[ISN] Catching a Virus Writer

From: InfoSec News (isn@private)
Date: Thu Jun 03 2004 - 00:30:35 PDT

  • Next message: InfoSec News: "[ISN] Simple passwords no longer suffice"

    By Kelly Martin 
    Jun 02 2004 
    Like a sneeze in a crowded subway, it's hard to find the human source
    of the latest viral infection. On the Internet it's not much
    different. The people who write these nasty little programs and
    release them into the wild almost never get caught. Why? The answer is
    easy, but it's also a sort of technical nemesis: there's simply no way
    to track these people down.
    The current approach to catching virus writers isn't working. Code
    analysis and disassembly provides clues about the author, but it's not
    enough. Virus writers boast of their accomplishments in private
    bulletin boards, yet only the most vocal and arrogant few will get
    caught. Even with logs, IP addresses and private access, it's still
    near impossible to track them down.
    Law enforcement agencies in every country are clearly ill-equipped to
    deal with the myriad of technical hurdles required to track virus
    authors down, and so they turn to a few elite security consultants,
    some working as threat analysts at the major A/V vendors for help.  
    They can usually narrow down the source of a virus to having been
    released in a geographic part of the world, but the rest is a mere
    packet in the bitstream.
    Add Microsoft's new $250,000 bounty into the mix and at first glance,
    you'd think we're right on track. Not a chance! There are simply too
    many ways to be anonymous on the Internet, and more so today than ever
    before. You don't even need to spoof IP addresses these days; there
    are too many ways to have perfect stealth, starting with an
    untraceable MAC address on a borrowed IP address, linked into a
    wireless router down the street which has access logging disabled? and
    you tunnel through countless proxies and compromised zombies until you
    reach the desired launch point. Someone who does not wish to be caught
    (and knows what they're doing), cannot be caught. With wireless, it
    become a physical battle between a million victims and one guy walking
    down the street.
    Why WiFi?
    WiFi has exploded. Welcome to the truly anonymous Internet. There is
    no easier way to slip on and off the Internet now without being
    noticed than on an unsecured 802.11x wireless network in a coffee
    shop, under a tree in Central Park, at a library or even just leaked
    through the walls of the apartment next door. North America, and
    indeed the rest of the world, already has an incredible number of
    wireless devices that are effectively free, unsecured, and readily
    available to anyone - to such an extent that it's more difficult to
    avoid these sprawling networks than it is to connect to them. My Mac
    with embedded g-band happily connects to just about any network it can
    find, and it appears there are literally a hundred wireless Access
    Points within a short walking distance downtown.
    There are a mind-boggling number of wireless access points now, and
    only the ubiquity of these devices is new: while four or five years
    ago I may have been the first on my block with WiFi, now there are so
    many devices I have to worry about interference.
    More than that, there are a mind-boggling number of wireless access
    point that are not Secure by Default, out of the box - just like the
    machine owned by your average Microsoft Windows user. But even if they
    were, it wouldn't matter.
    I live in a sparsely-populated area, at least for a major metropolitan
    city. Yet without even leaving the couch of my living room, I can
    "borrow" someone else's Internet connection, mask my MAC address and
    have complete stealth on the Internet. It would be difficult, if not
    impossible, to prove it was me.
    If I wanted to be a bit smarter about things, however, I'd walk to the
    park and get my access from there... less likely that the police come
    knocking on my door. Or I'd drive down to the coffee shop, and setup a
    launch from there. Or better still: point my homemade antenna (made
    out of a soup and used according to the exacting laws of wavelengths
    and physics) and bounce it off a digital satellite dish, extending my
    network's range by up to 2km. In other words, I could literally get my
    Internet access by simply pointing my directional antenna towards
    metropolitan downtown.
    I have no malicious intent, however. I'm generally not searching for
    these insecure networks, they just appear all on their own. When I'm
    not publishing articles on SecurityFocus, I go for coffee at a shop at
    the bottom of our building. There is free wireless Internet access
    available, sure -- though I'm not sure if it's actually provided by
    the coffee shop, or if it's coming from an office next door, or below
    me, or above me -- the service has never been advertised. Instead, one
    day I just opened up my Mac with OS X, and it was there (broadcasting
    itself, with no security). Most Windows machines, by default,
    similarly connect to the strongest local signal without discretion,
    and voila.
    I check the connection, and can instantly surf the web. SSH works
    fine, and thus secure (and dynamic) SSH tunnels are possible. And
    secure email, through port 993, is possible as well. Web access, like
    usual, is in the clear (except when using SSL and then it too, is
    secure). No security whatsoever. It's wide open. I drink my coffee and
    imagine opening up a can of worms... or rather, imagine someone
    logging onto his bot network through IRC, sitting anonymously in some
    coffees shop, drinking espresso and launching DDoS (distributed
    denial-of-service) attacks.
    If I fudge my MAC address and make up a fake one, it will be
    impossible for anyone to know it's me. I'll change the apparent MAC
    address again tomorrow and maybe I'll sit in a different coffee shop,
    Free but insecure networks
    What I'm trying to get at is this "promiscuity" of wireless networks
    has already made security on the Internet redundant - a virus writer
    using this technology could never be tracked down. There are hundreds
    of access points within my five kilometer radius, and the number is
    growing every day. Having had 802.11x access myself for a long time,
    the technology and its weaknesses are hardly new - what's new is the
    proliferation of access points, the vast majority of which are freely
    available for personal use.
    Even a robustly secured wireless access point can be cracked in a
    matter of hours. The extreme, industrial-strength security using LDAP
    and/or RADIUS and rotating keys is possible, but not for the faint of
    heart. In other words, for tens of thousands of access points across
    the country and around the globe, their security is already
    irrelevant. For someone searching for a novel launch point for their
    virus, you might still be the next in line.
    Salon published an interesting (and entertaining) article by Micah
    Joel (requires free day pass) about the opening up access points and
    its legal implications: no security, broadcast the SSID, and turn
    logging off. Encourage people, in fact, to use the free connection.  
    With no way to know who has used your Internet connection, there's no
    way that you could be held liable for inappropriate (or illegal) use.  
    You'd be just like everyone else who took it out of the box, and
    plugged it in. While this theory has yet to be help up in court, at
    least here in Canada, a precedent is waiting to be set. It's already
    everywhere. Don't believe me? CNN published an article recently only
    confirming what many of us already knew: the insecurity of wireless
    networks has become extreme.
    Of course, it would be just as easy to launch a virus from an Internet
    café in many other parts of the world, like Asia and India where
    anonymous access is given for a dollar an hour. And then there are the
    libraries, colleges, user groups and other institutions everywhere
    else that, once again, provide a bastion of easy, cheap anonymity.
    Let me now be clear about my motivations: while I do not have the
    skills to write a virus myself, there are many, many people out there
    who do. Writing it and sharing code is one thing; launching it into
    the wild is another thing altogether. Similarly, technical stealth is
    now very easy, so we're left to rely on the social component of a
    coder leaving his mark, showing some arrogance, and perhaps doing some
    public code sharing, that will ultimately do the virus writer in. The
    only way they might be caught is if one of their inner-circle friends
    squeal on them - and then traditional law enforcement steps in, grabs
    all the electronic equipment, and the forensics start. Then once the
    informant is linked to the virus world as well, the blue cloud of
    Microsoft's $250,000 bounty again fades into the mist.
    Virus writers can launch their dubious malcode from just about
    anywhere in the world, a form of cyber-terrorism that cannot be
    stopped. The promiscuity of the Internet is here.
    Kelly Martin is the content editor for SecurityFocus.
    ISN mailing list
    Sponsored by: OSVDB.org

    This archive was generated by hypermail 2b30 : Thu Jun 03 2004 - 02:13:45 PDT