Are Hackers Going Beyond Zero-Day Attacks?

We’ve all, no doubt, heard about phishing attacks, but it’s not as likely that most people truly understand what the real danger is.

And that lies not so much in the forged emails and websites we’ve come to associate with phishing attacks, but in the Trojan horse software they’re planting on unprotected PCs that are used to wander into these sites or open their emails.

Sure, we’ve been hearing about Trojan horse software for years, but rest assured the stuff that’s coming from the phishing crowd takes these attacks to an unprecedented level of technical capability and maliciousness.

Before I continue, I should point out something. Throughout my career, I’ve promised myself that I’d never be a FUD-monger — someone who spreads fear, uncertainty, and doubt in order to drum up publicity or sales. So, I want to make it perfectly clear when I’m talking about things I’ve seen firsthand and when I’m merely offering my opinion, and then you all can decide for yourselves.

On a recent business trip, a colleague of mine who is deeply entrenched in the war against phishing showed me some first-hand examples of what we’re up against. We looked at what happens when an unprotected Windows computer points its Internet Explorer (IE) browser at some of the rogue websites that are controlled by people engaged in phishing attacks. I’ve been doing incident response professionally ever since I was first hired at CMU’s CERT back in 1989, but I have to say what I saw was more than a little surprising to me.

In the above demonstration, my colleague and I watched as malicious code on a couple of phishing websites exploited security defects in IE and installed Trojan horse software on the test computers. In some cases, the Trojans themselves would connect out to other websites — sometimes several — and download additional components of their attack code.

Next, we looked at some of the analyses that my colleague’s team had done on the Trojans and downloaded code. The complexity of the attack software was at least on par with the most modern rootkits and other attack code I’ve seen. Most of the Trojans set up agents or bots that could execute instructions provided by their controllers (wherever and whoever they were). Some took their instructions from IRC sites, others from an ever-changing list of websites, drop points, and so on. A common feature among them was keystroke logging of the unsuspecting victim’s computer. They’re looking for key words, like user names, passwords and credit card numbers, on the screen.

Ok, so this isn’t new stuff. We’ve all heard of similar sorts of things. So why was I so surprised?

Well, to me, the level of complexity and the coordination necessary to successfully carry out attacks like this represents a degree of determination and planning that goes way beyond the mere script kiddie attacks of the past. The attack software, for example, was mostly written to evade analysis and detection efforts.

These are not amateurish efforts by bored teenagers. It was glaringly obvious to me these attackers must be profit-motivated and not just garden-variety criminals.

Now, add to this the fact that the attackers are getting increasingly effective at incorporating the latest exploits into their attacks. We hear much about so-called zero day or 0day attacks; I have no doubt the people behind the attack tools I saw are the ones who are seeking out these latest exploits.

Here’s where I’m going to resort to a bit of educated conjecture… Based on the attack code we saw in action, I firmly believe it’s reasonable to assume the authors of this stuff are actively searching for pre-zero-day exploit code to put into their attacks. I’m convinced these ‘neg-day’ attacks are just around the corner, if they’re not already taking place.

This means it’s not enough to have really good reaction times in installing vendors’ patches, anti-virus signatures, and such. It also means all the talk about monocultures making us vulnerable to large-scale attacks is entirely true. I, for one, completely abstain from using Internet Explorer and Outlook on my workhorse laptop I travel with.

It also means it’s time to wake up and smell the coffee. The only long-term solution is to get serious about tackling the problem at its source. Literally.

We need to adopt security best practices in the software we rely on. We’ve got to make it cost-ineffective for the attackers to search through our software for buffer overflows and the like to be used to execute arbitrary code on our systems — the breeding ground for the sorts of Trojan attacks I’ve described here.

Until we do, phishers and the like are going to continue to enjoy the target-rich environment we’ve provided them today. Clearly, they now recognize there is serious money to be gained by their heinous activities. The combination of their ill intentions and their new-found money can only be bad for us. We’ve got to do much better than we have been or our technology users are going to lose all faith in the net.

Kenneth van Wyk
Kenneth R. van Wyk is an internationally recognized information security expert and author of the O'Reilly and Associates books Incident Response and Secure Coding. In addition to providing consulting and training services through his company, KRvW Associates, LLC, he currently holds numerous positions—the Director of Cigital's Research Labs, monthly columnist for online security portal eSecurityPlanet, and Visiting Scientist at Carnegie Mellon University's Software Engineering Institute.