Endpoint Protection

Introduction

Efficiency and automation: one can argue that they are two of the most valuable by-products of any technology. There is little doubt that the electronic tools of today allow us to get more done in less time. We use software to eliminate tedious work, reduce man-hours, and sift through mounds of data in seconds. Crackers, as we know, are smart... and lazy. It should come as no surprise then that they too, have employed technology to reduce their workload. The result? A type of malicious code known as autorooters, programs designed to automatically scan and attack target computers at blistering speeds.

A successful autorooter will give crackers what they want: complete control of a target machine with little effort, fast. Scanning networks for vulnerable machines, gaining unauthorized administrative access, installing backdoors, all the tricks of the trade, can all be achieved at the click of a button. In this article we'll explore the concepts behind autorooters and what can be done to defend against them.

What Does an Autorooter Do?

The term "autorooter" is based on security lingo for successfully cracking and gaining privileged access to a machine. The act, known as "rooting" a system, originates from the name of the administrative account on a Unix box - "root". The "auto" prefix stems from the fact that these devices essentially package, or automate, the cracking process from start to finish. They can be designed to scan a network for vulnerable machines or attack everything they come across. Once a machine is successfully compromised, or rooted, any type of malicious code can be installed and configured: data might be captured (using a tool known as a sniffer), Web pages defaced, servers installed. Some autorooters are finished after sending the results back to the cracker, others may install zombies that await further instructions from the attacker, such as IRC-controlled denial of service slaves.

Who Uses Autorooters?

While many automated network scanning tools may be used for legitimate as well as illegitimate purposes, this is not the case with autorooters, which are generally used by crackers, a name attributed to hackers with malicious intentions. What's particularly troubling about autorooters is the skill level of those who most often employ them.

Although, normally written by knowledgeable programmers, autorooters are often used by a type known as "script kiddies". Script kiddies are held in great disdain by the security community because they have very little coding ability but can inflict considerable damage through the use of simple point-and-click hacking tools. Such users rarely understand how or why an exploit works, but they get results because they have the time and resources to scan thousands of machines and are oblivious to the ramifications. A script kiddie needs only to download an autorooter, enter a net block or range of IP addresses and turn it loose. They don't need to know how their malicious tools function, they only know they work. For script kiddies, it's point, click, and crack.

Why are Autorooters Dangerous?

In order to understand the threat posed by these dangerous tools, we need to outline the process they replaced. First, crackers would have needed a scanning tool, such as Nmap, to explore a large range of machines. Next, they would review all of this data, looking for specific ports, operating systems or servers to generate a list of potential targets. At this point, an exploit would be needed to compromise the targets remotely. Running the exploit on each machine would yield some successful cracks. Later each device would need to be configured for the cracker's use: malicious code installed, log files tweaked, backdoors setup. To further compromise the new private networks within reach, the process would be repeated.

It wasn't rocket science, but the steps demanded time, patience, organization and a basic understanding of what was taking place. Autorooters changed all of that. A cracker no longer needs to manually scan machines or review port and OS information. The legwork is eliminated. Rather, they merely "aim" the autorooter at a range of potential targets, i.e. 198.162.0.0 - 192.168.255.255. Every network device within that address space will be inspected within a short amount of time. All data will be sorted automatically by the autorooter, which will then launch attacks against all potentially vulnerable machines. Once successful, the autorooter can "clean" the log files to eliminate traces of itself and prepare the system as it was configured to do by the author.

The implications are frightening for professionals and home users alike. Now, a novice cracker can hit dozens of machines in minutes, simply playing the odds. If one in a hundred machines is vulnerable, a relatively quick scan of any address block yields a plethora of victims. Most troubling is the fact that entire networks, if caught without the proper patches, can be harvested by a single autorooter. This can occur because the autorooter, much like a worm, often attacks the surrounding network of its victim. If a firewall is configured improperly, a public server, cracked by an autorooter, can quickly begin attacking machines on the private network.

Evolution of the Autorooter Autorooters can be thought of as advanced versions, or combinations, of some rather traditional types of malicious code, such as:

• Exploits - Small pieces of code that take advantage of a specific flaw or bug in a piece of software (a vulnerability) to gain privileged access to a machine or network. Buffer overflows are the basis for many exploits.
• Rootkit - A tool that allows intruders to illicitly obtain administrator-level access to a computer or computer network. Once a cracker finds a victim, the rootkit is used to perform specific tasks such as erasing logs and installing backdoors. It "prepares" the machine for a cracker to perform view, alter, or steal data, or perform other malicious functions.
• Trojan - A compromised or tainted file which, when executed by a privileged user on a target machine, installs malicious code on the machine. Often used to replace valid system binaries and can prep a system similar to a rootkit.
• Virus - A piece of malicious code included with a valid file that infects the file and then replicates itself on a target machine. Normally reaches a system by piggybacking a valid file via e-mail or disk. A virus can inflict damage on a target machine by corrupting data, wiping out data, or otherwise making data unavailable.
• Worm - An automated program which attempts to spread via the network by infecting every vulnerable host within reach. This is a very popular method of spreading an autorooter.

Autorooters have evolved from each of the above and combines different characteristics and methodologies from each of them. The exploit itself is the foundation, as it is what is manipulated to actually gain access to a target machine. Once access has been gained, the rootkit deploys the malicious payload on the victim. Upon installation, the malicious code can set about inflicting damage. The autorooter can actually "poison" its target and the surrounding network like a virus, trojan or worm. It might be designed to spread via multiple methods such as e-mail, a carefully crafted java-script executed by those who visit an infected server or by simply crawling the network looking for more victims. A programmer could code an autorooter to merely crack the machines it scans, or could very easily add in worm-like propagation techniques, allowing for multi--generational replication. Add to this the fact that targets may be culled from massive, automated scans and the autorooter represents a vicious new breed of cracking tool.

A Super Exploit?

The term "super exploit" refers to an exploit or attack that could, theoretically, traverse the Internet in a very short time. While it might seem far fetched, autorooters are turning this scary notion into a reality. How so? While it is unlikely that one specific attack could affect the majority of machines on the Internet, due in part to the diversity of configurations, if designed to pursue a specific exploit, such as one of several DNS exploits, or if a flaw was exposed in a very popular service, such as the Microsoft Unicode vulnerabilities, an autorooter could spread at a frightening rate. Why? As mentioned above, autorooters can be instructed to propagate. Once "released", they may be very difficult to contain. A single compromised server can rapidly become many, each of which become cracking tools themselves. An exponential rate of return follows.

Adding to this problem is the advanced nature of these programs. Worms such as Nimda were designed to take advantage of multiple exploits and spread via different methods. Thousands of servers can fall victim in hours, clogging Internet traffic and wreaking havoc on networks around the world. While a "super exploit" has not yet been seen, many security professionals fear that it could happen. The appearance of Nimda in September, 2001, gave credence to these fears.

Many administrators and security experts unhappily recall September 18, 2001, the day Nimda exploded. I noticed the first log entries twenty minutes after I sat down for the morning. Within hours, hundreds of different machines were hitting my servers every few minutes. Months later, administrators continued to see Nimda HTTP requests every day. While not an autorooter in the strictest sense, Nimda produced similar results. As a worm, its main goal was to spread. But imagine Nimda built with an even more malicious intent, perhaps the goal of silently monitoring network traffic, or waiting to participate in a distributed denial of service attack, directed to begin by scanning your network. Something to keep in mind is that these tools are relatively new and raw - in some ways they're still just an idea. At the moment - any of the readily available autorooters are likely basic and clunky -perhaps just a step above traditional rootkits. And the "features" vary, since they were likely tailored to the needs of whoever wrote it. But in the future, that might not be the case. It would be trivial to code the capabilities to spread onto surrounding networks - as well as virtually any other post-crack activity. So, there is a very good chance we will see more advanced versions, with different traits, slipping into the public sector. As Nimda illustrated, when that happens, security administrators will be well-advised to have adequate defences in place.

The Defense

The best methods to protect oneself from autorooters are rooted (no pun intended) in basic security strategies, such as:

• Firewalls - A properly configured firewall filtering both inbound and outbound traffic can work wonders. These devices can be used to prevent and contain the spread of an autorooter.
• Intrusion detection systems - Although they cannot directly prevent the spread of an autorooter, they can alert an IT staff of both incoming and outgoing autorooter signatures. This warning time can help to minimize damages, identify and disconnect infected machines, and patch systems.
• Disabled services - Removing and disabling unnecessary services is a crucial defense. Since most autorooters spread via compromised network services, this simple step is very effective. If a machine is not be used as a server - disable everything.
• Anti-virus techniques - Workstation users need to employ standard antivirus measures since autorooters can spread via e-mail and Web scripts. Modern anti-virus programs can be used to detect and prevent such attempts.
• Updated patches - Another simple, but critical requirement. The success of autorooters depends on wide spread vulnerabilities. If a system is regularly patched, it's unlikely that an autorooter using anything greater than a zero-day exploit will succeed. This step is even more important for network administrators. If the machines under your control are vulnerable to a specific exploit, an autorooter could rip through the network in seconds.
• Incident response - If one of your machines is hit, please act responsibly and remove it from the network. The longer it remains active and on-line, the more machines it can in turn attack.

Conclusion

Autorooters are a new and very serious threat to network security. Crackers of all skill levels, especially those in pursuit of quantity and not quality, are sure to use them in the future. These tools will, unfortunately, become more refined, efficient, thorough and easier to use. The underground community is advancing rapidly. They are truly working smarter, not harder. Security and IT professionals must respond. Since autorooters combine the elements of several traditional threats, we need to ensure that robust security standards are in place. These fundamental precautions, combined with a security community that works together and actively anticipates such issues, can help thwart the spread of these dangerous attack techniques.

Matthew Tanase, CISSP (tanase@qaddisin.com), is President of Qaddisin, (http://www.qaddisin.com) a network security company based in St. Louis. His company provides nationwide consulting services for several organizations. Additionally, he produces The Security Blog (http://blog.qaddisin.com), a daily weblog dedicated to security.

Related Reading

Always On, Always Vulnerable: Securing Broadband Connections - article on the fundamental security precautions for broadband users.

Detecting and Removing Malicious Code - article outlining the techniques used to repair a cracked machine.

SecurityFocus Virus InFocus Archive - multiple articles on virii and worms.

Project Honeynet autorooter analysis - a detailed look at an actual autorooter.

Security Focus ARIS - SecurityFocus DeepSight Threat Management and early attack warning system. Very useful service for detecting and tracking outbreaks of autorooters.