By Rob Jamison, Manager, Network Intelligence, Managed Security Solutions Group, BT Global Services
In the previous two posts, we discussed the reuse of malware and host recidivism. In this article, we will focus on how pirated software makes the problem worse: the prevalence of piracy in a population is roughly proportional to the size of the botnets recruited from it.
There are many reasons for insecure configurations, but one of the most compelling is the use of unlicensed, and hence unsupported, software. I do not think it an overgeneralization to say that those running pirated software are less concerned with the confidentiality and integrity of their systems than with what a license would cost them. This matters less for assets inside a reputable enterprise environment, but it remains a compounding problem: it swells the ranks of botnets and adds amplification to DDoS attacks.
Most sites offering pirated media and cracked applications are vertically integrated with botnets owned by organized crime. Replenishing a botnet (each additional node is additional revenue) is partly funded by recruiting unwitting visitors and asking for a virtual handout. The bait may be Lady Gaga today rather than the Britney Spears of 1998; whatever the taste, the content on offer carries the same core payload: it compromises the system that downloads it, has that system phone home, and puts it to work.
Users unwilling to pay for a licensed operating system in the first place (or unsophisticated enough not to know the difference) are more likely to download other pirated software as well. In doing so, they put an inferior OS, one that has not been patched or even configured prudently, in direct contact with malware-laden content. Often that content is audio or video, and media parsers have a long history of exploitable bugs that hand an attacker full control of the host.
It is difficult even to fathom how many pirated copies of Windows XP are online. Despite Microsoft's amnesty program three years ago, it is doubtful there has been much reduction in the percentage, let alone the total number, as of today; some estimates put worldwide software piracy as high as 40%. Of the counterarguments made on this blog against the RIAA and the enforcement of IP statutes, not one attempts to refute that installing pirated software on a system diminishes its security posture. Perhaps the most ludicrous argument for removing IP enforcement would be that piracy is "safe" for the user and for the internet at large.
To take a more technical direction: if it is hard to argue that piracy and security are compatible at the application layer (sharing pirated DVDs over P2P software, say), it is harder still to make that argument at the operating-system layer. If the OS is counterfeit, so that it is either ineligible for security updates or its owner avoids them for fear of detection, there is little chance it will remain a sovereign host. Once it is compromised, the odds are much higher that the keyboard user (as opposed to the remote r00t user) cannot regain control, and therefore cannot restore the ability to update the host. Even when the owner wants to legitimately restore the system to a state prior to the infestation, that is often impossible. Most of the Trojan software found on compromised systems today either poisons DNS so that the infected computer is steered away from security sites, or injects itself into the process by which the host tries to patch the OS or load current definitions into the A/V application. Once compromised, reaching the handful of sites that could help the user clean up the rootkit is not possible without strong technical skills or the intervention of a third party.
Here recidivism is made worse because an initially compromised system will go on blocking OS updates and A/V definition updates even after the botmasters are behind bars, the C&C nodes have gone dark, and the user wants to turn over a new leaf and pay for a legitimate OS license key.
For the reasons above, the botnet problem is not getting any better. The resurgence of Storm and Kraken can be chalked up to reuse of code in the same environmental niche their ancestors occupied. Confusion over which botnet has conscripted which node, and when, matters much less than addressing the underlying environmental conditions that allow 10^8-node botnets, driven by kids with learner's permits, to persist.
As a parting allegory: the illusion of IT progress was shattered several years ago when the Conficker botnet spread through LANs in the same manner as the Sasser worm (which led to Bobax and eventually Kraken). Today the Stuxnet Trojan spreads on the same USB drives that Conficker.C rode more than a year ago (remember the past cries to disable autorun?).
The more the security world changes, the more it stays insane!
For more information, please visit:
- Original Kraken [Damballa, Royal]: http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=211201307
- Current Kraken [Damballa, Royal]: http://www.darkreading.com/vulnerability_management/security/antivirus/showArticle.jhtml?articleID=225701438&cid=RSSfeed_DR_News
- Original Storm [F-Secure Video and Commentary]: http://www.youtube.com/watch?v=kH8cS1AkqiI
- Current Storm [Felix Leder]: https://www.honeynet.org/node/539
- Mariposa Demise; Technical Ability of Mariposa Botmasters [Panda, Defence]: http://www.pandasecurity.com/homeusers/media/press-releases/viewnews?noticia=10085
To read the full paper on Kraken, click here.
