The silent war - combat evolved: Hacker Personas

Okay, yes, I admit - I'm a little too excited about Halo 2 (note to XBox geeks out there, schedule your vacation NOW for around the launch of Halo 2 in November and make sure your XB live account is paid and up to date), but that is a fitting title for my 2nd post in what looks to be a series of posts on security, hacking and Windows incident response.

A couple weeks ago I put out a call for papers, asking you all what it is you want to know and the overwhelming response I got was 'we don't know what we don't know, teach us what we don't know and then we can tell you what we want to know more about' . . . fair enough, looks like we'll have to start at the beginning (which is good, more for me to blog about! :) )

"Information warfare" is a term I think about every day.  It is very much an applicable term for *businesses* (warfare, it's not just for governments anymore <G>) to use when talking about their role in *defending* their computer networks.  Whether you as an IT admin, CxO or front-line engineer realize it or not, you are at war with 'the miscreants' every day . . . the 'miscreants' as you will come to find out are a sub-culture of people scattered around the globe that want to hack your machine and use you as a free hosting provider for their stolen movies, pr0n, warez and other assorted things.  There are all different kinds of miscreants with all different kinds of skills, just as there are all different kinds of admins . . .

What I'm going to present to you in my next few posts is the current 'security landscape' as I see it for Windows as a platform.  If you've attended any of my presentations you may instantly recognize this as the first 45 minutes or so of my 'Securing Windows Networks' deck - but in written format. :)

To start painting the security landscape, we must first talk about the key players (i.e. 'us vs. them').
I'm going to use the politically incorrect term 'hacker' a lot in this post and I'm not really interested in being all PC and sensitive when addressing the 'hackers vs. crackers' crowd who may feel 'hackers have a bad rap' and that it's 'crackers who are bad, hackers are *really* good, no really we mean it'.  Whatever.  You can try and sell that all day long but I'm not buying it and if you're offended that I'm going to paint 'hackers' as bad people you can stop reading now.  What it comes down to, at the end of the day, is if you knowingly compromise a remote machine for purposes of ill-repute (which I'll discuss below), you are a *miscreant* who should probably be punished . . . since you probably used 'hacker tools' to accomplish your goals of 'exploring remote networks' I'm going to put you in the 'Miscreant' family and 'Hacker' genus (remember the whole Kingdom, Phylum, thing from school?).  There are all sorts of miscreants, virus and worm authors are 'Miscreant' family and 'Malware author' genus.  I could go on and on, but you get the idea.

So without further ado I give to you my 'Hacker Personas' . . . these are based on my personal experience over the last 2 years working with Microsoft customers who have suffered security intrusions / incidents in their environment.  The percentages given below are my 'gut feeling' based on what I see escalated to my team, the PSS Security team, inside of Microsoft.  I'm going to talk about who “they” are, why “they” are hacking you, the skills they have, the tools they use etc.  This will give you a good feel for what the security landscape is right now for Windows networks and who you should be worried about and what you should focus on.

Hacker Personas
Picture if you will 3 slightly overlapping circles . . . these represent the 3 species of hacker you will find on the Internet and some will obviously have overlapping skill sets through extensive in-breeding in late-night IRC channels that blur the lines between species. :)


Family: Miscreant
Genus: Hacker
Species: Lamer

This species is by FAR the most common on the Internet and accounts for, conservatively, 75% of all computer intrusions.

Motive:  They want to use you as a free hoster for all of their pr0n, movies, warez, ISO images etc.  You've got low latency, high bandwidth and a lot of storage.  They don't desire to be discovered, but they compromise machines in such numbers it's of no consequence to them if you discover their intrusion and pull the plug; they've got thousands more of your machines or others like yours all over.

Method:  They use 'spreaders', 'bots' and well-known and sometimes very old exploits.  Spreaders are multi-threaded Win32 console applications that take a range of IP addresses as input and produce a range of compromised hosts as output (i.e. hosts that have been, in automated fashion, compromised and had FTP backdoors and IRC clients installed on them ready to receive the daily feed of movies, pr0n, and warez from the miscreant who compromised you).  'Bots' are automated worms that propagate using well-known exploits and/or the venerable NetBIOS protocol by targeting your admin shares and repeatedly guessing admin account names and password combos until they get on, dictionary-style.

Abilities:  This species usually hangs around in packs called 'crews'.  They may have a 'coder', a 'cracker', a 'ripper' etc.  The crew is broken down into roles based on skills.  The 'coder' probably has limited HLL capabilities (some C++, VB, Python, Delphi etc.) . . . the 'ripper' may be their media guy who specializes in putting stuff in highly compressed format like DivX or MPEG4 . . . the cracker may be responsible for cracking serial numbers or obtaining them etc.

Payload:  Through the use of their automated scan'n'sploit tools (i.e. spreaders) they will usually create a new service on your machine like the 'TCP/IP Service' or the 'NT System Security' service that's cleverly hidden in plain sight for all to see.  This service is really an FTP backdoor maybe running from c:\recycler or c:\winnt\system32\spool (even if you installed to c:\windows).  Your antivirus software which you rely on for 'security' doesn't catch this because it's really a copy of Serv-U FTP or ioFTPD which are legitimate applications.  Sadly, most modern FTP servers are extensible, allowing the miscreants to customize / modify the FTP server making it into a full featured backdoor vs. a simple FTP server of the last century.  If you're *lucky* the A/V software will pick up on one of these custom-coded DLLs that get loaded inside the FTP server's process space - but more than likely they won't unless someone from my team submits it to the A/V vendors for consideration and inclusion in the next round of signature updates.


Family: Miscreant
Genus: Hacker
Species: Skilled

This species is less common, but its population is growing dramatically and I expect by the end of the year for 60% or more of all Windows intrusions to have been accomplished by this quickly spreading species.  Right now I'd peg them conservatively at 24% of all intrusions.

Motive:  Interestingly their motives are often the same as the lamers; they want to use you as a free hosting provider with which to swap movies, and pr0n etc.  In addition though, they may also wish to swap exploits and other assorted malware or use your machine as a sort of 'sleeper' agent from which they can stage attacks (this is a much more aggressive, more war-like species than the 'lamer' which may account for their rising numbers <G>). Since they *usually* hack with more recent exploits and in much smaller numbers, they have much less desire to be discovered and thus resort to "active protection technologies" such as rootkits to hide their presence from administrators.  For those who aren't familiar with rootkits I will cover this in depth in my next post on the evolution of malware.  Long story short:  Rootkits for Windows 'hide' stuff . . . stuff you as an admin would normally want and expect to see like processes, folders, files, registry entries, network connections etc.  Rootkits hide stuff by modifying the operating system in either user-mode, kernel-mode or both.  We are getting to a point where more than 50% of our hacking cases now have rootkits installed and the number is rising.  If your IR team hasn't heard about them or played with them, you've probably already lost the battle (especially if your IR toolkit isn't equipped to detect them).

Method:  These folks will scan your machine remotely to identify what you are vulnerable to using network scanners, and vulnerability scanners written for the purpose.  They probably know the patch status of your machine better than you do and will be quick to exploit the PCT vulnerability patched in MS04-011 if you haven't patched it yet (Download.Ject anyone?).

Abilities:  This species has advanced HLL skills (C++ etc.) and may even have remedial ASM skills for working out issues with shell-code that doesn't quite work right when they go to run it against you.

Payload:   They have similar payloads to the lamers, they'll drop custom FTP servers or backdoors on your machine, but they'll put them in a more sophisticated place like "c:\system volume information" which by default only the SYSTEM account has access to.  In addition they will actively hide their backdoor service / process / files / folders and spoof the amount of free space your system thinks it has (we had one customer with 12GB of free space on an 8GB drive . . . think about it) using a rootkit, probably Hacker Defender or other popular widely available rootkits.  In addition you may find other 'hacker' tools on the system like password dumpers, network sniffers, key stroke loggers etc. designed to expand influence and guarantee access in the unlikely event you catch on to them and start changing passwords (since you never identified how they got on your box in the first place).
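
As an added example (not code from the original post or from Microsoft), this Python code audits an exported service inventory for binaries in the hiding places named in the two Payload descriptions above: c:\recycler, the system32\spool directory, "c:\system volume information", and a Windows directory other than the real install root. The inventory rows, the function names and the c:\windows install root are assumptions made for illustration.

```python
import ntpath
import re

# Hiding places named in the post (lower-case; trailing slash skips spoolsv.exe).
SUSPECT_DIRS = ("\\recycler\\", "\\system32\\spool\\", "\\system volume information\\")
SYSTEM_ROOT = "c:\\windows"  # assumption: real install root of the audited host


def image_path(binary_path):
    """Extract the executable path from a service ImagePath value."""
    value = binary_path.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    # Unquoted: keep everything up to the first ".exe" so arguments are dropped.
    match = re.match(r"(?i)(.+?\.exe)\b", value)
    return match.group(1) if match else value


def audit_services(services, system_root=SYSTEM_ROOT):
    """Return (service name, reason) for every service with a suspicious path."""
    findings = []
    root = system_root.lower() + "\\"
    for name, binary_path in services:
        exe = ntpath.normpath(image_path(binary_path)).lower()
        hit = next((d for d in SUSPECT_DIRS if d in exe), None)
        if hit:
            findings.append((name, "binary under " + hit.strip("\\")))
        elif re.match(r"[a-z]:\\(winnt|windows)\\", exe) and not exe.startswith(root):
            findings.append((name, "Windows directory other than " + system_root))
    return findings


# Constructed inventory: (service display name, ImagePath).
SAMPLE_SERVICES = [
    ("Print Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
    ("TCP/IP Service", r"c:\recycler\svchost.exe"),
    ("NT System Security", r'"c:\winnt\system32\spool\drivers\lsass.exe" -service'),
    ("Windows Time", r"C:\WINDOWS\System32\svchost.exe -k netsvcs"),
    ("Remote Helper", r"C:\System Volume Information\tcpsvc.exe"),
    ("Legacy Agent", r"c:\winnt\agent\agent.exe"),
]

if __name__ == "__main__":
    for name, reason in audit_services(SAMPLE_SERVICES):
        print(name, "->", reason)
```

Because a rootkit can hide a service from the live system, the inventory is best taken from a view the compromised host does not control, such as an offline copy of the registry.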


Family: Miscreant
Genus: Hacker
Species: Advanced

And now we have arrived at my favorite species:  The advanced species accounting for what I *hope* is less than 1% of all intrusions.  I've only had 2 cases involving this species in 2 years.  These are the genetically engineered mutant hackers grown in government labs around the world.  Our government has them, so does China's, and Russia's and the Koreans etc.  These are the hackers that the term 'Information warfare' was coined to describe.  These are the super-elite, the best of the best.  The ones that don't work for the governments of the world are probably a lot wealthier now and working for organized crime gangs and their efforts rarely make the news even though some of them have erected web sites advertising their skills, their service, salary requirements etc.

Motive:  They want your money / secret / sensitive data

Method:  These are the folks with the best '0-day' exploits that can be used as needed against a variety of operating systems (not just Windows).

Abilities:  From what I've seen, advanced HLL and advanced ASM.

Payload:  Ransom note.  Sophisticated rootkit / reverse shell backdoor.
This is where you can start to tell them apart - the payload used by this species is not easily identifiable as a 'popular' freely downloadable rootkit like Hacker Defender or Aphex Rootkit 2003.  It's all custom code that none of the A/V vendors recognize or have seen before.  The 'backdoor' may actually be a 'reverse door', or a reverse-shell that is shovelled back out of your network to the IP address / port of the attacker's choice (since you probably aren't doing any sort of egress filtering in your DMZ this will work just fine).  The reverse-shell may be implemented as a single DLL that gets loaded in every process on the machine from the winnt\system32 directory.  It may or may not be hidden by a rootkit on the file system and in memory.  How many IR people reading this are going to be able to find a single new DLL added to their system and loaded in every process when they go looking for the source of the 'suspicious' network connection they just saw?  You'll know if it's organized crime vs. a foreign government based on who YOU are <G> and whether or not your president or VP or CxO or CSO gets an extortion letter in their 'private' hotmail account from the attacker, probably containing their domain logon creds as 'proof' that they mean business.  I once submitted a specimen like this to the AV vendors.  It was entitled 'rasaccs.dll' and it was in the system32 directory.  If you right-clicked and did 'properties' to read the PE header information you got what looked like legitimate 'Microsoft' strings complete with version information and a product name etc.  More than one A/V vendor immediately wrote back to me with 'this is a legitimate Microsoft DLL' to which I sent them the link to our DLL help database and encouraged them to do a little more digging (I do have *some* skills after all and can spot malware when I see it).
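
The search the paragraph above asks about, as an added example that is not part of the original post: given per-process module lists and a known-good baseline, it reports system32 DLLs that are mapped into every process but are missing from the baseline. The module lists, baseline and function names are constructed for illustration (only the rasaccs.dll name comes from the post), and the lists are assumed to come from a collection method a rootkit has not filtered.

```python
import ntpath


def norm(path):
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normpath(path).lower()


def modules_in_every_process(process_modules):
    """Return the set of module paths mapped into all listed processes."""
    sets = [{norm(m) for m in mods} for mods in process_modules.values()]
    return set.intersection(*sets) if sets else set()


def unexpected_global_dlls(process_modules, baseline, system_dir):
    """Return system_dir DLLs loaded everywhere but missing from the baseline."""
    known = {norm(p) for p in baseline}
    prefix = norm(system_dir) + "\\"
    common = modules_in_every_process(process_modules)
    return sorted(m for m in common if m.startswith(prefix) and m not in known)


SYSTEM_DIR = r"c:\winnt\system32"

# Constructed known-good baseline for the host build.
BASELINE = [SYSTEM_DIR + "\\" + n
            for n in ("ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll")]

# Constructed per-process module lists, keyed by "image:pid".
SAMPLE_MODULES = {
    "winlogon.exe:212": [r"C:\WINNT\system32\ntdll.dll", r"C:\WINNT\system32\kernel32.dll",
                         r"C:\WINNT\system32\user32.dll", r"C:\WINNT\system32\rasaccs.dll"],
    "svchost.exe:468": [r"c:\winnt\system32\ntdll.dll", r"c:\winnt\system32\kernel32.dll",
                        r"c:\winnt\system32\advapi32.dll", r"c:\winnt\System32\RASACCS.DLL"],
    "inetinfo.exe:904": [r"c:\winnt\system32\ntdll.dll", r"c:\winnt\system32\kernel32.dll",
                         r"c:\winnt\system32\rasaccs.dll", r"c:\inetpub\ext\filter.dll"],
}

if __name__ == "__main__":
    for dll in unexpected_global_dlls(SAMPLE_MODULES, BASELINE, SYSTEM_DIR):
        print("loaded in every process, not in baseline:", dll)
```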

Okay - so this has been another rather lengthy post . . . my next installment will be entitled:
The silent war - combat evolved: Admin Personas

In that post, I'm going to give all you admins out there the same treatment I give the miscreants above - you will get stacked and ranked according to your skill set and we'll see who's getting 'pwnt' ('leet (733t) speak for '0wn3d' which is 733t speak for 'owned') by the bad guys and who's not.
After that you'll be ready for "Malware Evolution - The Rise of the Wormbotdoorkits" . . . after you're done reading this you'll start to realize why your organization's IR toolkit (if you even have one) isn't up to snuff . . . and then I'll talk about W.O.L.F. (Windows On-line Forensics) and some of the work we're doing here at Microsoft in PSS to rise to the challenge posed to us by the miscreants and you'll see that sometimes you're the mouse, and sometimes you're the cat . . . . err WOLF. :)