All articles licensed under a Creative Commons License.

Thursday, November 17, 2005

The Rootkit powered Botnet

"The great internet shakedown has begun, and to coin a phrase, it's clobberin' time."

Quite a statement.

Yet consider what our team has been able to ferret out lately:

* A rather nasty IM virus tracked, jacked and nailed like a punk.
* The "fake" Google Toolbar, traced back to IM and also tracked right back to 2003.
* The notorious IM Rootkit, so hot they covered it twice in two days on Slashdot. Ye Gods.

All signed, sealed and delivered from the crack research team at FaceTime. And, as we have seen from some of this cutting-edge (and, I might add, exhaustive!) research, these days it just isn't enough to find a virus, put it in a database and give it a cool name. Spyware researchers are finding that merely knowing about a piece of spyware doesn't work. You need to know where the money goes, who the companies are, the money trails, people, names, places and lots more besides. You need to be able to decipher an incredibly complicated economic infrastructure. Of course, it helps that we have someone at FaceTime who specialises in just that field!

In short, you need to approach situations like a digital detective.

And, after further investigation on the AIM rootkit story, we are fairly confident we have located the group behind this thing and have turned the information over to the FBI and other federal agencies.

What is scary here is the potential for mass damage that we have seen through monitoring this group (based in the Middle East) nearly 24/7. They are slowly but surely building one of those huge botnets we all know and love, spread across the globe, and it seems the lockx rootkit was simply the beach-head - the first wave. Naturally, we can only speculate, and often researchers have to do just that - a good researcher knows their enemy and follows a hunch when little evidence is on the table. One might ask if Wayne Porter is going too far in his speculation, but is the outlined scenario really that far-fetched?

The definition of a rootkit is fairly fluid - one man's rootkit is another man's trojan. However, in this case the lockx file is the building block for a rather nasty attack, which goes like this:

They spread the lockx rootkit via IM, hidden among a big pile of advertising software. As I predicted at the time, the Adware was likely just a decoy, there to distract from the rootkit that came in the package.

Sure enough, once the first wave of infections had installed, the Adware suddenly got "switched off", and all that was left was the rootkit. Clever, eh? They probably had more than enough rootkits out there by that point anyway. In case you think this is some kind of overblown, scare-tactic jibber jabber, let me say this:

Over 17,000 users were found to be compromised on a single server, and we found lots of those worldwide. When all is said and done, that's a whole lot of infections. And it doesn't take into account the fact that there will likely be other infection servers out there that we haven't spotted yet.

To coin a phrase - ouch.

Now, let's take those 17,000 infected individuals. Then let's push new stuff out through our IRC network, where we control the bots and make things go boom. Then let's sever the tie to IM for a while - we've already distributed the payload, so now we can funnel stuff via IRC and cause more headaches for the security guys. Ever-changing attack vectors. Lovely.

Now comes the second wave, which has just started to hit.

We spread all new kinds of malware - self-extracting zipfiles, altered file-names, modified infections ripped from other sources of distribution - and this stuff does all of the below and then some:

  • Can steal your browser auto-complete data, which may leak confidential personal information
  • Gain access to Microsoft Outlook Express
  • Open browsers to launch a denial of service attack, and/or
  • Download additional malicious applications

See? Now the attack vector suddenly includes hijacking your email contacts (oh no! Malware spam on the way!), DoS attacks for fun, profit and other nefarious purposes, and (just to put the final nail in the coffin) stealing your stored usernames / passwords / all the other scary stuff that costs money and makes people cry.

With, of course, the added bonus of being able to modify their infections and upload / download stuff on the fly - and with a botnet that large, they probably won't care about using x amount of machines as "guinea pigs" for new infections. And how many of those will be hosed by infections that don't actually do what they're supposed to do? Those machines are like the red-shirt security guys in Star Trek. Utterly expendable.
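The control channel described above, with thousands of compromised hosts reporting to one IRC network, leaves a signature a network defender can look for: many internal machines joining the same channel on the same server, and individual machines checking in on a clockwork schedule. The following Python is an added example, not code from this post or from FaceTime's research; the log format, the addresses (RFC 5737 documentation ranges), the channel names and the IRC port list are constructed assumptions for the illustration.

```python
"""Flag IRC command-and-control servers by fan-in and beacon regularity.

Added illustration for the botnet described in the post. The log format,
IP addresses, channel names and port list below are constructed for this
example; they are not from the post or from FaceTime's research.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Ports commonly used for IRC (assumption for this example; a production
# detector would also inspect payloads rather than trusting port numbers).
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Constructed sample connection log, one record per line:
#   <timestamp> <src_ip> <dst_ip> <dst_port> <irc_command> [argument]
SAMPLE_LOG = """\
2005-11-17T09:00:00 10.0.0.11 203.0.113.5 6667 JOIN #ctrl
2005-11-17T09:00:02 10.0.0.12 203.0.113.5 6667 JOIN #ctrl
2005-11-17T09:00:03 10.0.0.13 203.0.113.5 6667 JOIN #ctrl
2005-11-17T09:00:05 10.0.0.14 203.0.113.5 6667 JOIN #ctrl
2005-11-17T09:01:00 10.0.0.11 203.0.113.5 6667 PRIVMSG #ctrl
2005-11-17T09:02:00 10.0.0.11 203.0.113.5 6667 PRIVMSG #ctrl
2005-11-17T09:03:00 10.0.0.11 203.0.113.5 6667 PRIVMSG #ctrl
2005-11-17T09:00:10 10.0.0.50 198.51.100.9 6667 JOIN #python
2005-11-17T09:00:11 10.0.0.50 198.51.100.9 6667 PRIVMSG #python
2005-11-17T09:00:12 10.0.0.60 198.51.100.20 80 -
"""


def parse_log(text):
    """Turn the constructed log text into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, cmd, *rest = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "cmd": cmd,
            "arg": rest[0] if rest else None,
        })
    return records


def channel_fan_in(records, min_hosts=3):
    """Map (server, channel) to the sorted distinct internal hosts that JOINed
    it over an IRC port; keep only entries reached by at least min_hosts.

    One person idling on a legitimate IRC network never trips this; a channel
    that many unrelated workstations join within minutes is a C2 candidate."""
    members = defaultdict(set)
    for r in records:
        if r["dport"] in IRC_PORTS and r["cmd"] == "JOIN" and r["arg"]:
            members[(r["dst"], r["arg"])].add(r["src"])
    return {key: sorted(hosts) for key, hosts in members.items()
            if len(hosts) >= min_hosts}


def beacon_score(records, src, dst):
    """Return (mean_gap_seconds, stdev_seconds) for one host's traffic to dst,
    or None when fewer than three connections exist. A near-zero stdev over
    several samples means clockwork check-ins, typical of a bot polling its
    controller rather than a human chatting."""
    times = sorted(r["ts"] for r in records if r["src"] == src and r["dst"] == dst)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    return mean(gaps), pstdev(gaps)


def report(text, min_hosts=3):
    """Combine both signals into a list of findings for an analyst."""
    records = parse_log(text)
    findings = []
    for (server, channel), hosts in channel_fan_in(records, min_hosts).items():
        beacons = {h: beacon_score(records, h, server) for h in hosts}
        findings.append({"server": server, "channel": channel,
                         "hosts": hosts, "beacons": beacons})
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(f"{finding['server']} {finding['channel']}: "
              f"{len(finding['hosts'])} internal hosts joined")
        for host, score in finding["beacons"].items():
            print(f"  {host}: beacon {score}")
```

On the constructed sample the four workstations joining `#ctrl` on 203.0.113.5 are reported while the single user on the `#python` channel is not, and 10.0.0.11 shows a 60-second check-in with zero jitter. The two signals are deliberately separate: fan-in catches the herd, beacon regularity catches a single infected host before the rest of the herd is visible.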

As you can see, the scale and ambition of this one is truly frightening. It also does not bode well if you subscribe to the “Porterism” view of the future. A mass of botnets can wreak havoc on a world that is networked like never before - banks, emergency services, vital communications - you get the picture. That is especially true when you consider that botnets are now becoming harder and harder to crack, with all these mutations all over the place. The fact that we think we have located the group behind it is a one-in-a-million thing too - a Herculean task, and our coffee pots / energy drink dispensers were cooking on overdrive.

For more information on what to expect from this thing, check out the official FaceTime press release here.

Stay frosty, kids.

(All you wonderful journalists out there - if you want more information on this, feel free to contact me via the Press Page)


All Content © Vitalsecurity.org 2006. The content of this site is entirely the opinion of Paperghost, and is in no way endorsed by FaceTime Communications. In other words - have a problem, come see me.