Security Laboratory
- Security Laboratory: Methods of Attack Series
These papers introduce you to the most common attack methods against computer systems and networks and the basic strategies used to mitigate those threats.
Logic Bombs, Trojan Horses, and Trap Doors
May 2nd, 2007
By Stephen Northcutt
There are many types of malicious code in the wild today. Though they are only a small subset of these, logic bombs, Trojan horses, and trap doors are fairly common.
Logic Bombs
Logic bombs are small programs or sections of a program triggered by some event such as a certain date or time, a certain percentage of disk space filled, the removal of a file, and so on. For example, a programmer could establish a logic bomb to delete critical sections of code if she is terminated from the company. Logic bombs are most commonly installed by insiders with access to the system.
UBS PaineWebber system administrator Roger Duronio charged over logic bomb
Former UBS PaineWebber system administrator, Roger Duronio, has been charged with sabotaging company computer systems in an attempt to manipulate its stock price. Duronio placed logic bombs that deleted files on the computers. Duronio has been charged with one count of securities fraud and one count of violation of the Computer Fraud and Abuse Act.
Trojan Horses
Trojan horses (often just called Trojans) are programs that must be installed or executed by a user to be effective. Often, these are disguised as helpful or entertaining programs which can include operating system patches, Linux packages, or games. Once executed, however, Trojans perform actions the user did not intend such as opening certain ports for later intruder access, replacing certain files with other malicious files, and so on.[1]
"Assistant U.S. Attorney Mauro Wolfe gave his closing arguments to the jury in U.S. District Court here for more than two hours Monday. He told jurors that Roger Duronio, the defendant in this computer sabotage case, was the man with the motive, the means and the ability to do the crime. And on top of that, copies of the trigger for the logic bomb were found in his home."[2] He was sentenced to 8 years.[3]
Roger Duronio showed all the classic signs of entitlement
Entitlement, railing at a perceived injustice, is known as a "trigger". A trigger, commonly seen in insider attack and espionage cases, is an event that causes an individual to choose to act out betrayal. "Many people, perhaps most people, experience some form of stress that threatens their self-image at some time in their lives. They face serious financial problems combined with an available opportunity for illegal gain; failure to compete effectively with their peers; perceived injustice at the hands of an employer or supervisor; termination from a job under circumstances that prompt resentment; rejection or betrayal by a spouse or other close family member."[4]
A chilling piece of journalism from Information Week shows this was likely coming:
"Wolfe reminded the jury about the testimony of Rajeev Khanna, manager for UBS's Unix Systems Group, at the time of the attack. Khanna had told the jury that Duronio went to him in 2000, saying he had "cash flow problems" and asking for a pay increase. Khanna said he had liked Duronio and went to bat for him, even though it was midyear and an unusual time to ask for, or give out, a pay raise. Khanna got Duronio a $10,000 bump in salary. But Wolfe was quick Monday to remind the jury that Duronio had not been satisfied with it. "It wasn't good enough," Wolfe told the jury. "The seeds were planted. He wasn't happy with what he was taking home."[5]
NOTE: This was such a serious breach of faith that Paine Webber changed their name to UBS Wealth Management after the incident.
Logic bombs for good
Some of these techniques can also be used against attackers in a devious sort of way. Administrators sometimes intentionally deploy pseudo flaws, also known as honey tokens, which are things that look vulnerable to attack but really act as alarms or triggers of automatic actions when an intruder attempts to exploit the flaw. Do not confuse the single pseudo flaw with the concept of a pseudo flaw that extends to encompass an entire host or network - often referred to as a honeypot or a honeynet; neither of these terms properly refers to a single pseudo flaw.
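As an added example (not code from the article or SANS), here is a honey-token alarm of the kind the paragraph describes: decoy account names are planted where an intruder would find them, nothing legitimate ever uses them, and a log scanner raises an alert the moment any login attempt names one. The account names, log format and addresses are constructed for illustration.

```python
"""Honeytoken alarm: flag any use of planted decoy credentials in auth logs.
Added example, not from the SANS article; the decoy account names and the
simplified sshd-style log lines below are constructed."""
import re
from dataclasses import dataclass

# Decoy accounts planted where an intruder would find them (e.g. a stale-looking
# entry in a config file). Nothing legitimate uses them, so any attempt is an alarm.
HONEYTOKENS = {
    "svc_backup_old": "legacy backup service account (decoy)",
    "oracle_admin": "fake DBA account left in /etc/app.conf (decoy)",
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)

@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    source: str
    result: str
    reason: str

def scan_auth_log(lines):
    """Return an Alert for every attempt that names a honeytoken account.
    Failed attempts count too: the decoy should never be touched at all,
    so even a wrong password shows that someone found and tried it."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated log line
        user = m.group("user")
        if user in HONEYTOKENS:
            alerts.append(Alert(m.group("ts"), user, m.group("src"),
                                m.group("result"), HONEYTOKENS[user]))
    return alerts

SAMPLE_LOG = [  # constructed sample log lines
    "2007-05-02T10:01:05 sshd[4123]: Accepted password for alice from 10.0.0.5 port 52211 ssh2",
    "2007-05-02T10:02:17 sshd[4130]: Failed password for invalid user svc_backup_old from 203.0.113.9 port 40102 ssh2",
    "2007-05-02T10:02:21 sshd[4131]: Accepted password for oracle_admin from 203.0.113.9 port 40104 ssh2",
    "2007-05-02T10:03:00 cron[4200]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for a in scan_auth_log(SAMPLE_LOG):
        print(f"ALERT {a.timestamp} {a.user} from {a.source} ({a.result}): {a.reason}")
```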
Trap doors
Trap doors, also referred to as backdoors, are bits of code embedded in programs by the programmer(s) to quickly gain access at a later time, often during the testing or debugging phase. If an unscrupulous programmer purposely leaves this code in or simply forgets to remove it, a potential security hole is introduced. Hackers often plant a backdoor on previously compromised systems to gain later access. Trap doors can be almost impossible to remove in a reliable manner. Often, reformatting the system is the only sure way.
DEBUG mode Sendmail, the most famous Unix Trap Door
The so-called Morris worm took advantage of a common trap door in 1988. Here is part of that famous account:
"Sendmail is the program that provides the SMTP mail service on TCP networks for Berkeley UNIX systems. It uses a simple character-oriented protocol to accept mail from remote sites. One feature of sendmail is that it permits mail to be delivered to processes instead of mailbox files; this can be used with (say) the vacation program to notify senders that you are out of town and are temporarily unable to respond to their mail. Normally this feature is only available to recipients. Unfortunately a little loophole was accidentally created when a couple of earlier security bugs were being fixed - if sendmail is compiled with the DEBUG flag, and the sender at runtime asks that sendmail enter debug mode by sending the debug command, it permits senders to pass in a command sequence instead of a user name for a recipient. Alas, most versions of sendmail are compiled with DEBUG, including the one that Sun sends out in its binary distribution. The worm mimics a remote SMTP connection, feeding in /dev/null as the name of the sender and a carefully crafted string as the recipient. The string sets up a command that deletes the header of the message and passes the body to a command interpreter. The body contains a copy of the worm bootstrap source plus commands to compile and run it. After the worm finishes the protocol and closes the connection to sendmail, the bootstrap will be built on the remote host and the local worm waits for its connection so that it can complete the process of building a new worm."[6]
The ultimate Trap Door, in the compiler itself
"Ken Thompson's Reflections on Trusting Trust[7] was the first major paper to describe black box backdoor issues, and points out that trust is relative. It described a very clever backdoor mechanism based upon the fact that people only review source (human-written) code, and not compiled machine code. A program called a compiler is used to create the second from the first, and the compiler is usually trusted to do an honest job.
Thompson's paper described a modified version of the Unix C compiler that would:
- Put an invisible backdoor in the Unix login command when compiled and as a twist
- Also add this feature undetectably to future compiler versions upon their compilation as well.
Because the compiler itself was a compiled program, users would be extremely unlikely to notice the machine code instructions that performed these tasks. (Because of the second task, the compiler's source code would appear "clean".) What's worse, in Thompson's proof of concept implementation, the subverted compiler also subverted the analysis program (the disassembler), so that anyone who examined the binaries in the usual way would not actually see the real code that was running, but something else instead. This version was never released into the wild. It was released to a sibling Bell Labs organization as a test case; they never found the attack."[8]
Defending against logic bombs and trap/back doors
According to the Chey Cobb blog,
"How can companies defend against such attacks? Some executives may bridle at our answer, but we think it is the right one: by hiring the right people and then treating them right. In other words, this is a people problem and so it needs a human solution. All the technology in the world is not going to prevent an insider, with authorized system access and detailed knowledge of the system, from planting a logic bomb. There are some technologies, such as network surveillance and monitoring programs, that might detect attempts to create logic bombs. Integrity checking software might deflect attacks from logic bombs. Properly enforced software development policies and procedures will make it harder for someone to plant a logic bomb. But the bottom line is that a determined insider is almost impossible to stop."[9]
Indeed it is a tough problem. In the case of Roger Duronio, it is not clear whether more money would have helped him, despite the fact that he had a supportive supervisor. Of the five types of defense in depth architectures, the hardest to implement, threat vector analysis[10], works best against this difficult issue. We have little doubt at this point that UBS Wealth Management has a documented threat of unauthorized modification of code and has determined the vectors that one would have to use to accomplish this. Generally this requires separation of duties so that one person cannot move modified code to a production system; they can, at most, move it to a staging area. In addition, we would not be surprised to find code audits high on the list!
SANS courses that teach how to defend against logic bombs and trap doors include:
- Reverse-Engineering Malware - Hands-On[11] - The same principles used to analyze malware work just fine on any code you have in your organization.
- Java Security Auditing[12] - If you are programming in Java, this will teach your auditors what to look for so they can find logic bombs and trap doors.
[1] http://www.informationweek.com/story/showArticle.jhtml?articleID=188700855
[2] http://www.darkreading.com/document.asp?doc_id=98858
[3] http://www.theregister.co.uk/2006/12/13/ubs_logic_bomber_sentenced/
[4] http://rf-web.tamu.edu/security/secguide/Treason/Insider.htm
[5] http://www.informationweek.com/news/showArticle.jhtml?articleID=190301972
[6] http://www.google.com/search?q=cache:cihLehcH3WMJ:ftp.cerias.purdue.edu/pub/doc/morris_worm/seely.PS.Z
[7] http://www.acm.org/classics/sep95/
[8] http://en.wikipedia.org/wiki/Backdoor
[9] http://www.cheycobb.com/logic_bombs.html
[10] http://www.sans.edu/resources/securitylab/316.php
[11] http://www.sans.org/training/description.php?tid=390
[12] http://www.sans.org/training/description.php?tid=447