If hundreds of thousands of people are still blindly clicking on attachments in their email, is there any hope of mitigating the threat of hundreds of thousands of compromised systems with open backdoors?
There's a myth that should be dispelled in the computer security world, and that is the belief that the growing and pervasive use of computers in the past twenty years has enabled the average person to become functionally computer literate. While most people know how to open a Microsoft Word document, read email and use a browser, far fewer know (or care) about what it takes to secure their computer. That's a major reason why so many hundreds of thousands of drones and bots exist and are under control of black hat folks. Your parents' computer could quite likely be "owned" right now, a compromised bot that's available for misuse by a large group of miscreants - and maybe you won't find out about it until the next time Mom and Dad invite you over for turkey dinner.
The latest big email virus, MyDoom.A, was designed to stop spreading on 12 February, but it has already been mutated to keep it spreading for years. It its short life thus far it has infected hundreds of thousands of machines, perhaps even millions. There are backdoors into those infected systems now, listening on ports between 3127 to 3198. The backdoors have turned these systems into bots available for misuse by any miscreant. MyDoom was not particularly innovative but it was still an impressive demonstration for three reasons: it proved that millions of users are still clicking on virus attachments, its small 22,528 byte footprint is an accolade to efficient code, and most importantly, the mere inclusion of the virus inside of a .zip file was clearly enough for it to bypass many organization's anti-virus scans. Some have heralded MyDoom as the fastest spreading email virus of all time, yet email-bourne viruses have been with us for more than 15 years and there is no end in sight.
Having compromised bots available to anyone who wants to use them, as we commonly see today, is part of the reason why massive DDOS attacks, open SPAM relays and open proxies are available to any pimple-faced kid.
Click on this
If you think MyDoom was effective at building a network of compromised bots, click on this: try a port knocking backdoor on for size. There are multitudes of backdoors out there that are far more sophisticated and stealthy than MyDoom, and port knocking is just one way of several to add a layer of control and stealth. I could send you one of these in email, enclosed in a .zip file, with the subject "hi" and text that reads something along the lines of, "please take a look at this and let me know your thoughts." While the typical SecurityFocus reader, and also the typical power user, would never click on such an attachment, we saw from MyDoom.A that hundreds of thousands of others will.
The great disadvantage to the security community from viruses like MyDoom, besides the obvious waste of massive amounts of bandwidth and the soft cost of lost productivity by millions of users, is that the backdoors are available for exploit by any miscreant with half an ounce of knowledge about malicious scripts. Anyone mildly interested in making use of these backdoors for their own malformed intent can do so with a minimal amount of research. It shouldn't be so easy.
What is a port knocking backdoor? The concept is actually rather simple: it's a typical backdoor into a user's system, of which there are many, but it's one that effectively lays dormant and does not appear to be functioning or listening on any ports until an attacker "knocks" on the door using a special series of events to wake it up. Typical port scans from the Internet reveal nothing. A legitimate port knocking application would often parse firewall logs, waiting for a sequence of logged errors and then spring to life, manipulating firewall rules to open a port. A backdoor generally operates in a similar fashion, but can listen real-time with the need for a firewall. Generally, the process or daemon quietly listens for a sequence of pings (such a hitting ports 100, 109, 101, 101 three times in that sequence, a code of 911 that could be used to bring the backdoor to life), or by using packet type, such as sending SYN requests in a similar predetermined sequence. When the right series of knocks are received, the backdoor opens a TCP port and starts listening. Voila.
Port knocking backdoors allow the virus writer to retain more control. Perhaps this is a good thing, as this would keep control of compromised systems in the hands of very few, instead of being open to misuse by any script junkie on the Internet. Having compromised bots available to anyone who wants to use them, as we commonly see today, is part of the reason why massive DDOS attacks, open SPAM relays and open proxies are available to any pimple-faced kid. So who's responsible?
There is an excellent article from the New York Times by Clive Thompson that profiles several virus writers and clearly makes the distinction between the people who write the malicious code and the individuals who release it into the wild - it's argued that these two are often not the same. Some virus writers claim to write proof-of-concept code for educational purposes only, and then make it available for peer review. In contract, it is said that those who release that code into the wild often find it on a hacker website, and release it with pure malicious intent.
The proof-of-concept defense is an interesting one for a bright, teenaged coder sitting in a dark basement in Singapore, but I am appalled at the lack of responsibility by otherwise clever people. I take issue with the virus writers who write stealthy, tight pieces of virus code that leave backdoors open on thousands of naked systems, available for exploit by any miscreant script-abuser on the Internet. Perhaps if the author of such malicious code took more responsibility for his actions, by not leaving the door wide open, compromised machines wouldn't be so readily available for misuse by people who barely understand how the backdoor even works.
Port knocking is a legitimate security concept that has been discussed on Slashdot recently, and some virus writers have started using it "secure" their own backdoors. Add port knocking capabilities to a backdoor and you get a port knocking backdoor. The power to control these things would be held in the hands of an elite few, instead of any miscreant with malformed intent, as it is today.
The anti-virus panacea?
Most userland backdoors are still be easily discovered by anti-virus software - or not, as we saw with MyDoom.A where once again, simply enclosing the virus in a .zip file was surprisingly effective to avert a scan.
Anti-virus applications are still the crutch required to keep Windows running, and when configured properly they work pretty well. However there is another level possible with backdoors that avert even the best anti-virus software - rootkits and DLL-injection hooks - but we have not yet seen the merger of virulent viruses and this even stealthier type of code. It's coming. For now, backdoors installed in corporate and other managed environment are still difficult to reach and control, as they sit within the confines of strong borders. A simple hardware router for the average home user would also do wonders to make most backdoors virtually inaccessible.
Summing it up
Malicious code is getting more sophisticated, but I can't help wondering at times to what end. The average home user is still double-clicking the virus attachments in his email, and we end up with backdoors into thousands of fully compromised home systems with every major virus. For our plight against the spread of common viruses in the wild, there is still no end in sight. If we cannot prevent the average user from double-clicking the latest virus in his email, how will we ever stop the propagation of more advanced, stealthy code?
Kelly Martin is the content editor for SecurityFocus.