Security Watch

1 Million Compromised Computers?

A recent study on botnets shows that it might be time to call in Will Smith.

Denial of Service
The Honeynet Project released a report titled "Know your Enemy: Tracking Botnets." A honeypot is a machine exposed to the Internet with the intention that attackers break into it. Typically a honeypot presents a convincing target, emulating, for example, Windows XP, while actually running as a guest under a virtual machine product such as VMware or on a different OS such as UNIX, so that the owner can observe every step the attacker takes to compromise the system. A honeynet is a network of such machines, or a single machine that emulates a network of computers, allowing even more observation of attack methods.

According to the study, botnets launched 226 distributed denial-of-service (DDoS) attacks on 99 different targets in the three-month period from November 2004 to January 2005. The report's authors estimate the population of infected computers under the control of bot herders (the people who run the botnets) to be approximately 1 million.

Two analyses of the study said the authors made a mistake by publishing that much detail. They're concerned the bot writers will start using SSL or encrypted tunnels much more for bot control traffic. There have been experiments that used tunneling for communications, but it has never become a standard attack method.

Nothing prevents bot writers from using SSL or encryption, particularly given that Windows includes the CryptoAPI, which provides all the components necessary for solid cryptographic tunneling. The downside for bot writers who consistently use encrypted control channels is that it could make the bots easier for defensive programs to identify: an encrypted session from a workstation to an unfamiliar host on an unusual port is itself an anomaly worth investigating.
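As an added example of the kind of check that point implies (this is not code from the column or from the Honeynet Project's report), the script below looks at the first bytes a client sends on each outbound connection and flags two things: a TLS ClientHello going to a port where TLS is not expected, and an opaque, high-entropy payload on a port that normally carries plain text. The list of "expected TLS ports" and every connection record are constructed assumptions for the demonstration.

```python
"""Heuristic check for encrypted bot control traffic on unexpected ports.
Added example, not from the column or the Honeynet Project's report; the
port list and every connection record below are constructed assumptions."""
import math
from collections import Counter

# Destination ports on which a TLS session is unremarkable (assumption).
EXPECTED_TLS_PORTS = {443, 465, 563, 636, 993, 995}

# Payloads shorter than this give an unreliable entropy estimate.
MIN_ENTROPY_SAMPLE = 64
HIGH_ENTROPY_BITS = 7.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 3,
    minor version 0..3 (SSL 3.0 through the TLS 1.2 record layer), a
    two-byte record length, then handshake type 0x01 (ClientHello)."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] in range(0, 4) and data[5] == 0x01)


def classify(dport: int, payload: bytes):
    """Return a reason string if the client's opening bytes look encrypted
    on a port where encryption is not expected, otherwise None."""
    if dport in EXPECTED_TLS_PORTS:
        return None
    if looks_like_tls_client_hello(payload):
        return "TLS ClientHello on non-TLS port %d" % dport
    if len(payload) >= MIN_ENTROPY_SAMPLE:
        h = shannon_entropy(payload)
        if h >= HIGH_ENTROPY_BITS:
            return "high-entropy (%.2f bits/byte) payload on port %d" % (h, dport)
    return None


def scan(records):
    """records: iterable of (src, dst, dport, first_client_bytes).
    Returns a list of (src, dst, dport, reason) for the flagged connections."""
    hits = []
    for src, dst, dport, payload in records:
        reason = classify(dport, payload)
        if reason:
            hits.append((src, dst, dport, reason))
    return hits


# Constructed sample records (not captured traffic).
CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"   # truncated ClientHello
IRC_LOGIN = b"NICK bot1234\r\nUSER bot1234 0 * :x\r\nJOIN #chan\r\n"
# Stand-in for ciphertext: a permutation of all 256 byte values (8.0 bits/byte).
CIPHERTEXT = bytes((i * 167 + 13) % 256 for i in range(256))

SAMPLE_RECORDS = [
    ("10.0.0.5", "93.184.216.34", 443, CLIENT_HELLO),   # ordinary HTTPS: not flagged
    ("10.0.0.5", "198.51.100.7", 6667, IRC_LOGIN),      # plain-text IRC: not flagged here
    ("10.0.0.9", "198.51.100.7", 6667, CLIENT_HELLO),   # TLS to an IRC port: flagged
    ("10.0.0.9", "203.0.113.2", 8080, CIPHERTEXT),      # opaque blob to 8080: flagged
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit)
```

The plain-text IRC login in the sample passes this check on purpose: the point of the paragraph is that encryption makes the traffic stand out, so this heuristic only catches the encrypted variant. Unencrypted IRC control traffic needs a different rule (for example, matching the NICK/JOIN pattern on a non-IRC port), and the entropy threshold will produce false positives on compressed uploads unless those are allow-listed.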

Trustworthy Computing
Dell, Hewlett-Packard, and IBM have started selling PCs with a hardware-based security device built to the Trusted Computing Group's specifications. The device, the Trusted Platform Module (TPM), is a chip on the motherboard that stores and handles encryption keys and other sensitive information. This is the same concept behind Microsoft's Palladium, now known as the Next-Generation Secure Computing Base (NGSCB). Microsoft is including software to support the devices in its next OS, code-named Longhorn, due out in 2006.

Separating such sensitive information from the rest of the data on a PC is an excellent idea. In the end, though, its viability will depend greatly on the access requirements. If, for example, simply logging on to your computer is enough to open this data vault, then any virus that runs under your account has access to it too. That means it's more likely you'll have to enter a password or some other key each time access to the vault is wanted. And, as any Windows administrator knows, Windows users have historically resisted having to enter passwords frequently.

Three new vulnerabilities were announced in MySQL. Patches are available.

  1. Authenticated users with certain privileges can mount a denial-of-service attack against Windows installations by creating a database named "LPT1" (a reserved Windows device name). It requires one of the following privileges: References, Create temporary files, Grant option, Create or Select.
  2. Insufficient parameter validation in various function calls could crash MaxDB, the SAP-developed database distributed by MySQL AB.
  3. Through CREATE FUNCTION ... SONAME, the statement used to register a user-defined function from a shared library, an authenticated user could make the server load an arbitrary library and execute code in it. Library loading should be restricted to the server's designated directory.
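The first item is a general problem, not a MySQL one: any server that turns a user-supplied identifier into a file or directory name on Windows has to reject the reserved device names. Below is an added example of that check (not MySQL's own code or its patch); it assumes, as the advisory implies, that a database name becomes a directory under the server's data directory. The name list is the standard Windows set; the 64-character limit is MySQL's identifier limit.

```python
"""Guard against identifiers that map to Windows reserved device names.
Added example, not MySQL's own code or the advisory's. Assumption: a
database name becomes a directory name under the server's data directory,
which is how a name like LPT1 turns into a hang on Windows."""
import re
from pathlib import PureWindowsPath

# Reserved DOS device names. Windows resolves them case-insensitively, even
# with an extension ("LPT1.frm") and after stripping trailing spaces/dots.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {"COM%d" % i for i in range(1, 10)}
    | {"LPT%d" % i for i in range(1, 10)}
)

# Characters Windows forbids in a path component, plus ASCII control chars.
_ILLEGAL_CHARS = re.compile(r'[<>:"/\\|?*\x00-\x1f]')

MAX_IDENTIFIER_LEN = 64  # MySQL's identifier length limit


def is_reserved_device_name(name: str) -> bool:
    """True if Windows would treat this path component as a device.
    Only the part before the first dot counts, and trailing spaces and
    dots are ignored, exactly as the OS does it."""
    base = name.rstrip(" .").split(".", 1)[0]
    return base.upper() in RESERVED_DEVICE_NAMES


def validate_database_name(name: str) -> str:
    """Return the name if it is safe to use as a directory name, else raise."""
    if not name or len(name) > MAX_IDENTIFIER_LEN:
        raise ValueError("database name must be 1..%d characters" % MAX_IDENTIFIER_LEN)
    if _ILLEGAL_CHARS.search(name):
        raise ValueError("database name contains a character illegal in a path component")
    if name != name.rstrip(" ."):
        raise ValueError("database name must not end with a space or a dot")
    if is_reserved_device_name(name):
        raise ValueError("database name %r is a reserved Windows device name" % name)
    return name


def database_directory(datadir: str, name: str) -> str:
    """Path the server would create for the database, built only after
    the name has passed validation."""
    return str(PureWindowsPath(datadir) / validate_database_name(name))


if __name__ == "__main__":
    print(database_directory(r"C:\mysql\data", "sales"))
    for candidate in ("LPT1", "lpt1.frm", "COM9 ", "LPT10"):
        print(candidate, "reserved" if is_reserved_device_name(candidate) else "ok")
```

Note that only COM1 through COM9 and LPT1 through LPT9 are reserved, so "LPT10" is an ordinary name, and that the extension rule matters: a file created as "LPT1.frm" or "LPT1.MYD" is every bit as bad as the bare name.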

Malicious Code
Rootkits are getting more attention lately. A rootkit is software that installs itself within an OS in a way that makes it difficult to detect. Typically it does this by intercepting the OS functions that enumerate processes, Registry keys, files and so on, and filtering its own entries out of the results, so that neither the user nor security tools that rely on those functions ever see it. F-Secure recently announced a new rootkit detector, and Microsoft Research has published a paper on its own rootkit detector, Strider GhostBuster, which compares the view of the system obtained through the normal OS APIs with a view obtained at a lower level and reports whatever the two disagree on.
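To make both halves of that paragraph concrete, here is an added example (not code from F-Secure, Microsoft Research or the column) that models a rootkit hooking the process enumeration call and dropping its own entry from the results, then detects it with a cross-view diff: the API view against a view that bypasses the hook. The process table, the pids and the hidden image name are constructed. It also handles the noise the technique is known for: a process that starts between the two scans shows up as a difference, so only pids that come up hidden in every pass are reported.

```python
"""Rootkit hiding by enumeration hooking, and detection by cross-view diff.
Added example, not code from F-Secure, Microsoft Research or the column;
the process table and the hidden name are constructed."""

# Ground truth as the kernel holds it (constructed): pid -> image name.
TRUE_PROCESSES = {
    4: "System",
    612: "winlogon.exe",
    804: "svchost.exe",
    1340: "explorer.exe",
    2212: "hidden_svc.exe",   # the rootkit's own process
}


class HookingRootkit:
    """Stand-in for a rootkit that hooks the OS enumeration API (the call
    behind Task Manager's process list) and drops its own entries from the
    answer before it reaches the caller."""

    def __init__(self, hidden_prefix: str):
        self.hidden_prefix = hidden_prefix.lower()

    def filter(self, entries: dict) -> dict:
        return {pid: name for pid, name in entries.items()
                if not name.lower().startswith(self.hidden_prefix)}


def api_view(truth: dict, hook=None) -> dict:
    """High-level view: what a user-mode tool gets back from the OS API.
    With a hook installed, the rootkit edits the result in flight."""
    return hook.filter(dict(truth)) if hook else dict(truth)


def raw_view(truth: dict) -> dict:
    """Low-level view: read the structure directly, bypassing the hooked API
    (a real detector walks kernel memory, or scans the disk from a clean boot)."""
    return dict(truth)


def cross_view_diff(high: dict, low: dict):
    """Entries only in the low-level view are candidates for being hidden;
    entries only in the high-level view are transient or spoofed."""
    hidden = {pid: low[pid] for pid in low.keys() - high.keys()}
    high_only = {pid: high[pid] for pid in high.keys() - low.keys()}
    return hidden, high_only


def confirm_hidden(scan_passes, hook) -> dict:
    """scan_passes: list of (truth_at_api_scan, truth_at_raw_scan) pairs, one
    per pass. A process that started or exited between the two scans of a
    pass is a difference too, so only pids flagged in every pass are kept;
    a rootkit-hidden process is missing from the API view every time."""
    confirmed = None
    for truth_api, truth_raw in scan_passes:
        hidden, _ = cross_view_diff(api_view(truth_api, hook), raw_view(truth_raw))
        confirmed = set(hidden) if confirmed is None else confirmed & set(hidden)
    last_truth = scan_passes[-1][1]
    return {pid: last_truth[pid] for pid in sorted(confirmed or ())}


# Constructed scenario: notepad.exe starts between the two scans of pass 1.
ROOTKIT = HookingRootkit("hidden_")
LATER = {**TRUE_PROCESSES, 3000: "notepad.exe"}
SCAN_PASSES = [
    (TRUE_PROCESSES, LATER),   # pass 1: transient noise plus the hidden pid
    (LATER, LATER),            # pass 2: system quiet, only the hidden pid
]

if __name__ == "__main__":
    print("single pass:", cross_view_diff(api_view(TRUE_PROCESSES, ROOTKIT), raw_view(LATER))[0])
    print("confirmed:  ", confirm_hidden(SCAN_PASSES, ROOTKIT))
```

The caveat is the one every cross-view tool carries: the diff is only as good as the low-level view. A rootkit that also subverts whatever path the detector uses for that view makes both views agree and the difference vanishes, which is why the GhostBuster paper's outside-the-box variant takes its low-level scan from a clean boot rather than from the running system.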

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
