Security Laboratory: Methods of Attack Series
These papers introduce you to the most common attack methods against computer systems and networks and the basic strategies used to mitigate those threats.
Other Related Articles in Security Laboratory: Methods of Attack Series
Logic Bombs, Trojan Horses, and Trap Doors
May 2nd, 2007
By Stephen Northcutt, Google+
There are many types of malicious code in the wild today. Though they are only a small subset of these, logic bombs, Trojan horses, and trap doors are fairly common.
Logic bombs are small programs or sections of a program triggered by some event such as a certain date or time, a certain percentage of disk space filled, the removal of a file, and so on. For example, a programmer could establish a logic bomb to delete critical sections of code if she is terminated from the company. Logic bombs are most commonly installed by insiders with access to the system.
UBS PaineWebber system administrator Roger Duronio has been charged with Logic bomb
Former UBS PaineWebber system administrator, Roger Duronio, has been charged with sabotaging company computer systems in an attempt to manipulate its stock price. Duronio placed logic bombs that deleted files on the computers. Duronio has been charged with one count of securities fraud and one count of violation of the Computer Fraud and Abuse Act.
Trojan horses (often just called Trojans) are programs that must be installed or executed by a user to be effective. Often, these are disguised as helpful or entertaining programs which can include operating system patches, Linux packages, or games. Once executed, however, Trojans perform actions the user did not intend such as opening certain ports for later intruder access, replacing certain files with other malicious files, and so on.1
"Assistant U.S. Attorney Mauro Wolfe gave his closing arguments to the jury in U.S. District Court here for more than two hours Monday. He told jurors that Roger Duronio, the defendant in this computer sabotage case, was the man with the motive, the means and the ability to do the crime. And on top of that, copies of the trigger for the logic bomb were found in his home."2 He was sentenced for 8 years.3
Roger Duronio showed all the classic signs of entitlement
Entitlement, railing at a perceived injustice, is known as a "trigger". A trigger, commonly seen in insider attack and espionage cases, is an event that causes an individual to choose to act out betrayal. "Many people, perhaps most people, experience some form of stress that threatens their self-image at some time in their lives. They face serious financial problems combined with an available opportunity for illegal gain; failure to compete effectively with their peers; perceived injustice at the hands of an employer or supervisor; termination from a job under circumstances that prompt resentment; rejection or betrayal by a spouse or other close family member."4
A chilling piece of journalism from Information Week shows this was quite likely to come.
NOTE: This was such a serious breach of faith that Paine Webber changed their name to UBS Wealth Management after the incident.
Logic bombs for good
Some of these techniques can also be used against attackers in a devious sort of way. Administrators sometimes intentionally deploy pseudo flaws, also known as honey tokens, which are things that look vulnerable to attack but really act as alarms or triggers of automatic actions when an intruder attempts to exploit the flaw. Do not confuse the single pseudo flaw with the concept of a pseudo flaw that extends to encompass an entire host or network - often referred to as a honeypot or a honeynet; neither of these terms properly refers to a single pseudo flaw.
Trap doors, also referred to as backdoors, are bits of code embedded in programs by the programmer(s) to quickly gain access at a later time, often during the testing or debugging phase. If an unscrupulous programmer purposely leaves this code in or simply forgets to remove it, a potential security hole is introduced. Hackers often plant a backdoor on previously compromised systems to gain later access. Trap doors can be almost impossible to remove in a reliable manner. Often, reformatting the system is the only sure way.
DEBUG mode Sendmail, the most famous Unix Trap Door
The so called Morris worm took advantage of a common trap door in 1988. Here is a part of that famous account,
The ultimate Trap Door, in the compiler itself
Thompson's paper described a modified version of the Unix C compiler that would:
- Put an invisible backdoor in the Unix login command when compiled and as a twist
- Also add this feature undetectably to future compiler versions upon their compilation as well.
Defending against logic bombs and trap/back doors
According the the Chey Cobb blog,
Indeed it is a tough problem. In the case of Roger Duronio, it is not clear if more money would have helped him despite the fact that he had a supportive supervisor. Of the five types of defense in depth architectures, the hardest to implement, threat vector analysis10, works best against this difficult issue. We have little doubt at this point that UBS Wealth Management has a documented threat of unauthorized modification of code and has determined the vectors that one would have to use to accomplish this. Generally this requires separation of duties so that one person cannot move modified code to a production system; they can, at most, move it to a staging area. In addition, we would not be surprised to find code audits high on the list!
SANS courses that teach how to defend against logic bombs and trap doors include:
- Reverse-Engineering Malware - Hands-On11 - The same principles used to analyze malware work just fine on any code you have in your organization.
- Java Security Auditing12 - If you are programming in Java, this will teach your auditors what to look for so they can find logic bombs and trap doors