In Search Of a More Secure Internet
Published: September 19, 2007
by Alex Woodie
It's no secret that the Internet has become a giant cesspool of sorts, teeming with a rich assortment of spyware, rootkits, spam, Trojans, exploit kits, and Russian crime bosses that continually evolve to maintain their edge. By some accounts, 30,000 Web sites are hacked every day. The sheer size of the Internet tends to mask the problem, which may be why we haven't all become digital hypochondriacs by now. Thanks to people like Roger Thompson of Exploit Prevention Labs, people may continue to enjoy the Internet from within a cocoon of ignorance.
As the chief technology officer of Exploit Prevention Labs, which is based in New Kingstown, Pennsylvania, Thompson's job is to keep an eye on the "bad guys" (as he puts it), and their attempts to use vulnerabilities in common software products to infect computers.
There's no shortage of work at EPL these days, as Thompson and his crew have been the first researchers to spot several hacks. These include the use of Google's AdWords for malware distribution and the compromise of a handful of small government Web sites to distribute malware. Just last weekend, Thompson discovered a drive-by exploit in an advertisement on Facebook.
Business is good these days for Thompson, which means it's bad for people who value security. "Every few years, the bad guys reinvent themselves and move the target," he says. "It used to be that most of the guys--mostly guys--who wrote viruses did it to show their buddies how smart they were. They wrote worms to say they crashed the Internet, or infected 80 percent of the Internet overnight. That used to be the motivation. Eventually, those guys grew up and got a job, or got a girlfriend, and found something better to do, and stopped." But times have changed, and today's typical malware writer is working for profit, not fun.
One of the most disturbing trends in computer security these days has been the emergence of pre-packaged exploit kits, such as MPack, WebAttack, NeoSploit, and IcePack, that criminals can use to infect a large number of PCs in a short amount of time. "They're sold to people who want to be malicious Webmasters, but they don't have the skills to put together their own exploit set. We see them all the time," Thompson says.
These kits, which emanate primarily from Russia, are professionally developed and pose a significant threat to Web security because traditional security tools, such as firewalls and antivirus software, have a hard time stopping them, says Thompson, who spends much of his time tracking the kits. "We know where the bad guys tend to be, and we know where their test servers are in many cases. We monitor what they're doing," he says.
A typical infection cycle goes as follows. A budding malicious Webmaster spends a few hundred dollars on an exploit kit, then goes off to find a Web server, or a group of Web servers, that is susceptible to one or more of the vulnerabilities the kit targets. Once the Web server is hacked, the malicious Webmaster sets up the site to infect the Web browser of every visitor to it. The malware delivered this way can be used for any number of things, including stealing the user's identity, installing "keyloggers" that capture the user's keyboard input, or installing mini servers that keep the whole ball rolling by sending spam e-mails that link back to other malicious sites.
Thompson directs much of his research into LinkScanner, a security tool that he developed and which is sold by EPL (subscriptions cost $20 per year, although there is a free version, too). LinkScanner protects PC users from Web attacks launched with these and other exploit kits by identifying the signatures of known exploit attacks and blocking them, even if the software the user is running has a known security vulnerability.
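To make the "identify the signature, then block it" layer concrete, here is an added Python example; it is not LinkScanner's code, and the article does not disclose LinkScanner's actual signatures. The three signatures below (a zero-size iframe, an iframe hidden with inline CSS, and an unusually long percent-encoded string passed to unescape) are constructed heuristics of the kind a content filter might use, and the sample pages are constructed too. The point it illustrates is that the filter inspects what the server sends and refuses to hand it to the browser, so the decision does not depend on whether the browser has been patched.

```python
import re
from dataclasses import dataclass, field

# Constructed example signatures (hypothetical; not LinkScanner's real rules).
# Each entry is (name, compiled pattern). Patterns are kept deliberately simple
# so the matching logic is easy to follow.
SIGNATURES = [
    # an <iframe> with a zero width or height attribute: a second page is
    # loaded without the visitor seeing anything on screen
    ("hidden-iframe-attr",
     re.compile(r'<iframe\b[^>]*\b(?:width|height)\s*=\s*["\']?0(?:px)?["\'\s>]', re.I)),
    # an <iframe> hidden through inline CSS instead of size attributes
    ("hidden-iframe-style",
     re.compile(r'<iframe\b[^>]*style\s*=\s*["\'][^"\']*(?:display\s*:\s*none|visibility\s*:\s*hidden)', re.I)),
    # a very long percent-encoded string fed to unescape(), the shape an
    # obfuscated script block tends to have
    ("long-unescape-blob",
     re.compile(r'unescape\s*\(\s*["\'](?:%[0-9a-f]{2}){200,}', re.I)),
]


@dataclass
class Verdict:
    blocked: bool
    reasons: list = field(default_factory=list)


def scan_response(body: str) -> Verdict:
    """Return a Verdict listing every signature that matched the response body."""
    reasons = [name for name, pattern in SIGNATURES if pattern.search(body)]
    return Verdict(blocked=bool(reasons), reasons=reasons)


BLOCK_PAGE = "<html><body><h1>Blocked: page matched a known exploit signature</h1></body></html>"


def filter_response(url: str, body: str) -> tuple:
    """Mimic the blocking step: pass clean content through, replace flagged content.

    Returns (body_to_deliver, verdict). A real filter sits between the browser
    and the network; here it is just a function over an already-fetched body.
    """
    verdict = scan_response(body)
    if verdict.blocked:
        print(f"[filter] blocked {url}: {', '.join(verdict.reasons)}")
        return BLOCK_PAGE, verdict
    return body, verdict


# Constructed sample pages (not captured from any real site).
BENIGN_PAGE = """<html><body>
<p>Welcome to the parish newsletter.</p>
<iframe src="calendar.html" width="300" height="200"></iframe>
</body></html>"""

# the same page after an attacker appended an invisible frame to it
INJECTED_PAGE = """<html><body>
<p>Welcome to the parish newsletter.</p>
<iframe src="http://example.invalid/t.html" width=0 height=0></iframe>
</body></html>"""

# a page whose script is nothing but a large percent-encoded blob
OBFUSCATED_PAGE = (
    "<html><body><script>document.write(unescape('"
    + "%41" * 250
    + "'))</script></body></html>"
)


def demo() -> dict:
    """Run the filter over the three constructed pages; map page name to matched signatures."""
    results = {}
    for name, page in [("benign", BENIGN_PAGE),
                       ("injected", INJECTED_PAGE),
                       ("obfuscated", OBFUSCATED_PAGE)]:
        _, verdict = filter_response(f"http://example.invalid/{name}", page)
        results[name] = verdict.reasons
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points follow from the article's own argument. First, the filter is a layer, not a substitute: a signature list only catches what it has been taught, so it sits alongside the firewall, antivirus and patching that Thompson lists rather than replacing them. Second, false positives are the cost of the approach; the benign page here keeps its normally sized iframe, which is why the rules key on hidden frames and oversized encoded blobs rather than on iframes or unescape() in general.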
"It's easy to explain, but it's not so easy to do," Thompson says of the techniques used by LinkScanner. "You have to know what the critical exploits are, and how to block them reliably." The majority of the big security software companies have yet to develop comparable technology to block attacks using these exploits, he says. (They can easily solve this deficiency by buying EPL, Thompson jokes halfheartedly.)
In time, products like LinkScanner will become ubiquitous, Thompson predicts. "Good security is all about having as many layers in place as you can. You can't do without your firewall, and you can't do without antivirus. My view is you can't do without an anti-exploit filter to stop the Web-based things. And of course people should patch."
There has been a give and take between hackers and security professionals since Al Gore invented the Internet last century. There's nothing new in that. What is new is the level of professionalism and sophistication that hackers are exhibiting today.
Indeed, security on the Web will get worse before it gets better, according to Thompson. "The bad guys have gotten really good at infecting large numbers of Web sites," he says. "They don't want to crush the Internet anymore because if they got 10 million infections, it would be a waste. They couldn't handle it. They don't want to cut down the tree anymore. They just want to shake it and pick up the apples that fall off."