APC Australia

What do hackers want?

A rooted box is a useful thing to have around the home, so let’s start by looking at how it got that way and what can be done with it.


When a machine becomes compromised, it’s often through the front door. Either someone’s password was obtained or that machine was misconfigured to enable guests to do much more than they should. Passwords can be pilfered through keyloggers, social engineering or because they were re-used from a compromised site (so-called password dumps are easy to find if you know where to look). Typical misconfiguration errors include leaving default accounts open and setting overly permissive permissions on files and services.

If these were the only kind of hacks then life would be a little simpler, but of course they’re not. Often a program or service running on the machine is tricked into doing something it’s not supposed to do, or breaking in a particular way, which can enable the attacker to access things they shouldn’t be able to (privilege escalation), run whatever they like (arbitrary code execution) or perform all kinds of other mischief. The hacker that the inspirational Clifford Stoll was chasing back in 1986 used a flaw in the movemail program, part of GNU Mailutils, which enabled superuser access to the host computer, and by extension the rest of the Lawrence Berkeley National Lab’s systems: privilege escalation of the worst kind.

Attacks can be targeted against individuals or organisations, or they can be indiscriminate. When Proof of Concept (PoC) code is released for a new vulnerability, it’s only a matter of time before that code is weaponised. Tools like the Shodan website can be used to list vulnerable machines, providing endless targets for script kiddies, bot-herders and anyone else who wants to break the law. For a remote code execution vulnerability, an attacker will attach a payload (using some kind of obfuscation technique if they’re good) to the exploit code. If all goes well (or wrong, if it’s your system being attacked) then that code will be run on the remote machine. On a home machine this code might be a keylogger or other spyware. On a server the holy grail is a reverse shell, where the target machine connects to the attacker’s and makes it possible for terminal commands to be run.

PAY UP OR ELSE…

Ransomware attacks (where files are encrypted and a Bitcoin ransom demanded) have proven reasonably lucrative over the years. However, last year’s WannaCry attacks (which crippled the NHS in the UK) only netted around $195,000. That’s not much considering some 200,000 machines were infected. This attack would have been worse had it not been for the actions of UK national Marcus Hutchins (aka MalwareTech). Unfortunately, Marcus’s previous malware research has seen him indicted in the US, where he was picked up after attending security conferences last year. Latterly, the trend has been to cut out the end-user middleman and install cryptocurrency mining software directly (cryptojacking). Thanks to its anonymity, and the fact that it’s profitable to mine without expensive hardware, Monero has been the currency of choice for these kinds of attacks. As recently as August this year some 200,000 routers in Brazil were found to be infected with Coinhive code.

Blue backlights and clean fingernails are essential for any hacker worth their salt.
