Security Watch
1 Million Compromised Computers?
A recent study on botnets shows that it might be time to call in Will Smith.
Denial of Service
The Honeynet Project released a report titled "Know Your Enemy: Tracking Botnets." A honeypot is a machine exposed to the Internet with the intention that hackers break into it. Typically, honeypots run pseudo operating systems, emulating, for example, Windows XP. In reality, though, they're running another OS such as VMware or UNIX. This allows the owner to observe the actions the hacker takes to compromise the system. A honeynet is a group of such machines, or a single machine that emulates a network of computers, allowing even more observation of attack methods.
According to the study, botnets, or botherds as they're sometimes called, launched 226 distributed denial-of-service (DDoS) attacks on 99 different targets in a three-month period from November 2004 to January 2005. The report's authors estimate the population of infected computers under the control of the bots to be approximately 1 million.
Two analyses of the study said the authors made a mistake by publishing that
amount of detail. They're concerned the bot writers will start using SSL or
encrypted tunnels a lot more for bot control traffic. There have been experiments
that have used tunneling for communications, but it's never become a standard
attack method.
Nothing prevents botherds from using SSL or encryption, particularly given
that Windows includes the CryptoAPI, which provides
all the components necessary to do good cryptographic tunneling. The downside
for bot writers that consistently use encrypted control channels is that it
could make the bots more easily identifiable to defensive programs.
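The column's point is that an always-encrypted control channel is itself a signal a defender can look for. The following is an added example, not code from the report or from the column's author: it runs two simple indicators over constructed connection records (the field layout, the port baseline and the thresholds are my assumptions), flagging hosts that use TLS on ports where a desktop would not normally negotiate it, and hosts that reconnect to one encrypted endpoint on a near-constant schedule.

```python
"""Flag hosts whose outbound encrypted traffic looks like bot control traffic.

Added example. Connection records are constructed, not captured; the field
names, the port baseline and the thresholds are assumptions for illustration.
"""
from collections import defaultdict

# Ports where a desktop is normally expected to speak TLS/SSL. Encrypted
# traffic to any other port is worth a second look (assumed small baseline).
EXPECTED_TLS_PORTS = {443, 465, 587, 993, 995}

# Constructed records: (src_host, dst_ip, dst_port, is_tls, start_minute)
FLOWS = [
    ("pc-01", "203.0.113.10", 443, True, 1),
    ("pc-01", "203.0.113.11", 443, True, 7),
    ("pc-02", "198.51.100.5", 6667, True, 0),   # encrypted IRC-style channel
    ("pc-02", "198.51.100.5", 6667, True, 10),
    ("pc-02", "198.51.100.5", 6667, True, 20),
    ("pc-02", "198.51.100.5", 6667, True, 30),
    ("pc-03", "192.0.2.77", 8443, True, 3),
    ("pc-03", "203.0.113.10", 443, True, 5),
    ("pc-04", "203.0.113.12", 80, False, 2),
]


def tls_on_unexpected_ports(flows):
    """Return {host: set(dst_port)} for TLS flows on ports outside the baseline."""
    hits = defaultdict(set)
    for src, _dst, port, is_tls, _t in flows:
        if is_tls and port not in EXPECTED_TLS_PORTS:
            hits[src].add(port)
    return dict(hits)


def regular_beacons(flows, min_count=4, tolerance=1):
    """Return {host: (dst, port, interval_minutes)} for hosts that reconnect to
    the same encrypted endpoint at a near-constant interval. A fixed-period
    check-in is the 'ask the controller for orders' pattern; tolerance is the
    allowed jitter in minutes between the longest and shortest gap."""
    by_endpoint = defaultdict(list)
    for src, dst, port, is_tls, t in flows:
        if is_tls:
            by_endpoint[(src, dst, port)].append(t)
    found = {}
    for (src, dst, port), times in by_endpoint.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance:
            found[src] = (dst, port, round(sum(gaps) / len(gaps)))
    return found


def suspicious_hosts(flows):
    """Union of both indicators, so an analyst gets one list to triage."""
    return sorted(set(tls_on_unexpected_ports(flows)) | set(regular_beacons(flows)))


if __name__ == "__main__":
    print("TLS on unexpected ports:", tls_on_unexpected_ports(FLOWS))
    print("Regular beacons:", regular_beacons(FLOWS))
    print("Triage list:", suspicious_hosts(FLOWS))
```

Neither indicator proves infection on its own (an administrator's SSH session or a monitoring agent can trip both), which is why the two are combined into a triage list rather than an alert; the value of the approach is exactly what the column describes: once bots consistently encrypt, the encryption itself narrows the haystack.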
Trustworthy Computing
Dell, Hewlett-Packard, and IBM have started selling PCs with a hardware-based
security device based on the Trusted Computing Platform's
specifications. The device is a chip on the motherboard which provides storage
and handling of encryption keys and other secure information. This is the same
concept behind Microsoft's Palladium, now known as the Next-Generation
Secure Computing Base (NGSCB). Microsoft is including software to support
the devices in its next OS, code-named Longhorn, due out in 2006.
Separating such sensitive information from the rest of the information on a PC is an excellent idea. In the end, though, its viability will depend greatly on access requirements. If, for example, you simply have to log on to your computer to open this data vault, then any virus that runs on the system would have access to it. That means it's more likely that you'll have to enter a password or some other key each time you want to open the vault. And, as any Windows administrator knows, Windows users have historically been against the idea of having to frequently enter passwords.
Hacking
Three new vulnerabilities were announced in MySQL.
Patches are available.
- Authenticated users with certain privileges can cause a denial of service by using the database name "LPT1" under Windows installations. It requires one of the following privileges: References, Create temporary files, Grant option, Create or Select.
- Insufficient validation of parameters on various function calls could bring down MaxDB, a MySQL SAP add-on.
- Via the Create function, it's possible to inject code to be executed, or to cause a library to be loaded and subsequently called or executed. The Create function should only be able to create databases.
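The "LPT1" item above works because Windows treats LPT1, CON, PRN, AUX, NUL, COM1 through COM9 and LPT1 through LPT9 as device names, so a server that maps a database to a directory of that name ends up talking to a device rather than a file. The check below is an added example, not MySQL's own code or fix: it is the kind of name validation a server or application layer can apply before a user-supplied name ever reaches the file system. The allowed character set and length limit are my assumptions.

```python
"""Reject object names that collide with Windows reserved device names.

Added example, not from MySQL. Windows also ignores case and, historically,
anything after a dot when matching device names ("LPT1.db" still resolves to
the printer port), so the check normalises the same way.
"""
import re

RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Assumed policy: identifiers are ASCII letters, digits and underscore, 1-64 chars.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def is_reserved_device_name(name):
    """True if name (case-insensitive, extension stripped) is a Windows device name."""
    base = name.split(".", 1)[0].rstrip(" ")
    return base.upper() in RESERVED


def validate_db_name(name):
    """Return the name if it is safe to use as a directory name; raise otherwise.

    The character-set check runs first so that names like "LPT1.db" never pass
    the regular expression at all; the device-name check then catches the
    bare "LPT1" form, in any letter case, that the MySQL report describes.
    """
    if not _SAFE_NAME.match(name):
        raise ValueError(f"invalid characters or length in database name {name!r}")
    if is_reserved_device_name(name):
        raise ValueError(f"{name!r} is a reserved Windows device name")
    return name


if __name__ == "__main__":
    for candidate in ("sales_2005", "lpt1", "Com7", "lpt10", "CON.txt"):
        try:
            print(candidate, "->", validate_db_name(candidate))
        except ValueError as err:
            print(candidate, "->", err)
```

Applying the check on every platform, not only on Windows builds, avoids a database created on a UNIX server becoming unusable when replicated to a Windows one.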
Malicious Code
RootKits are getting more attention lately. A RootKit is software that installs itself within an OS in a way that makes it more difficult to detect. Typically, detection is made more difficult because the RootKit intercepts attempts by the OS to detect it, preventing it from being seen in process lists, the Registry, the file system and so on. F-Secure recently announced a new RootKit detector, and Microsoft Research has published a paper on its own RootKit detector called Strider Ghostbuster.
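A RootKit that intercepts the OS's own queries can lie to the high-level API, but it cannot easily lie to an independent enumeration taken below it (raw on-disk structures, a kernel-level scan, or a listing taken after booting from clean media). Comparing the two listings and treating anything present only in the low-level view as hidden is the "cross-view difference" idea that the Microsoft Research paper builds on. The code below is an added example, not code from F-Secure or from Strider Ghostbuster: both views are constructed dictionaries, and the second raw scan shows the standard trick for filtering out processes that merely started or exited between the API call and the raw scan.

```python
"""Cross-view difference for spotting interception-based RootKits.

Added example. The 'API view' stands for what a possibly filtered OS call
returns; the 'raw view' stands for an independent low-level enumeration.
All entries are constructed sample data, not observations from a real system.
"""


def cross_view_diff(api_view, raw_view):
    """Return entries present in the raw view but missing from the API view,
    per category. Such gaps are the signature of something filtering the API."""
    hidden = {}
    for category, truth in raw_view.items():
        reported = api_view.get(category, set())
        missing = set(truth) - set(reported)
        if missing:
            hidden[category] = sorted(missing)
    return hidden


def persistent_hidden(api_view, raw_view_a, raw_view_b):
    """Keep only gaps seen in two independent raw scans. A process or temp file
    that appears in one raw scan and not in the API view may simply have come
    and gone between the calls; an entry hidden in both scans is the real find."""
    first = cross_view_diff(api_view, raw_view_a)
    second = cross_view_diff(api_view, raw_view_b)
    confirmed = {}
    for category in first.keys() & second.keys():
        common = sorted(set(first[category]) & set(second[category]))
        if common:
            confirmed[category] = common
    return confirmed


# Constructed views. "sample_hidden" names stand in for whatever the RootKit
# is concealing; "notepad.exe" models a process that exited between scans.
API_VIEW = {
    "processes": {"explorer.exe", "svchost.exe", "winlogon.exe"},
    "files": {r"C:\Windows\System32\ntdll.dll"},
    "registry_run_keys": {"Run\\ctfmon"},
}
RAW_VIEW_1 = {
    "processes": {"explorer.exe", "svchost.exe", "winlogon.exe",
                  "sample_hidden.exe", "notepad.exe"},
    "files": {r"C:\Windows\System32\ntdll.dll",
              r"C:\Windows\System32\drivers\sample_hidden.sys"},
    "registry_run_keys": {"Run\\ctfmon", "Run\\sample_hidden"},
}
RAW_VIEW_2 = {
    "processes": {"explorer.exe", "svchost.exe", "winlogon.exe",
                  "sample_hidden.exe"},
    "files": {r"C:\Windows\System32\ntdll.dll",
              r"C:\Windows\System32\drivers\sample_hidden.sys"},
    "registry_run_keys": {"Run\\ctfmon", "Run\\sample_hidden"},
}


if __name__ == "__main__":
    print("single scan:", cross_view_diff(API_VIEW, RAW_VIEW_1))
    print("confirmed  :", persistent_hidden(API_VIEW, RAW_VIEW_1, RAW_VIEW_2))
```

The approach finds hiding, not the RootKit's identity: a confirmed gap tells an investigator that a listing is being filtered and where to look, after which the machine should be examined from clean media rather than trusted to report on itself.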
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.