Leave no trace: Understanding attackers' motives

Rootkits: Subverting the Windows Kernel Greg Hoglund & James Butler 324 pages; $44.99 Addison-Wesley Professional

A back door in a computer is a secret way to get access. Back doors have been popularized in many Hollywood movies as a secret password or method for getting access to a highly secure computer system. But back doors are not just for the silver screen -- they are very real, and can be used for stealing data, monitoring users, and launching attacks deep into computer networks.

An attacker might leave a back door on a computer for many reasons. Breaking into a computer system is hard work, so once an attacker succeeds, she will want to keep the ground she has gained. She may also want to use the compromised computer to launch additional attacks deeper into the network.

A major reason attackers penetrate computers is to gather intelligence. To gather intelligence, the attacker will want to monitor keystrokes, observe behavior over time, sniff packets from the network, and exfiltrate data from the target. All of this requires establishing a back door of some kind. The attacker will want to leave software running on the target system that can perform intelligence gathering.

Attackers also penetrate computers to destroy them, in which case the attacker might leave a logic bomb on the computer, which she has set to destroy the computer at a specific time. While the bomb waits, it needs to stay undetected. Even if the attacker does not require subsequent back door access to the system, this is a case where software is left behind and it must remain undetected.

More information Visit our resource center for more tips and advice on hacking tools and techniques  Download Chapter 1 from Rootkits: Subverting the Windows Kernel Read more book excerpts, chapters and reviews What's on your bookshelf? Share your favorite titles with the editor

The Role of Stealth
To remain undetected, a back door program must use stealth. Unfortunately, most publicly available "hacker" back door programs aren't terribly stealthy. Many things can go wrong. This is mostly because the developers want to build everything including the proverbial kitchen sink into a back door program. For example, take a look at the Back Orifice or NetBus programs. These back door programs sport impressive lists of features, some as foolish as ejecting your CD-ROM tray. This is fun for office humor, but not a function that would be used in a professional attack operation. If the attacker is not careful, she may reveal her presence on the network, and the whole operation may sour. Because of this, professional attack operations usually require specific and automated back door programs -- programs that do only one thing and nothing else. This provides assurance of consistent results.

If computer operators suspect that their computer or network has been penetrated, they may perform forensic discovery, looking for unusual activity or back door programs. The best way to counter forensics is with stealth: If no attack is suspected, then no forensics are likely to be applied to the system. Attackers may use stealth in different ways. Some may simply try to step lightly by keeping network traffic to a minimum and avoiding storing files on the hard drive. Others may store files but employ obfuscation techniques that make forensics more difficult. If stealth is used properly, forensics will never be applied to a compromised system, because the intrusion will not have been detected. Even if an attack is suspected and forensics end up being used a good stealth attack will store data in obfuscated ways to escape detection.

When Stealth Doesn't Matter
Sometimes an attacker doesn't need to be stealthy. For instance, if the attacker wants to penetrate a computer only long enough to steal something, such as an e-mail spool, perhaps she doesn't care if the attack is eventually detected.

Another time when stealth is not required is when the attacker simply wants to crash the target computer. For example, perhaps the target computer is controlling an anti-aircraft system. In this case, stealth is not a concern -- just crashing the system is enough to achieve the objective. In most cases, a computer crash will be obvious (and disturbing) to the victim. If this is the kind of attack you want to learn more about, this book will not help you.

Now that you have a basic understanding of attackers' motives, we'll spend the rest of this chapter discussing rootkits in general, including some background on the subject as well as how rootkits work.

Read the rest of Chapter 1 from Rootkits: Subverting the Windows Kernel

Sound Off! -   Post your comments |  See others' comments (1)

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Network Intrusion Detection (IDS) RSA 2008: Sourcefire founder Roesch previews Snort 3 Screencast: Opening up the Network Security Toolkit Can a firewall alone effectively block port-scanning activity? Should an intrusion detection system (IDS) be written using Java? What security risks do enterprise honeypots pose? What are the benefits of 'in-the-cloud' network security services? Screencast: Snort -- Tactics for basic network analysis Can Snort stop application-layer attacks? Juniper UAC to deliver Shavlik patch management technology What kinds of network packet data can be extracted from Snort IDS? Network Intrusion Detection (IDS) Research Network Intrusion Prevention (IPS) What security risks do enterprise honeypots pose? What are the benefits of 'in-the-cloud' network security services? What is a 'top-down' IPS sensor search? Is a 'self-defending network' possible? Best practices for purchasing an intrusion detection device VeriSign, AirMagnet team up for wireless IPS Sourcefire, Nmap deal to open vulnerability scanning Interop: Vendors update software, demonstrate new security features McAfee launches IPS for 10g networks, but is IT ready? Microsoft NAP-TNC compatibility won't speed adoption, users say Network Intrusion Prevention (IPS) Research Rootkits Yahoo, McAfee to warn users of dangerous websites Botnets and ethics Microsoft PatchGuard: Locking down the kernel, or locking out security? New Storm attack exploits April Fool's Day Microsoft acquires rootkit detection vendor vPro: Making the case for network security on a chip New rootkit threatens Windows users Have vendors secretly placed rootkits on USB thumb drives? How Russia became a malware hornet's nest Cybercriminals employ toolkits in rising numbers to steal data

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary computer forensics  (SearchSecurity.com) Diffie-Hellman key exchange  (SearchSecurity.com) Einstein  (SearchSecurity.com) HIDS/NIDS  (SearchSecurity.com) intrusion detection  (SearchSecurity.com) network behavior analysis  (SearchSecurity.com) ultrasound  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary