The Rootkit and Botnet menace
The latest threats on the security radar are rootkits and botnets. What is worrying
is that few security solutions can detect these bits of malware. Kumar Dawada
examines the security vulnerabilities that could end up plaguing India Inc.
Just when you thought things couldn't get worse, they did. The latest
bits of malware floating around the Net and on that copy-protected CD one of
your managers just played on his PC are rootkits and botnets. These threats
have managed to stay ahead of security software for now. Botnets not only use
the latest trends in encryption and polymorphism, they conceal themselves in
rootkit code to permanently reside and remain undetected on compromised systems.
This is like Jack the Ripper becoming the Invisible Man. The recent brouhaha about
Sony Music's copy-protected CDs having a rootkit that affected one in six
DNS servers, across a statistical sampling of one third of the 9 million DNS
servers that security researcher Dan Kaminsky estimates are in existence, could
just be the tip of the iceberg as the security battle intensifies.
The sudden spate of improvements in bot design and state-of-the-art stealth
technology is a result of the phenomenal growth of botnets as an underground
industry. The bot masters collaborate, share code and help each other develop
mutated bots that are rich in capabilities and commands. Modular bot designs
allow these black hat hackers to come out with bots in record time using new
methods to exploit emerging vulnerabilities in operating systems and applications.
Botnets and rootkits have been around for a while but their
combination into a unified, malicious attack tool has caused shockwaves worldwide.
The saddest bit is that even those enterprises that have conscientiously invested
in deploying the best security solutions available and implemented comprehensive
security policies are soft targets for the botnet industry. The slow response
of leading security vendors in developing solutions despite the onslaught has
only raised the concerns of IT-enabled services and enterprises.
A bot is software that allows a computer system to
be remotely controlled without the knowledge of the computer's owner.
A botnet is a group or network of computers controlled by a bot master or
bot herder. These botnets do what the bot master tells them to do. This
can include anything from transmitting important files from the compromised
systems (also called zombie systems) to installing new malicious software
or using them as a front for launching a DDoS (distributed denial of service) attack.
A rootkit is a set of software tools, originally
recompiled Unix tools, used by an intruder after gaining access to a computer
system. It is used to conceal the processes, files or system data. This
helps the intruder maintain root access to the
system without being detected by the user or owner of the compromised
system. Rootkits can be used effectively on many operating systems including
Windows, Linux and Solaris.
Rootkits are of two types: kernel and application-level
rootkits. Kernel rootkits replace system calls with modified versions
that hide information about the intruder. Application-level rootkits replace
regular application code with their own or modify the behaviour of existing
applications using hooks, patches, injected code, or other methods.
The major problem with rootkit detection is that
even the operating system running the compromised system cannot be trusted.
Even a simple request such as asking for a list of all running processes
or a list of all files in a directory is unreliable because there is no
guarantee that all processes or files will be displayed.
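The way anti-rootkit tools get around an untrustworthy OS is cross-view comparison: ask the normal API for its list, gather the same list through an independent path (raw kernel memory, an offline disk scan, a boot from clean media), and diff the two. The code below is an added example written for this article, not F-Secure's or Microsoft's code; the "kernel table", the dispatch-table hook and the known-good reference copy are all constructed toy assumptions that stand in for a real process table, a patched system-call entry and a pristine copy of that table.

```python
"""Why a compromised OS cannot be trusted to list its own processes, and how a
cross-view comparison still exposes a hidden entry. Everything here is a
constructed toy: the 'kernel' is a list and the 'API' is a dispatch table that a
hook can overwrite, standing in for a patched system-call or library entry."""

# Constructed ground truth of what is really running: (pid, name).
KERNEL_PROCESS_TABLE = [(1, "init"), (412, "sshd"), (977, "httpd"),
                        (1208, "zombie-agent"), (1310, "bash")]


def _list_processes_original():
    """The clean API: reads the table directly."""
    return dict(KERNEL_PROCESS_TABLE)


# Dispatch table standing in for a system-call table or exported API.
API = {"list_processes": _list_processes_original}

# Reference copy a detector keeps from a known-clean state (an assumption of
# this toy; real tools compare against on-disk or vendor-shipped values).
KNOWN_GOOD = dict(API)


def install_toy_hook(hidden_pid):
    """Model of an application-level hook: the API entry is replaced by a
    wrapper that drops one pid. It only models the behaviour described above."""
    original = API["list_processes"]

    def hooked():
        return {pid: name for pid, name in original().items() if pid != hidden_pid}

    API["list_processes"] = hooked


def uninstall_hooks():
    """Restore the dispatch table from the known-good copy."""
    API.update(KNOWN_GOOD)


def naive_audit():
    """A detector that asks the (possibly hooked) API gets a self-consistent
    answer either way, so it cannot tell that anything is missing."""
    return sorted(API["list_processes"]())


def cross_view_audit(independent_view):
    """Compare the API's answer with a view gathered by a different path (raw
    kernel memory, an offline disk scan, a boot from clean media). Entries that
    exist only in the independent view were hidden from the API."""
    high = API["list_processes"]()
    low = independent_view()
    return {"hidden": sorted(set(low) - set(high)),
            "fabricated": sorted(set(high) - set(low))}


def api_integrity_audit():
    """Flag API entries that no longer point at the known-good code, the same
    idea as checking a system-call table against its pristine values."""
    return sorted(name for name, fn in API.items() if fn is not KNOWN_GOOD[name])


if __name__ == "__main__":
    raw_read = lambda: dict(KERNEL_PROCESS_TABLE)  # the independent path
    print("clean:", naive_audit(), cross_view_audit(raw_read), api_integrity_audit())
    install_toy_hook(1208)
    print("hooked:", naive_audit(), cross_view_audit(raw_read), api_integrity_audit())
    uninstall_hooks()
```

The point of the two audits is that `naive_audit` reports a perfectly consistent list before and after the hook, while `cross_view_audit` names the pid that disappeared and `api_integrity_audit` names the entry that was tampered with; a real detector needs at least one path the rootkit does not control.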
How Vulnerable Are We?
Today, India is an internationally favoured destination for outsourcing, whether
business processes or high-end knowledge processes. It has a dynamic software
industry. Many verticals such as BFSI, healthcare, pharma, telecom and government
rely totally on their IT infrastructure for their business processes, business
transactions, business decisions and mission-critical data. This in turn is
dependent on security deployments and policy. Downtime due to malicious attacks
can mean anything from a loss of business worth millions of dollars to loss
of confidence in the eyes of investors or outsourcing clients. The logical question
arising now is how much damage can a malicious botnet and rootkit attack cause
and how vulnerable is the Indian enterprise to such threats?
Milind Tasgaonkar, Principal Consultant, Cisco Systems warns that today malicious
attacks affect millions of systems within minutes or seconds. IT-enabled service
sectors have security gaps which can be exploited by intruders. BFSI is especially
vulnerable as it has mission-critical data stores in small cities and remote
branch offices. Malicious attacks on these systems can spread to the lowest
level and have far-reaching consequences.
Traditionally security was based on the fortress model. Firewalls
and other technologies have focused on keeping everyone except authorised employees
out of the network. Today's business environment demands that any time,
anywhere access be granted to employees, vendors, contractors and even guests.
Tel Aviv University student Eran Shir and his colleagues
have published an article in the online edition of the journal Nature Physics:
"Distributive immunization of networks against viruses using the honey-pot
architecture". It is still a theoretical model based on simulations
and analysis. They do not intend to patent the idea and have provided it
as open source.
According to them, the antivirus concept is outdated.
It aims to protect individual computers by removing viruses, worms, spyware
and other malicious software from them. However, this means first identifying
the malicious software every time and then coming up with a solution.
This takes too long and meanwhile, the malicious software has already
done maximum damage. Today malicious software always has a head start
and the antivirus or antispyware is unable to keep up. What is needed
is immunity software which immunises not only individual computers but
also the entire network.
What is required is a response to malicious attacks
in real time. This is possible only if the immunity software spreads across
the Internet faster than the virus or malware. This effectively means
beating the virus and malware at their own proliferation game. The technology
already exists; it only has to be fine-tuned. Eran and his colleagues
propose a system in which a few strategically placed honeypot computers
run automated software that identifies the new virus or malware. Its signature
or behaviour pattern is then sent out across the Internet. The sentinel
program on all other computers in the network can now identify the virus
or malware, and prevents its entry when it tries to attack the network.
Simulations have shown that the larger the network, the more efficient this
method becomes. For instance, if a network has 50,000 nodes and only 0.4
percent of those act as honeypots, then just 5 percent of the network will
be infected before the immune system can halt the virus and other malware
attacks. However, if there is a massive network of say 200 million nodes
and 0.4 percent of these are honeypots then only 0.001 percent of the
nodes will be infected before the immune system is triggered.
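The honeypot immunisation model can be explored with a small simulation. The code below is an added example, not the model published by Shir and colleagues; it assumes a ring network with random long-range links, deterministic hop-by-hop spread, and a sentinel broadcast that makes the whole network immune a configurable number of steps after the first honeypot is hit. The numbers it produces are those of this toy, not the article's figures.

```python
"""Toy simulation of the honeypot immunisation idea: malware spreads hop by hop
over a network; once it reaches a honeypot, the honeypot's signature broadcast
makes every remaining node immune after `immunization_delay` further steps. The
result is the share of the network infected before the spread is halted."""
import random


def build_network(n, shortcuts, seed=7):
    """Ring lattice (each node linked to the two nearest nodes on either side)
    plus random long-range links. The ring keeps the graph connected."""
    rng = random.Random(seed)
    adj = [set() for _ in range(n)]
    for i in range(n):
        for d in (1, 2):
            j = (i + d) % n
            adj[i].add(j)
            adj[j].add(i)
    for _ in range(shortcuts):
        a, b = rng.randrange(n), rng.randrange(n)
        if a != b:
            adj[a].add(b)
            adj[b].add(a)
    return adj


def random_honeypots(n, fraction, seed=7):
    """Choose int(fraction*n) honeypots as a prefix of one fixed shuffle and the
    last node of that shuffle as patient zero, so runs with different fractions
    share patient zero and a larger fraction always yields a superset."""
    order = random.Random(seed).sample(range(n), n)
    return set(order[:int(fraction * n)]), order[-1]


def simulate(adj, honeypots, patient_zero, immunization_delay=0):
    """Deterministic spread: at each step every newly infected node infects all
    of its uninfected neighbours. Returns the infected fraction, the number of
    steps run and the step at which a honeypot first caught the sample."""
    n = len(adj)
    infected = {patient_zero}
    frontier = {patient_zero}
    step = 0
    detected_at = 0 if patient_zero in honeypots else None
    while frontier:
        if detected_at is not None and step >= detected_at + immunization_delay:
            break  # the sentinels now block the malware everywhere
        wave = {nb for node in frontier for nb in adj[node] if nb not in infected}
        if not wave:
            break  # nothing left to infect
        step += 1
        infected |= wave
        frontier = wave
        if detected_at is None and wave & honeypots:
            detected_at = step  # first honeypot hit: signature goes out
    return {"infected_fraction": len(infected) / n,
            "steps": step,
            "detected_at": detected_at}


if __name__ == "__main__":
    net = build_network(50_000, 2_000)
    for fraction in (0.0, 0.004, 0.02):
        honeypots, patient_zero = random_honeypots(len(net), fraction)
        print(fraction, simulate(net, honeypots, patient_zero))
```

Because the spread is deterministic and the honeypot sets for different fractions are nested, the infected share can only fall as the honeypot fraction rises; raising `immunization_delay` shows how quickly the advantage disappears if the signature broadcast is slower than the malware.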
The Botnet Mayhem
Captain Felix Mohan, CEO, SecureSynergy is of the opinion
that the latest batch of sophisticated botnets have given their owners absolute
power over compromised machines, putting them in a position to launch distributed
denial of service attacks, distribute malware, send spam, host porn, use compromised
systems to store illegal files or information, or use them for any other illegal
activity that the botnet owner desires. Botnet owners have evolved into
as infrastructure providers. For a price, they hire out their botnets with their
armies of compromised machines to whoever wants to engage in malicious or criminal
activity. Botnets have made large-scale criminal activities affordable and easy,
even for novices, says Mohan.
Saran Gopalakrishnan, Senior Product Manager, Websense agrees that the risk
to Indian enterprise is enormous and includes loss of intellectual capital,
loss of confidence and credibility among customers, investors and partners,
spam attacks, phishing and storage of illegal or stolen files on compromised
systems. Botnet owners use keylogging, packet sniffing, searching the hard disk
for data and transmitting it without the knowledge, consent and assistance of
the system's owner to wreak havoc.
A Deafening Silence
Solutions to combat the botnet and rootkit menace have not been forthcoming.
Only F-Secure has come up with a toolkit called BlackLight to detect and remove
rootkits, while Microsoft is said to be developing prototype anti-rootkit software
called Strider Ghostbuster. In such a scenario, how can SMBs and large enterprises
combat the botnet and rootkit menace?
Tasgaonkar feels that one solution to combat new viruses and
malware is to develop a self-evolving network that can defend itself from current
and future threats. Network routers and switches already see and control
the flow of all data and IP-based communication. If the core networking components
are combined properly with specialised security technologies and services including
endpoint monitoring software then proactive security can be obtained through
network intelligence, he says.
F-Secure (www.f-secure.com/weblog/) claims that it
is the first vendor to provide a rootkit scanner, called BlackLight, as part
of its security suite. According to them, it has already been available
for the last nine months. Their Web site also lists the types of rootkits:
- Open-source and simple; it can be incorporated
into worms and bots by a simple cut-and-paste command. However, it
only hides processes, not files or registry keys.
- More serious because
it is used by hackers to compromise corporate servers.
- Sony BMG DRM: has the dubious distinction
of being the most common rootkit. BlackLight has not been able to
detect this rootkit. Sony has already released a stand-alone uninstaller
to remove their DRM software from infected systems.
- Does not use rootkits
for hiding, only to prevent its uninstallation and removal.
Solutions On The Horizon
Rajendra Dhavale, Consulting Director, Computer Associates feels that botnet
attacks can be minimised and prevented through a PPT (People, Process and Technology)
approach. It is necessary to educate support and technical staff about the types
of risks prevalent on the Internet. They will retain it longer and can educate
end users who encounter them. Having proper security process and policies
shows staff and customers how serious the company is about security. All security
policies must be reviewed periodically, discussed and updated to address new
threats, says Dhavale.
Viral Raval, VP-IT, Kale Consultants echoes similar sentiments.
He too feels that the key to preventing rootkit and botnet proliferation is
people's involvement and ownership. Only when the users know that
doing something will actually cause harm and hamper their own productivity
can there be effective prevention and fewer instances of proliferation. Organisations
should also avoid the trap of overexposure on the Internet. Also the organisations
should do regular checks on IRC and install the latest AV patches, says Raval.
Sanjay Sharma, Corporate Head Technology, IDBI Bank feels that having
a proper security deployment and policy in place is enough to take care of the
rootkit and botnet menace. Botnets take control of the system only if
proper security arrangements have not been made by an enterprise. Proper security
deployment includes a DMZ (de-militarised zone), internal and external firewalls
and other measures to prevent unauthorised access. This prevents botnets and rootkits
from entering the network. There is no need for a special rootkit or botnet
removal tool or solution, says Sharma. He feels that personal computer
systems are more susceptible to black hat hacking and unauthorised controls.
This is because, unlike large enterprises, they do not have elaborate security
deployments in place.
Mohan thinks that protection against rootkits and botnets requires SMBs and
large enterprises to employ stringent end-point security. They need to keep
endpoint anti-virus and security patches up-to-date.
Today's security solutions can easily be circumvented by rootkit and botnet
developers. Major vendors are taking their own sweet time to develop solutions.
Therefore, unless netizens come up with an innovative way to beat rootkits and
botnets at their own game, we may end up living in an era devoid of any privacy.
As in the society envisioned by George Orwell in his novel 1984, each person
may end up saying "Big Brother is watching you."