Sunday, August 21, 2005

IRC botnets: The Needle and The Damage Done

Since August 15th, many organizations have been struggling to recover from the onslaught of the various worms exploiting the Universal Plug and Play (UPnP) buffer overflow vulnerability. Those unfortunate enough to see large numbers of systems hit by one or more worm variants face the usual challenge of recovering those systems. Microsoft and the antivirus vendors are eager to help you recover your systems, and several offer their own custom cleanup tool to eradicate the worms. Victims of this crop of worms would do well to heed the long-standing recommendation of information security experts: recover your contaminated systems by re-imaging them from pristine media, particularly if they were able to contact the outside world, even for a few minutes, over an IRC control channel. It's often difficult for non-technical management to weigh the risks involved in any given outbreak. This week I've heard this sentiment expressed in almost exactly the same words by managers in several different organizations:
"It's just a virus, right? I have those on my home PC all the time and nothing bad has ever happened."
Well, I'm sorry to be the bearer of bad news, but that's not the way it is, certainly not any longer. The largest breach to date, in which up to 40 million credit card numbers were recently stolen, was reported to be due to a "computer virus". That was undoubtedly a pretty bad event for quite a few people. It can take many months, even years, for an innocent individual to recover from the problems that follow the theft of their identity. Far more people than you might think are affected by identity theft, as described in the Federal Trade Commission – Identity Theft Survey Report from two years ago. Experts acknowledge that the problem is getting worse, as large-scale automated attacks by worms and botnets are employed to harvest identity data. Worms and bots execute arbitrary code on the zombied systems hosting them. They typically run with Administrator rights and can do anything the computer can do -- and they start doing it within seconds after the system is exploited. These things are not just hypothetical. Here are a few of the things that zombied PC systems have been observed to perform at the request of remote attackers controlling them from outside the corporate firewall. By the way, these are not alarmist proclamations; rather, they are the mundane, workaday activities of the typical botnet, observed and documented by many independent security consultants.
  • contact an IRC channel at a remote location, and receive arbitrary instructions
  • update the bot software, install new bot modules
  • scan penetrated networks for other vulnerabilities
  • probe the vulnerable systems and spread the bots
  • perform denial of service attacks on other networks
  • harvest (find and upload to remote servers) private, sensitive, secret or classified documents from hard drives
  • harvest passwords, user names, and other login information (from the Windows Registry, the Internet Explorer cache, cookies, and text or document files on the system)
  • harvest email addresses, contact information
  • sniff network traffic to capture passwords and other information
  • install rootkits, trojans, keystroke loggers and other malicious software
  • use the system to send spam
Botnet controllers could also employ the zombied PC for click fraud or other fraud (e.g. against internet advertising). The modern worm and bot attack has all the characteristics of yesteryear's intrusion -- a manual exploitation of a system by a hostile attacker. The universal consensus of the information security community on a crack of a system by an intruder is that the system must be re-imaged to regain assurance of its security. This recommendation hasn't changed in years, despite advances in rootkit detection techniques; the authors of those detection tools consider them useful for forensic analysis, not system recovery. When a modern botnet invades your network, a remote person (or team of people) unknown to you has gained Administrator access to your systems. They have taken actions that you cannot trace, because those actions were not logged and because the intruders may have modified system files or installed a rootkit. Somehow, because these attacks evolved slowly over a period of years from mundane virus and ostensibly benign worm attacks, managers sometimes don't take them seriously. The primary difference between a classic intrusion and a botnet invasion is that with a bot the cracker quickly (within minutes) gains control of dozens, hundreds, or even thousands of compromised systems. The tasks allotted to the botnets can be automated as well. The nature of the threat is considerably greater than the virus or worm of days gone by. It's more appropriate to think of a bot as a manual intruder multiplied by the number of contaminated systems, and to treat it with the same degree of seriousness.
One last motivation for treating botnet invasions more like traditional "intrusions" is provided by the increasing attention of legislative, regulatory and oversight agencies. Private and governmental organizations alike may be under increasing legal and regulatory obligation to provide stronger assurances that recovery strategies are adequate.
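As an added example (not code from the original post), here is a small defender-side script that applies the re-imaging rule above to firewall logs: it reads a simplified, assumed log format and lists every internal host that completed an outbound connection to an external IRC port, so those hosts can be rebuilt from pristine media rather than merely cleaned. The internal address ranges, the IRC port set and the sample log lines are all constructed assumptions.

```python
# Added example (not from the original post): flag internal hosts that reached
# an external IRC-port endpoint in a simplified, assumed firewall log format.
import ipaddress
import re
from collections import defaultdict
# Assumption: the organisation owns these ranges and sanctions no IRC use.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
IRC_PORTS = {6667, 6668, 6669, 6697, 7000}  # common IRC command-and-control ports

# Log line shape assumed here: "<timestamp> <ALLOW|DENY> <TCP|UDP> src:port -> dst:port"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
                     r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample lines using documentation addresses, not real indicators.
SAMPLE_LOG = """\
2005-08-16T03:12:07 ALLOW TCP 10.0.4.17:1045 -> 203.0.113.9:6667
2005-08-16T03:12:09 ALLOW TCP 10.0.4.17:1046 -> 203.0.113.9:6667
2005-08-16T03:14:31 ALLOW TCP 10.0.4.22:1102 -> 198.51.100.5:80
2005-08-16T03:15:02 DENY  TCP 10.0.4.31:1210 -> 203.0.113.9:6667
2005-08-16T03:15:44 ALLOW TCP 10.0.7.8:2049 -> 192.0.2.77:7000
2005-08-16T03:16:10 ALLOW TCP 10.0.4.22:1103 -> 10.0.1.5:6667
this line is deliberately unparseable
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def irc_contacts(log_text):
    """Map each internal host to the external IRC endpoints it actually reached.
    Only ALLOWed TCP flows count: a DENY never reached the controller."""
    contacts = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f["action"] != "ALLOW" or f["proto"] != "TCP":
            continue
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if is_internal(src) and not is_internal(dst) and int(f["dport"]) in IRC_PORTS:
            contacts[str(src)].add(f"{dst}:{f['dport']}")
    return dict(contacts)

def reimage_list(log_text):
    """Hosts to rebuild from pristine media: every host that reached a controller."""
    return sorted(irc_contacts(log_text))
```

Internal-to-internal IRC traffic is deliberately left out here; it is a lateral-movement question rather than evidence of contact with an outside controller.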
Legislation at the Federal and State level may require private industry to disclose serious computer breaches that expose their customers, business partners and employees to risk. Sometime in the next year or so, you're going to read about a big problem -- a giant identity theft, a massive leak of confidential or sensitive documents, an organization with hundreds of machines owned by a botmaster for months before it was discovered. Don't let it be your organization that you're reading about. If you didn't focus on prevention after the last botnet invasion, and you got hit again, don't try to cut corners now. Restore compromised systems from pristine media, then get to work on a layered defense posture.