Why Bad Things Happen to Good Servers

My colleagues and I have been posting about security-related issues here for over a year now.  We often point to the continuing list of headlines and statistics that show an unrelenting torrent of malware and a growing threat from it. Things like:

To be honest, I’m not surprised if the hyperbole or the sheer scale of the numbers leads to incredulity on the part of the reader.  Like looking at national debts or deficit forecasts, the numbers and threats get so big that one tends to lose any sense of relation to them.  I’ll admit, even though they come from multiple sources, I often glossed over them myself, or somehow became desensitized to them and discounted them as some type of “scare tactic”.  Often, it takes a more firsthand experience to reawaken us or attune us to the reality behind such massive statistics.

Count me as a believer.  One often hears that to experience malware is to know how damaging it can be. This is surely true.  Luckily I can tell you that I was not recently hacked or infected (that I know of).  Instead, I had the good fortune to participate in a “hands on” malware session hosted by McAfee Labs that took a group of people and, over the course of an hour and a half, walked them through the development of botnets, Trojans and viruses.  This was not taking skilled hackers and setting them loose.  This was taking folks like me (I’ll never be confused with a software developer), providing basic tools (browsers, Notepad and the easy-to-obtain Shark Trojan and Zeus Builder creation kit) and, in less than 2 hours, having them churning out nasty malware. In short order we:

  • Created Shark and Zeus Trojans and devised an easy social engineering maneuver designed to “trick” an unsuspecting user into installing the malware;

  • Created a command and control infrastructure to allow us to take control of infected machines—essentially creating our botnet;

  • Used the botnet to harvest information (stealing files, screen scraping confidential documents, passwords, etc.) from our infected machines;

  • Implemented web-redirection attacks to take users to sites that steal information and install more malware, and much more.

I could tell that I was not alone in my astonishment.  My fellow class attendees were also constantly remarking that they could not believe how easy and fast it was to build these attacks.  There were many looks of amazement (from most) and fear (mostly from the classmates who were security and systems administrators) that showed that eyes were really being opened through the experience.

Seeing how easy it is and how flexible the tools of the malware trade are, I am now completely unsurprised at the explosion in malware.  In fact, I fully expect the trend lines of volume and severity of malware attacks to perhaps exceed the forecasts—the tools are that good and advancing that quickly. For that reason, it is imperative that the industry provide new capabilities to help protect infrastructure and personal property—yes, tools like Intel® Trusted Execution Technology and AES-NI provide some benefits in this regard.  But the session also highlighted the need for continuing education—as social engineering elements will continue to be a fast and easy way for the bad guys to get into the infrastructure. In the end, tools are great and much needed, but being aware of the risks is a major element of helping to keep the computing environment safe.  Until then, the rapid advancement of easy-to-use tools for the bad guys will assure us that we’ll be seeing unfortunate headlines for years to come.