Robert Hensing's Blog

Software Security . . . and stuff.

Blogs

The silent war - combat evolved: Hacker Personas

  • Comments 31
  • Likes

Okay, yes, I admit - I'm a little too excited about Halo 2 (note to XBox geeks out there, schedule your vacation NOW for around the launch of Halo 2 in November and make sure your XB live account is paid and up to date), but that is a fitting title for my 2nd post in what looks to be a series of posts on security, hacking and Windows incident response.

A couple weeks ago I put out a call for papers, asking you all what it is you want to know and the overwhelming response I got was 'we don't know what we don't know, teach us what we don't know and then we can tell you what we want to know more about' . . . fair enough, looks like we'll have to start at the beginning (which is good, more for me to blog about! :) )

"Information warfare" is a term I think about every day.  It is very much an applicable term for *businesses* (warfare, it's not just for governments anymore <G>) to use when talking about their role in *defending* their computer networks.  Whether you as an IT admin, CxO or front-line engineer realize it or not, you are at war with 'the miscreants' every day . . . the 'miscreants' as you will come to find out are a sub-culture of people scattered around the globe that want to hack your machine and use you as a free hosting provider for their stolen movies, pr0n, warez and other assorted things.  There are all different kinds of miscreants with all different kinds of skills, just as there are all different kinds of admins . . .

What I'm going to present to you in my next few posts is the current 'security landscape' as I see it for Windows as a platform.  If you've attended any of my presentations you may instantly recognize this as the first 45 minutes or so of my 'Securing Windows Networks' deck - but in written format. :)

To start painting the security landscape, we must first talk about the key players (i.e. 'us vs. them').
I'm going to use the politically incorrect term 'hacker' a lot in this post and I'm not really interested in being all PC and sensitive when addressing the 'hackers vs. crackers' crowd who may feel 'hackers have a bad rap' and that it's 'crackers who are bad, hackers are *really* good, no really we mean it'.  Whatever.  You can try and sell that all day long but I'm not buying it and if you're offended that I'm going to paint 'hackers' as bad people you can stop reading now.  What it comes down to, at the end of the day, is if you knowingly compromise a remote machine for purposes of ill-repute (which I'll discuss below), you are a *miscreant* who should probably be punished . . . since you probably used 'hacker tools' to accomplish your goals of 'exploring remote networks' I'm going to put you in the 'Miscreant' family and 'Hacker' genus (remember the whole Kingdom, Phylum, thing from school?).  There are all sorts of miscreants, virus and worm authors are 'Miscreant' family and 'Malware author' genus.  I could go on and on, but you get the idea.

So without further ado I give to you my 'Hacker Personas' . . . these are based on my pesonal experience over the last 2 years working with Microsoft customers who have suffered security intrusions / incidents in their environment.  The percentages given below are my 'gut feeling' based on what I see escalated to my team, the PSS Security team, inside of Microsoft.  I'm going to talk about who “they” are, why “they” are hacking you, the skills they have, the tools they use etc.  This will give you a good feel for what the security landscape is right now for Windows networks and who you should be worried about and what you should focus on.

Hacker Personas
Picture if you will 3 slightly overlapping circles . . . these represent the 3 species of hacker you will find on the Internet and some will obviously have overlapping skill sets through extensive in-breeding in late-night IRC channels that blur the lines between species. :)


Family:  Miscreant
Genus:   Hacker
Species: Lamer

This species is by FAR the most common on the Internet and accounts for, conservatively 75% of all computer intrusions.

Motive:  They want to use you as a free hoster for all of their pr0n, movies, warez, ISO images etc.  You've got low latency, high bandwidth and a lot of storage.  They don't desire to be discovered, but they compromise machines in such numbers its of no consequence to them if you discover their intrusion and pull the plug, they've got thousands more of your machines or others like yours all over.

Method:  They use 'spreaders', 'bots' and well-known and sometimes very old exploits.  Spreaders are multi-threaded Win32 console applications that take a range of IP addresses as input and produce a range of compromised hosts as output (i.e. hosts that have been, in automated fashion compromised and had FTP backdoors and IRC clients installed on them ready to receive the daily feed of movies, pr0n, and warez from the miscreant who comrpomised you).  'Bots' are automated worms that propagate using well-known exploits and/or the venerable NetBIOS protocol by targetting your admin shares and repeatedly guessing admin account names and password combo's until it gets on, dictionary-style.

Abilities:  This species usually hangs around in packs called 'crews'.  They may have a 'coder', a 'cracker', a 'ripper' etc.  The crew is broken down into roles based on skills.  The 'coder' probably has limitted HLL capabilities (some C++, VB, Python, Delphi etc.) . . . the 'ripper' may be their media guy who specializes in putting stuff in highly compressed format like DivX or MPEG4 . . . the cracker may be responsible for cracking serial numbers or obtaining them etc.

Payload:  Through the use of their automated scan'n'sploit tools (i.e. spreaders) they will usually create a new service on your machine like the 'TCP/IP Service' or the 'NT System Security' service that's cleverly hidden in plain-site for all to see.  This service is really an FTP backdoor maybe running from c:\recycler or c:\winnt\system32\spool (even if you installed to c:\windows).  Your antivirus software which you rely on for 'security' doesn't catch this because it's really a copy of Serv-U FTP or ioFTPD which are legitimate applications.  Sadly, most modern FTP servers are extensible, allowing the miscreants to customize / modify the FTP server making it into a full featured backdoor vs. a simple FTP server of the last century.  If you're *lucky* the A/V software will pick up on one of these custom-coded DLL's that get loaded inside the FTP servers process space - but more than likely they won't unless someone from my team submits it to the A/V vendors for consideration and inclusion in the next round of signature updates.



Family:  Miscreant
Genus:   Hacker
Species: Skilled

This species is less common, but it's population is growing dramatically and I expect by the end of the year for 60% or more of all Windows intrusions to have been accomplished by this quickly spreading species.  Right now I'd peg them conservatively at 24% of all intrusions.

Motive:  Interestingly their motives are often the same as the lamers; they want to use you as a free hosting provider with which to swap movies, and pr0n etc.  In addition though, they may also wish to swap exploits and other assorted malware or use your machine as a sort of 'sleeper' agent from which they can stage attacks (this is a much more aggressive, more war-like species than the 'lamer' which may account for their rising numbers <G>). Since they *usually* hack with more recent exploits and in much smaller numbers, they have much less desire to be discovered and thus resort to "active protection technologies" such as rootkits to hide their presence from administrators.  For those who aren't familair with rootkits I will cover this in depth in my next post on the evolution of malware.  Long story short:  Rootkits for Windows 'hide' stuff . . . stuff you as an admin would normally want and expect to see like processes, folders, files, registry entries, network connections etc.  Rootkits hide stuff by modifying the operating system in either user-mode, kernel-mode or both.  We are getting to a point where more than 50% of our hacking cases now have rootkits installed and the number is rising.  If your IR team hasn't heard about them or played with them, you've probably already lost the battle (especially if your IR toolkit isn't equipped to detect them).

Method:  These folks will scan your machine remotely to identify what you are vulnerable too using network scanners, and vulnerability scanners written for the purpose.  They probably know the patch status of your machine better than you do and will be quick to exploit the PCT vulnerability patched in MS04-011 if you haven't patched it yet (Download.Ject anyone?).

Abilities:  This species has advanced HLL skills (C++ etc.) and may even have remedial ASM skills for working out issues with shell-code that doesn't quite work right when they go to run it against you.

Payload:  They have similar payloads to the lamers, they'll drop custom FTP servers or backdoors on your machine, but they'll put them in a more sophisticated place like "c:\system volume information" which by default only the SYSTEM account has access too.  In addition they will actively hide their backdoor service / process / files / folders and spoof the amount of free space your system thinks it has (we had one customer with 12GB of free space on an 8GB drive . . . think about it) using a rootkit, probably Hacker Defender or other popular widely available rootkis.  In addition you may find other 'hacker' tools on the system like password dumpers, network sniffers, key stroke loggers etc. designed to expand influence and guarantee access in the unlikely event you catch on to them and start changing passwords (since you never identified how they got on your box in the first place).


Family:   Miscreant
Genus:    Hacker
Species:  Advanced

And now we have arrived at my favorite species:  The advanced species accounting for what I *hope* is less than 1% of all intrusions.  I've only had 2 cases involving this species in 2 years.  These are the genetically engineered mutant hackers grown in government labs around the world.  Our government has them, so does China's, and Russia's and the Koreans etc.  These are the hackers that the term 'Information warfare' was coined to describe.  These are the super-elite, the best of the best.  The ones that don't work for the governments of the world are probably a lot wealthier now and working for organized crime gangs and their efforts rarely make the news even though some of erected web sites advertising their skills, their service, salary requirements etc.

Motive:  They want your money / secret / sensitive data

Method:  These are the folks with the best '0-day' exploits that can be used as needed against a variety of operating systems (not just Windows).

Abilities:  From what I've seen, advanced HLL and advanced ASM.

Payload:  Ransome note.  Sophisticated rootkit / reverse shell backdoor.
This is where you can start to tell them apart - the payload used by this species is not easily identifiable as a 'popular' freely downloadable rootkit like Hacker Defender or Aphex Rootkit 2003.  It's all custom code that none of the A/V vendors recognize or have seen before.  The 'backdoor' may actually be a 'reverse door', or a reverse-shell that is shovelled back out of your network to the IP address / port of the attackers choice (since you probably aren't doing any sort of egress filtering in your DMZ this will work just fine).  The reverse-shell may be implemented as a single DLL that gets loaded in every process on the machine from the winnt\system32 directory.  It may or may not be hidden by a rootkit on the file system and in memory.  How many IR people reading this are going to be able to find a single new DLL added to their system and loaded in every process when they go looking for the source of the 'suspicious' network connection they just saw?  You'll know if it's organized crime vs. a foreign government based on who YOU are <G> and whether or not your president or VP or CxO or CSO gets an extortion letter in their 'private' hotmail account from the attacker, probably containing their domain logon cred's as 'proof' that they mean business.  I once submitted a specimen like this to the AV vendors.  It was entitled 'rasaccs.dll' and it was in the system32 directory.  If you right-clicked and did 'properties' to read the PE header information you got what looked like legitimate 'Microsoft' strings complete with version information and a product name etc.  More than one A/V vendor immediately wrote back to me with 'this is a legitimate Microsoft DLL' to which I sent them the link to our DLL help database and encouraged them to do a little more digging (I do have *some* skills after-all and can spot malware when I see it).


Okay - so this has been another rather lengthy post . . . my next installment will be entitled:
The silent war - combat evolved:  Admin Personas

In that post, I'm going to give all you admins out their the same treatment I give the miscreants above - you will get stacked and ranked according to your skill set and we'll see who's getting 'pwnt' ('leet (733t) speak for '0wn3d' which is 733t speak for 'owned') by the bad guys and who's not.
After that you'll be ready for "Malware Evolution - The Rise of the Wormbotdoorkits" . . . after you're done reading this you'll start to realize why your organizations IR toolkit (if you even have one) isn't up to snuff . . . and then I'll talk about W.O.L.F. (Windows On-line Forensics) and some of the work we're doing here at Microsoft in PSS to rise to the challenge posed to us by the miscreants and you'll see that sometimes you're the mouse, and sometimes you're the cat . . . . err WOLF. :)

Comments
  • This commentary was obviously aimed at improving Microsoft's image. ;-) Please remember Bill Gates was nothing more than a hacker in a garage when he started Microsoft. When talking security lets try not to give into the mass (left wing) media's stereo typing of all computers hobbists. Not all hackers are bad and not all Windows' is secure. If you didn't leave the door WIDE open, you wouldn't have to worry about unwanted visitors coming in and foregoing your right to sue on the grounds of tresspassing & breaking and entering. >;-P

  • Q: What's the difference between butt-kissing and brown-nosing?
    A: Depth perception

    Q: What's the difference between a hacker and a 'hobbyist'?
    A: Morals and ethics - both of which hackers demonstrate a lack of but presumably a 'hobbyist' would have.

    This is also largley why I agree that companies (any company) should not hire known / convicted hackers to come in and do anything security related for a company. As a hacker (either known or convicted) you've demonstrated (probably) a lack of morals / ethics that as an IT person I would unsettling were I to grant you the keys to the network and say 'go'. Just because you're good at breaking in to an organization doesn't meant you're good at securing that environment, the skill sets at best are orthogonal. Just because you can shoot a gun and kill someone doesn't make you qualified to become a surgeon to save their life.

    Kevin Mitnick and Ira Winkler debated this very topic at RSA 2003 in San Francisco last year and it was very entertaining. I fall squarely in the Ira Winkler school of philosophy.


    My intent with this post was not to assign blame here, but merely to paint the security landscape for readers who may not know anything about this world I'm attempting to describe. I'm never going to outright assign blame for a problem, I'd rather talk about what the problem is and come up with a solution. It's what I do - I solve problems.

    You seem to think that just because something isn't as secure as it could be, that it's perfectly okay to do whatever you want just because you can. I find that alarming. See my point on morals / ethics.

  • I'm very much enjoying this series of articles and learning a huge amount already. Please keep them coming and feel free to be as politically incorrect as you dam well please!

    One question: you keep referring to "leet speak". I can see the origins in simple numberic substitutions but I can't unserstand the phrase. To make sure I properly understand and enjoy the presentations, please could you say a few words about where this term comes from? (ignore the peels of laughter from all those who are already in the clique, I don't care).

    Thanks,
    --Tim Long

  • How it was explained to me the first time I encountered it (I read the alpha translation right, but figured there was something I missed because what the heck is "eleet"?)

    A) The Kids Don't Spell Right
    B) They Use Alpha Subsitution
    C) They Don't Care If They Don't Spell Right

    LeetSpeek:
    Q: 4re y0u n0t 1337?
    A: j00 will ph34r my 1337 sk1llz! 1 4m 4 1337 H4x0r!

    English Translation:
    Q: Would one say that one's pretty good?
    A: Rather! You should be afraid of my skills. I'm an elite hacker, you know!

    1337 = leet. it began as 31337 == eleet == elite, but got chopped.

  • For more wonderful information on Leet, check Wikipedia:
    http://en.wikipedia.org/wiki/Leet

  • Nice feature that DLL help database, but it would be better if it was actually up to date...

  • Changing the subject to the really important part of your post - the first sentence. I thought you might appreciate this.

    A few weeks ago I got home from work and found my wife checking plane ticket prices online. I noticed that the date range was November 5th to 14th. :-D Two things went through my head - in this order:
    1) She's going to be gone for our 10th anniversary :-(
    2) She's going to be gone when Halo 2 releases :-D

    Even better, since we home school our kids I'm going to have to take the week off to continue their schooling. 8-D Wahoo! I wonder how fast I can their lessons done on the 9th - I bet I'll be able to do it faster than my wife does.

  • Interesting blog.

    Here's one question I've never understood - user X installs his Windows OS from CD and now has a bright, shiny new Windows, with a bunch of known vulnerabilities. Being a conscientious sort he knows that he has to go to Windows Update and sort this out. What's to stop his machine being compromised even as he's doing this?

  • I think you left out a more siginficant group of hackers and motive: Spam.

    There is a big incentive to infiltrate and use machines as mail relays for spam.

  • Regarding what's to stop a virgin Windows XP installation from getting hacked while the user is installing the 40+ post SP0 critical updates for that platform, the answre is 'windows firewall'.

    If the user builds the OS from the CD and enables the windows firewall BEFORE connecting to the Internet and browsing to the Windows Update web site - they have very little to worry about.

  • Maybe the Windows Firewall will help (or another firewall product), but the right answer is to download the latest service pack and hotfixes from a system that is already patched and up to date, burn them to CD and load them on the new machine before plugging it's network connection in.

    I know I have (and I'm sure you have) seen machines get a virus, worm or trojan before you even get a chance to log in the for the first time.

    Phil