… the most sophisticated attackers make their malicious programs able to recognise …

Tracking down hi-tech crime

By Mark Ward
Technology Correspondent, BBC News website

Simply putting a PC online invites lots of attacks

If every hour a burglar turned up at your house and rattled the locks on the doors and windows to see if he could get in, you might consider moving to a safer neighbourhood.

And while that may not be happening to your home, it probably is happening to any PC you connect to the net.

An investigation by the BBC News website has established the scale of the dangers facing the average net user.

Using a computer acting as a so-called honeypot the BBC has been regularly logging how many potential net-borne attacks hit the average Windows PC every day.

Attack traffic

Honeypots are forensic tools that have become indispensable to computer security experts monitoring online crime. They are used to gather statistics about popular attacks, to grab copies of malicious programs that carry out the attacks and to get a detailed understanding of how these attacks work.

To the malicious programs scouring the web these honeypots look like any other PC. But in the background the machines use a variety of forensic tools to log what happens to them.

Perhaps one indicator of how useful these tools have become is seen in the fact that the most sophisticated attackers make their malicious programs able to recognise when they have trespassed on a honeypot.

The BBC honeypot was a standard PC running Windows XP Pro that was made as secure as possible. This ran a software program called VMWare which allows it to host another guest operating system. Via VMWare we installed an unprotected version of Windows XP Home configured like any domestic PC.

36 warnings that pop-up via Windows Messenger
11 separate visits by Blaster worm
3 separate attacks by Slammer worm
1 attack aimed at Microsoft IIS Server
2-3 "port scans" seeking weak spots in Windows software

This guest machine, once armed with some forensic software, became the honeypot.

When we put this machine online it was, on average, hit by a potential security assault every 15 minutes. None of these attacks were solicited, merely putting the machine online was enough to attract them. The fastest an attack struck was mere seconds and it was never longer than 15 minutes before the honeypot logged an attempt to subvert it.

The majority of these incidents were merely nuisances. Many were announcements for fake security products that use vulnerabilities in Windows Messenger to make their messages pop-up. Others were made to look like security warnings to trick people into downloading the bogus file.

Serious trouble

However, at least once an hour, on average, the BBC honeypot was hit by an attack that would leave an unprotected machine unusable or turn it into a platform for attacking other PCs.

Many of these attacks were by worms such as SQL.Slammer and MS.Blaster both of which first appeared in 2003.

If the BBC had let them take over the machine rather than simply logging their visit the PC would have been crippled. The bugs swamp net connections as they search for fresh victims and make host machines unstable and prone to crashing.

They have not been wiped out because they scan the net so thoroughly that they can always find another vulnerable machine to leap to and use as a host while they search for new places to visit.

Many of these worms were launched from different PCs on the network of a French home net service firm but others were from machines as far away as China.

There were also many attempts to probe the BBC honeypot to see how vulnerable the machine was. Hijacked machines in Brazil as well as at the Indiana offices of a public accounting and consulting firm carried out "port scans" on the BBC honeypot to see if it could get a response that would reveal how vulnerable it was.

Via the honeypot we could see these machines sending test data in sequence to the ports, or virtual doors to the net, that the PC had open.

Windows is the favourite target of malicious and criminal hackers

More rarely, once a day on average, came net attacks that tried to subvert the honeypot to put it under the control of a malicious hacker.

Again these attacks came from all over the world – many clearly from hijacked machines. The BBC honeypot was attacked by a PC at a Chinese aid organisation, a server in Taiwan and many machines in Latin America.

Via the forensic tools installed on the honeypot we could see the booby-trapped data packets these bugs were trying to make our target machine digest.

By using carefully crafted packets of data, attackers hope to make the PC run commands that hand control of it to someone else.

Via this route many malicious hackers recruit machines for use in what is known as a botnet. This is simply a large number of hijacked machines under the remote control of a malicious hacker.

Botnets are popular with hi-tech criminals because they can be put to so many different uses. The slaves or bots in a botnet can be used to send out spam or phishing e-mails.

They can become the seeding network for a new virus outbreak or act as a distributed data storage system for all kinds of illegal data. Spammers, phishing gangs and others often rent a botnet to use for their own ends.

Often once a machine has fallen under someone else’s control, a keylogger will be installed to capture information about everything that the real owner does – such as login to their online bank account.

This stolen information is often sold as few of those that steal it have the criminal connections to launder stolen cash.

On Tuesday we recount what happened when we let the BBC honeypot get infected with spyware, adware, viruses and other malicious programs.

This entry was posted in News and politics. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s