
Re: Department of Homeland Security's Border Screening System Victim of Windows Virus

  • Subject: Re: Department of Homeland Security's Border Screening System Victim of Windows Virus
  • From: "Rex Ballard" <rex.ballard@xxxxxxxxx>
  • Date: 4 Nov 2006 07:59:26 -0800
  • Complaints-to: groups-abuse@google.com
  • In-reply-to: <1835580.2NFsIa7hiu@schestowitz.com>
  • Injection-info: e3g2000cwe.googlegroups.com; posting-host=67.80.98.116; posting-account=W7I-5gwAAACdjXtgBZS0v1SA93ztSMgH
  • Newsgroups: comp.os.linux.advocacy
  • Organization: http://groups.google.com
  • References: <1835580.2NFsIa7hiu@schestowitz.com>
  • User-agent: G2/1.0
  • Xref: news.mcc.ac.uk comp.os.linux.advocacy:1177377
Roy Schestowitz wrote:
> How a virus crashed Homeland Security
>
> ,----[ Quote ]
> | The Zotob worm used a vulnerability in Windows 2000's Plug and
> | Play service to attack vulnerable machines.
> `----
>
> http://www.theregister.co.uk/2006/11/03/zotob_dhs_outbreak/

http://www.theregister.co.uk/2006/09/13/zotob_perps_jailed/

http://www.theregister.co.uk/2005/08/30/zotob_arrests_follow-up/

So we have some new favorites: BotZor and Zotob.


Even though the details are sketchy, it looks like this virus made the
mistake of hitting a honeypot *nix system, which allowed the feds to
trace it back to its origins.

And it looks like this one was a terrorist virus, designed to carefully
target specific computers, and then disable them.

From the description, it looks like they purchased a certificate from a
CA using a stolen credit card, which they used to enable signed
Active-X controls using SSL.

Hard to get much more out of this, but apparently Microsoft offered a
patch that broke so many other functions that they couldn't deploy it.
(Broke ActiveX controls?)

I wonder how long it would take for DHS to replace the Windows with
Linux on those workstations?

Probably less time than it took to fix all those infected computers and
trace down the perpetrator.


http://www.theregister.co.uk/2005/08/30/zotob_arrests_follow-up/
<quote>
Earlier this month separate groups of hackers released a barrage of
worms in a battle to seize control of Windows PCs that remain
vulnerable to the now infamous Windows Plug-and-Play vulnerability
exploited by Zotob. Fragments of evidence suggest a group called m00p
is creating IRCBot variants that compete with Zotob variants created by
0x90-Team over the control of vulnerable Windows PCs. ®
</quote>


http://www.theregister.co.uk/2005/11/01/october_virus_chart/
<quote>
October saw the biggest increase in virus numbers since anti-virus firm
Sophos began tracking outbreaks in 1988. The security vendor now
identifies and protects against a total of 112,142 viruses, an increase
of 1,685 on September.

"There are six variants of the Mytob worm in the October chart, half of
which are new entries," said Carole Theriault, senior security
consultant at Sophos. "The creators of Mytob appear to be a gang of
virus writers called Hellbot. By having several gang members they can
easily issue several different variants in a short space of time." ®
</quote>

<quote>
October top ten virus chart, as compiled by Sophos:

 1. NetSky-P
 2. Mytob-GH (new entry)
 3. Mytob-EX (new entry)
 4. Mytob-AS
 5. Mytob-BE
 6. Zafi-D
 7. NetSky-D
 8. Mytob-C
 9. Zafi-B (re-entry)
10. Mytob-ER (new entry)
</quote>

Do any of these actually successfully attack Linux systems?
It doesn't appear to be so.  In fact, it looks like Linux honeypots
have led to the arrest of several of the perpetrators of these viruses.

http://www.theregister.co.uk/2005/11/04/suspected_bot_master_busted/
<quote>
In what prosecutors have labeled the first case of its kind in the
nation, a federal grand jury charged Jeanson James Ancheta with 17
counts of conspiracy and computer crime stemming from his alleged
profitable use of bot nets. Over nearly a year, Ancheta allegedly used
automated software to infect Windows systems, advertised and sold
access to the compromised PCs, and used the software to perpetrate
click fraud, garnering tens of thousands of dollars in affiliate fees,
according to a 58-page indictment released on Thursday.
</quote>

http://www.securityfocus.com/brief/19
<quote>
The Netherlands' National Prosecution Service told a court on Thursday
that three suspects arrested earlier this month controlled some 1.5
million computers as part of a worldwide bot net, not 100,000 as first
thought, stated an Associated Press report.
</quote>

http://www.securityfocus.com/brief/338
<quote>
A number of bot herders have been arrested this year, but some
researchers believe that the arrests are having little impact. One
security firm, Arbor Networks, found that bot nets are typically
short-lived--less than a third last more than a day. Most ISPs quickly
take down the Internet relay chat servers that act as the connection
point between a bot net and its controller. While bot clients are
usually compromised Windows computers, the command and control servers
are most often--about 85 percent of the time--Linux or Unix machines,
Arbor found.
</quote>


Can any of our friendly WinTrolls find some successful attacks on Linux
or UNIX?

The only ones I can think of are the Morris Worm, in 1987: a program
designed to map the uucp network had a timing glitch and ran amok,
taking down nearly all VAX-powered BSD Unix and AT&T SysV UNIX systems
in less than 2 hours.

The hole was identified by the author to put up a non-defense which
resulted in a conviction and established court precedent for laws
against unauthorized computer access.

The Lyon virus was a successful exploit that took control of
misconfigured machines; 8,000 machines were successfully attacked, and
about 1/3 of those were on one hosting farm.  Specifically, it had
/etc/hosts/hosts.equiv set to *.  I think these were even early
Slackware systems that provided 3 standard "sample" user IDs, including
"satan", "snake", and "adam?".  The passwords were the same.  In
addition, the default at startup was to have no password on the root
account, and then to prompt for a password.  As a result, it was
possible for a Linux user, logged on as root, to access a vulnerable PC
as root.

On the other hand, Linux and UNIX machines used for routing and mail
forwarding often allow the law enforcement authorities to trace mail
and bots back to their perpetrators.

Honeypot Linux systems allow the perp to think he has captured a
Windows bot computer, and then when the bot makes the outbound
connections, these connections are logged.  Since damage can easily be
limited to just a small group of files (the WINE, Crossover, or VM
environment), it's pretty easy to capture all of the inbound and
outbound traffic and log it.

Moral:
Mess with a Windows system, you get rich, and maybe even famous.
Mess with a Linux system, go to jail.
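The honeypot idea in the post (log every connection the captured bot makes, then pull out the outbound IRC connections that the Arbor quote describes as the usual command-and-control channel) as an added Python example; this is not code from the post or from any of the cited articles. The log-line format, the sample lines and the choice of IRC port range are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed honeypot connection log (assumed format, not a real capture):
# "<timestamp> <in|out> <remote_ip>:<remote_port> proto=<tcp|udp>"
# "in" is a connection to the honeypot, "out" is one the honeypot made.
SAMPLE_LOG = """\
2005-08-16T10:01:02 in 198.51.100.7:445 proto=tcp
2005-08-16T10:01:05 out 203.0.113.9:6667 proto=tcp
2005-08-16T10:01:09 out 203.0.113.9:6667 proto=tcp
2005-08-16T10:02:00 in 198.51.100.44:80 proto=tcp
2005-08-16T10:02:30 out 192.0.2.12:53 proto=udp
2005-08-16T10:03:10 out 203.0.113.9:6667 proto=tcp
"""

LINE_RE = re.compile(r"^(\S+) (in|out) (\d+\.\d+\.\d+\.\d+):(\d+) proto=(tcp|udp)$")

# Assumption: plain IRC on 6660-6669; a real deployment would tune this list.
IRC_PORTS = set(range(6660, 6670))


def parse_log(text):
    """Parse log lines into (ts, direction, ip, port, proto); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, direction, ip, port, proto = m.groups()
        events.append((ts, direction, ip, int(port), proto))
    return events


def cc_candidates(events, cc_ports=IRC_PORTS):
    """Outbound TCP connections to IRC ports, each tied to the inbound peer
    seen most recently before it (the likely infection source to follow up)."""
    last_inbound = None
    hits = defaultdict(lambda: {"count": 0, "first_seen": None, "after_inbound_from": None})
    for ts, direction, ip, port, proto in events:
        if direction == "in":
            last_inbound = ip
        elif proto == "tcp" and port in cc_ports:
            rec = hits[(ip, port)]
            rec["count"] += 1
            rec["first_seen"] = rec["first_seen"] or ts
            rec["after_inbound_from"] = rec["after_inbound_from"] or last_inbound
    return dict(hits)


if __name__ == "__main__":
    for (ip, port), rec in cc_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}:{port} outbound x{rec['count']}, first {rec['first_seen']}, "
              f"preceded by inbound from {rec['after_inbound_from']}")
```

The DNS lookup on port 53 is left out of the report on purpose, so that only the repeated IRC connections surface as the candidate controller to hand to the abuse desk or law enforcement.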

