack Magazine, a free online publication at www.phrack.org . Phrack has a long history, with its first publication back in the mid-1980s. I have to remind some of our younger readers that we did indeed have computers back then, and even telephones. The Phrack Web site includes archives of more than 60 different issues, going all the way back to good old Phrack Number 1. From then until now, each issue of Phrack has discussed how to manipulate various technologies, often with new and very novel twists.

Phrack is not released on a regular basis; each issue comes out approximately every six to nine months. However, when a new Phrack is released, it's usually full of amazing articles. Recent editions have looked at kernel manipulation and very stealthy backdoors, two areas of intense research in the computer underground.

The Honeynet Project

Current URL: www.honeynet.org

Key Words to Search for: Honeynet Project, Lance Spitzner, Scan of the Month Challenge, Reverse Challenge

Back in September 1999, my phone rang. It was a high-energy security geek named Lance Spitzner, calling to discuss a new idea he had that he named the Honeynet Project. Lance spoke very quickly, as he always does, but his enthusiasm for doing research in the wild was highly infectious. Lance was building a team of 30 like-minded security geeks to install systems, put them on the Internet, and wait for them to get attacked. These honeypot targets aren't announced in advance. They are just standard, unadvertised systems, sitting on the Internet waiting for the bad guys to venture in. Such collections of honeypots are referred to as honeynets because they are entire groups of systems waiting for attack, used for research purposes. Like Dian Fossey observing gorillas in the mist, the Honeynet Project attempts to watch and record the attackers' every move. After an attack occurs, the team then scours each victim machine, piecing together the techniques used by the bad guys to break in. The team's original goal continues to this day: "To learn the tools, tactics, and motives of the blackhat community and share the lessons learned."

At the Honeynet Web site, you'll find papers dealing with analyzing worm

attacks, profiling the bad guys, understanding statistical analysis of scanning, building honeypots, and a variety of other fun topics. One of my favorite components of the Web site is the Scan of the Month Challenge. Each month, the team takes sniffer data from a recent unusual scan of one of our target systems and posts it on the site. Web site visitors are invited to read the challenge and answer a series of questions about that particular attack based on the sniffer data. The team judges winners based on the best overall analysis and posts the winning entries on the site. One of the challenges even involved reverse engineering a backdoor installed on a honeypot system by an attacker, using some of the same techniques we discussed throughout Chapter 11 of this book. I thoroughly enjoy reading the winning responses, as they often provide a new trick or two for my own analytic tool bag.

Mega Security

Current URL: www.megasecurity.org and http://kobayashi.cjb.net/

Key Words to Search for: Mega Security, Aphex, Doc, MaGuS, MasterRat

The Mega Security site hosts one of the largest collections of Trojan horses, backdoors, and RootKits I've ever seen, located at www.megasecurity.org/files_all.html . Maintained by folks calling themselves Doc, MaGus, MasterRat, and Aphex (the author of the AFX Windows RootKit we discussed in Chapter 7 ), this site sorts them all by month and year of release, with detailed archives going back all the way to March 2000. Some months include a mere seven different backdoors (March 2000), but others include more than 90 (July 2002). For each piece of malware, the site includes screen shots, the author's name, the country where the tool originated, and a summary of the software. The site is useful in researching the names and capabilities of new backdoor tools in particular, but keep in mind that many of the tools themselves are not available on the site for download. This quite reasonable strategy helps to somewhat limit the widespread availability of these malware specimens.

Infosec Writers

Current URL: www.infosecwriters.com

Key Words to Search for: Infosec Writers, Information Security Guild, Hitchhikers World

The Infosec Writers Web site (formerly known as the Information Security Writer's Guild) includes a cornucopia of different security topics, written by a variety of authors from around the world. Each week, Charles Hornat and his merry crew post new original papers describing various aspects of information security, recently including such topics as reverse engineering vendor patches, local and remote buffer overflows, and honeypot projects. One of the niftiest features of the site is called the Hitchhiker's World. This electronic magazine, released on a sporadic basis, features interesting informal briefings on some very focused topics in information security. Edited by Arun Koshy, it's a great read and tends to be short, technical, and fun. Therefore, I try to keep up with each and every Hitchhiker's World entry.

Counterhack

Current URL: www.counterhack.net

Key Words to Search for: Counter Hack, Counterhack, Ed Skoudis, Crack the Hacker Challenge

My own Web site, at www.counterhack.net , includes a hodgepodge of various information security musings, ranging from technical papers to geek humor. In particular, you might want to read my "Crack the Hacker" challenges. These monthly technical contests challenge information security professionals to analyze a movie-themed case study and answer questions about how to prevent, detect, and respond to the situation. Each of these scenarios is based on a real-world incident, dressed up in a scenario to disguise the real organization that was attacked. Winners of these contests receive a small reward, as well as a microscopically tiny measure of international acclaim and fame.

Parting Thoughts

Now that we've seen some resources you can use to help keep up with the malware threat, let's turn our attention to a big-picture view of malware. After I wrote each chapter of this book, I calmly pondered the overall implications of each type of malware, peacefully jotting down a few notes about the techniques we've discussed. Augmenting this tranquil approach to pondering malware, I also contemplate the evolving nature of the malware threat when I'm under fire, responding to computer attacks in real time. As I wrote this book, when one of my clients', friends', or my own machine got hacked, I would often frantically jot down acerbic notes in the heat of the moment about the nature of malware.

To compose these parting thoughts, I reviewed both my peaceful and frenzied notes to try and get a big-picture view of malware. As you might expect, I come away with two very different mindsets, and perhaps, as you've read this book, you do as well. One of these mindsets is the pessimists' view, whereas the other is much more optimistic. Let's start out with the pessimists' take on the future state of malware.

Parting Thoughts : Pessimist's Version

The problem's plain to see:

Too much technology.

Machines to save our lives.

Machines dehumanize!

The​ song "Mr. Roboto" from the album "Kilroy Was Here," by Styx, 1983

Perhaps you read some sections of this book with a certain sense of foreboding. You may have thought, "I can't keep up with malicious, polymorphic, worm-propagating, anti-forensic, kernel-mode, sniffing backdoors loaded into my BIOS! I give up. I'm going to move to the mountains and raise cows. I've never been hacked by a cow." If that's what you thought, I know exactly what you mean. As we've seen in chapter after chapter, bad guys are invading our systems, shoving malware into every possible nook and cranny that can hold executable code. Malware sneaks in via the Web, e-mail, application programs, operating systems, kernels, and someday maybe even into the BIOS and CPU microcode itself. When you really think about it,

malware is specifically designed to abuse the very flexibility and power that we use computers for in the first place.

We've unwittingly entered into a sad trade-offin​ exchange for powerful applications and underlying machines that can be quickly and easily altered with executable content, we've introduced the possibility of malware at all levels of our systems. In the computer revolution, we focused on extremely flexible general-purpose computers for their utility and economic value. Decades ago, only a scant few visionaries realized that malware-wielding attackers could use this very flexibility to undermine our systems from the inside. Due to all-too-common mistakes in implementation, the very flexibility of our machines has rendered them quite feeble.

Maybe this whole trade-off was a mistake. Perhaps we should have far more limited systems devoted to specific applications that resist executable content of all kinds. We could build systems with very specifically defined functions that attackers will have much greater difficulty exploiting. It might be amazing that we have a single box on our desks or in our travel bags that we use as a game console, library, jukebox, writer's tool, medical advisor, trusted financial planner, and storage device for our innermost personal secrets and desires. Amazement aside, however, perhaps these functions should be split into different systems, each with a lot less flexibility.

Yet we're heading in exactly the opposite direction. Instead of separating functions and limiting the flexibility of the machines we use, we're using the same underlying flexible technology that is so easily targeted by malware in a host of other electronic gizmos. As the computer revolution marches on, we're deploying stereos that can play MP3 audio files, or personal video recorders running a variation of Linux. We see cars with on-board computers for engine control and navigation, some of which use Windows. As an experiment, try walking through a hospital and counting the number of Windows and UNIX-based machines you can spot for running health-care services, helping doctors match patients to cures and even dispensing medicines. Furthermore, our militaries are increasingly relying on the same types of underlying machines for combat operations. Imagine the damage a worm could cause if it infected such hospital and military systems, to say nothing of your entertainment systems. Even though each of these systems is focused on a set of specific tasks, they all still use the same underlying technology from our desktops and servers: UNIX and Windows, along with TCP/IP networking and familiar lines of CPUs. Instead of limiting the options for malware, we've inadvertently invited it deeper into our lives.

Compounding the problem, many (or perhaps even most) organizations are plagued with inadequately trained system administrators who aren't sure how

to defend their machines properly or even check their systems for signs of attack. Often, information security budgets are thin, and busy system administrators have enough trouble keeping their machines functioning, let alone secure. Training and then trusting them to use the techniques we've discussed throughout this book will take valuable time and boosts in funding that we just don't have. A mediocre system administrator hardly stands a chance against a really good attacker. Heck, even a mediocre attacker who simply reuses malware written by others can cause immense damage.

The situation gets even worse when we consider end users. Even with a brilliant system administrator, a clueless user could easily infect a system with malware. By accidentally executing the wrong program, a user could unleash malware that grabs superuser privileges on a machine and inserts itself at a very fundamental level. A mistake on a critical server could jeopardize not only the single clueless user, but all other users who rely on that box. Taking all of these concerns together, in a lot of organizations, the deck just seems stacked against us. Maybe raising cows isn't such a bad idea after all.

Parting Thoughts: Optimist's Version

Unless someone like you

Cares a whole awful lot,

Nothing is going to get better.

It's not.

The Lorax, by Dr. Seuss, 1971

But don't despair! Cows have their problems, too. Although they cannot (yet!) be infected with computer malware, they do suffer from a variety of other ailments. In my opinion, raising cows isn't nearly as much fun as working with computers. I periodically stray into the pessimists' camp, but I am at my core an optimist when it comes to computer security and fighting malware. Sure, the bad guys are improving their malware at an alarming pace and taking aim at all kinds of computing systems, but we can (and must) work to stop them. I know it's a lot of work to keep up. I spend seemingly endless hours securing systems and responding to attacks. Maybe you do as well.

However, defending our machines against the vast majority of attacks is indeed feasible. We can't turn our back on the inherent flexibility of our systems, as massive components of our infrastructure and even portions of our economy depend on these features of already deployed systems. At the risk of mixing in

another barnyard metaphor, that horse has already left the barn. Instead, we need to carefully design and build our systems to be flexible and secure at the same time. If you think about all of the defenses we've discussed throughout this book, they come down to doing a thorough and professional job of administering and securing our systems.

Whenever I start to get discouraged, I think about it this way: We currently live in the golden age of information security. I strongly believe that, 20, 30, or 40 years from now, we will look back on these very days as the most exciting time of our professional lives. When we're old, toothless, and gray, sitting in our rocking chairs pondering the past, we'll think, "Wow what a ride!" It's true that the middle-2000s certainly are a lot of hard work for information security professionals. However, in exchange for our hard work, we get the excitement of learning new and fun technology, fighting bad guys, and protecting some of our society's most valued information. Perhaps we were even put here for a time such as this. With a concerted effort at deploying the defenses we've discussed throughout this book, we can make the world a better, more secure place.

Also, skilled security personnel will remain in high demand for the immediate future. Our society needs people like you and me to help protect the feeble infrastructure of our computer systems. You want security? How about job security! So, savor these thrilling times. In the future, it's quite possible that information security won't be nearly as exciting as it is right now.

In fact, I believe that we are, today, at a tipping point in the information security business. We'll likely look back and realize that this is the time that things started to radically improve from an information security perspective. Vendors have always paid lip service to security, but recently, they've started to integrate it much more carefully into their systems. Increasingly, security is not just marketing schtick. Vendors are starting to actually do what we've wanted for so long! Yes, the ball is just beginning to roll, and I'm very happy at some of the recent news.

Several computer manufacturers have announced that they will start shipping new systems with many high-risk features disabled. In the olden days (of just a year or two ago), a new, out-of-the-box workstation or server had all features turned on from scratch by the vendor without regard for security concerns. Vendors did this because such default-on features suppressed costly help desk calls from users asking about how to turn things on. However, these features also significantly compromised our security. Now, the marketplace is getting the message that security is more important than minimizing help desk calls, and vendors are reacting by shipping their systems with far more secure default settings than was common just a few years back.

Similarly, operating system and application vendors are getting the same message, as they turn off risky functionality by default and close frequently exploited holes. We are seeing profound security ideas being built into OpenBSD and Linux. Lest these operating systems get too much security attention, Microsoft itself has jumped on board with its trusted computing initiative. Solaris is under constant improvement, as are other operating systems. The solid ideas for making systems more secure are trickling down from some operating systems into others, making them all safer.

In the end, over the next five or so years, I believe that we will start to see significant fruit from these endeavors, with machines that are less vulnerability-prone than in the past. It won't happen overnight, of course, but the momentum, driven by market demands, is moving in the right direction. Using the defenses we've discussed in this book, buttressed by these fundamental underlying changes in the computer security industry, I believe we'll increasingly be able to thwart the malware menace.