
1/17/2006
06:00 PM

Holy_father Delivers Rootkits To The Masses

The futility of today's model for antivirus protection is fairly obvious. Plug one hole in the dike and another will sprout. Pretty soon, you're running out of fingers and toes to hold back the flood. It gets worse. Attackers without the skill to create their own malicious hacks can outsource their dirty business to others who will write the code for them and then offer services that keep these rootkits from being detected. It's the virtual version of Spy vs. Spy, with many black hats claiming that they're giving the technology world exactly what it needs -- tough love.

One of the most prominent rootkit suppliers is the Hacker Defender site, which I learned about during an interview with Herbert Thompson, Ph.D., chief security strategist for Security Innovation Inc., a Boston-based provider of application security services. Worse than simply selling rootkits to the masses, Hacker Defender also offers anti-detection services that will help ensure that its rootkits aren't detected by antivirus and other malware-prevention software.

These third-party rootkits could be used by an employee who is about to leave an organization or someone who thinks they will be fired and would love to keep control within a network, Thompson told me. "Some of this is illegal, some isn't, depending upon what country you live in," he added. "Many of the auction sites that trade in zero-day vulnerabilities benefit from unclear and inconsistent laws." If there's no law against renting out botnets in Russia, then it's difficult for the U.S. to prosecute an attack launched from within the country, or even to collaborate with international law enforcement. "The legal community is still trying to catch up with the implications of the cyber universe," he said.

It's incredibly difficult for law enforcement to gather evidence against someone selling hacks or botnets, unless they slip up somehow. "If they are doing it from their house, they are traceable; but what about if they're doing business from kiosks or libraries?" Thompson asks.

When I asked Thompson how a site trying so hard to protect its identity (the person running the site refers to himself only as Holy_father) could collect for its services, he told me that the answer is E-gold. Excuse me? He told me about one West Indies company, E-gold Ltd., that doesn't possess any national currency of any nation and has no bank accounts. "They don't trade in any sovereign currency, so they avoid the scrutiny of the Secret Service," Thompson says.

Like most tech pros who make a living selling security to defend against attacks, Thompson couldn't give me a good explanation of why someone would trade in malicious code, other than to make money. Of course, if you're that skilled a programmer, there are lots of ways to make money. I decided to bless myself and E-mail Holy_father.

To my surprise, he actually got back to me within a few hours. Holy_father's command of the English language confirms for me that he's not based in the U.S., but he has little difficulty articulating his desire to push the antivirus community to do a better job of designing its software. HF claims that it's because of his work -- he launched the site in 2002 -- that so many people even know what a rootkit is. Of course, he had a lot of help from Sony.

HF's contention is that antivirus companies benefit from keeping their customers just one step ahead of the next big malware attack. This keeps their customers coming back for more and renewing their subscriptions to antivirus database services. If the antivirus companies were to create "something incredible, [a] great AI engine that would beat all other companies on the market and take 95% of the market," they would run the risk of having that program reverse-engineered by the competition and quickly lose their advantage, HF wrote me. In other words, why bother to invest the time and money creating a revolutionary anti-malware engine when companies are willing to pay to upgrade regularly? Sounds to me like he's accusing the software market of complacency. I suppose he wouldn't be the first.

Not surprisingly, antivirus companies take umbrage at HF's assertions. The Hacker Defender site certainly makes it easier for a person without a high level of programming skills to get his hands on a sophisticated rootkit, says Ed English, Trend Micro's chief anti-spyware technologist. But, since Hacker Defender's code and intentions are out in the open, it gives companies like Trend Micro the ability to track this activity. "Publishing these rootkits publicly is one way to do this, but they also can directly contact a vendor" if they have a criticism of that vendor's software, English says. Hackers who claim to be trying to help improve IT security by threatening it tend to display such passive-aggressive tendencies.

The chess match between the white hats and black hats will continue for the foreseeable future. Either way, IT pros can't pretend these threats don't exist. "The first time a CIO goes to a site such as Hacker Defender, it's a big wake-up call," Thompson told me. "But if you're not aware that these groups exist, it's hard to defend against them." Company executives are realizing that even if a disgruntled former employee doesn't have the skill to attack their IT systems, they can outsource.
