Whitepaper Abstract
Some malware threats are simply nuisances, and then there are truly dangerous and malicious ones. In the latter category, buffer overflow attacks and rootkits are the favorites of professional hackers. Often they are used in tandem, with a buffer overflow providing the way in and a rootkit providing a highly stealthy way to stay in.
This whitepaper explains these two threats and why traditional security approaches have been largely ineffective against them. Then the paper outlines how Endpoint Security 2.0 solutions using kernel-level application whitelisting can effectively neutralize the threats and provide greater peace of mind.
CoreTrace Whitepaper: Combating Buffer Overflows And Rootkits
Combating Buffer Overflows and Rootkits
BOUNCER by CoreTrace™ Defeats Cybercriminals
Buffer overflow + rootkit is the #1 combo meal on the cybercrime menu—a buffer overflow provides the way in and a rootkit provides the way to stay in, and invite some friends in too—and while an endpoint won’t get fries with that, if it is not protected with Endpoint Security v2.0, it may get Trojans, keyloggers, backdoors, installation routines, network sniffers, etc. (do be concerned with what may be hiding in that etc.). The best part, and why this technique is so popular, is that an endpoint is not aware that it has ingested anything.

Rootkits are a MacGyver-worthy mashup of Swiss Army knife + Hydra + The Invisible Man—the best defense is a good offense was never more apropos. Not only is it difficult to know that a rootkit has control of an endpoint; even if known, it is not easily removed. The key to not allowing a rootkit to establish itself in an endpoint is to not allow a rootkit to establish itself in an endpoint—just say no. The only way to do that is with Endpoint Security v2.0.
Contents
1 Overview
1 2008 Forward: Tornado Warning in Effect
  Inside the Cybercrime Tornado
  Seeding the Clouds
  Endpoint Security v1.0 vs. v2.0: Who’ll Stop the Rain?
6 Cybercrime At-a-Glance
  Cybercrime Tools and Techniques
  Cybercrime Levels of Threat
11 Buffer Overflow + Rootkit
  Access Vector: Buffer Overflow used to Inject Code
  Payload: Rootkit used to Obtain and Retain Control
12 Endpoint Security v2.0
  Endpoint Security v1.0 vs. v2.0
  BOUNCER by CoreTrace™
15 Summary

June 2008
CoreTrace Corporation
6500 River Place Blvd., Building II, Suite 105, Austin, TX 78730
512-592-4100 | sales@coretrace.com | www.coretrace.com
Overview

The road sign from information highway to Internet, computer geeks to script kiddies, hackers to cybercriminals, worms to rootkits, bragging rights to offshore accounts, and just recently, malware to malware‑as‑a‑service, points in a very clear direction—from caché to cash—from v1.0 to v2.0, follow the money…and hold on to your hats.

This paper reviews the nature of cybercrime, focusing on two sophisticated threats whose popular malicious combination—buffer overflow + rootkit—requires the immediate attention of IT security departments.

Buffer overflow + rootkit is the #1 combo meal on the cybercrime menu—a buffer overflow provides the way in and a rootkit provides the way to stay in, and invite some friends in too—and while an endpoint won’t get fries with that, if it is not protected with Endpoint Security v2.0, it may get Trojans, keyloggers, backdoors, installation routines, network sniffers, etc. (do be concerned with what may be hiding in that etc.). The best part, and why this technique is so popular, is that an endpoint is not aware that it has ingested anything.

Rootkits are a MacGyver-worthy mashup of Swiss Army knife + Hydra + The Invisible Man—the best defense is a good offense was never more apropos. Not only is it difficult to know that a rootkit has control of an endpoint; even if known, it is not easily removed. The key to not allowing a rootkit to establish itself in an endpoint is to not allow a rootkit to establish itself in an endpoint—just say no. Currently, the only way to do that is with Endpoint Security v2.0.

This paper contrasts Endpoint Security v1.0 with Endpoint Security v2.0, and discusses why Endpoint Security v1.0’s centre cannot hold. Also discussed are Endpoint Security v2.0’s three core tenets—control what you know, control at the lowest possible level, and control transparently—that were leveraged to deliver BOUNCER by CoreTrace™, a unique v2.0 revolutionary 180°‑shifted approach to endpoint security. With BOUNCER‑secured endpoints, an IT security department can have complete confidence that when, not if, a rootkit attempts to establish itself on their endpoint, this zero‑day threat has zero time‑to‑live, as BOUNCER delivers the first knockout punch.(1)

“Have you ever taken a moment to realize that the primary reason the information security industry even exists is because a noted lack of pedantic people both in the RFC world of the 1980s and the software engineering world up until the mid 1990s? Yes, there was actually a time where people did not consider the unexpected consequence of an unbounded strcpy().(3)”
– Jeff Nathan, Arbor Networks

2008 Forward: Tornado Warning in Effect

The criminal energy that permeates the Internet cloud has caused a steady rain of profit for the cybercrime industry since just before the turn of the millennium; however, all indications are that the Internet cloud is poised to turn into a supercell “with billions of dollars of revenue seeming to appear from out of nowhere”(2) and be funneled into the cybercriminals’ offshore accounts. The cybercrime industry is heading inside the tornado of hypergrowth and will enjoy huge profits at the world’s expense.

Unfortunately, the majority of the endpoint security industry that is in a position to stop the unprecedented cybercrime deluge of cash visible on the horizon (i.e., Endpoint Security v1.0 antivirus blacklist vendors) is too busy cashing in on the mutually-assured-to-be-profitable cyber arms race that they are in with the cybercrime industry to need to upgrade their weapons systems to Endpoint Security v2.0. The cyber arms race is a lucrative, never-ending cat‑and‑mouse game of virus release followed by antivirus update, with dizzying rounds of races to the zero-day-threat finish line. Due to Endpoint Security v1.0’s reactive blacklisting strategy, it is running the cybercriminal’s race, so getting to the finish line first is simply not possible.(3)(4)

“Loved by some, hated by others, rootkits can be considered as the holy grail of backdoors: stealthy, little, close to hardware, ingenious, vicious… Their control over a computer locally or remotely make them the best choice for an attacker.(4)”
– Mxatone and IvanLeFou, Phrack Magazine

(1) BOUNCER‑secured endpoints include PCs, servers, and embedded systems.
(2) Geoffrey A. Moore; Inside the Tornado; Harper‑Business; 2005; p 5.
(3) Jeff Nathan; It’s Our Party & We’ll Cry If We Want To…; Arbor Networks; August 9, 2006.
(http://asert.arbornetworks.com/2006/08/it%e2%80%99s‑our‑party‑well‑cry‑if‑we‑want‑to/)
(4) Mxatone and IvanLeFou; Stealth Hooking: another way to subvert the Windows kernel; Phrack Magazine; Issue 65; April 12, 2008. (http://www.phrack.com/issues.html?issue=65&id=4#article)
Combating Buffer Overflows and Rootkits 1
Inside the Cybercrime Tornado

It’s the Wild West…and east, and north, and south—cybercrime is inherently global and tantalizingly lucrative. A virtual frontier of opportunity targets combined with low barriers to entry, low risk of capture and conviction, and high earning potential is the risk/reward scenario that is fueling the cybercrime industry’s explosive growth rate.

The cybercrime business model has matured and, borrowing the language from Geoffrey Moore’s best‑selling business‑strategy books—Crossing the Chasm and Inside the Tornado—it has crossed the chasm and is headed inside the tornado characterized by hypergrowth.(5) Read the excerpt below from Inside the Tornado in the context of the cybercrime juggernaut; does any of it sound familiar?

“Such are the market forces generated by discontinuous innovations, or what more recently have been termed paradigm shifts…For a long time, although much is written about the new paradigm, little of economic significance happens…But…there comes a flash point of change when the entire marketplace…shifts its allegiance from the old architecture to the new.

“This sequence of events unleashes a vortex of market demand. Infrastructure, to be useful, must be standard and global, so once the market moves to switch out the old for the new, it wants to complete this transition as rapidly as possible. All the pent‑up interest in the product is thus converted into a massive purchasing binge… Companies grow at hypergrowth rates, with billions of dollars of revenue seeming to appear from out of nowhere.

“Nowhere has the tornado touched down more often in the past quarter-century than in the computer and electronics industry…New products, designed to the new performance vectors, incorporate software that simply blows away the old reference points…

“…showing how companies can align themselves with these forces to win market leadership positions, we shall see a disconcerting pattern assert itself repeatedly: The winning strategy does not just change as we move from stage to stage, it actually reverses the prior strategy.

“That is, the very behaviors that make a company successful at the outset of the mainstream market cause failure inside the tornado and must be abandoned. And similarly what makes companies successful in the tornado causes failure and must be abandoned once that phase of hypergrowth is past. In other words, it is not just the strategies themselves that are cause for note but also the need to abandon each one in succession and embrace its opposite that proves challenging.”(6)

“…chief security officer at British Telecom’s global financial services division… tells us that as long as the risk of getting caught is so low and the reward so great, the number of attacks is bound to keep climbing. He calls this “the mathematics of toast,” as in companies who aren’t prepared for an influx of attacks are pretty much toast.(8)”
– The Wall Street Journal Business Technology Blog

Reversing Strategies

It is interesting to note that the cybercrime industry’s leap across the chasm was symbolically marked in February 2008 by the disbanding of the infamous, old school VXer (virus writer) group 29A. So if we are not in Kansas anymore, then where are we?—put another way, if “29A has left the building!”(7) who are its current tenants?

“The shutters are being pulled down on old school virus writers’ group 29A.(8)(9)

“ The AFCC recently traced a new service… offering access to a bullet-proof hosting server with a built-in Zeus trojan administration panel and infection tools... the service includes all of the required stages in a single package, so you just have to pay for the service, then access the newly hired Zeus trojan server, create infection points and start collecting data… mirroring legitimate security vendor offerings—security-as-a-service… malware-as-a-service.(9)”
– Andrew Hendry, PC World

(5) Geoffrey A. Moore; Crossing the Chasm; HarperCollins; 2002; and Inside the Tornado; HarperCollins; 2004.
(6) Geoffrey A. Moore; Inside the Tornado; HarperCollins; 2004; pp 4–5 and 10.
(7) VirusBuster/29A’s departing words posted on home page of 29A Labs; February 2008. (This URL is for informational purposes; we strongly recommend that you do not visit the 29A Labs website. http://vx.org.ua/29a/main.html)
(8) The Wall Street Journal Business Technology Blog; Electronic Crime Really Does Pay; November 2, 2007. (http://blogs.wsj.com/biztech/2007/11/02/electronic-crime-really-does-pay/trackback/)
(9) Andrew Hendry; Wannabe Hackers Can Now Rent‑a‑Botnet; PC World; May 15, 2008. (http://www.pcworld.com/businesscenter/article/145931/wannabe_hackers_can_now_rentabotnet.html)
“29A, hexadecimal for 666, is an underground VXer collective known for creating the first Win 2000 virus, the first 64bit virus, and early examples of mobile malware that infected devices such as PDAs.

“…other less well known VXer groups are dying the death, a development symptomatic of changes in the malware market. Profit has replaced mischief, intellectual curiosity, or a desire to make a name for yourself as the motive for creating malware.

“Traditional virus writers have drifted away from the scene to be replaced by more shadowy coders creating sophisticated Trojans aimed at turning an illicit profit. Enforcement action against virus writers has acted as a further disincentive for hobbyists, at least.

“Instead of getting proof of concept malware from the likes of 29A, we’re dealing with the Storm Worm Trojan and other sophisticated “professionally developed” botnet clients.”(10)

By any measure, the cybercrime industry has crossed the chasm from v1.0 to v2.0—combating v2.0 cyberattacks with a v1.0 arsenal is a Maginot-line strategy that will never lead back to Kansas. The road map back to Kansas is provided by Geoffrey Moore: “The winning strategy does not just change as we move from stage to stage, it actually reverses the prior strategy.”(11)

As the VXers crossed the chasm, following behind, as always, were the AVers (antivirus researchers) weighed down by Endpoint Security v1.0 (a reactive, inherently flawed, ineffective, and bloated blacklisting strategy). What is required to defeat cybercriminals is a “reversal of the prior strategy”—a unique v2.0 revolutionary 180°-shifted approach to endpoint security.

What is required is BOUNCER by CoreTrace™, the Endpoint Security v2.0 solution that cut the zero-day-threat-finish-line Gordian knot.

“If you dig a bit on AV world, you will discover AVers are not a happy family… in some cases they hate more other AVers than VXers… Less known are the fights for the conquer of the AV market between companies…there is a new fight in the AV world: The number of detected virii war!…“my product detects the 100% of virii”…If that’s not a trick…what’s it?…It means that from a collection of 7,000 source codes, you could create an antivirus with 12,000 - 14,000 signatures. Then you run…similar virus constructions kits and you reach 20,000 signatures. You only need to inflate the numbers a bit and… TAAAAACHAN!!!!!!! You have a top eleet antivirus! Pathetic but that’s what it’s happening.(12)”
– VirusBuster/29A, 29A Labs

Seeding the Clouds

Buffer overflow + rootkit is a handy combination for a v2.0 cybercriminal—a buffer overflow provides the way into an endpoint and a rootkit provides the way to stay in an endpoint for as long as possible. A rootkit’s ability to mask its presence and its activities makes it very difficult to detect, thereby maximizing profit for each established rootkit and providing excellent ROI for v2.0 cybercriminal businesses.

Buffer Overflows

Buffer overflow vulnerabilities exist because software code is written without input validation on every instance and method of input into the software application. Code injection uses software errors to inject code into programs already running on an endpoint. The most common method of code injection, and one of the most difficult to stop, is via buffer overflow, where code is injected past the end of a legitimate buffer to run whatever the cybercrime business wants.
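The programming error behind the paragraph above, shown as an added example written for this page (it is not code from the paper or from CoreTrace): a fixed-size buffer filled by an unchecked strcpy() beside the same operation with the length validated at the point of input. NAME_MAX_LEN, the function names and the sample inputs are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* fixed-size destination, including the terminating NUL */

/* Vulnerable form the paper describes: the copy trusts whatever length the
 * caller supplies, so any input of 16 or more characters writes past the end
 * of dest and overwrites whatever sits beyond it on the stack. */
void store_name_unchecked(char dest[NAME_MAX_LEN], const char *input) {
    strcpy(dest, input);
}

/* Hardened form: validate at the point of input and refuse what cannot fit.
 * Returns 0 on success, -1 when the input is rejected (dest is left empty). */
int store_name_checked(char dest[NAME_MAX_LEN], const char *input) {
    /* Look for the terminator within the limit; read no further than that. */
    const char *nul = memchr(input, '\0', NAME_MAX_LEN);
    if (nul == NULL) {
        dest[0] = '\0';
        return -1;   /* no terminator inside 16 bytes: too long, reject */
    }
    memcpy(dest, input, (size_t)(nul - input) + 1);   /* bounded copy incl. NUL */
    return 0;
}

/* Convenience wrapper: 1 if the input would be accepted, 0 if rejected. */
int name_accepted(const char *input) {
    char buf[NAME_MAX_LEN];
    return store_name_checked(buf, input) == 0;
}

int main(void) {
    /* Constructed sample inputs: two that fit, one that does not. */
    const char *inputs[] = { "alice", "exactly15chars!", "this_input_is_much_too_long" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-30s -> %s\n", inputs[i], name_accepted(inputs[i]) ? "accepted" : "rejected");
    return 0;
}
```

The checked version never reads more than NAME_MAX_LEN bytes of the input and never writes more than NAME_MAX_LEN bytes to the destination, which is the "input validation on every instance and method of input" the paragraph calls for; the unchecked version is the textbook defect and is never called with oversized input here.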
Rootkits

Rootkits are a collection of tools and utilities that allow a cybercriminal to hide the presence of a rootkit and all of its activities, as well as provide a way to keep a backdoor open to the system for return visits. The extent and nature of activities a rootkit is able to perform and can hide depend on the type of rootkit. There are many types of rootkits, including user‑mode, kernel‑mode, kernel‑mode data structure manipulation, and process hijacking. While all rootkits are problematic, kernel‑based rootkits are especially insidious.(12)(13)

“A buffer overflow is the result of stuffing more data into a buffer than it can handle. How can this often found programming error can be taken advantage to execute arbitrary code?…Writing an Exploit (or how to mung the stack)…(13)”
– Aleph One, Phrack Magazine

(10) John Leyden; Infamous malware group calls it quits; Channel Register; March 7, 2008. (http://www.channelregister.co.uk/2008/03/07/29a_rip/)
(11) Geoffrey A. Moore; Inside the Tornado; HarperCollins; 2004; p 5.
(12) VirusBuster/29A; The number of detected virii war; 29A Labs; zines; Issue 4; 2001. (This URL is for informational purposes; we strongly recommend that you do not visit the 29A Labs website. http://vx.netlux.org/29a/29a‑4/29a‑4.232)
(13) Aleph One; Smashing The Stack For Fun And Profit; Phrack Magazine; Issue 49; November 8, 1996. (http://www.phrack.com/issues.html?issue=49&id=14#article)
Endpoint Security v1.0 vs. v2.0: Who’ll Stop the Rain?

Cybercriminals are well armed and well motivated, so how can an organization protect itself? Businesses invested $9.4 billion in IT security software in 2007;(14) clearly, increased spending on ineffective Endpoint Security v1.0 products will not stop the cybercrime tornado.

Endpoint Security v1.0

Endpoint Security v1.0 strategy has been to identify malware and keep it out (i.e., blacklisting). In this zero‑day‑threat world, blacklisting’s reactive strategy (it is dependent on timely signature updates) is inherently flawed, and no amount of multi-layering or heuristics can save it. In effect, blacklisting surrenders control to the cybercriminals, handing them the first-strike advantage. Moreover, if the first strike is delivered by a stealth bomber (buffer overflow code injection) that happens to drop a kernel-based-rootkit payload, Endpoint Security v1.0 technology is unaware that an attack has occurred and the compromised system is literally open for business.

“Today’s threats are created by a commercial malware industry which has developed quickly and which has access to some billion-dollar resources… Some vendors have switched…to daily, or even half-hourly updates…The average size of the signature databases has at least doubled and in some cases tripled within the last 18 months. The trend seems to be clear: more updates and more signatures, and with them longer scan times, higher memory consumption, higher false positive rates and the like.(15)”
– Andreas Marx, av‑test.org

Endpoint Security v2.0

Fortunately, the majority of cyberattacks can be defeated if the right approach is taken in defending the IT network—by necessity, that is Endpoint Security v2.0, whose revolutionary 180°‑shifted approach starts by turning v1.0 blacklisting on its head and proceeds from there.

Note the phrase, starts by turning v1.0 blacklisting on its head and proceeds from there. Endpoint Security v2.0 strategy is to only allow authorized code to execute (i.e., whitelisting), so even if malware gains access to a system, it cannot execute and is neutralized—that’s the short answer. For security reasons, the details in the execution of that strategy are as important as adopting the strategy.

Endpoint Security v2.0 is predicated on three core tenets: control what you know, control at the lowest possible level, and control transparently. To be considered a true Endpoint Security v2.0 solution, the security features shown in Table 1 must be present.

Beware of any endpoint security solution claiming to be a v2.0 solution that merely exchanges one list for another. While a whitelist‑based solution is superior to a blacklist‑based solution because it is proactive vs. reactive, a true Endpoint Security v2.0 solution uses a whitelist of fingerprints customized for each endpoint, thereby limiting the entries to programs installed on each endpoint vs. a centralized database of all programs. Additionally, a true Endpoint Security v2.0 solution automatically generates the customized whitelist for each endpoint in a controlled environment to ensure that it is not compromised. Further, a true Endpoint Security v2.0 solution provides an efficient whitelist updating capability that does not place a burden on the IT administrative staff.

The specious solution that has merely exchanged one list for another is only a 90°-shifted solution, and it has only reached v1.1—or rather, the whitelist is a behemoth one-size-fits-all-let’s‑hope‑the‑list‑isn’t‑hacked centralized database of all authorized programs that somehow has to be mapped to each specific endpoint.

Walk away from these going-in-the-right-direction-but-didn’t-quite-make-it v1.1 half-solutions, or else the weight of this solution and attendant administrative burden and security risks will come crashing down on your CPUs and valuable IT staff.(15)(16)

“Even if the technology used by rootkits are more and more sophisticated, the underground community is still developing POCs to improve current techniques.(16)”
– Mxatone and IvanLeFou, Phrack Magazine

(14) Gartner; Press Release: Gartner Predicts Worldwide Security Software Revenue to Grow 11 Percent in 2008; April 22, 2008. (http://www.gartner.com/it/page.jsp?id=653407)
(15) Andreas Marx; Malware vs. Anti‑Malware: (How) Can We Still Survive?; Virus Bulletin; February 2008. (http://www.av-test.org/down/papers/2008-02_vb_comment.pdf)
(16) Mxatone and IvanLeFou; Stealth Hooking: another way to subvert the Windows kernel; Phrack Magazine; Issue 65; April 12, 2008. (http://www.phrack.com/issues.html?issue=65&id=4#article)
Table 1. Endpoint Security v2.0: Security Features

(In the original, each feature is marked against the three tenets as columns: Control What You Know; Control From the Lowest Possible Level; Control Transparently. The column marks did not survive extraction, so the features are listed without them.)

Security Features:
- Only authorized programs allowed to execute
- Authorized programs fingerprinted to create a unique three-factor integrity check:
  - File digest (SHA-1 hash)
  - File location (pathname)
  - File size
- Whitelist of fingerprints customized for each endpoint—entries limited to programs installed on an endpoint
- Automatically generates customized whitelist in a controlled environment
- Ease-of-use whitelist updating procedure
- Digital certificates used for authentication
- Enforcement from within the kernel
- Entry points to the OS securely wrapped
- Prevents direct kernel memory read and write from user space
- Monitors and reacts to memory modification
- Provides a complete IPsec infrastructure

“…review on Windows Vista only included ‘pure’ anti-virus programs. The tools were last updated and frozen on 2 October 2007. To our surprise, the detection rate of inactive samples reached just 90% on average, even though most of the rootkits used were released during 2005 and 2006. Only four of the six installed rootkits could be detected by an average tool and the cleaning rate was even lower with 54%.(17)”
– Andreas Marx and Maik Morgenstern, av‑test.org
“The greatest strength of BOUNCER’s technology is that it protects unpatched vulnerabilities from exploitation, effectively neutralizing zero-day threats.”

(17) Andreas Marx and Maik Morgenstern; Anti‑Stealth Fighters Testing for Rootkit Detection and Removal; Virus Bulletin; April 2008. (http://www.av-test.org/down/papers/2008-04_vb_rootkits.pdf)
Cybercrime At-a-Glance

The supercell cloud that will spawn the tornado of hypergrowth and huge profits for the cybercrime industry contains all of the cybercrime business segments. Cybercriminals target specific organizations at times; however, they are opportunists and collect rainfall whenever and wherever they can. Table 2 provides an at‑a‑glance view of some of their activities.(18)(19)(20)(21)(22)(23)(24)(25)

Table 2. Cybercrime at-a-glance

AV-Test.org(18)                                    2005        2006        2007
  MD5-unique malware samples                    333,000     972,000   5,490,000
  Unique AV updates in 45 AV products           111,566     134,484     148,869
  Total size of AV updates in 45 AV products     520 GB      1.0 TB      1.6 TB

Chances of becoming a cybervictim(19): 1 in 4 US citizens (2007)

Cybercriminal chances of getting convicted(20): 1 in 7,000, although it could be as low as 1 in 600,000

Identity fraud victims(21): 8.4 million US citizens (2007); total fraud of $50 billion; victims spend 25 hours (avg.) to resolve case

Identity theft cost to consumers and businesses(21): $49.3 billion (2007)

Stolen identity value to cybercriminal(19): $14–$18 per identity (2006)

Newly activated zombies(22): 355,000 per day (1Q 2008)

Spam levels of all e-mail(22): 60%–94% (1Q 2008)

Spam sent from zombies(23): 80% (1Q 2008)

Botnet uses(23): #1 use: sending spam; #2 use: DDoS attack; other ways to make money: sell or lease botnet

Top spam-sending countries(24), 12 months view (06/03/07–06/03/08):
  United States        33.03%
  Russian Federation    5.64%
  Germany               5.47%
  United Kingdom        4.29%
  China                 3.78%
  Other                47.79%

“Just like legitimate businesses, cyber criminals today are trying to put themselves front-and-center on millions of computer screens. “The attackers are now following the same path that businesses have, in trying to advertise themselves in their own special way on the more popular Web sites,” says Tom Liston, who works with SANS Internet Storm Center…They’re doing exactly what every business tries to do, which is to find innovative ways get themselves out in front of as many eyeballs as possible…(25)”
– Martha Neil, ABA Journal

(18) Andreas Marx; Malware vs. Anti‑Malware: (How) Can We Still Survive?; Virus Bulletin; February 2008. (http://www.av-test.org/down/papers/2008-02_vb_comment.pdf)
(19) www.consumerreports.org; Net threats: Why going online remains risky; September 2007. (http://www.consumerreports.org/cro/electronics‑computers/computers/internet‑and‑other‑services/net‑threats‑9‑07/overview/0709_net_ov.htm)
(20) Ben Worthen; Laws Go Soft on Hackers; The Wall Street Journal Business Technology Blog; February 22, 2008. (http://blogs.wsj.com/biztech/2008/02/22/laws‑go‑soft‑on‑hackers/trackback/)
(21) Javelin Strategy and Research; Press Release: Group Imagines ‘Ideal’ Credit Card; May 27, 2007. (http://www.javelinstrategy.com/2008/05/27/group‑imagines‑ideal‑credit‑card/)
(22) Commtouch Software; Q1 2008 Email Threats Trend Report: Zombies Depend on the Kindness (and IT Resources) of Others; April 7, 2008. (http://www.commtouch.com/site/Resources/documentation_center.asp)
(23) Vitaly Kamluk; The botnet business; viruslist.com; May 13, 2008. (http://www.viruslist.com/en/analysis?pubid=204792003)
(24) Commtouch Software; Top Spam‑Sending Countries; 12 Months View; June 3, 2008. (http://www.commtouch.com/Site/ResearchLab/statistics.asp)
(25) Martha Neil; Cyber Crime Does, Increasingly, Pay; ABA Journal; December 20, 2007. (http://www.abajournal.com/news/cybe_crime_does_increasingly_pay/)
Cybercrime Tools and Techniques

Cybercrime is a global industry with low start‑up costs and, ironically, unless typing into a web form is considered a computer skill, no computer skills are necessary. Cybercriminals form a well-integrated community that shares and trades information, and they have many tools and techniques at their disposal, which are discussed below.

• Writing Viruses—A brilliant virus writer can make a decent living working at home and selling new malicious tools online to the highest bidder. Even the less brilliant virus writers can earn a living. There are many places on the web where cybercriminals post source code for new viruses for other people to use. There is no law against doing so, which means that anyone can download source code for a virus, modify it, and then send it out to do its work. Analysis of widely circulated viruses of the past five years shows that sections of them were copied from earlier viruses.

• Discovering Vulnerabilities—Cybercriminals research diligently to find new ways to break into endpoints, particularly those running Windows®. Discovering vulnerabilities is rewarding because they can auction new exploits on the Internet (see Figure 1).

“If you make these steps the NT box is opened for everyone… Even if you don’t plan to write NT viruses at least add to your babes a code for adding SeDebugPrivilege to Everyone. Then it makes for another viruses easier to infect the machine - remember your fellow coders too :))).(26)”
– Ratter/29A, 29A Labs

Figure 1. Vulnerabilities are for sale on the Internet

• Developing Software—Cybercriminals run software development businesses for software products such as collections of exploits for breaking into endpoints and utilities to use once access is gained (such as remote control capabilities and keyloggers). They sell the software online using the same marketing and customer support techniques as mainstream software companies, such as segmentation into software editions, and offering product support and product upgrades (see Figure 2).(26)

(26) Ratter/29A; Gaining passwords; 29A Labs; zines; Issue 6; 2002. (This URL is for informational purposes; we strongly recommend that you do not visit the 29A Labs website. http://vx.netlux.org/29a/29a‑6/29a‑6.225)
9. BOUNCER by CoreTrace™
“
That’s how the
war between
rk[rootkit]-makers
and anti-rk-junkies
began, trying to
find the best way,
the best area, for
hooking critical
operating system
features…In the
wild the rk are used
most of the time for
lame mail spamming
or botnets.(28)
– Mxatone and IvanLeFou
Phrack Magazine
Figure 2. Professionally marketed malware kits are for sale on the Internet
„ Build Attack Environments—Script kiddies are teenagers without the engineering talent
to carry out sophisticated attacks, but who can acquire powerful software tools online and
buy the capability to assemble attack environments. To get started, all that is needed is a
comprehensive hacker software development kit (SDK) that costs about $320 (see Figure 3)
and a few viruses to sprinkle into the Internet. Virus source code can be downloaded for
free, but specific viruses that are guaranteed to get past Endpoint Security v1.0 products
“
A notorious malware
gang that rented out
like McAfee® Active VirusScan®, Norton Antivirus, Kaspersky® Anti‑Virus, etc., are for sale botnets by the hour
on the Internet (see Figure 4). With a budget of $1,000 to $5,000, Trojans are available that has resurfaced after
are purposely built to steal credit card data and e-mail it to a specific address. being knocked off
line two months ago
“It’s comforting to know, should you want to become a Black Hat, that the by a rival band of
barriers to entering the trade are much lower now. It’s true that you’ll never criminals…The gang
become a “legendary Black Hat” if you can’t cut a little C++ code. Nevertheless, came to prominence
out there on the Internet there are web sites where you can buy fully functional by renting out a
software for launching exploits that others have written for you. Yes, there are botnet that fellow
indeed hacker‑devoted software products freely available for purchase by online criminals
anyone capable of installing software. $200 or so should buy you something could use to install
useful (including updates).”(27)(28)(29) and maintain their
malware. In October,
it boasted more
than 35,000 infected
machines…Prices
ranged from $110 to
$220 per thousand
infections depending
on where they were
located. The group
was taken offline in
January following
a DDoS attack by a
rival gang wielding a
Barracuda botnet.(29)
Figure 3. Malware SDKs are for sale on the Internet – Dan Goodin
Channel Register
(27) Robin Bloor; 10 reasons why the Black Hats have us outgunned; The Register; June 13, 2007.
(http://www.theregister.co.uk/2007/06/13/black_hat_list/)
(28) Mxatone and IvanLeFou; Stealth Hooking: another way to subvert the Windows kernel; Phrack Magazine; Issue 65;
April 12, 2008. (http://www.phrack.com/issues.html?issue=65&id=4#article)
(29) Dan Goodin; Rent‑a‑bot gang rises from the DDoS ashes; Channel Register; March 13, 2008.
(http://www.channelregister.co.uk/2008/03/13/loadscc_rises_again/)
Figure 4. Malware to avoid detection by specific Endpoint Security v1.0 vendors is for sale on the Internet
• Assemble or Rent Botnets—Cybercriminals assemble botnets (i.e., networks of compromised endpoints) to amass a huge amount of highly distributed power to use in their activities. If they assemble a large number of endpoints, they can rent them out for about $0.20 per endpoint per day. Remarkably, botnets of more than one million endpoints have been assembled.

Botnets are not without maintenance, though: as owners discover and clean compromised endpoints, the botnet needs replenishment. The cybercriminals use the botnet to send out Trojan viruses that open a backdoor into an endpoint, allowing the cybercriminal’s scanning software to gain access and add it to the botnet.

The botnet industry is well‑developed, offering low start‑up costs and easy implementation.

“Botnets are now a turnkey business with one‑stop‑shopping for all the essentials: bot software; anonymous hosting services to set up a command and control (C&C) center (complete with support and a guarantee that log files are inaccessible to law enforcement); and ready-to-use botnets. Additionally, the software installation of a C&C center only requires the new entrepreneur to fill in a few form fields.”

• Spamming—There are a host of different spam scams: from phishing for financial information, to 411 lottery scams, to the share tip scam, to direct ads for pharmaceuticals, insurance, and porn (e‑mail addresses from replies received are sold as sales leads). Spamming is illegal in many countries, but spamming operations cannot be easily or reliably traced, so this commercial arrangement persists.

• Running Websites—Cybercrime‑run websites may provide Trojans in the guise of free computer games or pornography, or malware disguised as music or video files; or may directly attempt to infect an endpoint upon access (known as drive‑by download). Some websites are spoof sites pretending to be banks or retailers. Cybercrime businesses drive traffic to their websites through mass e-mail campaigns, or by changing information in an endpoint’s browser, or by invading domain name servers and altering their reference information.

• Stealing Identities—What’s a cybercriminal to do with a stolen file of thousands of credit card records? Rather than try to exploit it on their own, cybercriminals sell the data for around $14–$18 per credit card record or around $500 if the PIN number is also obtained. In addition to selling credit card information, cybercriminals sell data from US Social Security cards, birth certificates, bills/invoices, and driver’s licenses—all of which can be used to set up fraudulent bank accounts.(30)

“bro this are from my spam… super fresh… I will spam more... spammed like hell… used 7 remote desktops and 13 smpt servers… 5 root…sent over 1.3 million emails.”(30)
– Thomas Claburn, InformationWeek
(30) Thomas Claburn; International Cybercrime Ring Busted; InformationWeek; May 19, 2008.
(http://www.informationweek.com/story/showArticle.jhtml?articleID=207801060)
• Providing Independent Contracting/Consulting Services—Legitimate businesses hire cybercriminals to damage the competition. There is no way to tell whether a virus attack or a denial of service (DoS) attack has a third-party sponsor, but if intellectual property is stolen, a competitor may be the sponsor. The Russian Business Network is the most famous cybercriminal business and it is for hire; it is rumored that its software engineering expertise is so great that governments hire its services.

On the other side of the fence, there are ethical‑hacker consultancies that are hired to attack a network to test its security level. Banks regularly hire ethical hackers, known as white‑hat hackers, to fortify their security, but few other organizations do.

• Covering Their Tracks—The only link that ties a cybercriminal to an attack is communication from an endpoint that they own to their botnets, so if they communicate via public WiFi they are very difficult to trace. Furthermore, cybercriminals prefer to attack on foreign soil because they are much less likely to get caught, as it is very difficult for national police forces to work together even if evidence surfaces of who is behind specific attacks.

• Banking Offshore—Cyberextortion pays well, and typically offshore accounts in the Cayman Islands are used to pass the money through. Ransom fees paid to end a DoS attack typically range from $10,000 to $50,000 depending on the size of the company under attack.

CYBERCRIME LEVELS OF THREAT

There are three cybercrime threat levels that IT security measures need to address: background noise, opportunistic attacks, and focused attacks. While companies need to combat background noise, the real threats are opportunistic attacks and focused attacks.

Background Noise

Background noise is the aggregation of all automated attempts by cybercriminals to gain access to endpoints across the world, subverting hundreds to thousands of endpoints daily. When an endpoint connects to the Internet, an attempt to gain access to it happens in seconds. Cybercriminals have scanners that scan the Internet in specific address ranges looking for known access points such as compromised endpoints (i.e., endpoints with open backdoors created by a virus) to add to their botnet. Consequently, some endpoints belong to more than one botnet.

Opportunistic Attacks

Just like all other IT managers, a cybercriminal tries to maintain a nonvolatile, reliable network, or in this case botnet, and a cybercriminal will put great effort into making network penetration difficult to detect.

The endpoints subverted through background‑noise activities may include a business endpoint that is valuable to a cybercriminal if it has resources such as high‑bandwidth Internet connections. The goal is to take control of resources and use compromised endpoints as spam generators, or rent them out, or set up transient websites on them. Instances of cybercriminals running spam broadcast sessions overnight from corporate endpoints, when the company’s network is less active, have gone undiscovered for months.

A cybercriminal may load a keylogger on a compromised endpoint to catch a password from the keyboard and use it to rifle the local e-mail file for e-mail addresses, or use the local search capability to locate personal financial information.

There is an increase in establishing rootkits on compromised endpoints because it is a cybercriminal’s most reliable means of retaining control of an endpoint even after attempts have been made to clean it of all malware.(31)

“Malware is becoming more and more complex every day. The number of newly discovered malware samples is skyrocketing, but that’s not the only challenge for the AV industry. In most cases, we’re looking at malware that is built in a modular way, with plug-ins that support new features such as hiding the malware’s presence from the user and from AV products. While it is easy for a good signature-driven product to find a known sample that has not yet been activated, it is becoming increasingly challenging to detect the sample once it is running and trying to hide itself and other malicious components. On the Windows platform the hidden objects usually include services and processes, registry keys and values, as well as directories and files.”(31)
– Andreas Marx and Maik Morgenstern, av‑test.org
(31) Andreas Marx and Maik Morgenstern; Anti‑Stealth Fighters Testing for Rootkit Detection and Removal;
Virus Bulletin; April 2008. (http://www.av-test.org/down/papers/2008-04_vb_rootkits.pdf)
Focused Attacks

Focused attacks are clearly the worst threat. In a focused attack, cybercriminals are targeting a specific IT network with the intent to cause disruptive damage, steal data, compromise intellectual property, or perpetrate some kind of fraud. An additional aspect of focused attacks is that the cybercriminal will take their time and slowly compromise systems, resulting in an attack that is extremely hard to detect.

Commonly in focused attacks, cybercriminals have the inside help of a malicious insider that may provide information on security products and how the IT network is configured, or provide passwords, or open a backdoor into the network. Because few organizations keep comprehensive endpoint‑activity logs, it’s hard to prove whether a malicious insider was involved in an attack; however, it is probable in cases where the cybercriminals know exactly how to pull off a sophisticated computer fraud or exactly which data files to steal.

“In fact, the malicious insider sounds like some sort of bogeyman to hear these security pros talk about it. But lest you think the threat is more imagined than real, consider that among companies that experienced a data breach in 2006, 23% said the culprit was an insider, according to a survey by the Computing Technology Industry Alliance.”(32)
– Ben Worthen, The Wall Street Journal Business Technology Blog

BUFFER OVERFLOW + ROOTKIT

Buffer overflow + rootkit is a very popular malicious combination that is providing sustained revenue streams for the cybercrime industry, and it is fueling the cybercrime industry’s hypergrowth stage inside the tornado.

ACCESS VECTOR: BUFFER OVERFLOW USED TO INJECT CODE

Code injection uses software errors to inject code into programs already running on an endpoint. The most common method of code injection, and one of the most difficult to stop, is via buffer overflow, where code is injected at the end of a legitimate buffer to run a cybercriminal’s programs.

Programs define memory areas called buffers that are used to accept data from a user or another program. Buffers are defined to have a specific size. For example, a name field may permit 30 characters, so 30 bytes of memory are provided. Ideally, if more data is sent to the program, it should reject everything after the first 30 characters. Unfortunately, most programmers do not bother to write their programs that way and just accept whatever is sent. To achieve a buffer overflow, cybercriminals add specialized program code called shellcode to the end of the 30 characters, and the endpoint will execute the shellcode that was written to the end of the legitimate buffer.
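As an added illustration of the 30-character name field described above (example code, not from the paper), here is the unchecked copy the paragraph describes in C, beside a version that rejects over-long input and one that truncates it; NAME_MAX, struct record and the function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* The paper's example: a name field that permits 30 characters. A C string
   also needs one byte for its terminating NUL, so the buffer is NAME_MAX + 1
   bytes; sizing it at exactly 30 is itself a classic off-by-one. */
#define NAME_MAX 30

struct record {
    char name[NAME_MAX + 1];
    int  flags;    /* neighbouring data that an overflow tramples first */
};

/* BEFORE: the pattern the paper describes, "just accept whatever is sent".
   strcpy copies until it finds a NUL, so input longer than NAME_MAX runs
   past name[] into flags and, for a record on the stack, into the saved
   frame pointer and return address that lie beyond it. */
int set_name_unchecked(struct record *r, const char *input) {
    strcpy(r->name, input);   /* no length check: this is the defect */
    return 0;
}

/* Length bounded at limit + 1 bytes, so the check itself can never read
   past what the caller is prepared to accept. */
static size_t bounded_len(const char *s, size_t limit) {
    size_t n = 0;
    while (n <= limit && s[n] != '\0') n++;
    return n;
}

/* AFTER (reject): refuse input that does not fit instead of copying it.
   Returns 0 on success, -1 if the input exceeds NAME_MAX; on failure the
   record is left untouched. */
int set_name_checked(struct record *r, const char *input) {
    size_t len = bounded_len(input, NAME_MAX);
    if (len > NAME_MAX)
        return -1;
    memcpy(r->name, input, len);
    r->name[len] = '\0';
    return 0;
}

/* AFTER (truncate): keep the first NAME_MAX characters and drop the rest,
   the behaviour the paper says a program "should" have. snprintf always
   NUL-terminates within sizeof r->name. Returns the count dropped. */
int set_name_truncated(struct record *r, const char *input) {
    size_t len = strlen(input);
    snprintf(r->name, sizeof r->name, "%s", input);
    return len > NAME_MAX ? (int)(len - NAME_MAX) : 0;
}

int main(void) {
    struct record r = { "", 0 };
    char oversized[41];                 /* constructed input: 40 'A's */
    memset(oversized, 'A', 40);
    oversized[40] = '\0';
    printf("checked:   %d (rejected)\n", set_name_checked(&r, oversized));
    printf("truncated: %d dropped, name=%s\n",
           set_name_truncated(&r, oversized), r.name);
    /* set_name_unchecked(&r, oversized) is deliberately not called: it
       would write past the end of name[], which is undefined behaviour. */
    return 0;
}
```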
All it takes is trial and error to discover if a program is vulnerable to buffer overflow—the
cybercriminal tests to see what happens when a large amount of information is sent to the
buffer. Many buffer overflow defects have been found in the Windows operating system (OS)
by cybercriminals simply experimenting with the software. Buffer overflow vulnerabilities are
even easier to find if the cybercriminal can get the program source code allowing them to easily
check every instance where the program accepts input.
Another common method of exploiting buffer overflows is to analyze the patches released
by OS and application vendors. This process has become so automated that when Microsoft
releases security patches on Patch Tuesday (providing the less sophisticated virus developers
with a pointer saying hack me here!) the cybercriminals exploit unpatched systems on
Hack Wednesday.(32)
PAYLOAD: ROOTKIT USED TO OBTAIN AND RETAIN CONTROL
Once access to an endpoint is gained, cybercriminals install a rootkit to take control of an
endpoint and to retain control so they can load the software needed to carry out their schemes
at their convenience. Rootkits are either kernel‑based or non‑kernel‑based.
(32) Ben Worthen, Data Breach of the Day: Britney Spears Edition; The Wall Street Journal Business Technology Blog;
March 17, 2008. (http://blogs.wsj.com/biztech/2008/03/17/data-breach-of-the-day-britney-spears-edition/trackback/)
Kernel‑based rootkits operate in the kernel and have the highest level of privilege (i.e., full administrator, or root), allowing the cybercriminal to define and change access rights and permissions to cover up traces of their activities, making kernel-based rootkits very difficult to detect once installed. For example, with this level of privilege the cybercriminal can hide the rootkit from endpoint utilities that list files and provide information about running processes, and they can also hide other programs they plant on the endpoint.

Non‑kernel‑based rootkits operate in user space and usually have the same privilege level as that of the user credentials used to install them.

Some rootkits are known and can be detected by a scanning program; however, this defense does not work for a newly written rootkit. Typically, established rootkits are detected by a file comparison between a suspect endpoint and a clean endpoint with full administrator rights; however, this is difficult to organize and difficult to carry out while endpoints are running.

ENDPOINT SECURITY v2.0

Cybercriminals are well armed, well skilled, and well motivated, so how can an organization protect itself? Fortunately, despite the prolific cyberattack vectors, tools, and strategies, the majority of cyberattacks can be stopped dead in their tracks if the right approach is taken to defending the IT network—that is, Endpoint Security v2.0.

ENDPOINT SECURITY v1.0 vs. v2.0

Endpoint Security v1.0, with its multiple layers of reactive antivirus and blacklisting databases, security patches, and personal firewalls (all of which slow performance and add significant cost to network operations), can’t defeat today’s known rootkit threats or unknown threats (i.e., zero-day attacks from malware, rootkits, and buffer overflows)—let alone tomorrow’s.

Endpoint Security v2.0 is proactive, whitelist‑based, provides enforcement from within the kernel, and is predicated on three core tenets:

• Control what you know.
• Control at the lowest possible level.
• Control transparently.

BOUNCER BY CORETRACE™

BOUNCER by CoreTrace™ takes a revolutionary 180°-shifted approach to endpoint security, providing a unique Endpoint Security v2.0 solution that defeats today’s, tomorrow’s, next year’s… known and unknown threats—finally, efficiently, effectively, BOUNCER stops the madness. BOUNCER leverages Endpoint Security v2.0’s three core tenets to provide the capabilities listed below for PCs, servers, and embedded systems.

• Preventing unauthorized programs and processes from running.
• Preventing rootkit establishment.
• Stopping code injected via buffer overflow from running and stopping further memory corruption.
• Preventing system configuration modification by staff members, malicious insiders, and malicious outsiders.
• Securing the endpoint transparently to end users.
• Providing ease‑of‑use to the operational staff.(33)

“Strategic Alliances? Bring ‘em on, we love ‘em!...So they want to combine their engines...That’s a great idea! This will be much more tougher to defeat.... That’s right guys. 1 + 1 = 1 in this case ;-) Stopped laughing yet? Ok… these antivirus engines combined can result in a really difficult to beat antivirus product, but there is also a positive side for us, virus authors. This “Strategic Alliance” also means that in the future we do have to concentrate on one product less! Yes, they are right in respect that it is harder to beat this combined product, but it will certainly take less time than testing your virus on 2 completely different products, let alone the fact that it costs you a lot more time to write retro structures against 2 antivirus products instead of one. Afterthought: Should we also take action and form “Strategic Alliances” other groups?”(33)
– Rajaat/29A, 29A Labs
(33) Rajaat/29A; Strategic Alliances? Bring ‘em on, we love ‘em!; 29A Labs; zines; Issue 2; 1998.
(This URL is for informational purposes; we strongly recommend that you do not visit the 29A Labs website.
http://vx.netlux.org/29a/29a-2/29a-2.2_a)
Core Tenet #1—Control What You Know

Control what you know—what else can you control? Blacklists are pursuing the flawed strategy of trying to control that which is unknowable, and, as a result, are locked in a zero‑day‑threat race they can never win, while being paid well for it. Conversely, controlling what you know—that is, controlling the authorized applications used by an endpoint so that you can be indifferent to the rest—is the principle that underpins BOUNCER’s whitelisting strategy that defeats cybercrime.

BOUNCER creates a whitelist of authorized programs (i.e., a list of fingerprints) that it uses to recognize (i.e., identify and validate) an authorized program as it loads. Each authorized program’s fingerprint is made up of a triple play of integrity checks: file digest (SHA-1 hash), file location (pathname), and file size.

When an unauthorized program tries to load (e.g., a virus from an e‑mail attachment, a program copied on an endpoint by an authorized user, or a program copied on an endpoint through a vulnerability), BOUNCER simply does not allow it to execute, thereby defeating the vast majority of threats, including preventing Trojans from overwriting authorized files.

The greatest strength of BOUNCER’s technology is that it protects unpatched vulnerabilities from exploitation, effectively neutralizing zero‑day threats. If a vulnerability is unpatched and exploited, the malicious program or injected code is stopped anyway, so zero‑day threats become a thing of the past. Hack Wednesday goes away and there is time to test all patches before they are deployed—if they are deployed at all.

BOUNCER’s leveraging of control what you know results in significant IT cost savings. IT departments that use BOUNCER can say goodbye to the following and say hello to a little sanity:

• Zero‑day threats.
• Malware, trojans, viruses/worms, bots, keyloggers, adware, and spyware.
• Reactive security patching (patch for features you need on your schedule and have time to fully test patches).
• Chronic signature updating.
• Technology stacks, pattern matching, and behavioral heuristics (including the impact of false positives and prolonged learning periods typical of behavioral solutions).

“This article is about recent exposures of many kernel level vulnerabilities and advances in their exploitation which leads to trusted (oops safe) and robust exploits… to prove kernel land vulnerabilities such as stack overflows and integer conditions can be exploited and lead to total control over the system, no matter how strict your user land (i.e., privilege separation) or even kernel land (i.e., chroot, systrace, securelevel) enforcements are… I also…contribute to the newly raised concepts (greets to Gera) of fail-safe and reusable exploitation code generation.”(34)
– Sinan “noir” Eren, Phrack Magazine
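An added example, not CoreTrace code, of the fingerprint triple described under this tenet, in C: a program image is fingerprinted by SHA-1 digest, pathname and size, and a load is allowed only when all three match a whitelist entry, so a modified, relocated or unknown file is denied. The SHA-1 routine is written out so the file builds without OpenSSL; struct fingerprint, is_authorized, the pathnames and the sample image bytes are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* SHA-1 (RFC 3174) written out here so the file builds without OpenSSL. */
static uint32_t rol(uint32_t v, int s) { return (v << s) | (v >> (32 - s)); }

static void sha1(const uint8_t *msg, size_t len, uint8_t out[20]) {
    uint32_t h[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0};
    size_t total = ((len + 8) / 64 + 1) * 64;          /* length after padding */
    uint8_t *buf = calloc(total, 1);
    memcpy(buf, msg, len);
    buf[len] = 0x80;                                    /* a 1 bit, then zeros */
    uint64_t bits = (uint64_t)len * 8;                  /* 64-bit big-endian length */
    for (int i = 0; i < 8; i++) buf[total - 1 - i] = (uint8_t)(bits >> (8 * i));
    for (size_t off = 0; off < total; off += 64) {      /* one 512-bit block per round */
        uint32_t w[80], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
        for (int i = 0; i < 16; i++)
            w[i] = ((uint32_t)buf[off + 4*i] << 24) | ((uint32_t)buf[off + 4*i + 1] << 16) |
                   ((uint32_t)buf[off + 4*i + 2] << 8) | (uint32_t)buf[off + 4*i + 3];
        for (int i = 16; i < 80; i++) w[i] = rol(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
        for (int i = 0; i < 80; i++) {
            uint32_t f, k;
            if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
            else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
            else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
            else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
            uint32_t t = rol(a, 5) + f + e + k + w[i];
            e = d; d = c; c = rol(b, 30); b = a; a = t;
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
    }
    free(buf);
    for (int i = 0; i < 5; i++) {                       /* big-endian digest bytes */
        out[4*i] = h[i] >> 24; out[4*i+1] = h[i] >> 16; out[4*i+2] = h[i] >> 8; out[4*i+3] = h[i];
    }
}

/* The paper's fingerprint triple: file digest (SHA-1), file location, file size. */
struct fingerprint { char path[256]; size_t size; uint8_t digest[20]; };

/* Fingerprint a program image held in memory. A real agent would read the
   file from disk as it loads; the sample images used here are constructed. */
struct fingerprint fingerprint_of(const char *path, const uint8_t *image, size_t size) {
    struct fingerprint fp;
    memset(&fp, 0, sizeof fp);
    snprintf(fp.path, sizeof fp.path, "%s", path);
    fp.size = size;
    sha1(image, size, fp.digest);
    return fp;
}

/* Allow the load only when all three checks match a whitelist entry. A
   modified file (digest, usually size too), a known file copied to another
   location (path) and an unknown file all fail. Returns 1 = allow, 0 = deny. */
int is_authorized(const struct fingerprint *wl, size_t n, const struct fingerprint *c) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(wl[i].path, c->path) == 0 && wl[i].size == c->size &&
            memcmp(wl[i].digest, c->digest, sizeof c->digest) == 0)
            return 1;
    return 0;
}

/* Lowercase hex of a digest, for log lines and for checking a known test vector. */
void digest_hex(const uint8_t d[20], char out[41]) {
    for (int i = 0; i < 20; i++) sprintf(out + 2*i, "%02x", d[i]);
}
```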
Core Tenet #2—Control at the Lowest Possible Level

Most sophisticated attacks are targeted at the kernel; therefore, that is where the battle lies (only security software that functions in the kernel can reliably deliver the controls that IT requires).

BOUNCER loads into the kernel very early and performs the following functions:

• Allocates resources only to authorized applications.
• Locks down the process table and keeps track of pointers.

BOUNCER leverages control at the lowest possible level to defeat the following threats:

• Rootkit establishment.
• Injected code via buffer overflow (even in authorized applications).
• System configuration modification by staff members, malicious insiders, and malicious outsiders.
• Direct kernel memory read and write from user space.(34)(35)

“Userland applications are usually executed in ring3. The kernel on the other hand is executed in the most privileged mode, ring0. This grants the kernel full access to all CPU registers, all parts of the hardware and the memory. With no question is this the mode of choice to do start some hacking.”(35)
– kad, Phrack Magazine

(34) Sinan “noir” Eren; Smashing The Kernel Stack For Fun And Profit; Phrack Magazine; Issue 60; December 28, 2002.
(http://www.phrack.com/issues.html?issue=60&id=6#article)
(35) kad; Handling Interrupt Descriptor Table for fun and profit; Phrack Magazine; Issue 59; July 28, 2002.
(http://www.phrack.com/issues.html?issue=59&id=4#article)