Our feeble thinking on security has always invited newer and stronger worms to take control of our systems, but have we ever learnt from our repeated mistakes? It is time we paid attention to better and stronger security.
Since the early days of computing we have faced a succession of Internet worms, each ultimately the result of our weak thinking on security. Cyber criminals have been inspired by these and have played an active role in damaging the computing environment with ill motives. But have we ever learnt from our repeated mistakes? If we still don’t learn, the end of a healthy computing environment is not far off. This article looks back at the past to remind us how we have always been defeated by cyber criminals.
A Glance at Past
Back in the days of the early Internet, on November the 2nd 1988, a malicious program, thereafter known as the Internet worm—but more often as the Morris worm (after its writer)—was released onto the Internet. The Morris worm spread very aggressively across systems connected to the Internet by using a variety of tricks, including scanning other systems for vulnerabilities in the finger protocol and in the popular mail agent sendmail. Having found one of these, it would then copy itself across to the vulnerable server by exploiting those flaws.
(Finger is a directory service protocol which returns information about a person, given his email address—many universities in the USA still run finger services for faculty staff.) Once copied, it would launch itself on the new system, which, once infected, would itself start to scan the network looking for further vulnerable machines to infect [1]. The only fix was to patch the systems to close the vulnerabilities, and within a few days the worm was effectively disabled through this strategy. It had long been known that there were flaws in these UNIX-based systems (a warning, perhaps, to all who believe Linux and UNIX to be immune from viruses and worms), but no-one had expected them to be exploited in such a way. Today, you may imagine, no-one would be able to execute the same sort of attack with anywhere near the success of the Morris worm. How wrong you would be.
Fast forward to October 2008—almost exactly 20 years after the Morris worm—and we encounter one of the most successful and aggressive worms of recent times: the Conficker worm (sometimes known as Downadup). Conficker takes advantage of a flaw in Microsoft’s Windows operating systems, and was such a large-scale problem that Microsoft released an emergency security patch (MS08-067) to close down the vulnerability [2].
Weak Security Inspires Cyber Criminals
Who would think that after 20 years, this could still happen? Conficker is only the latest in a long line of malware, but what makes it interesting is its very visible and very rapid spread, and what it shows us about the state of our thinking on security.
First of all, we all know that passwords are still the major means we have to secure systems—unfortunately, passwords are not always very strong. People tend to forget them unless they’re simple—so they use things like names, or common words, sometimes with simple variations like 1 for i or 3 for e, and they tend to be short—six to eight characters. The people behind Conficker knew this, and gave it a list of common passwords to try, so that if you had a weak password configured, it would attach to shares, copy its files across and use a buffer overflow (fixed by the Microsoft patch) to execute itself on the system. So, Conficker showed that a lot of people still use very weak passwords.
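As an added illustration (not code from the article or from K7 Computing), a checker that mirrors what a password-guessing list like Conficker’s would catch: it undoes the simple substitutions mentioned above before comparing against a common-password list. The 12-character minimum and the tiny word list are assumptions for this example.

```python
import re

# Constructed, deliberately tiny list of common passwords; a real checker would load a
# full list of the kind attackers carry (assumption: these entries are illustrative only).
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "123456", "admin", "welcome", "monkey"}

# Undo the simple substitutions the article mentions (1 for i, 3 for e, and similar).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12  # assumption for this example; the article only notes 6-8 is typical and weak


def base_words(password):
    """Return the plain words a password collapses to once case, substitutions and a
    trailing run of digits/punctuation are removed, e.g. 'P@ssw0rd1!' -> 'password'."""
    low = password.lower()
    strip_tail = lambda s: re.sub(r"[^a-z]+$", "", s)
    # Try both orders, since a trailing '3' may be a suffix or may stand for 'e'.
    return {strip_tail(low.translate(LEET_MAP)), strip_tail(low).translate(LEET_MAP)}


def is_common(password, common=COMMON_PASSWORDS):
    """True if any normalised form of the password is on the common-password list."""
    return any(word in common for word in base_words(password))


def check_password(password):
    """Return the reasons a password is weak; an empty list means it passed every check."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if is_common(password):
        reasons.append("common password or dictionary word (after undoing substitutions)")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("fewer than three character classes")
    return reasons


if __name__ == "__main__":
    for pw in ("letmein", "P@ssw0rd1!", "MyD0ghasbigSharpTeeth!"):
        print(pw, "->", check_password(pw) or ["ok"])
```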
Secondly, we found out that people don’t patch their systems, despite Microsoft making it quite easy to do so using Windows Update. Microsoft released the emergency patch on the 23rd of October, 2008, but as of mid January around three in every ten systems remained unpatched [3], and continued to be exploitable by the Conficker worm (and anything else that decided to use that vulnerability). While a vulnerability remains unpatched, it is very likely to be exploited by not just one but several pieces of malware, as the attackers are aware that people don’t patch in a timely fashion. In some cases, people with pirate copies of Windows may be unwilling to patch their systems, leading to very outdated machines which are infected by multiple pieces of malware and act as incubators for infecting systems across the Internet. We no longer live in an isolated world, but one where our actions (or inactions) can affect many people across the world. One of the actions of Conficker is to join machines to a large botnet (I’ll discuss botnets shortly), and this means infected machines can act as conduits for spam, further malware attacks and Denial of Service attacks against websites—not to mention the dangers to users who may be conducting financial transactions on those infected systems, potentially opening themselves up to credit-card fraud and identity theft.
Thirdly, we learn (not for the first time, but I hope the last) that having a service like AutoRun is far more trouble than it’s worth. When you insert removable media, such as a CD/DVD or a USB flash drive, Windows will look for a file called ‘autorun.inf’ that tells it what action to take when the media is mounted. This is why you often get a nice pop-up screen when you insert a software CD—it’s quite helpful for launching the installer file. Unfortunately, it’s also very widely used to launch malware. To add insult to injury, there was a bug in the way AutoRun works, which meant that even if you had AutoRun disabled, in some circumstances you could still get infected by double-clicking on the drive to open the folder. Although this has now been fixed, as we’ve already discussed not everyone applies security updates, and those people are still vulnerable. Even with the patches, it is a somewhat complex operation to disable AutoRun. However, I heartily recommend disabling it: there have been too many occasions where USB flash drives have been pre-infected with malware at manufacture, which will then infect the machine when you insert them with AutoRun enabled.
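As an added example, not code from the article or a K7 Computing tool, a small scanner that reads an autorun.inf from removable media and reports which entries would launch a program; the sample file, its file names and the exact set of flagged keys are assumptions constructed for this illustration.

```python
import re

# Constructed sample autorun.inf in the style malware drops on removable media: the
# 'action' text mimics Windows' own "open folder" entry, while 'open' and the
# 'shell\...\command' keys point at a hidden executable (paths are illustrative only).
SAMPLE_AUTORUN_INF = """\
[autorun]
label=Photos
action=Open folder to view files
open=RECYCLER\\update.exe
shell\\open\\command=RECYCLER\\update.exe
shell\\explore\\command=RECYCLER\\update.exe
"""

# Keys that make Windows run a program: 'open'/'shellexecute' on insert, and
# 'shell\<verb>\command', which adds or overrides the drive's context-menu verbs
# (including 'open', the double-click default) so that opening the drive runs the target.
EXEC_KEYS = {"open", "shellexecute"}
VERB_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")

def parse_autorun(text):
    """Parse the [autorun] section into a {key: value} dict. Tolerant on purpose:
    case and whitespace are ignored, comment/malformed lines are skipped, and other
    sections are ignored, as Windows ignores them."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def find_launchers(entries):
    """Return (key, target) pairs that would execute something on insert or double-click."""
    return [(k, v) for k, v in entries.items() if k in EXEC_KEYS or VERB_COMMAND.match(k)]

def assess(text):
    """Summarise an autorun.inf: what it would run and the label it shows the user."""
    entries = parse_autorun(text)
    launchers = find_launchers(entries)
    return {"launchers": launchers,
            "shown_as": entries.get("action"),
            "verdict": "launches a program" if launchers else "no program launch"}
```

Running `assess(SAMPLE_AUTORUN_INF)` lists all three launch entries and the misleading "Open folder to view files" label a user would see.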
Stronger Worm, Larger Impact
So, I promised to mention botnets—botnets are the state of the art in malicious software. Stemming from the word ‘robot’, bots used to be simple drone programs that would perform boring admin tasks, like welcoming you to an IRC (Internet Relay Chat) channel or running jobs on UNIX systems—but in modern usage the word usually denotes malware used to remotely control a machine as part of a botnet, that is, a large network of machines infected by the same type of bot. By infecting thousands of machines with bots, malware authors have realized they can make money. Botnets are all about making money. Indeed, there is a whole underground economy based on botnets—the people who use them pay the people who control them, and those people pay other people to write the malware that creates new botnets. They sometimes also pay people to get unsuspecting users to install them—like affiliate programs for malware. Once you have several thousand machines under your control (we often call these controllers ‘bot-herders’) you can do just about anything—but usually the bot-herders sell time on the machines: to send spam, to perform DDoS (Distributed Denial of Service) attacks for extortion (imagine an online business being taken off the Internet unless it pays a fee to the attacker), to perpetrate phishing attacks and, importantly, to deliver new updates to their bots in an attempt to avoid the botnet being detected by anti-virus software.
The Conficker worm very quickly built up a huge botnet—estimates range between 15 and 50 million infected machines. With that kind of firepower, you could DDoS almost any site on the Internet and send an enormous amount of spam, causing more misery and mayhem for users of the Internet.
Conclusion
So, having learnt that we don’t learn from the past, I can only reiterate some good advice in the hope that at last someone might listen!
Keep updated with system patches and maintain a frequently updated and reputable anti-malware program. It is essential, really! It is! Use strong passwords wherever possible—they don’t have to be hard to remember, just hard to guess. For instance the password “MyD0ghasbigSharpTeeth!” is a strong password, but is easy to remember (just don’t use that one now!!). Disabling AutoRun is also a really good idea; after all, you wouldn’t want to let anything run on your computer without your knowledge… would you?
To help with some of the issues raised in this article, K7 Computing have released a free AutoRun configuration tool to allow easy changes to the AutoRun service and a free Conficker/Downadup removal tool. They’re both available at http://k7computing.com/index.php/Support/freetools.html
References
[1] Eugene Spafford, The Internet Worm Program: An Analysis. http://homes.cerias.purdue.edu/~spaf/tech-reps/823.pdf
[2] Microsoft, MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution. http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
[3] John Leyden, Three in 10 Windows PCs still vulnerable to Conficker exploit. http://www.theregister.co.uk/2009/01/19/conficker_worm_feed/
By Andrew Lee, Chief Technology Officer, K7 Computing