DDOS, Botnets and Worms…Oh My!

The recent attack on the Serious Organized Crime Agency (SOCA), most likely in response to the 36 data selling sites shut down a few weeks ago, lead to the admission by high ranking SOCA officials that the Ministry of Defense networks need to “beef up their security.”  In response to this we would like to present solutions for protecting networks and systems from external attacks such as what happened with the MoD.  In addition, we will provide a quick run-down of various security practices which, when not followed, can leave doors open for malicious actors attempting to gain access to internal networks, not only for the MoD but any organization or personal user.

The attack which was launched against the MoD was a DDoS attack.  DDoS stands for Distributed Denial of Service and is launched by what is referred to as a bot network or “botnet.”  A botnet consists of a group of compromised systems which have been infected by a malware implant, or “bot.” The implant will beacon back to a central controller and receive further commands by the person running the botnet or a “Bot Herder.”  In the case of a DDOS attack, every bot will send large amounts of network traffic in the direction of one particular server.  A web server will often have limits as to how many simultaneous conversations it can have with another system.  Therefore, when tens of thousands of infected systems begin a conversation with the same server, the flood of traffic will block legitimate users from being able to communicate with the web server. If continued, this can overload the server and potentially crash it.  It’s like trying to shake hands with 100 people at once.  A high level approach to preventing DDOS attacks would be to utilize redundant systems which could absorb some of the connection load in the case of an attack or heavy traffic, while still keeping the web site available to legitimate users.

Internal security is tricky, however when it comes to an organization such as the MoD, whose external network protection is most likely stronger than their internal network protection, the key is physical security. Physical security is not just guarding the entrances to the building but making sure that employees are following operational security practices every day.  This includes things like:

  • Not keeping passwords written on post-it notes on desks or monitors
  • Locking the computer when the current user steps away
  • Logging off at the end of the day
  • Following the organizations internet policy
  • Not revealing any login credentials to anyone. If it is absolutely necessary to share login information, ensure that it is sent via encrypted channels or if face-to-face with the recipient, in a location where other people will not overhear.

The other aspect of physical security would be dealing with the actual hardware, while most organizations and government agencies do have building and office policies on security, it can be easy for an employee who didn’t read the policies to introduce something dangerous onto the companies network.  For example, in 2008, the United States Department of Defense internal network was infected with a worm known as “Agent.BTZ.”  This worm was introduced into the network by a service member who plugged an infected USB drive into one of the DoD computers which instantly infected the system. The Worm had the capability to provide backdoor access to systems located on the internal network to remote attackers. It also had the capability to steal documents and upload them to a remote server. This lead to the DoD banning all personal re-writable storage media.   While it may seem like a harsh policy, sensitive organizations such as the DoD or the MoD require it for the continued protection of sensitive information.

These security practices are not only useful for organizations and businesses but also the average user at home:

  • If you are at home and you have guests over, regardless of whether you trust them or not, be sure to lock your system or shut it down.
  • If using a laptop in public places, be sure to lock the system and secure the actual laptop in a bag or backpack on you; do not leave it out in the open or on the passenger’s seat of your vehicle while you are not in it.
  • An extra security measure for laptops is to also encrypt portions of your hard drive using encryption software like TrueCrypt.
  • Whenever you decide to plug in removable storage media, like a USB drive, owned and used by someone other than yourself, be sure to disable the auto-run feature on your system.  This will prevent malware on the media from executing automatically. Then scan the drive with an Anti-Malware/Anti-virus application to ensure that it’s clean.

Remember, you could have the world’s best firewall installed but the use of malware infected media and a lack of physical security education and prudence can bypass all other security measures.

References:

  1. Under Worm Assault, Military Bans Disks, USB Drives.  Wired, Nov 19 2008
  2. SOCA Shuts Down Website After Cyber-Attack. The Guardian, 2 May 2012

ABOUT THE AUTHOR

Adam Kujawa

Director of Malwarebytes Labs

Over 14 years of experience fighting malware on the front lines and behind the scenes. Frequently anachronistic.