Gang Warfare in latest Viral Attacks

Confidence at reaching the middle of the year without a monster virus erupting was shaken last Tuesday, as a new breed of worm tore through the corporate systems of major media companies in the US and UK. And as different strains of the worm appeared to attack one another, leading analysts speculated that a form of gang warfare had broken out among hackers.
The malware war erupted shortly after Microsoft published details of a vulnerability in Windows 2000. Microsoft usually reveals such soft targets in its monthly "Patch Tuesday" security bulletins, once it has a remedial patch ready. That announcement, however, is also the starting gun for hackers to devise a means of exploiting the flaw before IT administrators react and immunize their systems with the patch.
Next in Line to Sasser and Blaster
Within 24 hours, an apparently Russian-based programmer operating under the nom de guerre 'houseofdabus' (whose earlier exploit code had been used to build the Sasser worm) had published exploit code that virus writers could use to target a flaw in the Plug and Play service of Microsoft Windows. Hackers then rushed to build and launch worms around it, the first appearing only five days after the patch was released.
According to Finnish analysts, 12 different versions of the worm had been identified during the first three days of activity. They were grouped into three distinct families (four according to some sources), including Zotob, Bozori and IRCBot. In a new twist, the later variants incorporated bot software and appeared to be attacking the worms of the earlier Zotob family.
The initial worms scanned for hosts with TCP port 445 open, delivered the Plug and Play exploit, and then had the newly compromised host fetch a copy of the worm from the attacking machine over FTP. In the bot variants, the infected computer was also directed to log into a dedicated internet relay chat (IRC) channel, after which it could be controlled from outside and was, in effect, 'zombified'.
Although the concept of virus wars between hackers is not new, this is the first time such skirmishes have been fought with bot software. Later versions of the worm could automatically identify vulnerable systems, replicate themselves, displace the original worms and attack other infected systems. The so-called 'bot-masters' set the captured computers to work, commonly stripping out security information and settings and attacking earlier versions of the worm as they did so.
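The infection chain described above leaves two network symptoms that a firewall log will show: a host probing TCP port 445 on many distinct neighbours in a short time, followed by an outbound IRC session. The following detector is an added example, not code from the article or from any of the analysts it quotes; the log format, the 60-second/5-target scanning threshold and the list of IRC ports are this example's own assumptions, and the log lines are constructed for it.

```python
"""Correlate two symptoms of a Zotob-style bot infection in firewall logs:
a host fanning out to TCP/445 across many distinct targets (worm scanning),
followed by an outbound connection to an IRC port (bot check-in).

The log format, thresholds and IRC port list are this example's own
assumptions; the sample lines below are constructed, not real captures."""
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format: "<ISO8601 time> <src> <dst> <proto> <dport> <action>"
SAMPLE_LOG = """\
2005-08-16T09:00:01 10.1.2.7 10.1.2.20 tcp 445 deny
2005-08-16T09:00:02 10.1.2.7 10.1.2.21 tcp 445 deny
2005-08-16T09:00:02 10.1.2.7 10.1.2.22 tcp 445 allow
2005-08-16T09:00:03 10.1.2.7 10.1.2.23 tcp 445 deny
2005-08-16T09:00:04 10.1.2.7 10.1.2.24 tcp 445 allow
2005-08-16T09:00:05 10.1.2.7 10.1.2.25 tcp 445 deny
2005-08-16T09:00:09 10.1.2.7 203.0.113.5 tcp 6667 allow
2005-08-16T09:00:10 10.1.2.9 10.1.2.50 tcp 445 allow
2005-08-16T09:00:40 10.1.2.9 10.1.2.50 tcp 445 allow
2005-08-16T09:01:10 10.1.2.9 10.1.2.50 tcp 445 allow
2005-08-16T09:05:00 10.1.2.30 10.1.2.20 tcp 445 allow
2005-08-16T09:05:01 10.1.2.30 10.1.2.21 tcp 445 allow
2005-08-16T09:05:02 10.1.2.30 10.1.2.22 tcp 445 allow
"""

IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}
SCAN_THRESHOLD = 5      # distinct 445 targets within one window => scanner
SCAN_WINDOW_SEC = 60    # sliding window length in seconds


def parse_line(line):
    ts, src, dst, proto, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "dport": int(dport), "action": action}


def find_445_scanners(events, threshold=SCAN_THRESHOLD, window=SCAN_WINDOW_SEC):
    """Return {src: max distinct 445 targets seen in any window}.
    Denied attempts count too: a blocked probe is still evidence of scanning."""
    per_src = defaultdict(list)
    for e in events:
        if e["proto"] == "tcp" and e["dport"] == 445:
            per_src[e["src"]].append((e["ts"], e["dst"]))
    scanners = {}
    for src, hits in per_src.items():
        hits.sort()
        recent = deque()            # hits inside the current sliding window
        for ts, dst in hits:
            recent.append((ts, dst))
            while (ts - recent[0][0]).total_seconds() > window:
                recent.popleft()
            distinct = len({d for _, d in recent})
            if distinct >= threshold:
                scanners[src] = max(scanners.get(src, 0), distinct)
    return scanners


def find_irc_checkins(events, irc_ports=IRC_PORTS):
    """Return {src: dst} for allowed outbound connections to an IRC port."""
    return {e["src"]: e["dst"] for e in events
            if e["proto"] == "tcp" and e["dport"] in irc_ports
            and e["action"] == "allow"}


def correlate(log_text):
    """Scanning hosts, each paired with the IRC server it reached, if any."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    scanners = find_445_scanners(events)
    irc = find_irc_checkins(events)
    return [{"host": h, "targets_445": n, "irc_server": irc.get(h)}
            for h, n in sorted(scanners.items())]


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

Only 10.1.2.7 is reported: it reaches six distinct hosts on port 445 within a few seconds and then opens an IRC session to 203.0.113.5. The host repeatedly talking to a single file server and the host that touches only three neighbours stay below the threshold. A scanner with no IRC server recorded is still worth a look, since the later variants changed their command channel.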
Singapore gets off Lightly
According to Microsoft's Chief Security and Privacy Advisor (Asia-Pacific), Kang Meng Chow, Singapore emerged almost completely unscathed. Within 48 hours of the first worm emerging, all Windows 2000 customers had been notified and issued with guidance. Only one customer reported having been afflicted by the worm.
The reason, he suspected, is that IT administrators here have been blocking illicit access to TCP port 445 on their systems.
Meng Chow added that most properly managed firewalls were capable of denying the worm access, though a residual risk remained from unpatched home laptops connecting remotely to corporate systems.
A New Kind of Warfare
The so-called war erupted as rival bot-masters competed to turn victim systems into their own remote-controlled resources, the 'zombie' tactic. Some commentators have pointed out that these hacking wars signal a potential change in the objectives of malware propagators.
Traditional 'graffiti hackers' want to crash challenging systems. They are motivated by the kudos of being able to do it and the fame of being known as the people who did. 'Trojan horsemen', who infiltrate controlling software onto other people's systems, adopt the reverse tactic: they want to remain undetected while security features are stripped and valuable data extracted.
The latest skirmishing followed the pattern established by the Sasser and Blaster attacks, in which hackers race to exploit a publicized weakness before patches can be downloaded by corporate IT administrators. According to the Director of Microsoft's Security Response Center, Debbie Fry Wilson, only a week after this patch became available it had already been downloaded onto 200 million computers.
Compared with the corporate response to previous worm outbreaks, the speed of patch uptake means that the window of opportunity to develop, deploy and exploit malware is becoming increasingly narrow.
Unpatched Systems more Vulnerable
Currently the platform most vulnerable to bot attack is unpatched Windows 2000. Data from the UK indicates that Windows 2000 is the standard desktop in over 50% of UK companies that deploy more than 250 PCs, and Singapore sources confirm that the trend is even more pronounced in the city-state. Most home users still run Windows 98 or have switched to XP, and in any case tend to be patched automatically via Microsoft's update software.
The attack also highlights how instant messaging (IM) has become a vulnerable route of attack. Worms, especially those carrying Trojans, increasingly exploit the fast-paced environment of corporate IM users, who frequently and unwittingly click on unfamiliar IM pop-ups.
Private networks are as vulnerable as the more public MSN, AOL and Yahoo Messenger systems. In April this year Reuters, the UK-based news agency, suffered a complete shutdown of its internal IM system following an onslaught from the Kelvir worm, which arrived as a link in an MSN Messenger pop-up. The Rbot backdoor Trojan it then downloaded allowed the computers to be remotely controlled over IRC connections. Along with Bropia and Serflog, Kelvir is now one of the three most prevalent strains of IM malware.
Local Advice
Implementing and maintaining an effective patch management process to handle security updates is the top priority for IT administrators, according to Meng Chow. The speed at which vulnerabilities are now exploited means that new patches must be managed and applied under 'race conditions'.
He added that the areas of greatest vulnerability would always be at the perimeter: at the interfaces between corporate systems and the Internet. “Vulnerabilities can usually be managed by a firewall, including use of a personal firewall,” he said. “But administrators should always look into more granular control, e.g. by filtering of URLs in IM systems, which new worms and viruses are now targeting.”
Prelude to the Killer Virus?
The concept of a 'killer virus' is not new, but the latest 'bot wars' may also indicate the form such a virus might take, if a sufficiently devastating one could be devised and deployed fast enough. Experts increasingly talk of a 'blended attack', in which a highly concealed worm-Trojan combination would be used.
Hiding under rewritten program code that mimics established functionality, the worm element would replicate itself undetected across systems. The remotely controlled Trojans could then be activated simultaneously in a concerted attempt to disrupt the functionality or integrity of public and private systems.
For the moment, Microsoft and IT administrators appear to have the upper hand. Contingency planning provides for special war rooms to be activated within Microsoft whenever a publicized flaw starts to be exploited. Ms Wilson pointed out that while this form of warfare persists, the key response is for IT administrators to install security updates as fast as possible, which appears to be exactly what they have become adept at doing.
For now, the name of the game remains speed of reaction. What would happen if attackers contrived to coordinate a carefully timed Trojan attack is less clear.