Stopping Bots at Their Weakest Point

Carl Weinschenk

Carl Weinschenk spoke with Roger Thompson, CTO, Exploit Prevention Labs. In early September, the company released the latest edition of the Exploit Prevalence Survey. The report covered July and August.


Weinschenk: What did you find in the report?
Thompson: Most of the action is Web-based. When you start a browser, you punch a hole right through the firewall. Firewalls do a good job of keeping bots or worms out, but if you visit a Web site with hostile intent, code can find its way to the desktop. What we are seeing these days is everyone wants to build the next MySpace or YouTube. Tools like Ajax essentially allow a mix of code and data. So [bad things] keep finding their way in. In fact, we're thinking of renaming "HTTP" "GFBP," for Generic Firewall Bypass. What I believe is happening is that there are two broad forces at work. One is Chinese state-sponsored stuff, which is really quite dangerous but that you don't see that much. It is very directed, usually at the government. The second thing is that there is a general move toward writing exploits by Chinese college kids, basically. Their prime interest seems to be stealing World of Warcraft passwords. We see the stuff coming in from China. You can tell from the coding style [that it is from] Chinese gangs as opposed to Russian gangs, which is the other big force. The Russians are the customer for Mpack, IcePack, WebAttacker, Neosploit. Their Web pages always are in Russian and many of the most egregious server networks are Russian.


Weinschenk: Is the dynamic changing among all these hackers and crackers?
Thompson: What happens is every couple of months things shift around a little bit. By and large, it's just the marketing efforts of this group or that group. In the last couple of months, the prevalent trend is social engineering attacks. You go to some Web site that you think is showing a video of Britney or Paris and it says that your media player can't play the video and you have to install a codec to view it. It says, "click here to install the codec" and, if you do, comes up with a EULA [end user licensing agreement]. You install it and don't see video and try it again and still don't. You give up and uninstall, but it generally leaves behind a rootkit. That's a protected backdoor, so they essentially own you. There is nothing particularly momentous about it. This just reflects the activities of gangs with that MO. They have been pushing hard for the last couple of months. I don't think there are new general trends. They are making money and don't need to change anything they are doing.


Weinschenk: What about Storm?
Thompson: Storm is another factor. It is big, not terribly new, and certainly aggressive. It very well could be getting bigger. I am not sure anyone has a good way to tell. What I can say is that every week they are bringing out a new type of lure, and the lures are increasingly sophisticated. A current e-mail says, "Come and get these games from here." When you go there, there is quite a professional-looking page, animated .gifs, lots of content. Actually, they are throwing exploits at the same time. If you are unpatched, it gets on your system and you become part of a botnet. They are trying to do drive-bys while you are looking at the page. They also say, "click here to download," and you will get infected if you are unwise enough to do that. The only limiting factor on the botnet is if they have too many machines. It would be hard to control them all.


Weinschenk: From some reports, it's almost like Storm is acting like a giant supercomputer. Some observers have made the comparison.
Thompson: It certainly has the potential to be that. It is [however] simply hard to control a massive amount of computers. I think it's a worry. What they are interested in is making money. What they are doing is sending spam and probably selling services to other people. I'm not sure how bad it might get. I don't know just what they are capable of. I think we are at war for the Internet. Eventually, the criminals may be able to control it or a portion of it. I think they are getting more sophisticated, more organized, and are certainly getting bolder. There are places like the Russian Business Network. An awful lot of devious activity comes from there, let's put it that way.


Weinschenk: What can people do to protect themselves?
Thompson: I'm not sure I know that there is an easy answer. The Internet was built to be open and trust-driven and there are people who want to misuse that. There are things for an IT person to do. They've got to keep their systems patched and antivirus software up to date. These days, they need an extra layer, something like we produce, an anti-exploit system. The reason is the exploits are hard to modify so you [can improve security by using] a signature that identifies and eliminates a specific exploit. With Storm, the number of nodes that might be part of a network is potentially infinite. So there is no possibility of blocking them all. The number of payloads it is capable of delivering is potentially limitless. In fact, at one point, they were uploading new versions of Storm every minute.


Weinschenk: So what does an anti-exploit approach focus on?
Thompson: Even though the number of servers Storm uses is infinite, it uses the same JavaScript to try to take advantage of these exploits every time. Good security is done in layers. You should keep as many in place as you can. Antivirus is one layer, keeping patched is another. Because the world has changed so much and the Web is a battleground, I think people need an anti-exploit layer as well. An anti-exploit package doesn't care what the payload is. We are looking at the exploit that they are trying to use to deliver the payload. The Storm bot itself is the payload, and they are actually changing the Storm bot as often as every minute. But they keep using the same JavaScript to try to deliver that payload and that's what we look for.


Weinschenk: Won't they just start changing the exploit?
Thompson: They will try eventually, but it's not that easy because the exploits have to be done just so. It's easy to change the payload. You just need to repackage it. But it's not so easy to change the exploit. [The party mounting a specific attack] probably didn't create the exploit. The level of skill to create the exploit is greater than the level of skill to copy it. There aren't that many new exploits created, and as soon as they do we identify and send out a new signature. This is a great place to nip this stuff in the bud.
