The Mother Board forums. Free tech support, motherboard ID, and more.
All times are UTC - 8 hours

Posted: Mon Oct 09, 2006 9:42 am
Black Belt 3rd Degree

Joined: Wed Nov 10, 2004 7:42 pm
Posts: 3844
Location: Oklahoma City, OK

If every hour a burglar turned up at your house and rattled the locks on the doors and windows to see if he could get in, you might consider moving to a safer neighbourhood.

And while that may not be happening to your home, it probably is happening to any PC you connect to the net.

An investigation by the BBC News website has established the scale of the dangers facing the average net user.

Using a computer acting as a so-called "honeypot" the BBC has been regularly logging how many potential net-borne attacks hit the average Windows PC every day.

Attack traffic

Honeypots are forensic tools that have become indispensable to computer security experts monitoring online crime. They are used to gather statistics about popular attacks, to grab copies of malicious programs that carry out the attacks and to get a detailed understanding of how these attacks work.

To the malicious programs scouring the web these honeypots look like any other PC. But in the background the machines use a variety of forensic tools to log what happens to them.

Perhaps one indicator of how useful these tools have become is seen in the fact that the most sophisticated attackers make their malicious programs able to recognise when they have trespassed on a honeypot.

The BBC honeypot was a standard PC running Windows XP Pro that was made as secure as possible. This ran a software program called VMWare which allows it to host another "virtual" PC inside the host. Via VMWare we installed an unprotected version of Windows XP Home configured like any domestic PC.

VMWare is useful as it makes it easy to pause the "virtual" PC or roll it back to an earlier configuration. This proved essential when recovering from an infection.

This guest machine, once armed with some forensic software, became the honeypot.

When we put this machine online it was, on average, hit by a potential security assault every 15 minutes. None of these attacks were solicited; merely putting the machine online was enough to attract them. The fastest an attack struck was mere seconds and it was never longer than 15 minutes before the honeypot logged an attempt to subvert it.

The majority of these incidents were merely nuisances. Many were announcements for fake security products that use vulnerabilities in Windows Messenger to make their messages pop-up. Others were made to look like security warnings to trick people into downloading the bogus file.

Serious Trouble

However, at least once an hour, on average, the BBC honeypot was hit by an attack that could leave an unprotected machine unusable or turn it into a platform for attacking other PCs.

Many of these attacks were by worms such as SQL.Slammer and MS.Blaster, both of which first appeared in 2003. The bugs swamp net connections as they search for fresh victims and make host machines unstable.

They have not been wiped out because they scan the net so thoroughly that they can always find another vulnerable machine to leap to and use as a host while they search for new places to visit.

Their impact is limited now because Windows is now sold with its firewall turned on and the patch against them installed. Recently Microsoft said it was cleaning up hundreds of PCs hit by these machines every day.

Many of these worms were launched from different PCs on the network of a French home net service firm but others were from machines as far away as China.

There were also many attempts to probe the BBC honeypot to see how vulnerable it was. Hijacked machines in Brazil as well as at the Indiana offices of a public accounting and consulting firm carried out "port scans" on the BBC honeypot to see if it could get a response that would reveal how vulnerable it was.

Via the honeypot we could see these machines sending test data in sequence to the ports, or virtual doors to the net, that the PC had open.

Windows is the favourite target of malicious and criminal hackers

More rarely, once a day on average, came net attacks that tried to subvert the honeypot to put it under the control of a malicious hacker.

Again these attacks came from all over the world - many clearly from hijacked machines. The BBC honeypot was attacked by a PC at a Chinese aid organisation, a server in Taiwan and many machines in Latin America.

Via the forensic tools installed on the honeypot we could see the booby-trapped data packets these bugs were trying to make our target machine digest.

By using carefully crafted packets of data, attackers hope to make the PC run commands that hand control of it to someone else.

Via this route many malicious hackers recruit machines for use in what is known as a botnet. This is simply a large number of hijacked machines under the remote control of a malicious hacker.

Botnets are popular with hi-tech criminals because they can be put to so many different uses. The slaves or bots in a botnet can be used to send out spam or phishing e-mails.

They can become the seeding network for a new virus outbreak or act as a distributed data storage system for all kinds of illegal data. Spammers, phishing gangs and others often rent a botnet to use for their own ends.

Often once a machine has fallen under someone else's control, a keylogger will be installed to capture information about everything that the real owner does - such as logging in to their online bank account.

This stolen information is often sold as few of those that steal it have the criminal connections to launder stolen cash.

On Tuesday we recount what happened when we let the BBC honeypot get infected with spyware, adware, viruses and other malicious programs.

"You can't hug your family with Nuclear Arms"

Asus F2A85-V Pro
AMD A10-5800K APU @ 4.5GHz
8GB G. Skill 1866
550w PSU
Hyper 212 Evo
