Are Hackers Going Beyond Zero-Day Attacks?
eSecurityPlanet Columnist Ken van Wyk was surprised by the sophistication of a recent phishing attack. Will hackers soon be moving beyond zero-day attacks into 'neg-day' attacks?
And that lies not so much in the forged emails and websites we've come to associate with phishing attacks, but in the Trojan horse software they're planting on unprotected PCs that are used to wander into these sites or open their emails.
Sure, we've been hearing about Trojan horse software for years, but rest assured the stuff that's coming from the phishing crowd takes these attacks to an unprecedented level of technical capability and maliciousness.
Before I continue, I should point out something. Throughout my career, I've promised myself that I'd never be a FUD mongerer -- someone who spreads fear, uncertainty, and doubt in order to drum up publicity or sales. So, I want to make it perfectly clear when I'm talking about things I've seen firsthand and when I'm merely offering my opinion, and then you all can decide for yourselves.
On a recent business trip, a colleague of mine who is deeply entrenched in the war against phishing showed me some first-hand examples of what we're up against. We looked at what happens when an unprotected Windows computer points its Internet Explorer (IE) browser at some of the rogue websites that are controlled by people engaged in phishing attacks. I've been doing incident response professionally ever since I was first hired at CMU's CERT back in 1989, but I have to say what I saw was more than a little surprising to me.
In the above demonstration, my colleague and I watched as malicious code on a couple of phishing websites exploited security defects in IE and installed Trojan horse software on the test computers. In some cases, the Trojans themselves would connect out to other websites -- sometimes several -- and download additional components of their attack code.
Next, we looked at some of the analyses that my colleague's team had done on the Trojans and downloaded code. The complexity of the attack software was at least on par with the most modern rootkits and other attack code I've seen. Most of the Trojans set up agents or bots that could execute instructions provided by their controllers (wherever and whoever they were). Some took their instructions from IRC sites, others from an ever-changing list of websites, drop points, and so on. A common feature among them was keystroke logging of the unsuspecting victim's computer. They're looking for key words, like user names, passwords and credit card number, on the screen.
Ok, so this isn't new stuff. We've all heard of similar sorts of things. So why was I so surprised?
Well, to me, the level of complexity and the coordination necessary to successfully carry out attacks like this represents a degree of determination and planning that goes way beyond the mere script kiddie attacks of the past. The attack software, for example, was mostly written to evade analysis and detection efforts.
These are not amateurish efforts by bored teenagers. It was glaringly obvious to me these attackers must be profit=motivated and not just garden-variety criminals.
Now, add to this the fact that the attackers are getting increasingly effective at incorporating the latest exploits into their attacks. We hear much about so-called zero day or 0day attacks; I have no doubt the people behind the attack tools I saw are the ones who are seeking out these latest exploits.
Here's where I'm going to resort to a bit of educated conjecture... Based on the attack code we saw in action, I firmly believe it's reasonable to assume the authors of this stuff are actively searching for pre-zero-day exploit code to put into their attacks. I'm convinced these 'neg-day' attacks are just around the corner, if they're not already taking place.
This means it's not enough to have really good reaction times in installing vendors' patches, anti-virus signatures, and such. It also means all the talk about monocultures making us vulnerable to large-scale attacks is entirely true. I, for one, completely abstain from using Internet Explorer and Outlook on my workhorse laptop I travel with.
It also means it's time to wake up and smell the coffee. The only long-term solution is to get serious about tackling the problem at its source. Literally.
We need to adopt security best practices in the software we rely on. We've got to make it cost in-effective for the attackers to search through our software for buffer overflows and the like to be used to execute arbitrary code on our systems -- the breeding ground for the sorts of Trojan attacks I've described here.
Until we do, phishers and the like are going to continue to enjoy the target-rich environment we've provided them today. Clearly, they now recognize there is serious money to be gained by their heinous activities. The combination of their ill intentions and their new-found money can only be bad for us. We've got to do much better than we have been or our technology users are going to lose all faith in the net.