Re: backdoor

From: Kyle R. Hofmann (krhat_private)
Date: Mon Jun 24 2002 - 01:17:50 PDT


    On Sun, 23 Jun 2002 13:06:49 -0700, Jonas M Luster wrote:
    > Quoting Hugo van der Kooij (hvdkooijat_private):
    > 
    > > > hi, My box was compromised, and i cant rm a binary
    > > > that listens over tcp, i need help support, watch:
    > > 
    > > S.O.P. (Standard Operating Procedures) describe that a compromised box 
    > > should be considered lost and be installed from scratch.
    > 
    > S.O.P: Someone broke into my house and stole my TV. Let's just go
    > ahead and level the whole building and build a new one. S.O.P in this
    > case stands for Severely Overreacting Professional.
    
    This is a poor analogy.  A compromised building is very different from a
    compromised computer.
    
    For example, suppose that a cracker and a burglar both want to rootkit
    something they have compromised.  In the cracker's case, it's a computer
    system, and in the burglar's case, it's an apartment building.
    
    The cracker's first step is to download a rootkit from a prepared location,
    untar it, and run an installation script.  The equivalent step for the burglar
    is to bring a huge box of tools and gadgets with him and install them all as
    he goes.  The box can weigh up to five thousand pounds and can carry anything
    smaller than a truck.  Each gadget takes ten milliseconds to install,
    regardless of its physical location, and he already knows in advance where
    and how to install them.  Each gadget can also replace or disguise itself as
    any feature of the apartment building that you'd recognize, and, if the
    burglar's friends are good craftsmen, you will not be able to tell the
    difference.  If the burglar has a gadget that cannot be disguised as part of
    the apartment complex, he creates a room and puts it there.  You will not be
    able to see this room, because while you slept the burglar has broken into
    your bedroom and replaced your eyes.  If the burglar is no good, you will be
    able to find this room by licking the walls.  If he is very good, he will
    have replaced your tongue, too, along with your fingers, nose, and ears.  The
    burglar will also install a door in the building which, if one has the right
    key, will let you into the manager's office.  The inside of this door is
    invisible, but once you leave the premises it stands out because nobody ever
    paints their doors that color.
    
    The cracker's second step is to secure the service that he entered by, so that
    other crackers cannot break in the same way, often by disabling the service
    or upgrading to a patched version.  The burglar, having broken down a door
    but not having left any trace, will either have carried a new door with him
    in his box of tools, which he will use to replace the old door, or he will
    destroy the old door, causing a ten meter thick wall of concrete to spring
    up in its place.  Passers-by may notice the change from a door to solid
    concrete.  They may even notice the replacement of the door, though this is
    less likely because the burglar is careful to use a door from the same
    manufacturer as the old door.  In either case, they may attempt to ask the
    manager of the apartment complex why the old door is gone, but he will not
    hear them, because the burglar has replaced his ears.  They may instead hear
    the burglar himself speaking, because the manager's new ears direct everything
    they hear to the burglar first.  The burglar will tell them that nothing is
    wrong, and because the burglar is also a master disguise artist, he will be
    indistinguishable from the manager.
    
    The cracker's third step is to use the system he has taken over as a base
    from which to take over more systems.  He often hops through many systems in
    an attempt to disguise his trail.  Similarly, the burglar will enter the back
    door of one apartment building, then walk to another building, enter its back
    door, walk to another, etc.  The burglar will often walk through a door or
    two in East Asia, because none of the door manufacturers write their
    instructions in East Asian languages, and consequently East Asian apartment
    managers do not know how to lock their doors.
    
    If the cracker is ever caught, he will attempt to remove all the evidence
    that leads back to him.  In a similar manner, if the burglar is ever caught,
    he will raze the building.
    
    Obviously I'm stretching this analogy much too far.  It's a pretty good one,
    but where it really breaks down are rootkits and the purpose of the invader.
    There is no realistic physical equivalent to a rootkit.  A perfect rootkit
    is completely undetectable and nearly instantaneous to install, both of which
    are physical impossibilities.  While I don't think there are yet perfect
    rootkits out there, there are very good ones, and I wouldn't ever be so
    certain of my own analysis of any system that I thought I had found everything
    that might be there.
    
    Furthermore, a burglary is usually a one time event: A burglar decides upon
    a location, invades it, takes what he can, and leaves.  He does not usually
    come back night after night.  A successful computer intrusion, however, allows
    the cracker to pass through the system at will (which is more useful for him
    than it would be for the burglar), and allows him to set up DDoS zombies,
    autorooters, IRC clients and servers, and so on.  The cracked system provides
    him with resources just because it is there.
    
    Taken together, the use of rootkits and the resources that a cracked system
    provides makes it imperative that any cracked system be rebuilt from scratch
    before it is put back into production use.  Of course, it need not be put
    back into production use immediately--with a proper router configuration and
    a packet sniffer, you may be able to use it to track the cracker's movements,
    and the information from a proper forensic analysis can be invaluable.  At
    the very least you need to figure out how you were invaded so that you don't
    make the same mistake next time.  You probably want to back up your personal
    data, too.  But eventually the system must be rebuilt from scratch--nothing
    else is safe, and I wouldn't want to risk leaving any part of the cracker's
    rootkit or back door behind.
    
    (I should say, though, that I like your "What to do if your system appears
    compromised" list.  My only quibble is that I would say "reinstall your
    system" where you say "restore your system", just to make sure.)
    
    -- 
    Kyle R. Hofmann <krhat_private>
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
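
The post's "replaced your eyes" point, as an added example that is not code from the original poster: a userland rootkit trojans netstat and ps so that the backdoor listener is filtered out of their output, but it cannot edit /proc/net/tcp, which the kernel generates on every read. The script below parses a /proc/net/tcp dump and a `netstat -tln` listing and reports listeners the kernel knows about that the tool left out. The two sample dumps are constructed for this example and follow the real formats; the 0x0A LISTEN state and the little-endian address encoding are the standard Linux ones. A kernel-level rootkit can lie inside /proc as well (the burglar who also replaced your tongue, fingers, nose and ears), so this is triage for finding the hidden listener, not proof of a clean box, which is exactly the post's case for rebuilding.

```python
"""Check the kernel's own view of listening sockets against what a possibly
trojaned netstat reports.

Added example for this thread, not code from the original poster.  The
sample dumps below are constructed and follow the real /proc/net/tcp and
`netstat -tln` layouts.
"""
import socket
import struct

TCP_LISTEN = 0x0A  # value of the `st` column in /proc/net/tcp for LISTEN

# Constructed /proc/net/tcp: sshd on 22, an unexplained listener on 31337,
# and one established client connection (state 01) that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0000000000000000 100 0 0 10 0
   2: 0100007F:8F3C 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 9012 1 0000000000000000 20 4 30 10 -1
"""

# Constructed output of a trojaned `netstat -tln`: port 31337 has been filtered out.
SAMPLE_NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""


def parse_proc_net_tcp(text):
    """Return [(ip, port, inode)] for every LISTEN socket in a /proc/net/tcp dump.

    local_address is hex "AAAAAAAA:PPPP"; the IPv4 part is the address in host
    byte order, so 0100007F is 127.0.0.1 (assumes a little-endian host).
    """
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with the slot number and a colon ("0:"); skip the header.
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue
        addr_hex, port_hex = fields[1].split(":")
        if int(fields[3], 16) != TCP_LISTEN:
            continue
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        listeners.append((ip, int(port_hex, 16), int(fields[9])))
    return listeners


def parse_netstat_listen(text):
    """Return the set of local TCP ports a `netstat -tln`-style listing shows as LISTEN."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def hidden_listeners(proc_text, netstat_text):
    """Listening sockets the kernel reports that the userland tool left out."""
    reported = parse_netstat_listen(netstat_text)
    return [entry for entry in parse_proc_net_tcp(proc_text) if entry[1] not in reported]


if __name__ == "__main__":
    # With the constructed samples this reports the listener on port 31337.
    # On a live Linux box, feed it open("/proc/net/tcp").read() and the captured
    # output of `netstat -tln` instead; the socket inode can then be matched
    # against the /proc/<pid>/fd links to find the owning process.
    for ip, port, inode in hidden_listeners(SAMPLE_PROC_NET_TCP, SAMPLE_NETSTAT_OUTPUT):
        print(f"hidden listener {ip}:{port} (socket inode {inode})")
```

Run it from a known-good shell or a rescue medium, not through the compromised host's own python and netstat if you can avoid it, since those may be among the replaced "eyes". The same comparison works for processes (directory names under /proc versus `ps` output) and is the idea behind the unhide class of tools; whatever it finds, the post's conclusion stands, because a clean negative from inside the box proves nothing.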
    



    This archive was generated by hypermail 2b30 : Mon Jun 24 2002 - 18:50:39 PDT