Catching a Virus Writer

[InfoSec News <isn () c4i org>]

http://www.securityfocus.com/columnists/246

By Kelly Martin 
Jun 02 2004 

Like a sneeze in a crowded subway, it's hard to find the human source
of the latest viral infection. On the Internet it's not much
different. The people who write these nasty little programs and
release them into the wild almost never get caught. Why? The answer is
easy, but it's also a sort of technical nemesis: there's simply no way
to track these people down.

The current approach to catching virus writers isn't working. Code
analysis and disassembly provides clues about the author, but it's not
enough. Virus writers boast of their accomplishments in private
bulletin boards, yet only the most vocal and arrogant few will get
caught. Even with logs, IP addresses and private access, it's still
near impossible to track them down.

Law enforcement agencies in every country are clearly ill-equipped to
deal with the myriad of technical hurdles required to track virus
authors down, and so they turn to a few elite security consultants,
some working as threat analysts at the major A/V vendors for help.  
They can usually narrow down the source of a virus to having been
released in a geographic part of the world, but the rest is a mere
packet in the bitstream.

Add Microsoft's new $250,000 bounty into the mix and at first glance,
you'd think we're right on track. Not a chance! There are simply too
many ways to be anonymous on the Internet, and more so today than ever
before. You don't even need to spoof IP addresses these days; there
are too many ways to have perfect stealth, starting with an
untraceable MAC address on a borrowed IP address, linked into a
wireless router down the street which has access logging disabled? and
you tunnel through countless proxies and compromised zombies until you
reach the desired launch point. Someone who does not wish to be caught
(and knows what they're doing), cannot be caught. With wireless, it
become a physical battle between a million victims and one guy walking
down the street.


Why WiFi?

WiFi has exploded. Welcome to the truly anonymous Internet. There is
no easier way to slip on and off the Internet now without being
noticed than on an unsecured 802.11x wireless network in a coffee
shop, under a tree in Central Park, at a library or even just leaked
through the walls of the apartment next door. North America, and
indeed the rest of the world, already has an incredible number of
wireless devices that are effectively free, unsecured, and readily
available to anyone - to such an extent that it's more difficult to
avoid these sprawling networks than it is to connect to them. My Mac
with embedded g-band happily connects to just about any network it can
find, and it appears there are literally a hundred wireless Access
Points within a short walking distance downtown.

There are a mind-boggling number of wireless access points now, and
only the ubiquity of these devices is new: while four or five years
ago I may have been the first on my block with WiFi, now there are so
many devices I have to worry about interference.

More than that, there are a mind-boggling number of wireless access
point that are not Secure by Default, out of the box - just like the
machine owned by your average Microsoft Windows user. But even if they
were, it wouldn't matter.

I live in a sparsely-populated area, at least for a major metropolitan
city. Yet without even leaving the couch of my living room, I can
"borrow" someone else's Internet connection, mask my MAC address and
have complete stealth on the Internet. It would be difficult, if not
impossible, to prove it was me.

If I wanted to be a bit smarter about things, however, I'd walk to the
park and get my access from there... less likely that the police come
knocking on my door. Or I'd drive down to the coffee shop, and setup a
launch from there. Or better still: point my homemade antenna (made
out of a soup and used according to the exacting laws of wavelengths
and physics) and bounce it off a digital satellite dish, extending my
network's range by up to 2km. In other words, I could literally get my
Internet access by simply pointing my directional antenna towards
metropolitan downtown.

I have no malicious intent, however. I'm generally not searching for
these insecure networks, they just appear all on their own. When I'm
not publishing articles on SecurityFocus, I go for coffee at a shop at
the bottom of our building. There is free wireless Internet access
available, sure -- though I'm not sure if it's actually provided by
the coffee shop, or if it's coming from an office next door, or below
me, or above me -- the service has never been advertised. Instead, one
day I just opened up my Mac with OS X, and it was there (broadcasting
itself, with no security). Most Windows machines, by default,
similarly connect to the strongest local signal without discretion,
and voila.

I check the connection, and can instantly surf the web. SSH works
fine, and thus secure (and dynamic) SSH tunnels are possible. And
secure email, through port 993, is possible as well. Web access, like
usual, is in the clear (except when using SSL and then it too, is
secure). No security whatsoever. It's wide open. I drink my coffee and
imagine opening up a can of worms... or rather, imagine someone
logging onto his bot network through IRC, sitting anonymously in some
coffees shop, drinking espresso and launching DDoS (distributed
denial-of-service) attacks.

If I fudge my MAC address and make up a fake one, it will be
impossible for anyone to know it's me. I'll change the apparent MAC
address again tomorrow and maybe I'll sit in a different coffee shop,
too.


Free but insecure networks

What I'm trying to get at is this "promiscuity" of wireless networks
has already made security on the Internet redundant - a virus writer
using this technology could never be tracked down. There are hundreds
of access points within my five kilometer radius, and the number is
growing every day. Having had 802.11x access myself for a long time,
the technology and its weaknesses are hardly new - what's new is the
proliferation of access points, the vast majority of which are freely
available for personal use.

Even a robustly secured wireless access point can be cracked in a
matter of hours. The extreme, industrial-strength security using LDAP
and/or RADIUS and rotating keys is possible, but not for the faint of
heart. In other words, for tens of thousands of access points across
the country and around the globe, their security is already
irrelevant. For someone searching for a novel launch point for their
virus, you might still be the next in line.

Salon published an interesting (and entertaining) article by Micah
Joel (requires free day pass) about the opening up access points and
its legal implications: no security, broadcast the SSID, and turn
logging off. Encourage people, in fact, to use the free connection.  
With no way to know who has used your Internet connection, there's no
way that you could be held liable for inappropriate (or illegal) use.  
You'd be just like everyone else who took it out of the box, and
plugged it in. While this theory has yet to be help up in court, at
least here in Canada, a precedent is waiting to be set. It's already
everywhere. Don't believe me? CNN published an article recently only
confirming what many of us already knew: the insecurity of wireless
networks has become extreme.

Of course, it would be just as easy to launch a virus from an Internet
café in many other parts of the world, like Asia and India where
anonymous access is given for a dollar an hour. And then there are the
libraries, colleges, user groups and other institutions everywhere
else that, once again, provide a bastion of easy, cheap anonymity.

Let me now be clear about my motivations: while I do not have the
skills to write a virus myself, there are many, many people out there
who do. Writing it and sharing code is one thing; launching it into
the wild is another thing altogether. Similarly, technical stealth is
now very easy, so we're left to rely on the social component of a
coder leaving his mark, showing some arrogance, and perhaps doing some
public code sharing, that will ultimately do the virus writer in. The
only way they might be caught is if one of their inner-circle friends
squeal on them - and then traditional law enforcement steps in, grabs
all the electronic equipment, and the forensics start. Then once the
informant is linked to the virus world as well, the blue cloud of
Microsoft's $250,000 bounty again fades into the mist.

Virus writers can launch their dubious malcode from just about
anywhere in the world, a form of cyber-terrorism that cannot be
stopped. The promiscuity of the Internet is here.
 
 
Kelly Martin is the content editor for SecurityFocus.
 


_________________________________________
ISN mailing list
Sponsored by: OSVDB.org