Text 22651, 202 lines
Written 2006-10-17 09:36:00 by George Vandervort (1:382/8)
Comment on text 22648 by Alan Zisman (1:123/789.0)
Subject: 15 Second WinXP Hacker
==============================
Hello Alan!
Tuesday October 17 2006 09:49, Alan Zisman wrote to CHARLES ANGELICH:
<SNIP>
AZ> Even then, plugging it 'naked' into my broadband connection means
AZ> leaving all the other systems on my home network cut off the Net...
AZ> which would get me in a lot of trouble from the rest of the family.
AZ> (If I plugged the 'borrowed' system into the router like the rest of
AZ> them, it would be taking advantage of the router's NAT protection).
AZ>
AZ> And what's unclear to me in all the stories about 'unprotected online
AZ> Windows system hacked within 15 seconds' stories is what's the
AZ> evidence? Pop up ads? Hijacked home page? Is the system suddenly
AZ> converted into a zombie part of a spam-serving network? (And how does
AZ> anyone know that)?
AZ>
AZ> What I'd need is some way of clearly measuring the contents of the
AZ> system's hard drive and/or System Registry, before and after the
AZ> period of time connected (without anyone browsing to suspicious
AZ> websites) and showing changes.... it's not enough to have a log
AZ> demonstrating that system had been pinged from outside- that's no
AZ> proof that the system had actually been penetrated and hacked.
AZ>
AZ> Any suggestions of a tool that could be used for such a verifiable
AZ> experiment?
AZ>
AZ> Until then, I remain skeptical-- despite the often-repeated claims, I
AZ> haven't heard any non-anecdotal reports of a controlled experiment
AZ> with actual clear details of outcomes.
AZ>
AZ> -+- MT-NewsWatcher/3.5.1 (Intel Mac OS X)
AZ> + Origin: Ad Hoc (1:123/789.0)
=== Cut ===
Tracking down hi-tech crime
By Mark Ward, Sunday, 8 October 2006,
Technology Correspondent, BBC News website
How the trap was sprung
If every hour a burglar turned up at your house and rattled the locks on the
doors and windows to see if he could get in, you might consider moving to a
safer neighbourhood.
And while that may not be happening to your home, it probably is happening to
any PC you connect to the net.
An investigation by the BBC News website has established the scale of the
dangers facing the average net user.
Using a computer acting as a so-called "honeypot" the BBC has been regularly
logging how many potential net-borne attacks hit the average Windows PC every
day.
Attack traffic
Honeypots are forensic tools that have become indispensable to computer
security experts monitoring online crime. They are used to gather statistics
about popular attacks, to grab copies of malicious programs that carry out the
attacks and to get a detailed understanding of how these attacks work.
HI-TECH CRIME PLANS
The BBC News website is running a series of features throughout the week
Tuesday: What did we catch in our honeypot?
Wednesday: Anatomy of a spam e-mail and hackers face to face
Thursday: How to spot a phishing scam
To the malicious programs scouring the web these honeypots look like any other
PC. But in the background the machines use a variety of forensic tools to log
what happens to them.
Perhaps one indicator of how useful these tools have become is seen in the fact
that the most sophisticated attackers make their malicious programs able to
recognise when they have trespassed on a honeypot.
The BBC honeypot was a standard PC running Windows XP Pro that was made as
secure as possible. This ran a software program called VMWare which allows it
to host another "virtual" PC inside the host. Via VMWare we installed an
unprotected version of Windows XP Home configured like any domestic PC.
VMWare is useful as it makes it easy to pause the "virtual" PC or roll it back
to an earlier configuration. This proved essential when recovering from an
infection.
SEVEN HOURS OF ATTACKS
36 warnings that pop-up via Windows Messenger
11 separate visits by Blaster worm
3 separate attacks by Slammer worm
1 attack aimed at Microsoft IIS Server
2-3 "port scans" seeking weak spots in Windows software
This guest machine, once armed with some forensic software, became the
honeypot.
When we put this machine online it was, on average, hit by a potential security
assault every 15 minutes. None of these attacks were solicited; merely putting
the machine online was enough to attract them. The fastest an attack struck was
mere seconds and it was never longer than 15 minutes before the honeypot logged
an attempt to subvert it.
The majority of these incidents were merely nuisances. Many were announcements
for fake security products that use vulnerabilities in Windows Messenger to
make their messages pop-up. Others were made to look like security warnings to
trick people into downloading the bogus file.
Serious trouble
However, at least once an hour, on average, the BBC honeypot was hit by an
attack that could leave an unprotected machine unusable or turn it into a
platform for attacking other PCs.
Many of these attacks were by worms such as SQL.Slammer and MS.Blaster, both of
which first appeared in 2003. The bugs swamp net connections as they search for
fresh victims and make host machines unstable.
They have not been wiped out because they scan the net so thoroughly that they
can always find another vulnerable machine to leap to and use as a host while
they search for new places to visit.
Their impact is limited now because Windows is now sold with its firewall
turned on and the patch against them installed. Recently Microsoft said it was
cleaning up hundreds of PCs hit by these machines every day.
Many of these worms were launched from different PCs on the network of a French
home net service firm but others were from machines as far away as China.
There were also many attempts to probe the BBC honeypot to see how vulnerable
it was. Hijacked machines in Brazil as well as at the Indiana offices of a
public accounting and consulting firm carried out "port scans" on the BBC
honeypot to see if they could get a response that would reveal how vulnerable it
was.
Via the honeypot we could see these machines sending test data in sequence to
the ports, or virtual doors to the net, that the PC had open.
[Image caption: Windows is the favourite target of malicious and criminal hackers]
More rarely, once a day on average, came net attacks that tried to subvert the
honeypot to put it under the control of a malicious hacker.
Again these attacks came from all over the world - many clearly from hijacked
machines. The BBC honeypot was attacked by a PC at a Chinese aid organisation,
a server in Taiwan and many machines in Latin America.
Via the forensic tools installed on the honeypot we could see the booby-trapped
data packets these bugs were trying to make our target machine digest.
By using carefully crafted packets of data, attackers hope to make the PC run
commands that hand control of it to someone else.
Via this route many malicious hackers recruit machines for use in what is known
as a botnet. This is simply a large number of hijacked machines under the
remote control of a malicious hacker.
Botnets are popular with hi-tech criminals because they can be put to so many
different uses. The slaves or bots in a botnet can be used to send out spam or
phishing e-mails.
They can become the seeding network for a new virus outbreak or act as a
distributed data storage system for all kinds of illegal data. Spammers,
phishing gangs and others often rent a botnet to use for their own ends.
Often once a machine has fallen under someone else's control, a keylogger will
be installed to capture information about everything that the real owner does -
such as login to their online bank account.
This stolen information is often sold as few of those that steal it have the
criminal connections to launder stolen cash.
On Tuesday we recount what happened when we let the BBC honeypot get infected
with spyware, adware, viruses and other malicious programs.
=== Cut ===
Regards,
George Vandervort
InterNet EMail: georgev@austin.rr.com
Tech Support: http://home.austin.rr.com/llr/spa/
'Using yesterday's software to create tomorrow's problems today'
...Modem: Deterrent to receiving wanted and unwanted calls.
... the Beatles said it best, Obla-Dee, Obla-Daa, Life Goes On...
--- FMail/Win32 1.60
* Origin: Bill Gates does my Windows (FidoNet 1:382/8)
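The before/after measurement Alan asks for in the quoted text, written up here as an added example that is not part of this thread, of the BBC article, or of any honeypot tooling it mentions: a baseline snapshot of a directory tree (content hash, size, mtime per file) taken before the machine goes online, saved off-box, and diffed against a second snapshot taken afterwards, so that files added, removed or altered during the exposure window are listed rather than guessed at. The root directory and the JSON file name are whatever the experimenter chooses; nothing here is specific to Windows XP.

```python
import hashlib
import json
import os
from typing import Dict, List, Tuple

# Snapshot: relative path -> (sha256 hex digest, size in bytes, mtime seconds).
Snapshot = Dict[str, Tuple[str, int, int]]


def _sha256(path: str) -> str:
    """Hash file contents in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def take_snapshot(root: str) -> Snapshot:
    """Walk root and record a fingerprint of every regular file beneath it."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (_sha256(full), st.st_size, int(st.st_mtime))
    return snap

def save_snapshot(snap: Snapshot, out_file: str) -> None:
    """Write the baseline as JSON; keep this copy off the machine under test."""
    with open(out_file, "w") as f:
        json.dump(snap, f, sort_keys=True)

def load_snapshot(in_file: str) -> Snapshot:
    """Read a snapshot back, restoring the tuple values JSON turned into lists."""
    with open(in_file) as f:
        return {k: tuple(v) for k, v in json.load(f).items()}

def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Report paths that appeared, disappeared, or whose content hash changed."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    modified = sorted(p for p in before if p in after and before[p][0] != after[p][0])
    return {"added": added, "removed": removed, "modified": modified}
```

The comparison is driven by the content hash, so a file whose timestamp was reset but whose bytes changed still shows up as modified. The Windows registry is not covered; exporting the hives to files before and after and running the same diff over the export directory is one way to extend the experiment to it.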