
Catching a Virus Writer
2004-06-03 07:30

http://www.securityfocus.com/columnists/246
By Kelly Martin, Jun 02 2004

Like a sneeze in a crowded subway, it's hard to find the human source of the latest viral infection. On the Internet it's not much different. The people who write these nasty little programs and release them into the wild almost never get caught. Why? The answer is easy, but it's also a sort of technical nemesis: there's simply no way to track these people down.

The current approach to catching virus writers isn't working. Code analysis and disassembly provide clues about the author, but they're not enough. Virus writers boast of their accomplishments on private bulletin boards, yet only the most vocal and arrogant few will get caught. Even with logs, IP addresses and private access, it's still near impossible to track them down. Law enforcement agencies in every country are clearly ill-equipped to deal with the myriad of technical hurdles required to track virus authors down, and so they turn for help to a few elite security consultants, some working as threat analysts at the major A/V vendors. They can usually narrow down the source of a virus to its having been released in a geographic part of the world, but the rest is a mere packet in the bitstream.

Add Microsoft's new $250,000 bounty into the mix and at first glance, you'd think we're right on track. Not a chance! There are simply too many ways to be anonymous on the Internet, and more so today than ever before. You don't even need to spoof IP addresses these days; there are too many ways to have perfect stealth, starting with an untraceable MAC address on a borrowed IP address, linked into a wireless router down the street which has access logging disabled... and then you tunnel through countless proxies and compromised zombies until you reach the desired launch point. Someone who does not wish to be caught (and knows what they're doing) cannot be caught.
With wireless, it becomes a physical battle between a million victims and one guy walking down the street.

Why WiFi?

WiFi has exploded. Welcome to the truly anonymous Internet. There is no easier way to slip on and off the Internet now without being noticed than on an unsecured 802.11x wireless network in a coffee shop, under a tree in Central Park, at a library or even just leaked through the walls of the apartment next door. North America, and indeed the rest of the world, already has an incredible number of wireless devices that are effectively free, unsecured, and readily available to anyone - to such an extent that it's more difficult to avoid these sprawling networks than it is to connect to them. My Mac with embedded g-band happily connects to just about any network it can find, and it appears there are literally a hundred wireless Access Points within a short walking distance downtown.

There are a mind-boggling number of wireless access points now, and only the ubiquity of these devices is new: while four or five years ago I may have been the first on my block with WiFi, now there are so many devices I have to worry about interference. More than that, there are a mind-boggling number of wireless access points that are not Secure by Default, out of the box - just like the machine owned by your average Microsoft Windows user. But even if they were, it wouldn't matter.

I live in a sparsely-populated area, at least for a major metropolitan city. Yet without even leaving the couch of my living room, I can "borrow" someone else's Internet connection, mask my MAC address and have complete stealth on the Internet. It would be difficult, if not impossible, to prove it was me. If I wanted to be a bit smarter about things, however, I'd walk to the park and get my access from there... less likely that the police come knocking on my door. Or I'd drive down to the coffee shop, and set up a launch from there.
Or better still: point my homemade antenna (made out of a soup can and used according to the exacting laws of wavelengths and physics) and bounce it off a digital satellite dish, extending my network's range by up to 2km. In other words, I could literally get my Internet access by simply pointing my directional antenna towards metropolitan downtown.

I have no malicious intent, however. I'm generally not searching for these insecure networks; they just appear all on their own. When I'm not publishing articles on SecurityFocus, I go for coffee at a shop at the bottom of our building. There is free wireless Internet access available, sure -- though I'm not sure if it's actually provided by the coffee shop, or if it's coming from an office next door, or below me, or above me -- the service has never been advertised. Instead, one day I just opened up my Mac with OS X, and it was there (broadcasting itself, with no security). Most Windows machines, by default, similarly connect to the strongest local signal without discretion, and voila. I check the connection, and can instantly surf the web. SSH works fine, and thus secure (and dynamic) SSH tunnels are possible. And secure email, through port 993, is possible as well. Web access, like usual, is in the clear (except when using SSL, and then it too is secure). No security whatsoever. It's wide open.

I drink my coffee and imagine opening up a can of worms... or rather, imagine someone logging onto his bot network through IRC, sitting anonymously in some coffee shop, drinking espresso and launching DDoS (distributed denial-of-service) attacks. If I fudge my MAC address and make up a fake one, it will be impossible for anyone to know it's me. I'll change the apparent MAC address again tomorrow, and maybe I'll sit in a different coffee shop, too.
Free but insecure networks

What I'm trying to get at is this: the "promiscuity" of wireless networks has already made security on the Internet redundant - a virus writer using this technology could never be tracked down. There are hundreds of access points within my five-kilometer radius, and the number is growing every day. Having had 802.11x access myself for a long time, the technology and its weaknesses are hardly new - what's new is the proliferation of access points, the vast majority of which are freely available for personal use. Even a robustly secured wireless access point can be cracked in a matter of hours. The extreme, industrial-strength security using LDAP and/or RADIUS and rotating keys is possible, but not for the faint of heart. In other words, for tens of thousands of access points across the country and around the globe, their security is already irrelevant. For someone searching for a novel launch point for their virus, you might still be the next in line.

Salon published an interesting (and entertaining) article by Micah Joel (requires free day pass) about opening up access points and its legal implications: no security, broadcast the SSID, and turn logging off. Encourage people, in fact, to use the free connection. With no way to know who has used your Internet connection, there's no way that you could be held liable for inappropriate (or illegal) use. You'd be just like everyone else who took it out of the box and plugged it in. While this theory has yet to be held up in court, at least here in Canada, a precedent is waiting to be set.

It's already everywhere. Don't believe me? CNN published an article recently only confirming what many of us already knew: the insecurity of wireless networks has become extreme. Of course, it would be just as easy to launch a virus from an Internet café in many other parts of the world, like Asia and India, where anonymous access is given for a dollar an hour.
And then there are the libraries, colleges, user groups and other institutions everywhere else that, once again, provide a bastion of easy, cheap anonymity.

Let me now be clear about my motivations: while I do not have the skills to write a virus myself, there are many, many people out there who do. Writing it and sharing code is one thing; launching it into the wild is another thing altogether. Similarly, technical stealth is now very easy, so we're left to rely on the social component of a coder leaving his mark, showing some arrogance, and perhaps doing some public code sharing, that will ultimately do the virus writer in. The only way they might be caught is if one of their inner-circle friends squeals on them - and then traditional law enforcement steps in, grabs all the electronic equipment, and the forensics start. Then, once the informant is linked to the virus world as well, the blue cloud of Microsoft's $250,000 bounty again fades into the mist.

Virus writers can launch their dubious malcode from just about anywhere in the world, a form of cyber-terrorism that cannot be stopped. The promiscuity of the Internet is here.

Kelly Martin is the content editor for SecurityFocus.

_________________________________________
ISN mailing list
Sponsored by: OSVDB.org

