Security Watch
OpenSSL Still Wide Open to BOF
Plus: Check Point BOF; zombies and botnets; and rootkits
OpenSSL was patched in September 2006 for a buffer overflow vulnerability
in the SSL_get_shared_ciphers() function. That patch, however, did not
completely resolve the issue: an announcement recently went out stating
that it is still possible to overflow a buffer in that function. Patches
have been released.
It took almost a year to get the majority of products that use the OpenSSL
library to issue patches for the 2006 problem, so expect it to take a
similar amount of time for this one.
Check Point Lets 'Em Through
A proof of concept exploit has been released which is alleged to run at
the local console of a Check Point Firewall-1 R60 system. A
SecurityFocus article points to researchers who have published a paper
discussing their findings, which they claim include many buffer overflow
vulnerabilities exploitable at the local console. There has yet to be
any response from Check Point.
At this point, to be exploitable, a criminal must be able to run code
on the Check Point system. Such access should be restricted to trusted
users only, individuals who would likely have permission to execute code
of their choice on the platform anyway.
Throw the Book at Bot Herders
The Central Valley Business Times of Sacramento reports
on a 21-year-old California man who was indicted on four counts of electronic
transmission of codes to cause damage to protected computers. He's alleged
to have controlled some 7,000 bots in a botnet and used them to conduct
Denial of Service attacks against two businesses.
Let's hope we see more and more of these indictments. There has
been a severe lack of prosecutions against bot herders.
Meanwhile, F-Secure's Mika Stahlberg believes that bot herders are
breaking their big botnets down into smaller chunks in order to help avoid
detection and shutdown, according to this article at News.com. Stahlberg
also believes that virus-writing criminals have stopped trying to make
technically sophisticated malware, and instead are simply pushing out
myriad variants in an attempt to thwart anti-virus technology.
As far as variants go, there's little doubt that 10,000 unique pieces
of malware a day will do some damage to AV companies' attempts to thwart
malware.
As far as botnets go, smaller botnets certainly mean the criminal is
likely to keep some of them longer, just the way numerous variants of
malware work. As for why -- beyond the obvious, that they don't want
to lose their money-making machines -- speculation about other motives runs
the gamut. At some point, however, this strategy is likely to fail for
the criminals. They are either going to need too many people to control
the botnets to keep them quiet, or they're going to have to automate
control of them, leading once again to some single point of command and
control that could be detected.
This column was originally published in our weekly Security Watch newsletter.
Rootkits on the Virtual Frontier?
According to researchers from Carnegie Mellon University, Stanford University,
VMware and UBC/XenSource, "building a transparent VMM is fundamentally
infeasible," and, "we believe the potential for preventing VMM
detection under close scrutiny is illusory -- and fundamentally in conflict
with the technical limitations of virtualized platforms." They have
published a joint paper, "Compatibility is Not Transparency: VMM
Detection Myths and Realities" (PDF), that provides reasons why and some
insights into how to detect stealthy virtual machine monitors or hypervisors.
The authors reasonably point out that malware criminals are eventually
going to either pass up a large percentage of potential victims by refusing
to run on VM platforms, or run regardless. Ergo, while it will likely
remain a constant topic of conversation, the creation of a VMM that can
completely hide itself is neither useful nor practical.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.