Attack Phase 5: Post-attack activity
CS 493/693 Lecture,
Dr. Lawlor, 2006/02/15
Once an attacker has gained root or Administrator access, the
machine is now theirs to use as they please. A machine provides a variety of
resources that are useful to hackers:
- Secrets (general defense: encryption)
- Searching for credit card numbers, bank account information,
and social security numbers, for plain theft and identity theft. There
is some evidence that organized crime has been actively pursuing online identity theft since at least the 1990s.
- Searching the machine for unencrypted or weakly-encrypted
passwords or SSH keys. An SSH private key stored without a passphrase can be used by
anyone who can read the file. The use of unencrypted SSH keys was a
contributing factor in the April-May 2004 takeover of the TeraGrid by a 16-year-old in Sweden. Several of our machines in Illinois were compromised by this attack.
- Intercepting passwords entered on or passing through the machine
(e.g., with a backdoored "ssh" executable, or a network sniffer) for use on other systems.
- Searching the machine for evidence of illegal activities, for use in blackmail or an ongoing lawsuit.
- Network Connection (general defense: network scanning)
- Distribution of spam, child pornography, instructions for manufacturing narcotics and weapons,
and copyrighted material including programs (warez) and music (mp3).
Machines on university networks, or any machine with high upload bandwidth, are particularly useful to attackers.
- Denial-of-Service
(DoS) attacks on other sites, for the purpose of extortion ("That's a
nice website you got there... Be a shame if the server went down.
We can protect you from that, for a price..."), retribution (e.g.,
disgruntled employee), publicity (for attacking a major site), anarchy,
reputation, or sheer idiocy.
- More bandwidth and access for scanning the net for other
vulnerable machines. This is a key function of all internet
worms.
Sometimes compromising a machine behind the firewall allows a whole new
set of machines to be compromised.
- Disk Space (general defense: disk auditing)
- A compromised machine normally has at least a few dozen gigs
of storage free. This can be used to store illegal data,
as a "drop site" for incriminating evidence, etc.
- CPU/Memory Power (general defense: Task Manager/top)
- Compromised machines provide compute power for cracking passwords with dictionary attacks.
It's possible to imagine a SETI@Home-style
application that distributes hashed ("encrypted") passwords and chunks of the dictionary to try
them against. With a sufficiently large array of compromised machines, brute force
becomes plausible for short passwords.
- Legal Ownership (the machine belongs to somebody else, so its traffic is attributed to them)
- More deniability. Attackers often manually jump from machine to machine,
forwarding or routing their traffic via several compromised machines to
evade detection and capture.
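As an added example (not part of the original lecture), here is a small Python audit for the first kind of loot listed above: it walks a directory tree looking for Luhn-valid card numbers, dashed social security numbers, and SSH private keys that were saved without a passphrase. The card-number range, the legacy PEM "Proc-Type" header and the OpenSSH ciphername field are the real formats; the directory, file names and file contents are constructed inside the script so that it runs offline, and none of the key bodies is real key material.

```python
import base64
import re
import tempfile
from pathlib import Path

# Card-number candidates: 13-19 digits, optionally separated by spaces or
# dashes, not embedded in a longer digit run; the Luhn check weeds out noise.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")  # US SSN, dashed form

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Digit strings that look like card numbers and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return len(b).to_bytes(4, "big") + b

def ssh_key_status(text):
    """'encrypted', 'unencrypted', 'unreadable', or None if not a private key."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        # New-style keys: base64 of the magic "openssh-key-v1" plus NUL, followed
        # by ciphername and kdfname as SSH strings; ciphername is "none" when
        # the key was generated without a passphrase.
        body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        raw = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            return "unreadable"
        n = int.from_bytes(raw[len(magic):len(magic) + 4], "big")
        cipher = raw[len(magic) + 4:len(magic) + 4 + n]
        return "unencrypted" if cipher == b"none" else "encrypted"
    if re.search(r"-----BEGIN (?:RSA|DSA|EC) PRIVATE KEY-----", text):
        # Legacy PEM keys carry a Proc-Type header only when encrypted.
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in text else "unencrypted"
    return None

def audit(root):
    """Walk a tree and report the cleartext secrets an intruder would look for."""
    root = Path(root)
    report = {"cards": [], "ssns": [], "unencrypted_keys": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        text = path.read_text(errors="ignore")
        status = ssh_key_status(text)
        if status is not None:  # key files get no card/SSN scan
            if status == "unencrypted":
                report["unencrypted_keys"].append(rel)
            continue
        report["cards"] += [(rel, c) for c in find_card_numbers(text)]
        report["ssns"] += [(rel, s) for s in SSN_RE.findall(text)]
    return report

def make_openssh_stub(cipher, kdf):
    """Constructed stand-in for an OpenSSH private key: only the header fields
    the checker reads (magic, ciphername, kdfname), no key material at all."""
    raw = b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

def build_sample_tree():
    """Constructed files (not from any real system) laid out in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="audit-"))
    home = root / "home" / "alice"
    ssh = home / ".ssh"
    ssh.mkdir(parents=True)
    (home / "orders.txt").write_text(
        "order 1: card 4111 1111 1111 1111 exp 07/08\n"  # passes Luhn
        "order 2: card 1234 5678 9012 3456 exp 01/09\n"  # fails Luhn
        "employee ssn 123-45-6789\n")
    pem = "bm90IGEgcmVhbCBrZXk=\n"  # placeholder body, not real key material
    (ssh / "id_rsa").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\n" + pem + "-----END RSA PRIVATE KEY-----\n")
    (ssh / "id_rsa_work").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,placeholder\n\n" + pem + "-----END RSA PRIVATE KEY-----\n")
    (ssh / "id_ed25519").write_text(make_openssh_stub(b"none", b"none"))
    (ssh / "id_ed25519_safe").write_text(make_openssh_stub(b"aes256-ctr", b"bcrypt"))
    return root

if __name__ == "__main__":
    for kind, items in audit(build_sample_tree()).items():
        print(kind, items)
```

Running the same scan before an attacker does is the practical side of the "encryption" defense: a key the audit reports as unencrypted should be given a passphrase (ssh-keygen -p rewrites an existing key with one), and card or SSN data should not sit in plain files at all. The Luhn filter matters because 16-digit strings are common in ordinary files; without it the report is mostly noise.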
Sadly, many compromises are only detected at this phase, when a machine saturates its
network connection sending out spam or viruses. A huge number of "quietly" compromised
machines exist, just waiting for the network command that will cause them to spring to
life. An array of these on-call, quietly compromised machines is called a
"botnet" or "zombie army".
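The network-side detection this paragraph describes, as an added example that is not from the original lecture: a Python pass over per-connection outbound flow records (source, destination, destination port, bytes out) that flags three of the uses listed earlier, a host talking to many distinct SMTP servers (spam relay), a host making many tiny connections to one port (worm-style scanning), and a host pushing a very large outbound transfer. The flow lines are constructed in the script and the thresholds are assumed values chosen for the sample; on a real network they have to be set from that network's own baseline.

```python
from collections import defaultdict

def sample_flows():
    """Constructed outbound flow records (not from any real network), one per
    connection seen at the border in a short window: src dst dport bytes_out."""
    lines = [f"10.0.0.3 203.0.113.{i} 80 {1500 + i}" for i in range(5)]      # web browsing
    lines += [f"10.0.0.5 198.51.100.{i} 25 {40000 + i}" for i in range(40)]  # spam relay
    lines += [f"10.0.0.9 192.0.2.{i} 445 60" for i in range(60)]            # worm scanning
    lines.append("10.0.0.12 203.0.113.200 443 2000000000")                  # one 2 GB upload
    return lines

def summarize(lines):
    """Per source: total bytes out and, per destination port, the distinct
    destinations and the bytes sent to that port."""
    hosts = {}
    for line in lines:
        src, dst, port, nbytes = line.split()
        h = hosts.setdefault(src, {"bytes": 0, "ports": {}})
        h["bytes"] += int(nbytes)
        p = h["ports"].setdefault(int(port), {"dests": set(), "bytes": 0})
        p["dests"].add(dst)
        p["bytes"] += int(nbytes)
    return hosts

def flag_hosts(lines, max_bytes=500_000_000, max_mail_dests=20,
               max_scan_dests=30, probe_bytes=200):
    """{source: [reasons]} for hosts whose outbound traffic looks like the
    post-compromise uses in the text. Thresholds are assumed values."""
    flagged = defaultdict(list)
    for src, h in summarize(lines).items():
        if h["bytes"] > max_bytes:
            flagged[src].append(f"bulk upload: {h['bytes']} bytes")
        for port, p in h["ports"].items():
            n = len(p["dests"])
            if port == 25 and n >= max_mail_dests:
                flagged[src].append(f"spam relay: {n} distinct SMTP destinations")
            elif n >= max_scan_dests and p["bytes"] / n < probe_bytes:
                # many hosts, almost no data per host: probing, not talking
                flagged[src].append(f"scanning: {n} hosts on port {port}, tiny payloads")
    return dict(flagged)

if __name__ == "__main__":
    for src, reasons in flag_hosts(sample_flows()).items():
        print(src, "->", "; ".join(reasons))
```

The point of keying the scan rule on bytes per destination is to separate a worm looking for its next victim (dozens of hosts, a handful of bytes each) from a legitimate client that talks to many hosts; the spam rule does not need that, because a workstation has no business opening SMTP sessions to twenty different mail servers. A botnet member that is still waiting for orders produces none of these signals, which is why the text says so many compromises go unnoticed until the machine is put to work.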