
WP: Hackers Skip Windows to Embed New Infections

This topic is archived.
 
DeepModem Mom Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 09:54 AM
Original message
WP: Hackers Skip Windows to Embed New Infections
Hackers Skip Windows to Embed New Infections
By Jonathan Krim
Washington Post Staff Writer
Tuesday, July 26, 2005; Page D05


The online security climate continues to deteriorate, as computer hackers are targeting an increasing number of popular programs such as the iTunes music service and software that makes backup copies of data, according to an Internet safety study released yesterday.

Flaws in software that can be exploited by hackers are on the rise, said the report by the SANS Institute of Bethesda, a cyber-security research and education center.

The report, issued quarterly, is unwelcome news for consumers and businesses hoping for relief as software makers such as Microsoft Corp. work to improve the security of the operating systems that power individual machines and computer networks.

Hackers now often bypass operating systems, staying one step ahead in the ongoing cat-and-mouse warfare between those trying to protect computer systems and those trying to infiltrate or damage them.

For example, worms, viruses and spyware can now infect machines when users simply visit certain Web sites, rather than requiring victims to click on a malicious e-mail or file. Individual songs delivered via trusted programs such as the RealNetworks media player or iTunes can be vehicles for malicious code that can cripple machines or open them up to remote control by hackers....


http://www.washingtonpost.com/wp-dyn/content/article/2005/07/25/AR2005072501433.html
demgrrrll Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 09:57 AM
Response to Original message
1. I know this is a dumb question but why do people do this? Is it some
kind of achievement to be able to hack and ruin? I am out of the loop on this.
 
DeepModem Mom Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 09:59 AM
Response to Reply #1
2. Actually, I think it's a very good question --
similar to questions I always have about seemingly mindless vandalism.
 
merwin Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:40 AM
Response to Reply #2
18. First of all, these people aren't "hackers".
Edited on Tue Jul-26-05 10:41 AM by merwin
A hacker is traditionally defined as someone who has an intense passion for technology and desires to learn everything possible about it. This may mean pointing out vulnerabilities, but not exploiting them via trojans and worms, etc.

These people are to hackers as neocons are to republicans.
 
youspeakmylanguage Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:44 AM
Response to Reply #18
19. Correct. The correct term is "cracker" or "script kiddie". (n/t)
 
youspeakmylanguage Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:00 AM
Response to Reply #1
3. Many of them are anarchists, communists, and radicals of other stripes...
Edited on Tue Jul-26-05 10:21 AM by youspeakmylanguage
...who see disrupting and ultimately bringing down the Internet as a stepping stone to disrupting and crashing the world economy. A lot of them actually fit Chimpy's "they hate us because of our freedoms" line. Some of them have no political agenda and simply enjoy causing disruptions.

They range from young "crackers" with vast, intricate knowledge of systems to "script kiddies" who don't really know what they're doing - they simply copy code from more experienced hackers and launch clumsy and blunt attacks.

A lot of them are also working for gangsters in Eastern Europe and Russia, using malware for identity theft and other kinds of fraud.
 
Toots Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:08 AM
Response to Reply #3
7. fit Chimpy's "they hate us because of our freedoms"
IMO the only ones who fit that description are the right-wingers themselves. Notice all their issues are to take rights away from people and none are for adding rights.
 
youspeakmylanguage Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:10 AM
Response to Reply #7
9. Believe it or not...
Edited on Tue Jul-26-05 10:19 AM by youspeakmylanguage
...but there are other threats to our way of life besides the right wingers. You don't really think it's Freepers who are dumping all of the spam and viruses on your computer every day, right? Do you think the people launching those attacks on your property and privacy respect you or your way of life?

Radicals of all political stripes can be dangerous.
 
KansDem Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:50 AM
Response to Reply #7
22. "Notice all their issues are to take rights away from people..."
Evident in Republican proposals to amend the Constitution. All GOP proposals restrict what the individual can do, whereas previous amendments (especially the original 10) restrict what the state can do.

The Republicans are always trying to make the US Constitution into some kind of behavior-modification document for US citizens.
 
youspeakmylanguage Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:55 AM
Response to Reply #22
24. How does a completely unrelated thread evolve into bashing Republicans?
Don't get me wrong - I like bashing Republicans. But this thread has nothing to do with them!
 
KansDem Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 11:09 AM
Response to Reply #24
26. Toots made an insightful comment regarding Bush...
I couldn't help but include a response regarding his political party.

But you're right on two accounts: 1) this is not a thread about Republicans; and 2) it is fun to bash Republicans!
 
Psephos Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 11:43 AM
Response to Reply #24
30. Happens all the time here...your original points are well taken, btw
It's so friggin' hard to keep a thread here on its original subject without it turning into one more bash of repukes, catholics, boy scouts, or whatever.

I say, bash away at those on their own threads...sometimes after a frustrating day it's just what I need, like hitting a punching bag at the gym...but on unrelated threads, the oversaturation just becomes DU background static. I mean, honestly, there's nothing original about 90% of it. Chanting slogans does not equal original thought. It actually sounds a little like what goes on in fundie churches.

Now where'd I put that fire extinguisher? :-P

My opinions, naturally.

Peace.
 
youspeakmylanguage Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 01:33 PM
Response to Reply #30
38. I agree with you...
I dislike Bush as much as the next DUer, and I believe he should have been impeached a long time ago, but there are some people who honestly believe (no exaggeration) that Bush is responsible for all of society's ills. It's like a mass hysteria.

If we don't keep things, and current events, in perspective and seek the truth, then nothing will stop us from going over the deep end and truly alienating intelligent, concerned people.
 
Mike Niendorff Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 05:42 PM
Response to Reply #22
50. Great point.

> All GOP proposals restrict what the individual can do, whereas
> previous amendments (especially the original 10) restrict what the
> state can do.


You make a really good point here. If this hasn't been taken to the "frame the debate" group, it should be.


MDN

 
Billy Burnett Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:09 AM
Response to Reply #3
8. Communists? LOL
:spray: :rofl:

Quick... duck and cover!
 
youspeakmylanguage Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:11 AM
Response to Reply #8
12. OK...
Edited on Tue Jul-26-05 10:23 AM by youspeakmylanguage
:freak::eyes:
 
Barrett808 Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:03 AM
Response to Reply #1
4. It's fascinating technology
That mimics some aspects of biophysical processes. It's becoming more clear that viruses are crucial drivers of evolution in organisms, so this hacker research may actually give us insight into gene propagation in ecosystems.

Of course, that's not why most hackers do it. But the technology is seductive and requires a lot of brainpower to develop.
 
DBoon Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:03 AM
Response to Reply #1
5. Money is involved now
Hackers are paid to compromise systems used to send spam email.

Also, many attacks are now designed to get financial info - credit card numbers, online banking account passwords, etc. These are then used for identity theft.
 
Hav Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:10 AM
Response to Reply #5
10. .
These Phishing emails make me mad..
And as long as some of them get away easily, it won't stop.
Like this Sasser guy:
http://www.cnn.com/2005/LAW/07/08/sasser.suspended/

"Prosecutors say Jaschan sent the computer worm on the Internet on his 18th birthday, April 29, 2004.

It was blamed for shutting down British Airways flight check-ins, hospitals and government offices in Hong Kong, part of Australia's rail network, Finnish banks, British Coast Guard stations, and millions of other computers worldwide."


Probation and 30 hours of community work, wow really...
 
flyingfysh Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:06 AM
Response to Reply #1
6. some criminals make a lot of money from this
If a criminal can do this, he can take over a machine, and use it to launch untraceable spam attacks or extortion attempts.

It's mainly not vandals these days. It's organized criminal gangs.
 
youspeakmylanguage Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:15 AM
Response to Reply #6
13. A lot of it is under the control of the Russian mob...
Edited on Tue Jul-26-05 10:20 AM by youspeakmylanguage
...and other gangsters in Eastern Europe. Fighting spam in Europe has become very hazardous to your health. It won't be long before individuals who combat malware and spam will begin being targeted in the US.

Crackers and spammers launched an attack against Spamhaus back in 2003. They made it look as though the anti-spam fighters were distributing child porn. It's not a game anymore, by any means.
 
Ian David Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 02:01 PM
Response to Reply #13
43. Related thread: Russia's Biggest Spammer Brutally Murdered in Apartment
 
Kelvin Mace Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:50 AM
Response to Reply #1
21. Several reasons:
1) Criminal enterprise - Identity theft and credit card fraud - 45%
2) Spammers looking to harvest email addresses - 45%
3) Script kiddies (cracker wannabes) using tools written by actual crackers so they can be "k00wel". - 3%
4) Vandals with an agenda (political, religious, spite) - 2%
5) Web sites that were not actually cracked, but put together by idiots so poorly that it falls apart and blaming "hackers" keeps people from getting fired - 4%
6) Real crackers from former Soviet bloc countries with no jobs, lots of free time and a lot of anger - < 1%
7) Clueless intelligence agencies who would be classed as "Script Kiddies" except that they get paid for vandalizing French government web sites - <1%

Just my opinion.
 
tblue37 Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 02:05 PM
Response to Reply #1
44. For the same reason that teenage boys
smash Halloween pumpkins. It is vandalism, and they get a rush out of it.

In the case of people who do this to computers, two things are going on. Some are just proving they are "smarter" than the big boys (like Microsoft), whereas others are actually doing this for the purpose of theft: theft of sensitive data that can be used to make money, theft of computer power, etc.

Among the ones proving how smart they are, notice that they are almost all adolescent or young adult males--the same people who would smash pumpkins. And since most of them are probably also unpopular geeky types, not only does beating the big boys give them a chance to feel important in their peer group (other young males who like to mess up computers), it also gives them a chance to avenge the innumerable social slights they probably experience in real life.

I suspect the show-off young males are easier to catch, because they do what they do for the sake of being able to brag about it. The ones doing it to make serious money have no reason to brag about their exploits, so they would be harder to catch.
 
RoyGBiv Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:10 AM
Response to Original message
11. Bypassing the operating system ...
Edited on Tue Jul-26-05 10:16 AM by RoyGBiv
This is one of the most absurdly written articles on computer security I have ever read. It reads like thinly veiled propaganda put out by Microsoft to try to take the heat off the holes in the system that allow this kind of thing to take place and sell its new browser.

You do not "bypass" the operating system, at least not in anywhere near the manner suggested by this. The programs that are avenues of infection run on an operating system. The bit about FireFox is particularly charming in an ignorant sort of way, but I won't bother to vent about exactly why because it gets me off the point.

Part of the point the author seems to be trying to make is that exploits not tied explicitly to individual operating systems are being used by people to steal information without the person's knowledge, such as the recently fixed security hole in FF that allowed a website to spoof its address so that the browser thought he or she was on a "safe" site when in fact this was not the case.

 
chenGOD Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:23 AM
Response to Reply #11
14. Thank you, at least someone else noticed it...
I'd be willing to bet money without doing any research that the "virus" that attacks from iTunes only works on iTunes for Windows.

Bypassing the OS...they're not dumping viruses into the BIOS these days, lol..

MS propaganda indeed...

 
youspeakmylanguage Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:28 AM
Response to Reply #14
15. I'm not a conspiracy theorist by any means...
Edited on Tue Jul-26-05 10:33 AM by youspeakmylanguage
...but since I dumped Microshaft and switched to Linux, I've had doors shut in my face from all sides. Everyone from salesmen at ISPs to teenagers working at CompUSA have become hostile and dismissive at the mere mention of Linux.

I don't for a second believe that Microsoft bribes teenagers at computer stores to hype their product and trash others, but the monoculture that exists in computing today is amazing.
 
KurtNYC Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 01:24 PM
Response to Reply #15
35. Arrogance to cover for ignorance
it sounds like. If you ask salespeople about a product they don't sell (in many industries, not just IT) they will trash it.
 
youspeakmylanguage Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 01:36 PM
Response to Reply #35
39. Good point...
Edited on Tue Jul-26-05 01:39 PM by youspeakmylanguage
...not to mention that a lot of people that work in commercial software development have a misguided of OS/GNU projects and view them as a threat.

It doesn't bother me enough to go back to the dark side, though.
 
RoyGBiv Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:36 AM
Response to Reply #14
16. That would likely be a good bet ...
Edited on Tue Jul-26-05 11:02 AM by RoyGBiv
On a related note, I checked again, and the article doesn't bother to mention that one of the new and improved methods of compromising a person's system is through Windows Media files with DRM. (It's actually not new, but it's turning up more often from what I've seen.) You open the file, but before it can play, it has to contact a server on the Internet to get a license. But, wait, it didn't get just a license. It also downloaded and installed a nice trojan.

After reading it a second time, I was even more floored by the ignorance expressed. I'd bet the author consulted some PR person from Microsoft who fed him all the information he got. It warns of dangers in iTunes and Firefox, both competitors for Microsoft products. It implies the OS you have doesn't matter, which indirectly attacks alternative OSs. At the end, it closes with a sales pitch of sorts by mentioning MS's "new" OS and the "more secure" version of IE. That "more secure" version of IE isn't going to be as secure as FF and Opera already are.

This article is a pre-release sales pitch.
 
icymist Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:49 AM
Response to Reply #16
20. I always thought that the same people making virus protection services...
Were the same ones making the viruses. Now, I'm a bit more convinced of it.
 
mccoyn Donating Member (512 posts) Send PM | Profile | Ignore Tue Jul-26-05 10:38 AM
Response to Reply #11
17. So MS should stop hacks on all software too?
How on earth is MS going to stop a program like iTunes or Firefox that has been infected? This isn't an OS issue. The OS has to give its programs certain abilities to operate. If the program has a vulnerability there isn't a thing the OS can do about it, unless it were to overly cripple every application that runs on it.
 
RoyGBiv Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 10:51 AM
Response to Reply #17
23. This makes no sense ...

Explain to me how Firefox or iTunes gets infected. With your explanation please include a description of what it means for these programs to be infected.

Once you're done, then we'll talk.
 
mccoyn Donating Member (512 posts) Send PM | Profile | Ignore Tue Jul-26-05 11:31 AM
Response to Reply #23
28. Buffer overwrite.
A flaw in the software like a buffer overwrite can be used by a hacker or virus to inject executable code into the program's memory area, overwriting existing code. When the program then tries to run the code in the program memory it runs the hack or virus instead. This all takes place between the program's code and the hardware; the OS is hardly involved at all.

When a program's memory has a virus in place of expected code that the program will run at some time then that program can be considered to be infected.

Buffer overwrites are one of the biggest problems. Many of them do exist in MS operating systems, but they are very common in other programs as well. Not that there aren't other kinds of bugs that allow hacks in the same or similar manner.
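The buffer overwrite described in reply #28, as an added example that is not part of any poster's message: a constructed model of one stack frame in which an unchecked copy runs past a 16-byte buffer into the saved return target, next to a bounds-checked copy that rejects the same input. The frame layout, the guard ("canary") word, and all names and values are assumptions made for this illustration; the guard check goes beyond what the thread discusses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: one stack frame as a flat byte array, so a write past the
 * logical buffer stays inside the array and is well-defined C.
 * Layout: [ 16-byte buffer | 8-byte guard | 8-byte saved return target ] */
enum { BUF_SIZE = 16, GUARD_SIZE = 8, RET_SIZE = 8,
       FRAME_SIZE = BUF_SIZE + GUARD_SIZE + RET_SIZE };

#define GUARD_VALUE   0x00c0ffee5afe0a0dULL /* constructed guard ("canary") */
#define RETURN_TARGET 0x0000000000401000ULL /* constructed return target */

typedef struct { unsigned char mem[FRAME_SIZE]; } frame_t;
typedef enum { FRAME_OK, INPUT_REJECTED, CORRUPTION_DETECTED } outcome_t;

static void frame_init(frame_t *f)
{
    uint64_t guard = GUARD_VALUE, ret = RETURN_TARGET;
    memset(f->mem, 0, sizeof f->mem);
    memcpy(f->mem + BUF_SIZE, &guard, GUARD_SIZE);
    memcpy(f->mem + BUF_SIZE + GUARD_SIZE, &ret, RET_SIZE);
}

static uint64_t frame_return_target(const frame_t *f)
{
    uint64_t ret;
    memcpy(&ret, f->mem + BUF_SIZE + GUARD_SIZE, RET_SIZE);
    return ret;
}

static int frame_guard_intact(const frame_t *f)
{
    uint64_t guard;
    memcpy(&guard, f->mem + BUF_SIZE, GUARD_SIZE);
    return guard == GUARD_VALUE;
}

/* The flaw: the copy trusts the caller's length instead of the buffer size. */
static void copy_unchecked(frame_t *f, const unsigned char *src, size_t n)
{
    if (n > FRAME_SIZE) n = FRAME_SIZE;  /* clamp only to keep the model defined */
    memcpy(f->mem, src, n);
}

/* The fix: refuse anything that does not fit in the buffer. */
static int copy_checked(frame_t *f, const unsigned char *src, size_t n)
{
    if (n > BUF_SIZE) return -1;
    memcpy(f->mem, src, n);
    return 0;
}

/* Copy `len` bytes of sample input into a fresh frame, then report whether the
 * guard still holds and whether the saved return target was changed. */
static outcome_t handle_input(int checked, size_t len, int *ret_changed)
{
    unsigned char input[FRAME_SIZE];
    frame_t f;

    memset(input, 'A', sizeof input);    /* constructed sample input */
    if (len > sizeof input) len = sizeof input;
    frame_init(&f);
    *ret_changed = 0;

    if (checked) {
        if (copy_checked(&f, input, len) != 0) return INPUT_REJECTED;
    } else {
        copy_unchecked(&f, input, len);
    }
    *ret_changed = frame_return_target(&f) != RETURN_TARGET;
    return frame_guard_intact(&f) ? FRAME_OK : CORRUPTION_DETECTED;
}

int main(void)
{
    static const char *names[] = { "ok", "input rejected", "corruption detected" };
    size_t lens[] = { 12, 20, 32 };
    for (int checked = 0; checked <= 1; checked++)
        for (size_t i = 0; i < 3; i++) {
            int changed;
            outcome_t o = handle_input(checked, lens[i], &changed);
            printf("%-9s len=%2zu -> %s, return target %s\n",
                   checked ? "checked" : "unchecked", lens[i], names[o],
                   changed ? "overwritten" : "unchanged");
        }
    return 0;
}
```

With a 20-byte input the unchecked copy damages only the guard, so the corruption is caught before the return target is touched; with 32 bytes both are overwritten.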
 
RoyGBiv Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 12:02 PM
Response to Reply #28
31. Interesting response, thanks ...
Since you offered a genuine response, I'll offer a genuine answer. Microsoft has no obligation to prevent problems with particular software applications written for its platform. If they are buggy, that's the problem of the people who wrote it. However, MS does have a responsibility to secure its platform. If an exploit takes advantage of a bug in a program to exploit a flaw in an OS, both developers share the blame.

The buffer overflow is indeed a cross-platform problem because it happens to be an issue involved with C and its derivatives, i.e. it is a problem with a programming language.

Under Unix-ish type systems, security measures can be put in place that prevent the stack from being used for program execution. This cannot be done under Windoze because the OS itself requires the stack to allow program execution. So, in my view, one OS is more exploitable than another, and if I were a malware developer, I would choose the one with more vulnerabilities. As it relates to the article beginning this thread, these exploits are not "bypassing" the operating system. They are using flaws in the operating system that are facilitated by poorly written software.

So, yes, MS is partly to blame for the exploit being exploitable.

 
mccoyn Donating Member (512 posts) Send PM | Profile | Ignore Tue Jul-26-05 12:43 PM
Response to Reply #31
34. The poorly written program still isn't MS.
A non-executable stack is an extraneous security measure. Not having it isn't a flaw. If all the programs were written properly it would be a non-issue. Instead it is an extra effort taken by the OS to protect the system. I will agree that this is a good measure and an OS that has it is more secure. I don't think that not having it is reason to blame MS for the attack. The bad code isn't theirs.
 
RoyGBiv Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 01:49 PM
Response to Reply #34
42. The bad code is partly theirs ...
Edited on Tue Jul-26-05 01:55 PM by RoyGBiv
The code in MS's operating systems that requires executable stacks is an exploitable issue. In addition, many services in the OS are so full of buffer overflow problems that each major service update has included at least one fix for it.

The bad code (and it's not bad code as much as bad programming language implementation) is a mode of exploitation, but not the exploit all by itself. This is why I said the responsibility is shared.

Furthermore, depending on what said code does, if you execute it on a system in which it cannot do any damage to the overall system, you don't really have as much of an issue. Windoze doesn't allow you to isolate code to that level.

OnEdit: Have you ever taken a look at the Windoze APIs and services that are bound to an application when it is running? Are you aware that MS made the decision to tie the C/C++ programming language to these APIs, said programming language, and its derivatives, being the language that has the inherent buffer overflow flaw in it?
 
mccoyn Donating Member (512 posts) Send PM | Profile | Ignore Tue Jul-26-05 02:27 PM
Response to Reply #42
46. Right because C/C++ wasn't the industry standard 5 years ago.
5 years ago everything was designed for C/C++ and that goes for Linux as well. Windows newest API is .Net, which is memory safe.

C/C++ comes from a time when the programming language was simple to give the programmers a stronger access to the limited resources (speed) of computers of the time. It just didn't make sense to delegate the responsibility of checking for buffer overwrites to the compiler when the programmer could do it more efficiently on a case by case basis. That makes less sense today, but it takes time for OSs to move on.

"Furthermore, depending on what said code does, if you execute it on a system in which it cannot do any damage to the overall system, you don't really have as much of an issue. Windoze doesn't allow you to isolate code to that level."

I agree completely. That's an issue of an OS taking extra effort to provide security. An OS that doesn't do that isn't responsible for the eventual exploits. A builder who doesn't install alarm systems isn't responsible for eventual thefts.
 
Ysolde Donating Member (368 posts) Send PM | Profile | Ignore Tue Jul-26-05 04:09 PM
Response to Reply #46
48. I've read this discussion between you & RoyGBiv
and I have to interject...

I am a Systems Software Programmer for a truly secure OS (VMS). No buffer overflows by any application can compromise the entire system. Virii just can't get started in VMS. VMS wasn't even invited back to DEFCON because it's "not hackable".

So, I do hold MS at fault for not building security in from the ground up. You can not "patch on" security as you will never be able to completely secure everything if your OS is not fundamentally secure. Why do I hold MicroSoft accountable? Because they developed Windows long after VMS and even longer than *Nix. They could have learned from the previous OSes and built security in. They chose not to (for convenience, time to market, whatever), so they are responsible for the lack of security and the fact that poor programming can bring down a system. They made the choice, now it's their problem to fix.
 
Buck Turgidson Donating Member (434 posts) Send PM | Profile | Ignore Tue Jul-26-05 06:12 PM
Response to Reply #48
53. VMS gurus designed Windows NT
Of course, you know that David Cutler designed VMS and then went to Microsoft to design Windows NT.

Meanwhile Microsoft continued to develop Windows NT. Microsoft hired Dave Cutler, one of the chief architects of VMS at Digital Equipment Corporation (later purchased by Compaq, now part of Hewlett-Packard) to develop NT into a more capable operating system. Cutler had been developing a follow-on to VMS at DEC called Mica, and when DEC dropped the project he brought the expertise and some engineers with him to Microsoft. DEC also believed he brought Mica's code to Microsoft and sued. Microsoft eventually paid $150 million US and agreed to support DEC's Alpha CPU chip in NT.


http://en.wikipedia.org/wiki/History_of_Microsoft_Windows
 
RoyGBiv Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 06:17 PM
Response to Reply #48
54. Thank you and well said ...
Edited on Tue Jul-26-05 06:19 PM by RoyGBiv
I was hoping a bona fide professional in this area would step in and say something.

I am not an expert in this area. It's just something I've made it my business to know for the last 20 odd years, which includes picking the brains of some programmer and network specialist friends. But, I sometimes question my own understanding.

I welcome corrections and additions to anything I've said.

 
bemildred Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 07:00 PM
Response to Reply #48
59. Well said.
VMS is still my favorite OS in most respects, if a bit verbose at times. I've done a lot of Unix work since, and you do get to like the "terseness" because it means fewer keystrokes, but I really did love VMS, everything worked right and there was always a good solution in the OS when you needed it. I still curse Ken Olsen now and then.

It's probably worth adding that one of the reasons for the security of VMS is that it's "closed source", or at least was, I'm not sure of the current status. And one of the reasons for the lesser (but still not bad) security of Unixen is the open source development model which means there is a loosening of control.

And it's probably worth mentioning that a lot of Windoze problems derive from the primacy of marketing in the design and requirements processes. To do a really good OS you have to limit the discussion to OS level issues.
 
RoyGBiv Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 06:38 PM
Response to Reply #46
55. OS Security ...
Edited on Tue Jul-26-05 06:39 PM by RoyGBiv
In my view, there is no such thing as "extra effort" in providing security. The fundamental flaw with Windows is that security was not one of the prime considerations as it was initially being built.

Let me backtrack a moment and come at this from another angle. We've gotten sidetracked somewhere, which is partly my fault.

The article referenced in the first post is based in part on a SANS report highlighting the current worst security vulnerabilities. The title of this report claims that hackers are bypassing Windows to take advantage of these exploits. My complaint with this premise, as already mentioned, is that these exploits are fundamental to the Windows operating system itself. My evidence for this is in fact contained in the SANS report itself.

All but two of the highlighted vulnerabilities are exclusive to applications that run on the Windows operating system. One of the remainder is a cross-platform application, namely Firefox. Interestingly, this is the only application to which the premise of the story could possibly apply. Some of those vulnerabilities have to do with things like spoofing URLs, a JAVAscript problem, and similar issues. Other Firefox issues involve code execution in a *Windows* environment. Another of the vulnerable applications is iTunes prior to version 4.8, and I must admit I'm not familiar enough with this application to know whether this is Windows specific or not. The details of the vulnerability do not say. Finally, a vulnerability was discovered in Mac OS X 10.4.1 and earlier.

With the exception of the JAVA problem and possibly the problem with iTunes, note the similarities. The problems exist under a Windows environment. How, in anyone's imagination, does this lead to a headline "Hackers skip Windows ..."?

 
Gormy Cuss Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 11:07 AM
Response to Reply #11
25. Since you're attuned to this, I have a question re: SANS
This isn't my area so googling SANS won't answer the question I have, which is whether SANS is a shill for Microsoft and the other corporate players. Are you familiar with this group?
 
RoyGBiv Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Jul-26-05 11:22 AM
Response to Reply #25
27. Familiar, but not that familiar ...
Edited on Tue Jul-26-05 11:30 AM by RoyGBiv
I read their reports, but I don't have any insight into who or what backs their work. Based entirely on those reports, the critique they offer seems to be pretty balanced. Of the top 20 worst vulnerabilities they highlight in their latest report, Microsoft owns 6 of them. Others are directly related to non-MS products developed to address a flaw in MS's own products, notably the OS, backups, and network connectivity control. One specific flaw, that SANS currently rates as the worst security threat, involves a non-MS product, but one that in turn relies on Microsoft Exchange to do its work. The exploit involves this interaction. Many of these exploits do not exist on, for example, a GNU/Linux system, which demolishes the premise of the story.

I should add that the problem with this article is not the individual details mentioning various exploits in software that lead to identity theft and the like. As noted, these problems have little to do with the OS. SANS is quite clearly correct on that point. The problem with the article is its editorial direction and the implicit conclusions offered, the worst of which is the title. The programs themselves are not being "hacked" in the sense the author means, and they themselves are not "infected" with anything. The whole thing implies that viruses, trojans, worms, etc. are showing up on people's computers that are not OS specific, and this is simply not the case. But note that SANS doesn't say that. The author (and editor) of this article implies it.

I have my suspicions regarding a MS influence on this article because of those implications and the way it is written. The author is taking good information and presenting it in a very bad way. Of course, it could be that MS had no influence whatsoever except on the mind of the author. That author could simply be an over-zealous MS "fanboy" in need of a story idea.

mccoyn Donating Member (512 posts) Tue Jul-26-05 11:40 AM
Response to Reply #27
29. I just reread the article.
There is no mention of an alternative OS or a program being hacked across different OSs. Instead I see this paragraph:

"The report, issued quarterly, is unwelcome news for consumers and businesses hoping for relief as software makers such as Microsoft Corp. work to improve the security of the operating systems that power individual machines and computer networks."

To me, the article seems to be saying fixes in the MS OS won't stop the problems.

RoyGBiv Donating Member (1000+ posts) Tue Jul-26-05 12:14 PM
Response to Reply #29
32. No mention ...

I don't recall saying alternative OSs were mentioned.

I did note that suggesting that viruses, trojans, etc. were "bypassing" OSs is an implicit attack on alternative OSs.


mccoyn Donating Member (512 posts) Tue Jul-26-05 12:37 PM
Response to Reply #32
33. Clarification.
This is the line I was mainly replying to.

"The whole thing implies that viruses, trojans, worms, etc. are showing up on people's computers that are not OS specific."

I just don't see that implication in the article. It's not explicitly stated that these things aren't happening elsewhere, but that doesn't quite imply that they are since the article isn't talking about other OSs at all.

IChing Donating Member (1000+ posts) Tue Jul-26-05 01:29 PM
Response to Reply #33
36. dos based OS systems have VISTA
Which stands for viruses, infections, spyware, trojans and adware.

Unix based systems need administrative permissions and as of yet
have no viruses or trojans.

mccoyn Donating Member (512 posts) Tue Jul-26-05 02:32 PM
Response to Reply #36
47. IMHO : UNIX/Linux is more secure than Microsoft.
I think I should get that out to minimize the arguing moot points.

RoyGBiv Donating Member (1000+ posts) Tue Jul-26-05 01:42 PM
Response to Reply #33
40. "Hackers Skip Windows"

"Hackers now often bypass operating systems,"

Both these comments imply strongly that the problems are not OS specific.

And then there's this gem. "Even programs designed in part as a safer alternative to Microsoft, such as the increasingly popular Web browser Firefox, are being hacked, the report said."

FireFox is not an alternative to "Microsoft." It is an alternative to Microsoft's web browser. The sentence implies "alternatives to Microsoft" in all its forms are no safer than products by Microsoft.

IChing Donating Member (1000+ posts) Tue Jul-26-05 01:47 PM
Response to Reply #40
41. Funny, I just bought a new computer with Firefox as its OS
Edited on Tue Jul-26-05 01:48 PM by IChing
:sarcasm:


Sounds like the writer of this article has an axe to grind for Microsoft

since Microsoft's new OS system VISTA is coming out.

RoyGBiv Donating Member (1000+ posts) Tue Jul-26-05 02:09 PM
Response to Reply #41
45. I dual boot ...
Edited on Tue Jul-26-05 02:10 PM by RoyGBiv
One partition dedicated to FF, the other to T-Bird. :-)

Seriously, your last comment echoes my thought exactly.

bemildred Donating Member (1000+ posts) Tue Jul-26-05 05:17 PM
Response to Reply #11
49. Sounds like FUD to me. nt

RoyGBiv Donating Member (1000+ posts) Tue Jul-26-05 06:09 PM
Response to Reply #49
52. FUD?

Sorry, not familiar with this particular acronym.


bemildred Donating Member (1000+ posts) Tue Jul-26-05 06:48 PM
Response to Reply #52
56. Fear, Uncertainty, Doubt.
Intended to spook the herd.

RoyGBiv Donating Member (1000+ posts) Tue Jul-26-05 06:50 PM
Response to Reply #56
58. Aha!
Thanks.

:toast:


AllyCat Donating Member (1000+ posts) Tue Jul-26-05 06:03 PM
Response to Reply #11
51. Don't understand much about this, but know that since installing FF
I've had NO security issues come up on any of my anti-spyware programs, firewall alerts, virus scanner, or anything else. Whenever I've had to restart my DSL service (SBC--they are horrible!), I usually run HiJack This to clear out the garbage that comes with their software.

When I had these systems AND other MSN products like IE and Microsoft Outlook, these "security" programs went crazy on a daily basis, alerting me to compromises. Not so with Firefox, and frankly, with Thunderbird, I feel safe opening my email inbox again.

So MS can send out all the phony press releases they want. They will never convince me or those I've converted to my way of surfing to switch from FF or TB.


RoyGBiv Donating Member (1000+ posts) Tue Jul-26-05 06:49 PM
Response to Reply #51
57. I've had a similar experience ...

I know and keep up with the vulnerabilities in FireFox, and I find them at least manageable. I don't have the time to keep up with the problems in IE, much less Outlook. FWIW, it's not just FF that deserves praise in this area. Opera and Mozilla Suite, for example, have far fewer issues with which users need to be familiar.

I do occasionally get alerts for potential viruses and trojans, but usually this is because I download something archived as a .RAR or .ZIP, and the offender is packed somewhere in there. No browser can protect against us telling it to do something inherently unsafe, and downloading applications from the Internet can be inherently unsafe, one main reason for the development of virus checkers in the first place.

FF has been so good of late that I've gotten a bit lazy about running my Spyware detection tools. I also tend to use my GNU/Linux installation for web browsing, so that helps too. I did run my spyware utilities just a few minutes ago, and after a month of not checking, still no problems.


fshrink Donating Member (1000+ posts) Tue Jul-26-05 01:33 PM
Response to Original message
37. Comes with monopoly.
That's why nature privileges diversity...

© 2001 - 2011 Democratic Underground, LLC