Malware "best practices"

Chris Brenton cbrenton at chrisbrenton.org
Wed Jul 26 17:22:00 EDT 2006


On Wed, 2006-07-26 at 14:34 -0400, Ben Scott wrote:
>
> > Mass infections are soooo 1990s.
> 
>   I wish.  Recall that SQL Slammer hit in 2003, and severely impacted
> the whole Internet. 

Agreed, but the cost was distributed. I think you would be hard-pressed
to find anyone who went out of business solely because of Slammer. Due
to modern spear virus attacks I've seen:

* R&D documentation worth multi-millions stolen and ending up at a
competitor.
* Personal client information stolen and then the company blackmailed into
paying up to keep it from being released.
* Sensitive government information extracted by hostile nations.

There's been more, but you get the idea. This stuff is nasty.

So the old AV model was to mass infect as many people as possible and
brag to your friends. Sure we are still seeing that today, but it's
mostly kiddies with more ego than skills. The cost of recovery from
these attacks is relatively minimal.

The modern AV model is to leverage virus writing skills as a business
solution. These folks make good money by attacking networks and either
blackmailing the target or selling what they've extracted. Sometimes it's
work for hire and sometimes it appears to be freelance. Either way the
cost of recovery from one of these attacks can be much higher, and I
have in fact seen folks go under.

>   *Very* interesting.  Can you speak more on this, or give pointers to
> published info? 

There have been a number of variations, just to point out a few:
http://www.niscc.gov.uk/niscc/docs/ttea.pdf

The DoD was hit with a spear phishing attack about 6 months back that
claimed to be a heads up on a new Windows vulnerability. The download
was actually a call home Trojan to which no AV vendor had a signature.

There's also a story on how Israel was penetrated and nuclear secrets
were stolen. The story was released about a year ago. Same MO, a custom
virus was used. They actually caught the perps of this one and it turned
out to be a private eye firm.

This is also going on in industry but it's kept pretty quiet. Seems only
the government stuff makes a big splash. Corporate espionage takes a
back seat to possible terrorism.

>   That is like just a reflection of overall deployment percentages.
> If we're talking targeted attacks, there is certainly nothing
> preventing anyone from targeting nix.  And Lord knows nix isn't immune
> to buffer overflows and other stupid mistakes.

I have a theory on this...

About 8 years ago I was working at a consulting company as a perimeter
security guy. Big part of my job was auditing firewall configs. I
started noticing that folks running FW-1 tended to have enough holes to
drive a truck through while folks running Gauntlet and PIX were
relatively secure. Didn't take long for the lightbulb to go on as to
why. FW-1 has a simple point and click GUI that made it trivial to pass
traffic. At the time the other two did not. They required a higher level
of skill just to get them working that seemed to translate into a higher
knowledge of securing the perimeter. In other words, if you did not know
what you were doing you would not be able to get a functioning policy in
place.

In the Windows/Linux realm it seems to be much the same. A majority (not
all) of the folks running Linux have a clue about what goes on under the
hood, while the majority (not all) of Windows users do not. So it's not
just deployment numbers, it's overall skill set as well.

HTH,
Chris