How I Learned to Stop Worrying and Love the Zombies

Jan 12 2007

By Kurt Seifried (kurt@seifried.org)

Unlike traditional horror films, where the good guys pull together at the last minute and blow up, burn, or otherwise deal with the zombies attacking them, there's not going to be a happy ending to this one. For a number of reasons the various strategies for dealing with this problem haven't worked and won't work. This is obvious if you look at the stats: the number of infected machines keeps rising steadily, and the researchers keep coming up with new discoveries that have little to no effect on the problem. Much like the film Dr. Strangelove, we're at the point of no return; we may as well yell and twirl our hats around for all the good it'll do us.

The zombie problem is unique in that it plays on virtually every major weakness in information security: human nature, user interfaces, patch management and technology, law and jurisdiction, and scale, to name a few. In retrospect this was virtually inevitable. The attackers have steadily evolved online, finding successful reproductive strategies that hone their effectiveness and lead to ever more effective attacks. Combined with the economic incentive [1], where the most successful attacks earn attackers the most money, this reinforces a Darwinian evolution of the security landscape into a very dangerous and disease-ridden environment.

One: a sustainable reward for successful attacks

As mentioned above, attacks on computers now earn attackers money. In past years most attacks were motivated by the desire to gain bragging rights, or to damage or embarrass an individual or organization the attacker was at odds with. These reasons, however, are not very sustainable; chances are people grow up at some point or stop caring. When you put money into the equation you suddenly make it possible for people to make a living (in some cases a very good living) off of attacking systems. Add to this a mixture of bright young people living in a variety of poverty-stricken countries with decent infrastructure and computers (for example, Russia), and you end up with an environment that rewards attackers monetarily in a meaningful way.

Two: the scale of the problem

Seriously, the scale of the problem is bigger than big. We're talking about every single computer on the Internet, ultimately. Pretty much every one of these computers reads email, browses the web, or offers services such as file and print sharing or a web server. All of these services have holes, both known and unknown. On the client side we have users who still consistently open "postcard.exe" attachments and get their systems infected.

Attackers don't care about hardened systems. Why would they, if even 1% of the Internet remains vulnerable (and I can guarantee the vulnerable fraction is not going to get down to 1% anytime soon)? That still leaves a few million hosts to infect. Much like a blue whale:

The blue whale is thought to feed almost exclusively on small, shrimp-like creatures called euphausiids or krill. During the summer feeding season the blue whale gorges itself, consuming an astounding 4 tons (3.6 metric tons) or more each day. [2]

You can get really big by eating a lot of little things. With automated attack tools, botnets, and so on, attackers can easily sift through a few million hosts a day.

Three: the problem of jurisdiction and enforcement of laws

While there are laws in most countries regarding computer trespass, misuse of computers, etc., they are difficult to enforce, especially across jurisdictional boundaries. Additionally, many law enforcement agencies can't be bothered to devote expensive resources to what is largely regarded as a victimless crime, unless the victim is sufficiently large or well connected to have the political clout that makes law enforcement pay attention (e.g., a national lab in the US or a university). If attackers keep their activities outside of the physical jurisdiction (e.g., country or state) they actually live in, chances are they won't be the target of an international investigation. (Although it does happen, it's quite rare.) Victims are left with little recourse even if they know who is responsible.

Four: the problem of individual systems

While many computers are part of well-maintained networks (corporations, universities... ok, maybe not so much universities) that enforce security policies, most computers are not part of a well-maintained network, if indeed any maintenance is done at all. Realistically these systems have little to no hope of being kept up to date (especially if on dialup), and with some running outdated software (I've run into people still using Windows 95, connected to the Internet) there will always be a tail end of systems that are prone to infection.

Five: the problem of a constantly vulnerable ecosystem

A.k.a. the "please don't sneeze on me, if you insist on coming to work when you are sick" problem.

Even if you keep systems up to date religiously with vendor patches, there are still periods of time during which you will be vulnerable: the window between an exploit appearing in the wild and the vendor shipping a fix. With Microsoft products this is an especially bad problem. In 2006 the web browser Internet Explorer 6 was "unsafe" for 284 days. Simply put, for the majority of the year there were known attacks being used to infect systems in the wild for which Microsoft had not yet released a patch [3]. Just recently (Jan 9, 2007) Microsoft stated that several security patches for Word, covering issues that are being used to compromise systems, were not going to ship as previously indicated [4]. Currently there are a large number of unpatched issues being exploited in the wild, as you can see from this table republished from SANS [5]:

Affected: Internet Explorer msxml3 concurrency problems (CVE-2007-0099)
  Known exploits: Publicly posted exploit
  Impact: Remote DoS / possibly code execution
  Known since: Jan 4th, 2007
  ISC rating (clients / servers): unknown / unknown

Affected: MessageBox() / csrss double free vulnerability (CVE-2006-6696)
  Known exploits: Publicly posted PoC exploits for XP, 2003 and Vista; MSRC blog
  Impact: Privilege escalation
  Known since: Dec 15th, 2006
  ISC rating (clients / servers): Important / Less Urgent

Affected: Word unspecified vulnerability #3 (CVE-2006-6561)
  Known exploits: Publicly available exploit; MSRC blog
  Impact: Remote code execution
  Known since: Dec 12th, 2006
  ISC rating (clients / servers): Critical / Important

Affected: Word unspecified vulnerability #2 (CVE-2006-6456)
  Known exploits: Used in targeted attacks; MSRC blog #1, MSRC blog #2
  Impact: Remote code execution
  Known since: Dec 10th, 2006
  ISC rating (clients / servers): Critical / Important

Affected: Word unspecified vulnerability #1 (CVE-2006-5994)
  Known exploits: Used in targeted attacks; Microsoft Security Advisory 929433, MSRC blog
  Impact: Remote code execution
  Known since: Dec 5th, 2006
  ISC rating (clients / servers): Critical / Important

Affected: ADODB.Connection ActiveX (CVE-2006-5559)
  Known exploits: Public DoS exploit; MSRC blog
  Impact: Remote code execution
  Known since: Oct 24th, 2006
  ISC rating (clients / servers): Critical / Important
  Workaround: set the kill bit for CLSID 00000514-0000-0010-8000-00AA006D2EA4
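The kill bit workaround in the last row is the one thing in that table an administrator can do before a patch exists, so here is what it looks like in practice. This is an added example, not code from the original post or from the SANS diary: a PowerShell snippet that sets the kill bit for the ADODB.Connection CLSID and then checks that it took. The registry location and the 0x400 flag value are Microsoft's documented kill-bit mechanism (Internet Explorer refuses to instantiate any control whose "Compatibility Flags" value has that bit set); the function names are my own, and the script assumes it is run from an elevated shell on the machine being fixed.

```powershell
# Added example (not part of the original post): set and verify the ActiveX kill bit.
# Mechanism (Microsoft's, not mine): under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# a DWORD named "Compatibility Flags" with bit 0x400 set tells IE never to load
# the control. On 64-bit Windows the 32-bit browser reads the Wow6432Node copy
# of the key, so both hives are written when the second one exists.

$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD

# Assumption: we want every ActiveX Compatibility key present on this machine.
function Get-ActiveXCompatKeys {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $guid = [guid]$Clsid                       # throws on a malformed CLSID, which is what we want
    $name = $guid.ToString('B').ToUpper()      # 'B' format yields {XXXXXXXX-XXXX-...}
    $bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    $wow = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    if (Test-Path $wow) { $bases += $wow }
    foreach ($b in $bases) { Join-Path $b $name }
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    foreach ($key in Get-ActiveXCompatKeys $Clsid) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        # OR the bit in rather than overwrite, so any other compatibility flags survive.
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
            -Value ($current -bor $KillBit) -Type DWord
    }
}

# Returns $true only if every applicable hive has the bit set.
function Test-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    foreach ($key in Get-ActiveXCompatKeys $Clsid) {
        if (-not (Test-Path $key)) { return $false }
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags -or (($flags -band $KillBit) -eq 0)) { return $false }
    }
    return $true
}

# The CLSID from the SANS workaround for ADODB.Connection (CVE-2006-5559).
$adodb = '00000514-0000-0010-8000-00AA006D2EA4'
Set-ActiveXKillBit  $adodb
Test-ActiveXKillBit $adodb
```

Two caveats a practitioner will want. First, the kill bit only stops Internet Explorer (and anything else that honours the flag) from instantiating the control; it does not remove the vulnerable DLL, so other hosts of the component are unaffected either way. Second, the bit persists across patches, which is the point: once Microsoft ships a fix you can leave it set unless something legitimate needs ADODB.Connection from a web page, which in 2007 is a strong hint that the page itself deserves a closer look.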

Finally: Because the attackers play dirty, and the good guys usually play clean

Quite simply put, the bad guys will do whatever it takes to infect systems and take control of them. The good guys are often left with "Can you please patch your machine? It's sending out an awful lot of spam" and other ineffective measures. The temptation to hijack systems that are already under an attacker's control is there, but largely (at least to the best of my knowledge) this hasn't been done by the "good guys." The idea of writing worms that infect systems and then patch their security flaws, enable automatic updates, and install security software such as anti-virus programs has been discussed, but again, the good guys start talking about liability and the idea usually dies. The ironic thing is that the bad guys have already started doing this: numerous malware and spyware packages will remove their competition, or even install anti-virus products, in order to make sure that the infected machine stays under their control and is not hijacked by someone else. Chances are that as these attacks become more virulent it will become more and more difficult (if not outright impossible) for the good guys to clean a system, short of formatting and reinstalling everything.

Conclusion:

We’re up the creek without a paddle. So why worry?

[1] http://www.readwriteweb.com/archives/hacking_20.php

[2] http://www.acsonline.org/factpack/bluewhl.htm

[3] http://www.theregister.co.uk/2007/01/05/ie_unsafe/

[4] http://www.eweek.com/article2/0,1895,2081067,00.asp

[5] http://isc.sans.org/diary.html?storyid=1940



Posted by Kurt.Seifried on Friday, January 12th, 2007, at 8:00 am, and filed under Future Forecast, That Old Problem.
