Threats to Come

Expect attacks on SNMP and wireless infrastructure, and supersize DoS.

Attention, security managers. Stephen Northcutt has a warning for you: Within six months, a worm will likely appear on your network and begin targeting your networks SNMP vulnerabilities. Start patching now.

How does Northcutt, principal incident handler for The SANS Institute and former chief of Information Warfare at the Department of Defenses Ballistic Missile Defense Organization, in Alexandria, Va., know this? Its quite simple: Hes been analyzing attack patterns and noticing several SNMP vulnerability announcements, some as recent as last month. Its only a matter of time, said Northcutt, in Kapaa, Hawaii, before malicious attackers unleash an SNMP worm into the wild.

"With all these attacks weve seen, none of them have been based on anything that hadnt already been announced to the security community," Northcutt said. "People have a really good chance to fix their problems before the attacks happen. If we could just work on that one fundamental of fixing a known problem, then were under less risk by far."

As the pace of security attacks escalates and as the stakes rise, security managers will need not only to respond quickly but also to anticipate where the next worm, virus or DoS (denial-of-service) assault will strike, experts say. By analyzing patterns of major attacks and announced patches, for example, security managers could have easily avoided last years Code Red II and Nimda worms. Using similar techniques, experts such as Northcutt say security managers during the next year should gird for larger DoS attacks involving many more compromised systems, attacks on WLANs (wireless LANs), and worms and viruses that use sophisticated blends of techniques for accessing targeted systems as well as multiple payloads.

Security managers have already begun to see more sophisticated threats that combine multiple attack techniques. The blending of viruses, worms and traditional hacking techniques was shown in the Nimda and Code Red worms, which used multiple methods and techniques to spread and replicate themselves. In addition, they exposed known vulnerabilities and had multiple payloads.

Nimda, for example, had different methods of infection. It acted as a mass mailer, replicating itself on vulnerable Web sites. But it also tried to download itself onto machines whose users visited infected Web sites. Security professionals should expect to see more such multifaceted attacks and should expect such attacks to jump eventually to WLANs and devices, experts said.

One of the easiest ways to predict where an attack will next hit is to look for recent vulnerability announcements. "When someone finds a vulnerability, you tend to see some kind of exploit against it not too far in the future," said Marty Lindner, team leader of incident handling at CERT, in Pittsburgh. "The Internet is a huge playground, and that attackers will get faster and better at following up is just the nature of the beast at this point."

That pattern is why experts such as Northcutt are looking warily at SNMP. A vulnerability was announced Feb. 12 in SNMP, a ubiquitous protocol running on everything from switches and routers to workstations and servers. While patches have been released by software vendors including Microsoft Corp. and Cisco Systems Inc., Lindner and Northcutt both said the best that can be hoped for is that whatever worm appears wont cause too much disruption. The fact remains however, that attackers have begun probing for SNMP vulnerabilities.

"Exploit tools based on these vulnerabilities are already starting to appear," said SANS Northcutt. "SNMP agents are so common, youll find them in heating ventilation systems, printers, even battery backup systems. People are quick to patch, but there is still the potential for some sort of seriously widespread attack."

Another prime target, based on the recent publication of seven vulnerabilities, is the PHP scripting language. PHP has flaws that crackers could use to run arbitrary code on vulnerable servers.

The vulnerabilities, which are all buffer overflows, mainly affect Apache Web servers, of which there are more than 10 million in production worldwide today, according to Web survey company Netcraft Ltd., of Bath, England. While the PHP team has released an updated version of the language that fixes the security problems, experts say there will always be some boxes that arent patched.

Experts say they expect to see a new class of more powerful DoS attacks mounted with many more compromised systems. While hackers used a relatively small number of coordinated systems to knock and out of service in February 2000, SANS has recently seen evidence of large numbers of compromised systems—100 times the number used in attacks last year—being employed in coordinated DoS attacks.

Employing Internet Relay Chat with encryption as a command and control mechanism, attackers are allegedly using compromised systems to scan Department of Defense networks. Next, said Northcutt, they could be expected to hit major ISPs such as WorldCom Inc. and Cable and Wireless plc.

In fact, ISP Cloud Nine Communications Ltd., of Basingstroke, England, in January was forced to close its operations following such a DoS attack. The attack reportedly crippled the ISPs entire network to the point that rebuilding it was out of the question. The network has since been acquired by Zetnet Services Inc., of Shetland Isles, England.

"To be able to affect an ISP means youre affecting gigabytes of bandwidth. ... That is 100 times greater than we have seen in the past," Northcutt said. "What are these people going to do with their shiny new toys? What can you do with 15,000 or 10,000 or, in one case, 30,000 [compromised] computers? The answer is you can do just about anything you want to."

Aside from technologies being targeted, security experts are seeing a major shift in the motivations behind attacks. More are economically motivated, not just designed to send a political or personal statement.

Alan Paller, director of research at SANS, in Bethesda, Md., said there has been a movement toward the systematic exploitation of multiple vulnerabilities (using methods similar to Nimda) to steal health records and other private information. Last year, 35 percent of enterprises responding to the Computer Security Institute and FBIs 2001 Computer Crime and Security Survey reported $378 million in financial losses.

Its possible, said Paller, that the next step will be an increase in attacks on infrastructure. In October 2001, a man was sent to prison after being convicted of hacking into a waste management system in Maroochy Shire in Australia. He caused millions of gallons of raw sewage to spill into local parks and rivers and onto the grounds of a Hyatt Regency Hotel.

"Were seeing an intersection between terrorists focusing on infrastructure and their use of Internet-based attacks to do so," Paller said.

So what should security managers do to protect their organizations? Experts say its quite simple: Get back to the basics. Verify that all backups are completed, keep up with patches, and shut down all open ports.

And remember: Technology needs to be led by business strategy. Enterprises need to determine what their minimum acceptable level of security is and have strong procedures in place to ensure they meet those standards.

"The average individual cant watch out for [everybody] because thats just not the way it works," Lindner said. "The Internet is a big playground, and there are people who want something to play with. Ensure that an intruder, whether theyre a highly motivated attacker or a script kiddie, has a difficult time penetrating your defenses."

Also in this Special Report

  • Ignorance: The Hackers Best Friend
  • Security Roundtable
  • Here Be Dragons: Web Services Risks
  • Trail of Destruction: The History of the Virus
  • Community Builds Security: Labs Answers Your Security Questions
  • WLAN Hardening Checklist
  • Application Hardening Checklist
  • Operating System Hardening Tips