Leave no trace: Understanding attackers' motives

Rootkits: Subverting the Windows Kernel Greg Hoglund & James Butler 324 pages; $44.99 Addison-Wesley Professional

A back door in a computer is a secret way to get access. Back doors have been popularized in many Hollywood movies as a secret password or method for getting access to a highly secure computer system. But back doors are not just for the silver screen -- they are very real, and can be used for stealing data, monitoring users, and launching attacks deep into computer networks.

An attacker might leave a back door on a computer for many reasons. Breaking into a computer system is hard work, so once an attacker succeeds, she will want to keep the ground she has gained. She may also want to use the compromised computer to launch additional attacks deeper into the network.

A major reason attackers penetrate computers is to gather intelligence. To gather intelligence, the attacker will want to monitor keystrokes, observe behavior over time, sniff packets from the network, and exfiltrate data from the target. All of this requires establishing a back door of some kind. The attacker will want to leave software running on the target system that can perform intelligence gathering.

Attackers also penetrate computers to destroy them, in which case the attacker might leave a logic bomb on the computer, which she has set to destroy the computer at a specific time. While the bomb waits, it needs to stay undetected. Even if the attacker does not require subsequent back door access to the system, this is a case where software is left behind and it must remain undetected.

More information Visit our resource center for more tips and advice on hacking tools and techniques  Download Chapter 1 from Rootkits: Subverting the Windows Kernel Read more book excerpts, chapters and reviews What's on your bookshelf? Share your favorite titles with the editor

The Role of Stealth
To remain undetected, a back door program must use stealth. Unfortunately, most publicly available "hacker" back door programs aren't terribly stealthy. Many things can go wrong. This is mostly because the developers want to build everything including the proverbial kitchen sink into a back door program. For example, take a look at the Back Orifice or NetBus programs. These back door programs sport impressive lists of features, some as foolish as ejecting your CD-ROM tray. This is fun for office humor, but not a function that would be used in a professional attack operation. If the attacker is not careful, she may reveal her presence on the network, and the whole operation may sour. Because of this, professional attack operations usually require specific and automated back door programs -- programs that do only one thing and nothing else. This provides assurance of consistent results.

If computer operators suspect that their computer or network has been penetrated, they may perform forensic discovery, looking for unusual activity or back door programs. The best way to counter forensics is with stealth: If no attack is suspected, then no forensics are likely to be applied to the system. Attackers may use stealth in different ways. Some may simply try to step lightly by keeping network traffic to a minimum and avoiding storing files on the hard drive. Others may store files but employ obfuscation techniques that make forensics more difficult. If stealth is used properly, forensics will never be applied to a compromised system, because the intrusion will not have been detected. Even if an attack is suspected and forensics end up being used a good stealth attack will store data in obfuscated ways to escape detection.

When Stealth Doesn't Matter
Sometimes an attacker doesn't need to be stealthy. For instance, if the attacker wants to penetrate a computer only long enough to steal something, such as an e-mail spool, perhaps she doesn't care if the attack is eventually detected.

Another time when stealth is not required is when the attacker simply wants to crash the target computer. For example, perhaps the target computer is controlling an anti-aircraft system. In this case, stealth is not a concern -- just crashing the system is enough to achieve the objective. In most cases, a computer crash will be obvious (and disturbing) to the victim. If this is the kind of attack you want to learn more about, this book will not help you.

Now that you have a basic understanding of attackers' motives, we'll spend the rest of this chapter discussing rootkits in general, including some background on the subject as well as how rootkits work.

Read the rest of Chapter 1 from Rootkits: Subverting the Windows Kernel

BROWSE BY TAG Network Intrusion Detection (IDS),   Network Intrusion Detection and Analysis,   Enterprise Network Security,   Network Intrusion Prevention (IPS),   Malware, Viruses, Trojans and Spyware,   Information Security Threats,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Network Intrusion Detection (IDS) Preventing SQL injection attacks: A network admin's perspective Lifecycle of a network security vulnerability Best Intrusion Prevention and Detection Products Rogue AP containment methods SIMs tools and tactics for business intelligence IPS and IDS deployment strategies Know when you need IDS, IPS or both Trend Micro to acquire Third Brigade for virtualization, cloud security New product aims to control rogue applications that avoid firewalls How to perform a network forensic analysis and investigation Network Intrusion Detection (IDS) Research Network Intrusion Prevention (IPS) Aligning network security with business priorities Best Intrusion Prevention and Detection Products Port scan attack prevention best practices Lesson 4: How to use wireless IPS Lesson 1 quiz: Risky business Hacker attack techniques and tactics: Understanding hacking strategies SIMs tools and tactics for business intelligence IPS and IDS deployment strategies I'll be watching you: Wireless IPS Know when you need IDS, IPS or both Network Intrusion Prevention (IPS) Research Malware, Viruses, Trojans and Spyware Malware in Google attacks uses spaghetti code Preparing for future security threats, evolving malware Facebook attacks prompt investments in social networking security Another PDF attack targets Adobe zero-day vulnerability Security report finds rise in banking Trojans, adware, fewer viruses How to prevent rogue antivirus programs in the enterprise How to stop keylogging malware with more than basic antivirus software, firewalls Conficker-infected machines now number 7 million, Shadowserver finds FBI estimates rogue antivirus losses exceeding $150 million Security researchers continue hunt for Conficker authors

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary computer forensics  (SearchSecurity.com) Diffie-Hellman key exchange  (SearchSecurity.com) Einstein  (SearchSecurity.com) HIDS/NIDS  (SearchSecurity.com) network behavior analysis  (SearchSecurity.com) ultrasound  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary