Security Laboratory


Security Laboratory: Methods of Attack Series

These papers introduce you to the most common attack methods against computer systems and networks and the basic strategies used to mitigate those threats.


Logic Bombs, Trojan Horses, and Trap Doors

By Stephen Northcutt

There are many types of malicious code in the wild today. Though they are only a small subset of these, logic bombs, Trojan horses, and trap doors are fairly common.

Logic Bombs
Logic bombs are small programs or sections of a program triggered by some event such as a certain date or time, a certain percentage of disk space filled, the removal of a file, and so on. For example, a programmer could establish a logic bomb to delete critical sections of code if she is terminated from the company. Logic bombs are most commonly installed by insiders with access to the system.

UBS PaineWebber system administrator Roger Duronio charged with planting a logic bomb
Former UBS PaineWebber system administrator, Roger Duronio, has been charged with sabotaging company computer systems in an attempt to manipulate its stock price. Duronio placed logic bombs that deleted files on the computers. Duronio has been charged with one count of securities fraud and one count of violation of the Computer Fraud and Abuse Act.

Trojan Horses
Trojan horses (often just called Trojans) are programs that must be installed or executed by a user to be effective. Often, these are disguised as helpful or entertaining programs, which can include operating system patches, Linux packages, or games. Once executed, however, Trojans perform actions the user did not intend, such as opening certain ports for later intruder access, replacing certain files with other malicious files, and so on.1

"Assistant U.S. Attorney Mauro Wolfe gave his closing arguments to the jury in U.S. District Court here for more than two hours Monday. He told jurors that Roger Duronio, the defendant in this computer sabotage case, was the man with the motive, the means and the ability to do the crime. And on top of that, copies of the trigger for the logic bomb were found in his home."2 He was sentenced to 8 years.3

Roger Duronio showed all the classic signs of entitlement
Entitlement, railing at a perceived injustice, is known as a "trigger". A trigger, commonly seen in insider attack and espionage cases, is an event that causes an individual to choose to act out betrayal. "Many people, perhaps most people, experience some form of stress that threatens their self-image at some time in their lives. They face serious financial problems combined with an available opportunity for illegal gain; failure to compete effectively with their peers; perceived injustice at the hands of an employer or supervisor; termination from a job under circumstances that prompt resentment; rejection or betrayal by a spouse or other close family member."4

A chilling piece of journalism from Information Week shows that this outcome was quite foreseeable.

"Wolfe reminded the jury about the testimony of Rajeev Khanna, manager for UBS's Unix Systems Group, at the time of the attack. Khanna had told the jury that Duronio went to him in 2000, saying he had 'cash flow problems' and asking for a pay increase. Khanna said he had liked Duronio and went to bat for him, even though it was midyear and an unusual time to ask for, or give out, a pay raise. Khanna got Duronio a $10,000 bump in salary. But Wolfe was quick Monday to remind the jury that Duronio had not been satisfied with it. 'It wasn't good enough,' Wolfe told the jury. 'The seeds were planted. He wasn't happy with what he was taking home.'"5

NOTE: This was such a serious breach of faith that Paine Webber changed its name to UBS Wealth Management after the incident.

Logic bombs for good

Some of these techniques can also be used against attackers in a devious sort of way. Administrators sometimes intentionally deploy pseudo flaws, also known as honey tokens: things that look vulnerable to attack but really act as alarms, or as triggers for automatic actions, when an intruder attempts to exploit the flaw. Do not confuse a single pseudo flaw with the broader concept in which the pseudo flaw encompasses an entire host or network, usually referred to as a honeypot or a honeynet; neither of those terms properly refers to a single pseudo flaw.
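The alarm side of a pseudo flaw, as an added example that is not part of the original article: decoy identifiers are seeded where an intruder would find them, and a monitor raises an alarm the moment any of them appears in a log, whether the attempt succeeded or not. The log format, the decoy values and the sample log lines are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Decoy identifiers seeded where an intruder would find them; no legitimate
# process ever uses them, so every occurrence is an alarm. Values are constructed.
HONEY_TOKENS = {
    "svc_backup_legacy": "decoy account left in a stale backup config",
    "AKIA0HONEYTOKEN0EXAMPLE": "decoy cloud API key left in deployment notes",
}

# Log format assumed for this example: "<timestamp> <event> key=value ...".
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alarm:
    ts: str
    token: str
    src: str
    reason: str


def scan_for_honey_tokens(lines: Iterable[str]) -> List[Alarm]:
    """Return one Alarm per log line in which any field value is a honey token.

    A failed attempt counts as much as a success: the point of a pseudo flaw is
    that nobody should be touching it at all, so there is no benign baseline.
    """
    alarms = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the monitor
        ts, _event, rest = parts
        fields = dict(KV_RE.findall(rest))
        for value in fields.values():
            if value in HONEY_TOKENS:
                alarms.append(Alarm(ts, value, fields.get("src", "unknown"), HONEY_TOKENS[value]))
                break  # one alarm per line is enough
    return alarms


# Constructed sample log: normal traffic plus two touches of the decoys.
SAMPLE_LOG = [
    "2023-01-05T02:14:07Z sshd user=alice result=success src=10.1.2.3",
    "2023-01-05T02:15:41Z sshd user=svc_backup_legacy result=failure src=10.9.8.7",
    "2023-01-05T02:15:59Z sshd user=bob result=failure src=10.1.2.4",
    "2023-01-05T02:16:30Z api key=AKIA0HONEYTOKEN0EXAMPLE result=denied src=203.0.113.5",
]

if __name__ == "__main__":
    for a in scan_for_honey_tokens(SAMPLE_LOG):
        print(f"ALARM {a.ts} token={a.token} src={a.src}: {a.reason}")
```

Note that the ordinary failed login for bob is ignored; only the decoy account and decoy key raise alarms.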

Trap doors
Trap doors, also referred to as backdoors, are bits of code embedded in programs by the programmer(s) to quickly gain access at a later time, often during the testing or debugging phase. If an unscrupulous programmer purposely leaves this code in or simply forgets to remove it, a potential security hole is introduced. Hackers often plant a backdoor on previously compromised systems to gain later access. Trap doors can be almost impossible to remove in a reliable manner. Often, reformatting the system is the only sure way.

DEBUG mode Sendmail, the most famous Unix Trap Door

The so-called Morris worm took advantage of a common trap door in 1988. Here is a part of that famous account:

"Sendmail is the program that provides the SMTP mail service on TCP networks for Berkeley UNIX systems. It uses a simple character-oriented protocol to accept mail from remote sites. One feature of sendmail is that it permits mail to be delivered to processes instead of mailbox files; this can be used with (say) the vacation program to notify senders that you are out of town and are temporarily unable to respond to their mail. Normally this feature is only available to recipients. Unfortunately a little loophole was accidentally created when a couple of earlier security bugs were being fixed - if sendmail is compiled with the DEBUG flag, and the sender at runtime asks that sendmail enter debug mode by sending the debug command, it permits senders to pass in a command sequence instead of a user name for a recipient. Alas, most versions of sendmail are compiled with DEBUG, including the one that Sun sends out in its binary distribution. The worm mimics a remote SMTP connection, feeding in /dev/null as the name of the sender and a carefully crafted string as the recipient. The string sets up a command that deletes the header of the message and passes the body to a command interpreter. The body contains a copy of the worm bootstrap source plus commands to compile and run it. After the worm finishes the protocol and closes the connection to sendmail, the bootstrap will be built on the remote host and the local worm waits for its connection so that it can complete the process of building a new worm."6

The ultimate Trap Door, in the compiler itself
"Ken Thompson's Reflections on Trusting Trust7 was the first major paper to describe black box backdoor issues, and points out that trust is relative. It described a very clever backdoor mechanism based upon the fact that people only review source (human-written) code, and not compiled machine code. A program called a compiler is used to create the second from the first, and the compiler is usually trusted to do an honest job.

Thompson's paper described a modified version of the Unix C compiler that would:
  • Put an invisible backdoor in the Unix login command when compiled and as a twist
  • Also add this feature undetectably to future compiler versions upon their compilation as well.
Because the compiler itself was a compiled program, users would be extremely unlikely to notice the machine code instructions that performed these tasks. (Because of the second task, the compiler's source code would appear "clean".) What's worse, in Thompson's proof of concept implementation, the subverted compiler also subverted the analysis program (the disassembler), so that anyone who examined the binaries in the usual way would not actually see the real code that was running, but something else instead. This version was never released into the wild. It was released to a sibling Bell Labs organization as a test case; they never found the attack."8

Defending against logic bombs and trap/back doors
According to the Chey Cobb blog,

"How can companies defend against such attacks? Some executives may bridle at our answer, but we think it is the right one: by hiring the right people and then treating them right. In other words, this is a people problem and so it needs a human solution. All the technology in the world is not going to prevent an insider, with authorized system access and detailed knowledge of the system, from planting a logic bomb. There are some technologies, such as network surveillance and monitoring programs, that might detect attempts to create logic bombs. Integrity checking software might deflect attacks from logic bombs. Properly enforced software development policies and procedures will make it harder for someone to plant a logic bomb. But the bottom line is that a determined insider is almost impossible to stop."9

Indeed it is a tough problem. In the case of Roger Duronio, it is not clear if more money would have helped him despite the fact that he had a supportive supervisor. Of the five types of defense in depth architectures, the hardest to implement, threat vector analysis10, works best against this difficult issue. We have little doubt at this point that UBS Wealth Management has a documented threat of unauthorized modification of code and has determined the vectors that one would have to use to accomplish this. Generally this requires separation of duties so that one person cannot move modified code to a production system; they can, at most, move it to a staging area. In addition, we would not be surprised to find code audits high on the list!

SANS courses that teach how to defend against logic bombs and trap doors include: