Paper Draft Rev4

From CyberSecurity
Revision as of 05:22, 27 November 2005 by RaresMan (talk | contribs)


Definitions:

Kernel – The main part of the operating system that is typically responsible for memory, task, process and disk management. Essentially the brains of a computer system.

Device driver – A program that controls a device on a computer system. The disk drive, CD drive, mouse and keyboard are all examples of devices controlled by a device driver.

Digital Rights Management (DRM) – A system that attempts to protect copyrighted digital information traveling across a network, e.g. the internet.

Bot net – A collection of computers that have been compromised by one or more attackers and that can be collectively controlled. Often used to carry out DDOS attacks.

DDOS – Distributed Denial of Service attack. An attack where many computers are used to create too many requests for a particular web address and keep other, legitimate traffic from accessing the site.

Adware – One or more programs that actively deliver advertising content to a computer user with the user initiating contact, e.g. by browsing the internet with a web browser.

ActiveX – Microsoft technology that allows execution of programs in a web browser.

Loadable Kernel Modules (LKM) – A technology for Linux where device drivers are loaded by the kernel at run time instead of being compiled into the kernel.

Malware – Any piece of software that an end user would consider harmful to their system. Negative behaviors can include damaging a computer or simply reducing its efficiency.

Sniffer – A piece of software on a user's system that monitors network traffic and/or user input/output from the computer system.

BIOS – In computing, stands for basic input/output system. BIOS refers to the software code run by a computer when first powered on. The primary function of the BIOS is to prepare the machine so other software programs stored on various media (such as hard drives, floppies, and CDs) can load, execute, and assume control of the computer.

Spam zombie – A computer attached to the Internet that has been compromised by a hacker and is used extensively to send e-mail spam.

Hot site – A physical location where an organization may continue computer operations in the case of a major disruption.

DDOS – Distributed Denial of Service attack. An attack on other computer systems by several thousand computers (usually part of a bot net) with the aim of shutting out other, legitimate traffic from the site.

Section 1: The problem of rootkits

 

Computers have been one of the boons of the modern age. They allow us to do many of the tasks we previously did by hand in a more efficient and much less error-prone way. And they have allowed us to communicate with each other in new and fabulous ways – websites, blogs, instant messaging and IP telephony, to name a few.

Unfortunately, the second that the first two computers were hooked together so they could communicate, security became an issue. With the rise of networking there also came a rise in security problems. Viruses and attempts to compromise computer systems remotely started to become commonplace.

To counter this, companies began to offer their services to secure computer systems. Thus came anti-virus and firewall vendors who help keep our computer systems clean and in running condition. And ever since there has been an arms race between the two groups – the criminals trying to get their malicious software onto other computer systems and the security vendors trying to detect it and remove it before it causes damage.

In the middle of this cyber arms race is an attack technique that has made life extraordinarily difficult for security vendors. It is a technique that hides what an attacker is doing to a computer system in such a way that the computer’s owner may never figure out that someone else is running his or her machine. The technique is called “rooting” a system and at the heart of it is a software package called a rootkit.

A rootkit is a suite of one or more programs that allows a third party to hide files and activities from the administrator of a computer system. It is often delivered by an intruder taking advantage of one or more known vulnerabilities on a particular computing platform to deliver and install the rootkit.

The original intent of rootkits (circa 1996) appears to have centered simply on hiding programs that would allow an attacker to “sniff” or spy on traffic to and from a computer system. They earned the name “rootkits” because they were pretty much exclusively used on Unix-type computer systems, where the top-level account that has full access to the system is called “root”. Thus to “root” a system meant you had obtained full control of it [1].

However, in the last few years the attacks have grown in sophistication and the targets have changed. Home users (especially users of the Microsoft Windows family of operating systems) are now the primary target. Not only are attackers trying to harvest information from the target computer systems, but they take over the systems to make them part of a “bot net”. These “bot nets” are then used to extort money from businesses by threatening to make a DDOS attack against their corporate websites unless they pay.

Even some well-known and respected companies have recently used rootkits as a way to enforce their own DRM policies or to keep end users from eliminating adware.

Rootkits are known to exist for all major operating system platforms. And they have several levels of sophistication, although all types are dangerous if a system administrator is not wary [2]:

The earliest type of rootkit consists of replacement programs for commonly used administrative programs on the computer system. The replacement programs hide the activity of the actual payload from the system administrator. These kits are almost exclusive to the Unix/Linux family of operating systems.

The next generation of kits use “hooks” to redirect calls to kernel functions to their own particular version of the function. They are more difficult to detect because they have moved a level closer to the kernel. A cousin to this type of rootkit is a library kit that subverts non-system calls from regular applications.

Then attackers figured out how to go even deeper into the system to modify dynamic data structures in the kernel itself. These are very difficult to detect and usually can only be spotted by using heuristics that analyze statistical patterns of memory usage.

The latest and greatest rootkits are now aiming to subvert the memory of other applications on the system so they cannot see what is going on. This would effectively hide the rootkit from any AV scanning. This type of rootkit was the subject of a paper at the Blackhat conference in Las Vegas this last summer.
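A defender-side illustration of the detection idea behind the taxonomy above, added here and not taken from the paper: once a rootkit hooks the directory listing that ps-style tools rely on, the listing alone cannot be trusted, but asking the kernel about each pid directly gives a second view to compare against. The script assumes Linux (a /proc filesystem and Linux kill(2) semantics, including that kill(tid, 0) succeeds for thread ids); the function names are my own.

```python
# Added example (not part of the paper): a cross-view check for hidden
# processes on Linux. A hooked or replaced 'ps' sees the process table through
# a readdir() of /proc, which a rootkit can filter; kill(pid, 0) asks the
# kernel about each pid directly, so a pid that answers there but is missing
# from the listing is a discrepancy worth investigating.
import os
import sys
from typing import Iterable, List, Set

DEFAULT_MAX_PID = 32768  # Linux default pid_max; read_pid_max() prefers the live value


def read_pid_max(default: int = DEFAULT_MAX_PID) -> int:
    """Highest pid the kernel hands out, or the default when /proc is absent."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def low_level_view(max_pid: int) -> Set[int]:
    """Probe every pid with signal 0. ESRCH means no such process; EPERM means
    it exists but belongs to another user, which still counts as alive."""
    alive: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def high_level_view() -> Set[int]:
    """The listing-based view that ps-style tools (and their rootkit
    replacements) rely on: numeric directory names under /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def hidden_pids(low: Iterable[int], high: Iterable[int]) -> List[int]:
    """Pure comparison, kept separate so it can be tested on constructed input:
    pids the kernel admits to but the listing omits."""
    return sorted(set(low) - set(high))


def is_thread_of_visible_process(pid: int, high: Set[int]) -> bool:
    """kill(tid, 0) also succeeds for thread ids, and /proc lists only thread
    group leaders at top level, so a TID whose Tgid is visible is not hidden."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    tgid = int(line.split()[1])
                    return tgid != pid and tgid in high
    except (OSError, ValueError):
        pass
    return False


def scan(max_pid: int, confirm_rounds: int = 2) -> List[int]:
    """Report discrepancies that survive re-checking. A process that exits
    between the two snapshots vanishes on the next round; a hidden pid stays."""
    high = high_level_view()
    suspects = set(hidden_pids(low_level_view(max_pid), high))
    for _ in range(confirm_rounds):
        if not suspects:
            break
        high = high_level_view()
        suspects &= set(hidden_pids(low_level_view(max_pid), high))
    return sorted(p for p in suspects if not is_thread_of_visible_process(p, high))


if __name__ == "__main__":
    if not os.path.isdir("/proc"):
        sys.exit("this check needs a Linux-style /proc")
    found = scan(read_pid_max())
    print("hidden pids:", found if found else "none")
```

A kit that also hooks the kill() path or hides /proc/<pid>/status defeats this particular pair of views, which is why the third and fourth generations described above need memory-level heuristics rather than table comparisons.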

 

Section 2: Assess current vulnerabilities

 

* Windows vulnerabilities (2k/2k3/XP/64-bit)

Windows is by all accounts the most popular operating system on the planet. Depending upon whose marketing department you ask, it is estimated that Windows has over 90% of the home computer (laptop and desktop) market share. It is therefore the biggest target around.

Unfortunately, it has some of the biggest security holes as well. Almost everyone running Windows at home runs it as the top-level or root account “Administrator” or as an account in the “Administrator” group. Indeed, many programs for the operating system will not install or run correctly if they are not installed from an account with top-level permissions.

Windows rootkits primarily consist of the second and third generation types that subvert the OS kernel through device drivers. They will either install new device drivers on the system to “hook” and divert regular operating system calls to their own code or they will “patch” their own code into existing device drivers. With the elevated permissions that most Windows users run under, it is trivial to install this type of rootkit once you get the user to run it on the system.

There are multiple vectors by which rootkits get installed on Windows. One common way is to use web-page links to get the user to run an ActiveX control or some other bit of binary code. When the user clicks on the link, the rootkit and payload are installed on the computer just like any other installable piece of software.

Windows also tightly integrates many of its subsystems, e.g. image processing, and that integration can be exploited to run arbitrary code on the system with top-level permissions. Such was the case with a vulnerability found last year in the Microsoft Windows OS where an attacker could exploit a buffer overrun in the Windows image handling software to execute arbitrary code on a user’s system. So a malicious website could have redirected a user to a particular web page with a bad JPEG on it and then compromised the system [3].

Another attack vector is through system-level applications such as SQL Server 2000. The so-called SQL Slammer worm caused a lot of mayhem in 2003 by exploiting a buffer-overflow vulnerability to turn each system into a virus-generating machine. A more delicate use of this exploit would have been to surreptitiously install a payload to monitor information on the system.

And just this year (October 2005) there were the first reported rootkit infections of systems through instant messaging software. The rootkits get installed when the attacker convinces the IM target to click on a link in their IM client to launch the install program [4].

And if all the illegal vectors were not enough, rootkits can also come from organizations you would expect to be upstanding citizens. Earlier this year Sony used a rootkit to enforce DRM on people’s computer systems. They installed and hid several pieces of software intended to stop people from abusively copying the music they purchased.

However, it only took a couple of days before people started realizing they could use this “benign” rootkit for other activities such as hiding their malware or hiding cheat programs for the popular online role-playing game World of Warcraft [5].

 

 

* Linux/Unix/OSX vulnerabilities

The other major family of operating systems consists of Linux, Unix and OSX. Together they form an extended family by virtue of having the same basic heritage and the same basic design of their kernels. They will collectively be referred to as *Nix systems hereafter.

Linux and Unix systems tend to be less vulnerable than Windows systems for several reasons. They are not as widely deployed, which means less exposure to attacks. Where they are deployed, they are often (with the exception of OSX) deployed by people with superior knowledge of computers. Their users are encouraged by the system not to log on as “root”, and therefore it is harder for software to be installed by a casual mistake on the part of a user. And, finally, they may not support dynamically loaded device driver modules for the kernel, which removes an entire class of vulnerabilities [6].

On the other hand, they are often used for mission-critical roles and, therefore, could be much more valuable targets for an attacker to subvert. And, at least in the case of Linux, the source code is freely available for attackers to examine for vulnerabilities.

Attacks on *Nix machines tend to be different from those on Windows. Since users are encouraged not to run as “root”, even if they were to click on a malicious website that attempted to execute code on their system, chances are they would not have sufficient permissions to install anything particularly harmful.

Instead, attacks on *Nix systems tend to revolve around remote attacks through services with known vulnerabilities, and around gaining access to the system via an account with a weak password and then using known vulnerabilities in system commands to elevate privileges to those of the root account. Often attackers will use these exploits to open up an SSH terminal session and start installing their payloads.

An example of one of these attacks was a Solaris (Unix) vulnerability reported by CERT on March 30, 2001, where a buffer overflow in snmpXdmid allowed an attacker to install a rootkit on the system. This rootkit added new versions of the ps, netstat, ls and find commands so that it could hide its activities. To control the system and communicate, it added root-privilege telnet and ssh sessions on the system to facilitate remote control, as well as an IRC proxy. Last, but not least, it installed a packet sniffer to monitor traffic. The system logs were altered to hide the compromise [7].

One type of vulnerability that plagues *Nix systems in much the same way Windows is plagued by driver rootkits involves the technology called Loadable Kernel Modules (LKM). Although LKMs can be used for many purposes, they are often allowed so that new device drivers don’t need to be compiled into the *Nix operating system kernel. However, this vulnerability can be mostly mitigated by compiling the *Nix kernel with LKM support turned off [8].

One last note about vulnerabilities in *Nix systems: there appear to be no known rootkits for OSX systems in the wild. A rootkit was recently made for OSX as a proof of concept, but it could not practically be spread from system to system. It should be noted, though, that OSX is based on a Unix variant called FreeBSD, and any rootkit written for that system could also bring down OSX [9].

 

 

Section 3: Assess possible losses in the event of an attack:

As can be seen in the previous section, all modern computer systems have several ways they can be compromised with a rootkit. But what are the consequences of having your computer system “rooted”?

The effects range from the traumatizing, but relatively harmless, identity theft of individual home users to a coordinated cyber assault on critical governmental or enterprise computer systems. In this section we will discuss the losses for home and enterprise users separately, since they each have different goals for how to use a computer and different stakes to lose when they get compromised.

Stealing private information and identity theft: This includes the stealing of credit card information, bank account information, social security numbers, software license activation keys, etc., and using the stolen identity for profit or clandestine activities. A user’s personal correspondence could be stolen and the user could be blackmailed over it.

A rootkit can be used to hide several common techniques, such as installing a key-logger to capture input from the keyboard or a packet sniffer to monitor traffic to and from the server. According to some estimates 80 to 90 percent of computers are infected with spyware, and with the assumption that fifteen percent of these users transfer identity-related information, there are over twenty-six million people that are likely victims of identity theft [10]. Another estimate, by UW professor Steven Gribble, says between 75 and 80 percent of computers had spyware at one time or another [11].

Although major credit cards provide zero liability in the event credit cards are compromised, it could still be a hassle for the consumer. Consumers could spend a lot of time trying to pursue the issue with the credit card company, have to wait a week or two for a new card, reset their automatic payments and have their credit history wiped out [12].

Less commonly, identity theft is used to enable illegal immigration, terrorism, espionage or changing identity permanently. It may also be a means of blackmail, especially if medical privacy or political privacy has been breached, and revealing the activities undertaken by the thief under the name of the victim would have serious consequences like loss of job or marriage. A wide range of crimes such as false applications for credit cards, fraudulent withdrawals from bank accounts and obtaining goods and privileges could result from identity theft [13].

Stolen social security numbers could be used by illegal immigrants to find jobs and obtain other services, which could cause serious problems for the victim [14]. And identity theft could be a source of funding for terrorist groups. Terrorists could use stolen information to pay for their operations as well as to create false identities [15].

Turning the home user’s computer into a zombie for unethical/criminal activity: Once a user’s computer has been infected, an attacker can use this machine as a spam zombie. These machines under the control of the attacker can also be used to launch Distributed Denial of Service attacks. Thus the attacker can preserve her anonymity at the expense of the unsuspecting home user.

According to Newsweek (November 7, 2005) an incredible 60% of all spam is estimated to come from so-called zombie computers. These are usually home PCs hijacked without the owner’s knowledge. A consumer education site says "The widespread use of zombie computers to commit crimes over the Internet presents a very real danger to law-abiding computer users" [16]. The cost to the users is inconvenience due to a sluggish Internet connection and slowing down of overall computer performance. There could also be costs in terms of time spent researching a solution [17].

Loss of time/money/confidence: If a user knows that her system cannot be trusted or is not convenient to use anymore, then she has to spend time taking remedial measures. This includes buying new hardware/software or seeking professional help. Some estimates put the cost at 445 million pounds in the UK in lost time, productivity and computer repairs [18]. Another outcome is a feeling of vulnerability and loss of confidence; these have grave implications for e-Commerce and will be discussed with respect to costs for the enterprise.

 

Enterprise and Governmental Systems:

All of the above also impact the corporate world, as most of the employees and customers of any corporation are also home users. The possible losses for corporate users cover a wide range depending on the size, location, revenue and nature of business of the organization. Information corruption or theft from rootkits could threaten life, property, goodwill and revenue, amongst a host of things.

For safety-critical information systems such as those that control nuclear power plants and air traffic control systems, failure to respond at an optimum level could endanger lives, a particularly favored outcome for terrorist organizations. The results of failure in non-safety-related systems include the possibility that data will be corrupted or stolen or services will be unavailable. These are serious outcomes but may not be perceived to be as serious as those associated with safety-critical systems. Financial consequences are also grave and can be quantified, and their impact on the bottom line calculated. Losses may be divided into direct costs, indirect costs and failure costs.

Direct costs: Direct costs include purchasing, installing and administering security measures that can be unambiguously associated with loss prevention. These include the purchase of products such as firewalls and anti-virus software, rootkit detection kits, etc. Another direct cost is the maintenance of hot sites. Direct costs vary widely depending on the requirements of the corporation or governmental entity. Specialized groups usually have the most demanding requirements, e.g. the U.S. military.

However, other institutions such as banking, nuclear facilities and air traffic control systems also have stringent security requirements. Some sources put Federal information security spending at $6.1 billion this year, projected to grow by 20 percent over the next five years [19].

Studies also indicate that information security in Air Traffic Control Systems is weak and vulnerable [20]. About 8 percent of all crashes have resulted from Other Human Error, which includes Air Traffic Control error [21]. An active series of attacks could push that number up significantly and/or paralyze the U.S. transportation infrastructure.

Corporations are also increasing their security budgets to counter an increased threat from cyber attacks.

(http://www.computerworld.com/securitytopics/security/story/0,10801,81261,00.html)

[gmusick: Good examples, but need to pull some numbers here and discuss this a little bit. Just a couple of sentences are needed to flesh this out.]

Indirect costs: These are the costs associated with loss prevention that are less obvious. Additional security measures can affect system performance, employee morale or retraining requirements, and these come in addition to direct costs.

One example is the implementation of software changes to improve security in order to mitigate the risk of attack. An indirect cost could be the time spent installing a new technology and working out any of the glitches. The introduction of security improvements increases system complexity. Changes to complex systems lead to the introduction of bugs and thereby increase the cost of system maintenance and troubleshooting.

Another element that adds to the indirect cost is the hassle factor. Increased security controls will force corporate end users to take additional steps to log in and access information, as well as to follow elaborate security policies and procedures. Making users use ten different passwords for logging onto different systems, and having to change each of them once a month, would reduce the productivity of most users. Another important indirect cost is loss of reputation or customer trust.

A Federal Trade Commission consumer survey placed the number of Americans victimized by identity thieves at 10 million in 2003, with consumers losing $5 billion and businesses $48 billion.

(http://www.usatoday.com/tech/news/computersecurity/2005-11-02-cybercrime-online-accounts_x.htm)

The news about widespread security breaches has hurt consumer confidence.

(http://www.infoworld.com/article/05/07/01/27OPsecadvise_1.html)

A Gartner research report suggests fewer people are buying online because of security concerns.

(http://news.zdnet.co.uk/internet/security/0,39020375,39205460,00.htm)

Cyber crimes in which confidentiality is violated cause a measurable negative impact on stock market value (5%).

(http://www.optimizemag.com/article/showArticle.jhtml?articleId=18700435&pgno=4)

[gmusick: Good examples, but need to pull some numbers here and discuss this a little bit. Just a couple of sentences are needed to flesh this out.]

Failure costs: Failure costs arise when an attack occurs with a consequent loss of service. These include downtime of computers, servers and the network. Another cost is the inability to fulfill business partner obligations, e.g. if Delphi’s purchasing system is brought down for several days, GM can’t order parts and could run out of equipment to build cars with.

For organizations like drug development companies, failure costs could mean the inability to meet federal compliance regulations while filing for patents and drug approval. For example, the biotech company I work for has to make some websites available to the FDA. These websites have huge amounts of supporting documentation for a drug. If the FDA needs any information about this drug or is doing an audit and the web site is down, then alternate methods of sending this information by humans and telephone are more costly and time consuming. Non-compliance could result in stiff penalties, e.g. Abbott Laboratories was made to pay over $100 million.

(http://www.managingautomation.com/maonline/magazine/read/3522)

Computer viruses caused an estimated $13 billion in damage in 2001, according to American International Group’s eBusiness Risk Solutions.

(http://www.iii.org/media/hottopics/insurance/computer/)

 

 

Operating system differences:

Windows: Windows is the most widely used operating system and most of its users are not technical (which is the reason for using Windows). There are many known rootkits such as NullSys, NTCap and WinlogonHijack. When a home user’s system has been compromised it will lead to theft of information. Even if a home user is alerted to the fact that something is amiss (by seeing weird ads and system crashes), the user may not have the expertise or willingness to take remedial measures. This favorable situation for the attacker will allow her to abuse the victim’s machine for extended periods of time.

For corporate users, systems will be better protected with firewalls, the latest patches, etc. However, when corporate machines, especially production ones, get affected there are serious losses. Production systems need to be redeployed rapidly. If the IT personnel managing the system have kept well-documented and automated installation procedures, then they might be able to turn around and reinstall the system within a short span of time. On the other hand, if this process is not smooth it could lead to potential losses of revenue. A positive outcome may be the sacking of incompetent personnel and improvement in proactive procedures to deal with similar occurrences in the future.

UNIX/LINUX: The losses for users of LINUX/UNIX operating systems may be less than for Windows for two possible reasons:

  • These systems are subject to far fewer attacks compared to Windows, as they comprise a tiny fraction of Windows deployments
  • The users of these systems are more tech savvy

[gmusick: This part seems like you started to discuss Windows costs vs. *Nix costs, but then changed your mind and started discussing vulnerabilities…which are already covered in section 2. We should either flesh this out as Windows costs vs. *Nix costs or get rid of it.]

References