Security Whitepaper: Seeds may already be sown for worse attacks


By Gene Kim, Chief Technology Officer, Tripwire, Inc.

8:55 AM EST Tue. Feb. 15, 2000
From the February 15, 2000 issue of VARBusiness
The massive denial of service attacks launched last week served as a loud wake-up call to the computer security community. Despite warnings provided by the Computer Emergency Response Team (CERT) at Carnegie Mellon University last November, the distributed denial of service (DDOS) attacks took virtually everyone by surprise. The attacks seemed to be specifically aimed at economic disruption, hitting e-commerce and financial sites, as well as the second most visited web site in the world: Yahoo!

As law enforcement authorities are starting to confirm, some of the attacks originated from hacked servers residing on ISPs and universities, which were ideal launching points because they had ample computing power and were connected to high-speed networks. These two attributes are necessary to create the huge number of network packets required to match and overwhelm a target web server.

Unfortunately, since subverted servers were used in the attack, it's quite possible that the target servers may now be subverted as well. The possibility is all the more plausible because the chaos caused by the "fire and smoke" would provide an ideal diversion for someone to silently slip into the backyard and change a door lock. This means that the next big attack could originate from Yahoo!, Buy.com, or E*TRADE. The 1988 Morris Internet Worm showed how subtle and insidious tampered files can be: they were often detected only after the immediate threat of denial of service had passed.

Here's how that scenario might unfold the next time around. The hacker begins by finding some grappling hook into the target server, usually a network service (such as the web server process) that has some exploitable bug. This grappling hook provides the attacker with the ability to gain administrative privileges, just like the server operator, while staying below the radar screen -- all this transpires without alerting the server owner.

To subvert the server, the attacker can use an attack toolkit, also known as a "root kit," downloadable from hacker sites on the Internet. This toolkit contains software that replaces system programs that control critical server operations. These tampered programs hide any traces of the attacker and provide backdoors for future entry. In short, these programs serve to blind the rightful server owner and degrade the owner's ability to respond, stacking the deck in favor of the attacker. In hacker parlance, this server is now "owned." At this point, the server could be used as a launching point for a DDOS attack against another site.

The technique of compromising servers with backdoors and trojan horse programs is not new. In fact, it has changed little over the past 20 years and CERT has long warned IT managers of this danger. The SANS Institute, a training organization for IT professionals, has recently launched its laudable Trojan Hunt initiative to raise awareness and rally a viable defense. They note that finding compromised servers remains an arcane art, but it is clear that these subverted servers represent a real danger to the Internet community-at-large.

The bottom line is that IT managers must work diligently to keep critical servers online in the face of DDOS attacks. They must also make sure that these servers remain free of tampering and backdoors. Ensuring that their corporate servers are not used as launching points to attack other Internet sites is a community responsibility, just as home-owners must take reasonable measures to prevent accidents and mishaps on bordering sidewalks.

CERT provides a set of best practices to reduce the risk of compromise. For more than eight years, defensive tools such as Tripwire have been recommended to provide confidence that servers will remain free of unauthorized file tampering. These tools serve as force multipliers for IT managers to better their odds of defense against attack.
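The baseline-and-compare idea behind file integrity tools such as Tripwire, shown here as an added illustration rather than Tripwire's own code: every file under a directory is hashed while the host is known-good, the snapshot is kept somewhere the attacker cannot reach, and a later snapshot is diffed against it to surface replaced system programs and dropped backdoors. The tampering scenario in demo() (a swapped ps and a hidden file) is constructed for the example.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map each regular file under root (relative path) to its hash, size and mode."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # record only regular files; link targets are hashed in place
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"sha256": hash_file(full),
                         "size": st.st_size, "mode": st.st_mode & 0o7777}
    return snap

def compare(baseline, current):
    """Report files added, removed or changed since the baseline was taken."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "changed": sorted(p for p in base & cur if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: take a baseline, then a 'root kit' swaps ps and drops a file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name in ("ls", "ps"):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(b"original " + name.encode())
        baseline = snapshot(root)  # in practice: stored off-host or on read-only media
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"tampered ps")  # same size as the original; only the hash differs
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"backdoor")
        return compare(baseline, snapshot(root))
```

Because the replaced ps keeps its original size, a size-or-timestamp check alone would miss it; the content hash is what flags the change.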

The availability of these tools is especially timely now, as the Internet threat environment grows increasingly hostile and IT managers are pressured to deploy e-commerce sites on ever-speedier time schedules. The need for vigilance in the IT community has always been acute, but it will become even more important as attacks get more sophisticated.

Just because recent Web site attacks have abated does not mean that the threat has gone away. The DDOS attacks are a wake-up call: if the underlying problems are not remedied, worse crises are inevitable. We have survived the attack. Now it's time to carefully inventory our situation to ensure that the seeds for even more devastating attacks have not already been sown.

Gene Kim is the chief technology officer and co-founder of Tripwire(tm), Inc., a Portland, Oregon-based company that specializes in software for system security and policy compliance. Kim co-authored the Tripwire file integrity assessment software technology in 1992 while at Purdue University with Dr. Gene Spafford. He is widely published on computer security, operating systems, and networking, and is a frequent speaker at industry conferences. More information about Tripwire can be found at www.tripwiresecurity.com.
