Security Watch

1 Million Compromised Computers?

A recent study on botnets shows that it might be time to call in Will Smith.

• By Russ Cooper
• 04/04/2005

According to the study, botnets, or botherds as they're sometimes called, launched 226 distributed denial-of-service (DDoS) attacks on 99 different targets in a three-month period from November 2004 to January 2005. The reporters estimate the population of infected computers under the control of the bots to be approximately 1 million.

Two analyses of the study said the authors made a mistake by publishing that amount of detail. They're concerned the bot writers will start using SSL or encrypted tunnels a lot more for bot control traffic. There have been experiments that have used tunneling for communications, but it's never become a standard attack method.

Nothing prevents botherds from using SSL or encryption, particularly given that Windows includes the CryptoAPI, which provides all the components necessary to do good cryptographic tunneling. The downside for bot writers that consistently use encrypted control channels is that it could make the bots more easily identifiable to defensive programs.

Trustworthy Computing
Dell, Hewlett-Packard, and IBM have started selling PCs with a hardware-based security device based on the Trusted Computing Platform's specifications. The device is a chip on the motherboard which provides storage and handling of encryption keys and other secure information. This is the same concept behind Microsoft's Palladium, now known as the Next-Generation Secure Computing Base (NGSCB). Microsoft is including software to support the devices in its next OS, code-named Longhorn, due out in 2006.

Separating such sensitive information from the rest of the information on a PC is an excellent idea. In the end, though, its viability will depend greatly on access requirements. If, for example, you simply have to log on to your computer to open this data vault, then any virus that runs on the system would have access to it. That means it's more likely that you'll have to enter a password or some other key each time access to the vault is desired. And, as any Windows administrator knows, Windows users have been historically against the idea of having to frequently enter passwords.

Hacking
Three new vulnerabilities were announced in MySQL. Patches are available.

1. Authenticated users with certain privileges can create a denial-of-service attack by using the database named "LPT1" under Windows installations. It would require one of the following privileges: References, Create temporary files, Grant option, Create or Select.
2. Invalid parameter validation on various function calls could bring down MaxDB, a MySQL SAP add-on.
3. Via the Create function, it's possible to inject code to be executed or cause a library to be loaded and subsequently called or executed. The Create function should only be able to create databases.

Malicious Code
RootKits are getting more attention lately. A RootKit is software that installs itself within an OS in a way that makes it more difficult to detect. Typically detection is made more difficult because the RootKit intercepts attempts by the OS to detect it, preventing it from being seen in process lists, the Registry, the file system and so on. F-Secure recently announced a new RootKit detector, and Microsoft Research has published a paper on its own RootKit detector called Strider Ghostbuster.