What do hackers want?

A rooted box is a useful thing to have around the home, so let’s start by looking at how it got that way and what can be done with it.

APC Australia - Feature / Hacker Secrets

When a machine becomes compromised, it’s often through the front door. Either someone’s password was obtained or that machine was misconfigured to enable guests to do much more than they should. Passwords can be pilfered through keyloggers, social engineering or because they were re-used from a compromised site (so-called password dumps are easy to find if you know where to look). Typical misconfiguration errors include leaving default accounts open and setting overly permissive permissions on files and services.

If these were the only kinds of hacks then life would be a little simpler, but of course they’re not. Often a program or service running on the machine is tricked into doing something it’s not supposed to do, or breaking in a particular way, which can enable the attacker to access things they shouldn’t be able to (privilege escalation), run whatever they like (arbitrary code execution) or perform all kinds of other mischief. The hacker that the inspirational Clifford Stoll was chasing back in 1986 used a flaw in the movemail program, part of GNU Mailutils, which enabled superuser access to the host computer, and by extension the rest of the Lawrence Berkeley National Lab’s systems: privilege escalation of the worst kind.

Attacks can be targeted against individuals or organisations, or they can be indiscriminate. When Proof of Concept (PoC) code is released for a new vulnerability, it’s only a matter of time before that code is weaponised. Tools like the Shodan website can be used to list vulnerable machines, providing endless targets for script kiddies, bot-herders and anyone else who wants to break the law. For a remote code execution vulnerability, an attacker will attach a payload (using some kind of obfuscation technique if they’re good) to the exploit code. If all goes well (or wrong if it’s your system being attacked) then that code will be run on the remote machine. On a home machine this code might be a keylogger or other spyware. On a server the holy grail is a reverse shell, where the target machine connects to the attacker’s and makes it possible for terminal commands to be run.

PAY UP OR ELSE…

Ransomware attacks (where files are encrypted and a Bitcoin ransom demanded) have proven reasonably lucrative over the years. However, last year’s WannaCry attacks (which crippled the NHS in the UK) only netted around $195,000. That’s not much considering some 200,000 machines were infected. This attack would have been worse had it not been for the actions of UK national Marcus Hutchins (aka MalwareTech). Unfortunately, Marcus’s previous malware research has seen him indicted in the US, where he was picked up after attending security conferences last year. Latterly, the trend has been to cut out the end-user middleman and install cryptocurrency mining software directly (cryptojacking). Thanks to its anonymity, and the fact that it’s profitable to mine without expensive hardware, Monero has been the currency of choice for these kinds of attacks. As recently as August this year some 200,000 routers in Brazil were found to be infected with Coinhive code.

Blue backlights and clean fingernails are essential for any hacker worth their salt.
