Transcript
Page 1: CoreTrace Whitepaper: Combating Buffer Overflows And Rootkits

CoreTrace Corporation 6500 River Place Blvd., Building II, Suite 105, Austin, TX 78730

512-592-4100 | [email protected] | www.coretrace.com

BOUNCER by CoreTrace™ Defeats Cybercriminals

June 2008

Contents

1   Overview
1   2008 Forward: Tornado Warning in Effect
      Inside the Cybercrime Tornado
      Seeding the Clouds
      Endpoint Security v1.0 vs. v2.0: Who'll Stop the Rain?
6   Cybercrime At-a-Glance
      Cybercrime Tools and Techniques
      Cybercrime Levels of Threat
11  Buffer Overflow + Rootkit
      Access Vector: Buffer Overflow Used to Inject Code
      Payload: Rootkit Used to Obtain and Retain Control
12  Endpoint Security v2.0
      Endpoint Security v1.0 vs. v2.0
      BOUNCER by CoreTrace™
15  Summary

Page 2

Overview

The road sign from information highway to Internet, computer geeks to script kiddies, hackers to cybercriminals, worms to rootkits, bragging rights to offshore accounts, and just recently, malware to malware‑as‑a‑service, points in a very clear direction: from cachet to cash, from v1.0 to v2.0. Follow the money…and hold on to your hats.

This paper reviews the nature of cybercrime focusing on two sophisticated threats whose popular malicious combination—buffer overflow + rootkit—requires the immediate attention of IT security departments.

Buffer overflow + rootkit is the #1 combo meal on the cybercrime menu: a buffer overflow provides the way in, and a rootkit provides the way to stay in and to invite some friends in too. An endpoint won’t get fries with that, but if it is not protected with Endpoint Security v2.0 it may get Trojans, keyloggers, backdoors, installation routines, network sniffers, etc. (do be concerned with what may be hiding in that etc.). The best part, and why this technique is so popular, is that the endpoint is not aware that it has ingested anything.

Rootkits are a MacGyver-worthy mashup of Swiss Army knife + Hydra + The Invisible Man; “the best defense is a good offense” was never more apropos. Not only is it difficult to know that a rootkit has control of an endpoint; even when it is known, the rootkit is not easily removed. The key to not allowing a rootkit to establish itself on an endpoint is to not allow a rootkit to establish itself on an endpoint: just say no. Currently, the only way to do that is with Endpoint Security v2.0.

This paper contrasts Endpoint Security v1.0 with Endpoint Security v2.0, and discusses why Endpoint Security v1.0’s centre cannot hold. Also discussed are Endpoint Security v2.0’s three core tenets—control what you know, control at the lowest possible level, and control transparently—that were leveraged to deliver BOUNCER by CoreTrace™, a unique v2.0 revolutionary 180°‑shifted approach to endpoint security. With BOUNCER‑secured endpoints, an IT security department can have complete confidence that when, not if, a rootkit attempts to establish itself on their endpoint, this zero‑day threat has zero time‑to‑live, as BOUNCER delivers the first knockout punch.(1)

2008 Forward: Tornado Warning in Effect

The criminal energy that permeates the Internet cloud has caused a steady rain of profit for the cybercrime industry since just before the turn of the millennium; however, all indications are that the Internet cloud is poised to turn into a supercell “with billions of dollars of revenue seeming to appear from out of nowhere”(2) and be funneled into the cybercriminals’ offshore accounts. The cybercrime industry is heading inside the tornado of hypergrowth and will enjoy huge profits at the world’s expense.

Unfortunately, the majority of the endpoint security industry that is in a position to stop the unprecedented deluge of cybercrime cash visible on the horizon (i.e., the Endpoint Security v1.0 antivirus blacklist vendors) is too busy cashing in on its mutually-assured-to-be-profitable cyber arms race with the cybercrime industry to upgrade its weapons systems to Endpoint Security v2.0. The cyber arms race is a lucrative, never-ending cat‑and‑mouse game of virus release followed by antivirus update, with dizzying rounds of races to the zero-day-threat finish line. Because Endpoint Security v1.0’s blacklisting strategy is reactive (a signature can only be written after the malware it describes has been seen), it is running the cybercriminal’s race, so getting to the finish line first is simply not possible.(3)(4)

(1) BOUNCER‑secured endpoints include PCs, servers, and embedded systems.

(2) Geoffrey A. Moore; Inside the Tornado; Harper‑Business; 2005; p 5.

(3) Jeff Nathan; It’s Our Party & We’ll Cry If We Want To…; Arbor Networks; August 9, 2006. (http://asert.arbornetworks.com/2006/08/it%e2%80%99s‑our‑party‑well‑cry‑if‑we‑want‑to/)

(4) Mxatone and IvanLeFou; Stealth Hooking: another way to subvert the Windows kernel; Phrack Magazine; Issue 65; April 12, 2008. (http://www.phrack.com/issues.html?issue=65&id=4#article)

“Have you ever taken a moment to realize that the primary reason the information security industry even exists is because of a noted lack of pedantic people both in the RFC world of the 1980s and the software engineering world up until the mid 1990s? Yes, there was actually a time where people did not consider the unexpected consequence of an unbounded strcpy().”(3)

– Jeff Nathan Arbor Networks

“Loved by some, hated by others, rootkits can be considered as the holy grail of backdoors: stealthy, little, close to hardware, ingenious, vicious…Their control over a computer locally or remotely makes them the best choice for an attacker.”(4)

– Mxatone and IvanLeFou Phrack Magazine

Page 3

Inside the Cybercrime Tornado

It’s the Wild West…and east, and north, and south: cybercrime is inherently global and tantalizingly lucrative. A virtual frontier of opportunity targets combined with low barriers to entry, low risk of capture and conviction, and high earning potential is the risk/reward scenario that is fueling the cybercrime industry’s explosive growth rate.

The cybercrime business model has matured and, borrowing the language of Geoffrey Moore’s best‑selling business‑strategy books Crossing the Chasm and Inside the Tornado, it has crossed the chasm and is headed inside the tornado characterized by hypergrowth.(5) Read the excerpt below from Inside the Tornado in the context of the cybercrime juggernaut: does any of it sound familiar?

“Such are the market forces generated by discontinuous innovations, or what more recently have been termed paradigm shifts…For a long time, although much is written about the new paradigm, little of economic significance happens…But…there comes a flash point of change when the entire marketplace…shifts its allegiance from the old architecture to the new.

“This sequence of events unleashes a vortex of market demand. Infrastructure, to be useful, must be standard and global, so once the market moves to switch out the old for the new, it wants to complete this transition as rapidly as possible. All the pent‑up interest in the product is thus converted into a massive purchasing binge…Companies grow at hypergrowth rates, with billions of dollars of revenue seeming to appear from out of nowhere.

“Nowhere has the tornado touched down more often in the past quarter-century than in the computer and electronics industry…New products, designed to the new performance vectors, incorporate software that simply blows away the old reference points…

“…showing how companies can align themselves with these forces to win market leadership positions, we shall see a disconcerting pattern assert itself repeatedly:

The winning strategy does not just change as we move from stage to stage, it actually reverses the prior strategy.

“That is, the very behaviors that make a company successful at the outset of the mainstream market cause failure inside the tornado and must be abandoned. And similarly what makes companies successful in the tornado causes failure and must be abandoned once that phase of hypergrowth is past. In other words, it is not just the strategies themselves that are cause for note but also the need to abandon each one in succession and embrace its opposite that proves challenging.”(6)

Reversing Strategies

It is interesting to note that the cybercrime industry’s leap across the chasm was symbolically marked in February 2008 by the disbanding of the infamous, old-school VXer (virus writer) group 29A. So if we are not in Kansas anymore, then where are we? Put another way, if “29A has left the building!”(7), who are its current tenants?

“The shutters are being pulled down on old school virus writers’ group 29A.”(8)(9)

(5) Geoffrey A. Moore; Crossing the Chasm; HarperCollins; 2002; and Inside the Tornado; HarperCollins; 2004.

(6) Geoffrey A. Moore; Inside the Tornado; HarperCollins; 2004; pp 4–5 and 10.

(7) VirusBuster/29A’s departing words posted on home page of 29A Labs; February 2008. (This URL is for informational purposes; we strongly recommend that you do not visit the 29A Labs website. http://vx.org.ua/29a/main.html)

(8) The Wallstreet Journal Business Technology Blog; Electronic Crime Really Does Pay; November 2, 2007. (http://blogs.wsj.com/biztech/2007/11/02/electronic-crime-really-does-pay/trackback/)

(9) Andrew Hendry; Wannabe Hackers Can Now Rent‑a‑Botnet; PC World; May 15, 2008. (http://www.pcworld.com/businesscenter/article/145931/wannabe_hackers_can_now_rentabotnet.html)

“The AFCC recently traced a new service… offering access to a bullet-proof hosting server with a built-in Zeus trojan administration panel and infection tools...the service includes all of the required stages in a single package, so you just have to pay for the service, then access the newly hired Zeus trojan server, create infection points and start collecting data…mirroring legitimate security vendor offerings—security-as-a-service… malware-as-a-service.”(9)

– Andrew Hendry PC World

“…chief security officer at British Telecom’s global financial services division…tells us that as long as the risk of getting caught is so low and the reward so great, the number of attacks is bound to keep climbing. He calls this ‘the mathematics of toast,’ as in companies who aren’t prepared for an influx of attacks are pretty much toast.”(8)

– The Wall Street Journal Business Technology Blog

Page 4

“29A, hexadecimal for 666, is an underground VXer collective known for creating the first Win 2000 virus, the first 64bit virus, and early examples of mobile malware that infected devices such as PDAs.

“…other less well known VXer groups are dying the death, a development symptomatic of changes in the malware market. Profit has replaced mischief, intellectual curiosity, or a desire to make a name for yourself as the motive for creating malware.

“Traditional virus writers have drifted away from the scene to be replaced by more shadowy coders creating sophisticated Trojans aimed at turning an illicit profit. Enforcement action against virus writers has acted as a further disincentive for hobbyists, at least.

“Instead of getting proof of concept malware from the likes of 29A, we’re dealing with the Storm Worm Trojan and other sophisticated “professionally developed” botnet clients.”(10)

By any measure, the cybercrime industry has crossed the chasm from v1.0 to v2.0; combating v2.0 cyberattacks with a v1.0 arsenal is a Maginot Line strategy that will never lead back to Kansas. The road map back to Kansas is provided by Geoffrey Moore: “The winning strategy does not just change as we move from stage to stage, it actually reverses the prior strategy.”(11)

As the VXers crossed the chasm, following behind, as always, were the AVers (antivirus researchers), weighed down by Endpoint Security v1.0 (a reactive, inherently flawed, ineffective, and bloated blacklisting strategy). What is required to defeat cybercriminals is a “reversal of the prior strategy”: a 180°-shifted approach to endpoint security.

What is required is BOUNCER by CoreTrace™, the Endpoint Security v2.0 solution that cuts the Gordian knot of the zero-day-threat finish line.

Seeding the Clouds

Buffer overflow + rootkit is a handy combination for a v2.0 cybercriminal: a buffer overflow provides the way into an endpoint, and a rootkit provides the way to stay in the endpoint for as long as possible. A rootkit’s ability to mask its presence and its activities makes it very difficult to detect, thereby maximizing the profit from each established rootkit and providing excellent ROI for v2.0 cybercriminal businesses.

Buffer Overflows

Buffer overflow vulnerabilities exist because code is written that copies input into a fixed-size buffer without checking, at every point where input enters the application, that the input actually fits. Code injection uses such software errors to inject code into programs already running on an endpoint. The most common method of code injection, and one of the most difficult to stop, is via buffer overflow: input longer than the buffer spills past its end and overwrites adjacent memory, typically the saved return address on the stack, so that when the function returns, execution is redirected to code the attacker supplied in that same input, and the program then runs whatever the cybercrime business wants.
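As an added example (not CoreTrace code, and not BOUNCER’s technique), the C below models the mechanism described above. The stack frame is laid out as one flat byte array so that every access is well-defined C: a 16-byte local buffer followed by an 8-byte slot standing in for the saved return address. The slot’s initial value, the frame layout and the attack input are assumptions made for the demonstration. vulnerable_copy() copies until the terminating NUL with no bound, as strcpy() does, and the bytes past the buffer land on the return slot; bounded_copy() checks the length against the buffer first and rejects input that does not fit.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not CoreTrace code. The "stack frame" is one flat byte
 * array so every access is well-defined C: BUF_SIZE bytes of local buffer
 * followed by an 8-byte slot standing in for the saved return address.
 * The layout and LEGIT_RETURN are assumptions for the demonstration. */
#define BUF_SIZE   16
#define RET_OFFSET BUF_SIZE
#define FRAME_SIZE (BUF_SIZE + 8)

static const uint64_t LEGIT_RETURN = 0x401136ULL;   /* assumed caller address */

static void init_frame(unsigned char *frame)
{
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + RET_OFFSET, &LEGIT_RETURN, sizeof LEGIT_RETURN);
}

/* Read back whatever now occupies the return-address slot. */
static uint64_t saved_return(const unsigned char *frame)
{
    uint64_t v;
    memcpy(&v, frame + RET_OFFSET, sizeof v);
    return v;
}

/* Vulnerable pattern: copy until the terminating NUL with no bound, which is
 * what strcpy(buf, input) does. Input bytes 16..23 land in the return slot.
 * The frame-edge check only keeps the demo inside the modelled frame; the
 * real bug has no check at all. */
uint64_t vulnerable_copy(const char *input)
{
    unsigned char frame[FRAME_SIZE];
    init_frame(frame);
    for (size_t i = 0; i < FRAME_SIZE && input[i] != '\0'; i++)
        frame[i] = (unsigned char)input[i];
    return saved_return(frame);
}

/* Hardened pattern: validate the length against the buffer before copying
 * and reject oversized input outright instead of truncating it silently.
 * Returns 1 (and the intact return slot) on success, 0 if the input does
 * not fit. */
int bounded_copy(const char *input, uint64_t *ret_out)
{
    unsigned char frame[FRAME_SIZE];
    init_frame(frame);
    size_t n = strlen(input);
    if (n >= BUF_SIZE)              /* keep room for the NUL terminator */
        return 0;
    memcpy(frame, input, n + 1);
    *ret_out = saved_return(frame);
    return 1;
}

/* Constructed attack input: 16 filler bytes to fill the buffer, then 8 bytes
 * of 0x42 where a real exploit would place the address of its injected code. */
#define ATTACK_INPUT "AAAAAAAA" "AAAAAAAA" "BBBBBBBB"

int main(void)
{
    uint64_t r = 0;
    printf("benign input, unbounded copy: ret=0x%" PRIx64 "\n", vulnerable_copy("hello"));
    printf("attack input, unbounded copy: ret=0x%" PRIx64 "\n", vulnerable_copy(ATTACK_INPUT));
    printf("attack input, bounded copy:   accepted=%d\n", bounded_copy(ATTACK_INPUT, &r));
    int ok = bounded_copy("hello", &r);
    printf("benign input, bounded copy:   accepted=%d ret=0x%" PRIx64 "\n", ok, r);
    return 0;
}
```

With the benign input both copies leave the return slot at its assumed value; with the attack input the unbounded copy reports a return slot of 0x4242424242424242, which is the attacker’s chosen bytes, while the bounded copy refuses the input before anything is written.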

Rootkits

Rootkits are a collection of tools and utilities that allow a cybercriminal to hide the rootkit’s own presence and all of its activities, as well as provide a way to keep a backdoor open to the system for return visits. The extent and nature of the activities a rootkit is able to perform and hide depend on the type of rootkit. There are many types, including user‑mode rootkits (which hook or replace libraries and APIs inside processes), kernel‑mode rootkits (which hook system calls and drivers), kernel‑mode data-structure manipulation (which unlinks the rootkit’s processes and files from the lists the operating system uses to enumerate them), and process hijacking. While all rootkits are problematic, kernel‑based rootkits are especially insidious, since they run with the same privilege as the security software that is supposed to find them.(12)(13)
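As an added example (not CoreTrace code, and a user-space model rather than a real kernel), the C below shows the data-structure-manipulation technique in miniature together with the cross-view check that catches it. The operating system is assumed to keep two views of the same processes: a circular doubly linked active-process list that task-listing tools walk, and a PID table that the scheduler uses. dkom_hide() unlinks a process from the list while leaving it in the table, so it keeps running but no longer shows up in a list walk; find_hidden() reports every PID present in the table but absent from the list. Process names, PIDs and the table size are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not CoreTrace code and not a real kernel: a user-space
 * model of DKOM-style process hiding and of cross-view detection. Two views
 * of the same processes are kept: a circular doubly linked active-process
 * list (what task-listing tools walk) and a PID table (what the scheduler
 * uses). PIDs, names and MAX_PID are constructed for the demonstration. */
#define MAX_PID 64

typedef struct proc {
    int pid;
    char name[16];
    struct proc *next;
    struct proc *prev;
} proc_t;

static proc_t  proc_pool[MAX_PID];   /* backing storage, indexed by PID */
static proc_t *pid_table[MAX_PID];   /* view 1: PID table */
static proc_t  active_list;          /* view 2: list head (sentinel node) */

static void reset_system(void)
{
    memset(proc_pool, 0, sizeof proc_pool);
    memset(pid_table, 0, sizeof pid_table);
    active_list.pid = -1;
    active_list.next = active_list.prev = &active_list;
}

/* Create a process and register it in both views (tail of the list). */
static proc_t *spawn(int pid, const char *name)
{
    if (pid < 0 || pid >= MAX_PID) return NULL;
    proc_t *p = &proc_pool[pid];
    p->pid = pid;
    strncpy(p->name, name, sizeof p->name - 1);  /* pool is zeroed, so terminated */
    p->prev = active_list.prev;
    p->next = &active_list;
    active_list.prev->next = p;
    active_list.prev = p;
    pid_table[pid] = p;
    return p;
}

/* The rootkit's DKOM step: unlink the process from the list that
 * enumeration walks but leave it in the PID table, so it keeps running. */
void dkom_hide(int pid)
{
    proc_t *p = (pid >= 0 && pid < MAX_PID) ? pid_table[pid] : NULL;
    if (p == NULL) return;
    p->prev->next = p->next;
    p->next->prev = p->prev;
    p->next = p->prev = p;   /* self-linked so a repeated unlink is harmless */
}

/* What a task-listing tool sees. */
int count_by_list_walk(void)
{
    int n = 0;
    for (const proc_t *p = active_list.next; p != &active_list; p = p->next)
        n++;
    return n;
}

/* Cross-view detection: a PID present in the table but missing from the
 * list walk is hidden. Stores up to max PIDs in out; returns how many. */
int find_hidden(int *out, int max)
{
    int found = 0;
    for (int i = 0; i < MAX_PID && found < max; i++) {
        const proc_t *p = pid_table[i];
        if (p == NULL) continue;
        int seen = 0;
        for (const proc_t *q = active_list.next; q != &active_list; q = q->next)
            if (q == p) { seen = 1; break; }
        if (!seen) out[found++] = p->pid;
    }
    return found;
}

/* Constructed sample: three processes, then the rootkit hides "miner".
 * Returns the number of processes the PID table still holds. */
int build_sample_system(void)
{
    reset_system();
    spawn(4, "init");
    spawn(7, "miner");
    spawn(9, "sshd");
    dkom_hide(7);
    int n = 0;
    for (int i = 0; i < MAX_PID; i++)
        if (pid_table[i] != NULL) n++;
    return n;
}

int main(void)
{
    int hidden[MAX_PID];
    printf("PID table holds %d; list walk sees %d\n",
           build_sample_system(), count_by_list_walk());
    int n = find_hidden(hidden, MAX_PID);
    for (int i = 0; i < n; i++)
        printf("hidden: pid %d (%s)\n", hidden[i], pid_table[hidden[i]]->name);
    return 0;
}
```

The list walk sees two processes while the PID table holds three, and find_hidden() returns PID 7. This is the same cross-view principle that anti-rootkit tools apply between, for example, a kernel’s process list and its scheduler structures, or between an API-level directory listing and the raw filesystem.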

(10) John Leyden; Infamous malware group calls it quits; Channel Register; March 7, 2008. (http://www.channelregister.co.uk/2008/03/07/29a_rip/)

(11) Geoffrey A. Moore; Inside the Tornado; HarperCollins; 2004; p 5.

(12) VirusBuster/29A; The number of detected virii war; 29A Labs; zines; Issue 4; 2001.

(This URL is for informational purposes; we strongly recommend that you do not visit the 29A Labs website. http://vx.netlux.org/29a/29a‑4/29a‑4.232)

(13) Aleph One; Smashing The Stack For Fun And Profit; Phrack Magazine; Issue 49; November 8, 1996. (http://www.phrack.com/issues.html?issue=49&id=14#article)

“A buffer overflow is the result of stuffing more data into a buffer than it can handle. How can this often-found programming error be taken advantage of to execute arbitrary code?…Writing an Exploit (or how to mung the stack)…”(13)

– Aleph One Phrack Magazine

“If you dig a bit into the AV world, you will discover AVers are not a happy family…in some cases they hate other AVers more than VXers…Less known are the fights for the conquest of the AV market between companies…there is a new fight in the AV world: The number of detected virii war!…‘my product detects 100% of virii’…If that’s not a trick…what is it?…It means that from a collection of 7,000 source codes, you could create an antivirus with 12,000–14,000 signatures. Then you run…similar virus construction kits and you reach 20,000 signatures. You only need to inflate the numbers a bit and… TAAAAACHAN!!!!!!! You have a top eleet antivirus! Pathetic, but that’s what’s happening.”(12)

– VirusBuster/29A 29A Labs

Page 5

Endpoint Security v1.0 vs. v2.0: Who’ll Stop the Rain?

Cybercriminals are well armed and well motivated, so how can an organization protect itself? Businesses invested $9.4 billion in IT security software in 2007;(14) clearly, increased spending on ineffective Endpoint Security v1.0 products will not stop the cybercrime tornado.

Endpoint Security v1.0

The Endpoint Security v1.0 strategy has been to identify malware and keep it out (i.e., blacklisting). In a zero‑day‑threat world, blacklisting’s reactive strategy (it depends on timely signature updates, and a signature cannot exist before the malware it describes has been seen) is inherently flawed, and no amount of multi-layering or heuristics can save it. In effect, blacklisting surrenders control to the cybercriminals, handing them the first-strike advantage. Moreover, if the first strike is delivered by a stealth bomber (buffer overflow code injection) that happens to drop a kernel-based rootkit payload, Endpoint Security v1.0 technology is unaware that an attack has occurred and the compromised system is literally open for business.

Endpoint Security v2.0

Fortunately, the majority of cyberattacks can be defeated if the right approach is taken to defending the IT network; by necessity, that is Endpoint Security v2.0, whose 180°‑shifted approach starts by turning v1.0 blacklisting on its head and proceeds from there.

Note the phrase, starts by turning v1.0 blacklisting on its head and proceeds from there. Endpoint Security v2.0 strategy is to only allow authorized code to execute (i.e., whitelisting), so even if malware gains access to a system, it cannot execute and is neutralized— that’s the short answer. For security reasons, the details in the execution of that strategy are as important as adopting the strategy.

Endpoint Security v2.0 is predicated on three core tenets: control what you know, control at the lowest possible level, and control transparently. To be considered a true Endpoint Security v2.0 solution, the security features shown in Table 1 must be present.

Beware of any endpoint security solution claiming to be a v2.0 solution that merely exchanges one list for another. While a whitelist‑based solution is superior to a blacklist‑based solution because it is proactive vs. reactive, a true Endpoint Security v2.0 solution uses a whitelist of fingerprints customized for each endpoint; thereby, limiting the entries to programs installed on each endpoint vs. a centralized database of all programs. Additionally, a true Endpoint Security v2.0 solution automatically generates the customized whitelist for each endpoint in a controlled environment to ensure that it is not compromised. Further, a true Endpoint Security v2.0 solution provides an efficient whitelist updating capability that does not place a burden on the IT administrative staff.

The specious solution that has merely exchanged one list for another is only a 90°-shifted solution, and it has only reached v1.1: its whitelist is a behemoth, one-size-fits-all, let’s‑hope‑the‑list‑isn’t‑hacked centralized database of all authorized programs that somehow has to be mapped to each specific endpoint.

Walk away from these going-in-the-right-direction-but-didn’t-quite-make-it v1.1 half-solutions or else the weight of this solution and attendant administrative burden and security risks will come crashing down on your CPUs and valuable IT staff.(15)(16)

(14) Gartner; Press Release: Gartner Predicts Worldwide Security Software Revenue to Grow 11 Percent in 2008; April 22, 2008. (http://www.gartner.com/it/page.jsp?id=653407)

(15) Andreas Marx; Malware vs. Anti‑Malware: (How) Can We Still Survive?; Virus Bulletin; February 2008. (http://www.av-test.org/down/papers/2008-02_vb_comment.pdf)

(16) Mxatone and IvanLeFou; Stealth Hooking: another way to subvert the Windows kernel; Phrack Magazine; Issue 65; April 12, 2008. (http://www.phrack.com/issues.html?issue=65&id=4#article)

“Today’s threats are created by a commercial malware industry which has developed quickly and which has access to some billion-dollar resources… Some vendors have switched…to daily, or even half-hourly updates…The average size of the signature databases has at least doubled and in some cases tripled within the last 18 months. The trend seems to be clear: more updates and more signatures, and with them longer scan times, higher memory consumption, higher false positive rates and the like.”(15)

– Andreas Marx av‑test.org

“Even if the technology used by rootkits is more and more sophisticated, the underground community is still developing POCs to improve current techniques.”(16)

– Mxatone and IvanLeFou Phrack Magazine

Page 6

Table 1. Endpoint Security v2.0: Security Features

The three columns of the original table are the three core tenets: control what you know, control from the lowest possible level, and control transparently. The security features listed are:

- Only authorized programs allowed to execute
- Authorized programs fingerprinted to create a unique three-factor integrity check:
    File digest (SHA-1 hash)
    File location (pathname)
    File size
- Whitelist of fingerprints customized for each endpoint; entries limited to programs installed on that endpoint
- Automatically generates the customized whitelist in a controlled environment
- Ease-of-use whitelist updating procedure
- Digital certificates used for authentication
- Enforcement from within the kernel
- Entry points to the OS securely wrapped
- Prevents direct kernel memory read and write from user space
- Monitors and reacts to memory modification
- Provides a complete IPsec infrastructure
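As an added example (not BOUNCER’s code), the C below turns the three-factor integrity check in Table 1 into an exec-time decision over a per-endpoint whitelist. Table 1 names SHA-1 for the file digest; to keep the example stand-alone it uses 64-bit FNV-1a as a stand-in, which is not a cryptographic hash and must be replaced by SHA-1 or stronger in any real implementation. The program images are byte strings constructed in memory, and the paths and contents are assumptions; no filesystem is touched.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not BOUNCER code: the three-factor integrity check from
 * Table 1 (digest, pathname, size) applied as an exec-time whitelist
 * decision. Table 1 names SHA-1 for the digest; this stand-alone version
 * uses 64-bit FNV-1a as a stand-in, which is NOT cryptographic and must be
 * replaced by SHA-1 or stronger in real use. Images are in-memory byte
 * strings constructed for the demonstration. */
#define PATH_MAX_LEN  64
#define WHITELIST_MAX 16

typedef struct {
    char     path[PATH_MAX_LEN];
    uint64_t size;
    uint64_t digest;
} fingerprint_t;

typedef struct {
    fingerprint_t entries[WHITELIST_MAX];
    int count;
} whitelist_t;

/* Stand-in digest (FNV-1a, 64-bit). Real deployments: SHA-1 or stronger. */
static uint64_t digest_bytes(const unsigned char *data, size_t len)
{
    uint64_t h = 14695981039346656037ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Fingerprint one program image as (path, size, digest). */
fingerprint_t fingerprint(const char *path, const unsigned char *data, size_t len)
{
    fingerprint_t fp;
    memset(&fp, 0, sizeof fp);
    strncpy(fp.path, path, PATH_MAX_LEN - 1);
    fp.size = len;
    fp.digest = digest_bytes(data, len);
    return fp;
}

/* Whitelist generation: run once while the endpoint is in a known-clean
 * state; entries are limited to what is installed on this endpoint. */
int whitelist_add(whitelist_t *wl, fingerprint_t fp)
{
    if (wl->count >= WHITELIST_MAX) return 0;
    wl->entries[wl->count++] = fp;
    return 1;
}

/* Exec-time enforcement: allow only when all three factors match one entry.
 * Unknown, relocated and modified images are all denied. The cheap checks
 * (path, size) run first so the digest is only computed for a candidate. */
int exec_allowed(const whitelist_t *wl, const char *path,
                 const unsigned char *data, size_t len)
{
    for (int i = 0; i < wl->count; i++) {
        const fingerprint_t *e = &wl->entries[i];
        if (strcmp(e->path, path) != 0) continue;
        if (e->size != len) continue;
        if (e->digest != digest_bytes(data, len)) continue;
        return 1;
    }
    return 0;
}

/* Constructed images standing in for real program files. */
static const unsigned char SSH_V1[]  = "ssh-binary-v1";
static const unsigned char SSH_V2[]  = "ssh-binary-v2";   /* same size, patched */
static const unsigned char AGENT[]   = "agent-binary";
static const unsigned char DROPPER[] = "dropper";
#define IMG(x) (x), (sizeof(x) - 1)

void build_sample_whitelist(whitelist_t *wl)
{
    wl->count = 0;
    whitelist_add(wl, fingerprint("/usr/bin/ssh",   IMG(SSH_V1)));
    whitelist_add(wl, fingerprint("/opt/app/agent", IMG(AGENT)));
}

int main(void)
{
    whitelist_t wl;
    build_sample_whitelist(&wl);
    printf("known image at known path : %d\n", exec_allowed(&wl, "/usr/bin/ssh", IMG(SSH_V1)));
    printf("patched image, same size  : %d\n", exec_allowed(&wl, "/usr/bin/ssh", IMG(SSH_V2)));
    printf("known image, relocated    : %d\n", exec_allowed(&wl, "/tmp/ssh",     IMG(SSH_V1)));
    printf("dropped unknown image     : %d\n", exec_allowed(&wl, "/tmp/payload", IMG(DROPPER)));
    return 0;
}
```

Only the first request is allowed. The patched image is caught by the digest even though path and size still match, the relocated copy is caught by the pathname factor, and a dropped payload matches nothing, which is the point of a list that admits only what was fingerprinted on this endpoint rather than everything a central database has ever seen.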

(17) Andreas Marx and Maik Morgenstern; Anti‑Stealth Fighters Testing for Rootkit Detection and Removal; Virus Bulletin; April 2008. (http://www.av-test.org/down/papers/2008-04_vb_rootkits.pdf)

“The greatest strength of BOUNCER’s technology is that it protects unpatched vulnerabilities from exploitation, effectively neutralizing zero-day threats.”

“…review on Windows Vista only included ‘pure’ anti-virus programs. The tools were last updated and frozen on 2 October 2007. To our surprise, the detection rate of inactive samples reached just 90% on average, even though most of the rootkits used were released during 2005 and 2006. Only four of the six installed rootkits could be detected by an average tool and the cleaning rate was even lower with 54%.”(17)

– Andreas Marx and Maik Morgenstern, av‑test.org

Page 7

Cybercrime At-a-Glance

The supercell cloud that will spawn the tornado of hypergrowth and huge profits for the cybercrime industry contains all of the cybercrime business segments. Cybercriminals target specific organizations at times; however, they are opportunists and collect rainfall whenever and wherever they can. Table 2 provides an at‑a‑glance view of some of their activities.(18)(19)(20)(21)(22)(23)(24)(25)

Table 2. Cybercrime at-a-glance

AV-Test.org figures (18)                                    2005        2006        2007
  MD5-unique malware samples                             333,000     972,000   5,490,000
  Unique AV updates in 45 AV products                    111,566     134,484     148,869
  Total size of AV updates in 45 AV products              520 GB      1.0 TB      1.6 TB

Chances of becoming a cybervictim (19)                   1 in 4 US citizens (2007)
Cybercriminal's chances of getting convicted (20)        1 in 7,000, although it could be as low as 1 in 600,000
Identity fraud victims (21)                              8.4 million US citizens (2007); total fraud of $50 billion;
                                                         victims spend 25 hours (avg.) to resolve a case
Identity theft cost to consumers and businesses (21)     $49.3 billion (2007)
Stolen identity value to cybercriminal (19)              $14–$18 per identity (2006)
Newly activated zombies (22)                             355,000 per day (1Q 2008)
Spam as a share of all e-mail (22)                       60%–94% (1Q 2008)
Spam sent from zombies (23)                              80% (1Q 2008)
Botnet uses (23)                                         #1 use: sending spam; #2 use: DDoS attack;
                                                         other ways to make money: sell or lease the botnet
Top spam-sending countries (24),                         United States 33.03%; Russian Federation 5.64%; Germany 5.47%;
  12-month view (06/03/07–06/03/08)                      United Kingdom 4.29%; China 3.78%; Other 47.79%

(18) Andreas Marx; Malware vs. Anti‑Malware: (How) Can We Still Survive?; Virus Bulletin; February 2008. (http://www.av-test.org/down/papers/2008-02_vb_comment.pdf)

(19) www.consumerreports.org; Net threats: Why going online remains risky; September 2007. (http://www.consumerreports.org/cro/electronics‑computers/computers/internet‑and‑other‑services/net‑threats‑9‑07/overview/0709_net_ov.htm)

(20) Ben Worthen; Laws Go Soft on Hackers; The Wall Street Journal Business Technology Blog; February 22, 2008. (http://blogs.wsj.com/biztech/2008/02/22/laws‑go‑soft‑on‑hackers/trackback/)

(21) Javelin Strategy and Research; Press Release: Group Imagines ‘Ideal’ Credit Card; May 27, 2007. (http://www.javelinstrategy.com/2008/05/27/group‑imagines‑ideal‑credit‑card/)

(22) Commtouch Software; Q1 2008 Email Threats Trend Report: Zombies Depend on the Kindness (and IT Resources) of Others; April 7, 2008. (http://www.commtouch.com/site/Resources/documentation_center.asp)

(23) Vitaly Kamluk; The botnet business; viruslist.com; May 13, 2008. (http://www.viruslist.com/en/analysis?pubid=204792003)

(24) Commtouch Software; Top Spam‑Sending Countries; 12 Months View; June 3, 2008. (http://www.commtouch.com/Site/ResearchLab/statistics.asp)

(25) Martha Neil; Cyber Crime Does, Increasingly, Pay; ABA Journal; December 20, 2007. (http://www.abajournal.com/news/cybe_crime_does_increasingly_pay/)

“Just like legitimate businesses, cyber criminals today are trying to put themselves front-and-center on millions of computer screens. ‘The attackers are now following the same path that businesses have, in trying to advertise themselves in their own special way on the more popular Web sites,’ says Tom Liston, who works with SANS Internet Storm Center…They’re doing exactly what every business tries to do, which is to find innovative ways to get themselves out in front of as many eyeballs as possible…”(25)

– Martha Neil ABA Journal

Page 8

Cybercrime Tools and Techniques

Cybercrime is a global industry with low start‑up costs and, ironically, unless typing into a web form is considered a computer skill, no computer skills are necessary. Cybercriminals form a well-integrated community that shares and trades information, and they have many tools and techniques at their disposal, discussed below.

- Writing Viruses: A brilliant virus writer can make a decent living working at home and selling new malicious tools online to the highest bidder. Even the less brilliant virus writers can earn a living. There are many places on the web where cybercriminals post source code for new viruses for other people to use. There is no law against doing so, which means that anyone can download source code for a virus, modify it, and then send it out to do its work. Analysis of widely circulated viruses of the past five years shows that sections of them were copied from earlier viruses.

- Discovering Vulnerabilities: Cybercriminals research diligently to find new ways to break into endpoints, particularly those running Windows®. Discovering vulnerabilities is rewarding because new exploits can be auctioned on the Internet (see Figure 1).

Figure 1. Vulnerabilities are for sale on the Internet

- Developing Software: Cybercriminals run software development businesses for software products such as collections of exploits for breaking into endpoints and utilities to use once access is gained (such as remote control capabilities and keyloggers). They sell the software online using the same marketing and customer support techniques as mainstream software companies, such as segmentation into software editions and offering product support and product upgrades (see Figure 2).(26)

(26) Ratter/29A; Gaining passwords; 29A Labs; zines; Issue 6; 2002. (This URL is for informational purposes; we strongly recommend that you do not visit the 29A Labs website. http://vx.netlux.org/29a/29a‑6/29a‑6.225)

“If you make these steps the NT box is opened for everyone…Even if you don’t plan to write NT viruses at least add to your babes a code for adding SeDebugPrivilege to Everyone. Then it makes it easier for other viruses to infect the machine - remember your fellow coders too :))).”(26)

– Ratter/29A 29A Labs

Page 9

Figure 2. Professionally marketed malware kits are for sale on the Internet

- Build Attack Environments: Script kiddies are teenagers without the engineering talent to carry out sophisticated attacks, but who can acquire powerful software tools online and buy the capability to assemble attack environments. To get started, all that is needed is a comprehensive hacker software development kit (SDK) that costs about $320 (see Figure 3) and a few viruses to sprinkle into the Internet. Virus source code can be downloaded for free, but specific viruses that are guaranteed to get past Endpoint Security v1.0 products like McAfee® Active VirusScan®, Norton Antivirus, Kaspersky® Anti‑Virus, etc., are for sale on the Internet (see Figure 4). With a budget of $1,000 to $5,000, Trojans are available that are purposely built to steal credit card data and e-mail it to a specific address.

“It’s comforting to know, should you want to become a Black Hat, that the barriers to entering the trade are much lower now. It’s true that you’ll never become a “legendary Black Hat” if you can’t cut a little C++ code. Nevertheless, out there on the Internet there are web sites where you can buy fully functional software for launching exploits that others have written for you. Yes, there are indeed hacker‑devoted software products freely available for purchase by anyone capable of installing software. $200 or so should buy you something useful (including updates).”(27)(28)(29)

Figure 3. Malware SDKs are for sale on the Internet

(27) Robin Bloor; 10 reasons why the Black Hats have us outgunned; The Register; June 13, 2007. (http://www.theregister.co.uk/2007/06/13/black_hat_list/)

(28) Mxatone and IvanLeFou; Stealth Hooking: another way to subvert the Windows kernel; Phrack Magazine; Issue 65; April 12, 2008. (http://www.phrack.com/issues.html?issue=65&id=4#article)

(29) Dan Goodin; Rent‑a‑bot gang rises from the DDoS ashes; Channel Register; March 13, 2008. (http://www.channelregister.co.uk/2008/03/13/loadscc_rises_again/)

“That’s how the war between rk[rootkit]-makers and anti-rk-junkies began, trying to find the best way, the best area, for hooking critical operating system features…In the wild the rk are used most of the time for lame mail spamming or botnets.”(28)

– Mxatone and IvanLeFou Phrack Magazine

“A notorious malware gang that rented out botnets by the hour has resurfaced after being knocked off line two months ago by a rival band of criminals…The gang came to prominence by renting out a botnet that fellow online criminals could use to install and maintain their malware. In October, it boasted more than 35,000 infected machines…Prices ranged from $110 to $220 per thousand infections depending on where they were located. The group was taken offline in January following a DDoS attack by a rival gang wielding a Barracuda botnet.”(29)

– Dan Goodin Channel Register


Figure 4. Malware to avoid detection by specific Endpoint Security v1.0 vendors is for sale on the Internet

• Assemble or Rent Botnets—Cybercriminals assemble botnets (i.e., networks of compromised endpoints) to amass a huge amount of highly distributed computing power to use in their activities. If they assemble a large number of endpoints, they can rent them out for about $0.20 per endpoint per day. Remarkably, botnets of more than one million endpoints have been assembled.

Botnets are not without maintenance: as owners discover and clean compromised endpoints, the botnet needs replenishment. Cybercriminals use the botnet itself to send out Trojans that open a backdoor on a newly infected endpoint, allowing the cybercriminal’s scanning software to gain access and add it to the botnet.

The botnet industry is well developed, offering low start‑up costs and easy implementation. Botnets are now a turnkey business with one‑stop shopping for all the essentials: bot software; anonymous hosting services to set up a command and control (C&C) center (complete with support and a guarantee that log files are inaccessible to law enforcement); and ready-to-use botnets. Additionally, installing the C&C software only requires the new entrepreneur to fill in a few form fields.

• Spamming—There are a host of different spam scams: phishing for financial information, 419 (advance-fee) lottery scams, the share tip scam, and direct ads for pharmaceuticals, insurance, and porn (e‑mail addresses harvested from replies are sold on as sales leads). Spamming is illegal in many countries, but spamming operations cannot be easily or reliably traced, so this commercial arrangement persists.

• Running Websites—Cybercrime‑run websites may provide Trojans in the guise of free computer games or pornography, or malware disguised as music or video files, or may directly attempt to infect an endpoint upon access (known as a drive‑by download). Some websites are spoof sites pretending to be banks or retailers. Cybercrime businesses drive traffic to their websites through mass e-mail campaigns, by altering browser settings on a compromised endpoint, or by invading domain name servers and altering their records so that legitimate names resolve to the criminal’s site.

• Stealing Identities—What’s a cybercriminal to do with a stolen file of thousands of credit card records? Rather than try to exploit it on their own, cybercriminals sell the data for around $14–$18 per credit card record, or around $500 if the PIN is also obtained. In addition to selling credit card information, cybercriminals sell data from US Social Security cards, birth certificates, bills/invoices, and driver’s licenses, all of which can be used to set up fraudulent bank accounts.(30)

(30) Thomas Claburn; International Cybercrime Ring Busted; InformationWeek; May 19, 2008. (http://www.informationweek.com/story/showArticle.jhtml?articleID=207801060)

“bro this are from my spam…super fresh… I will spam more...spammed like hell…used 7 remote desktops and 13 smtp servers… 5 root…sent over 1.3 million emails.”(30)

– Thomas Claburn InformationWeek


• Providing Independent Contracting/Consulting Services—Legitimate businesses hire cybercriminals to damage the competition. There is no way to tell whether a virus attack or a denial of service (DoS) attack has a third-party sponsor, but if intellectual property is stolen, a competitor may be the sponsor. The Russian Business Network is the most famous cybercriminal business and it is for hire; it is rumored that its software engineering expertise is so great that governments hire its services.

On the other side of the fence, there are ethical‑hacker consultancies that are hired to attack a network to test its security level. Banks regularly hire ethical hackers, known as white‑hat hackers, to fortify their security, but few other organizations do.

• Covering Their Tracks—The only link that ties a cybercriminal to an attack is the communication from an endpoint they own to their botnet’s command and control, so if they communicate over public WiFi they are very difficult to trace. Furthermore, cybercriminals prefer to attack targets on foreign soil because they are much less likely to get caught: national police forces find it very difficult to work together, even when evidence surfaces of who is behind specific attacks.

• Banking Offshore—Cyberextortion pays well, and the money is typically passed through offshore accounts in the Cayman Islands. Ransom fees paid to end a DoS attack typically range from $10,000 to $50,000 depending on the size of the company under attack.

Cybercrime Levels of Threat

There are three cybercrime threat levels that IT security measures need to address: background noise, opportunistic attacks, and focused attacks. While companies need to combat background noise, the real threats are opportunistic and focused attacks.

Background Noise

Background noise is the aggregate of all automated attempts by cybercriminals to gain access to endpoints across the world; it subverts hundreds to thousands of endpoints daily. An unprotected endpoint connected to the Internet is probed within seconds. Cybercriminals run scanners that sweep specific Internet address ranges looking for known access points, such as already compromised endpoints (i.e., endpoints with open backdoors left by a virus), to add to their botnet. Consequently, some endpoints belong to more than one botnet.

Opportunistic Attacks

Just like any other IT manager, a cybercriminal tries to maintain a stable, reliable network, in this case a botnet, and will put great effort into making the penetration of each endpoint difficult to detect.

The endpoints subverted through background‑noise activities may include a business endpoint that is valuable to a cybercriminal if it has resources such as high‑bandwidth Internet connections. The goal is to take control of resources and use compromised endpoints as spam generators, or rent them out, or set up transient websites on them. Instances of cybercriminals running spam broadcast sessions overnight from corporate endpoints when the company’s network is less active have gone undiscovered for months.

A cybercriminal may load a keylogger on a compromised endpoint to catch a password from the keyboard and use it to rifle the local e-mail file for e-mail addresses or use the local search capability to locate personal financial information.

There is an increase in establishing rootkits on compromised endpoints because it is a cybercriminal’s most reliable means of retaining control of an endpoint even after attempts have been made to clean it of all malware.(31)

(31) Andreas Marx and Maik Morgenstern; Anti‑Stealth Fighters Testing for Rootkit Detection and Removal; Virus Bulletin; April 2008. (http://www.av-test.org/down/papers/2008-04_vb_rootkits.pdf)

“Malware is becoming more and more complex every day. The number of newly discovered malware samples is skyrocketing, but that’s not the only challenge for the AV industry. In most cases, we’re looking at malware that is built in a modular way, with plug-ins that support new features such as hiding the malware’s presence from the user and from AV products. While it is easy for a good signature-driven product to find a known sample that has not yet been activated, it is becoming increasingly challenging to detect the sample once it is running and trying to hide itself and other malicious components. On the Windows platform the hidden objects usually include services and processes, registry keys and values, as well as directories and files.”(31)

– Andreas Marx and Maik Morgenstern

av‑test.org


Focused Attacks

Focused attacks are clearly the worst threat. In a focused attack, cybercriminals target a specific IT network with the intent to cause disruptive damage, steal data, compromise intellectual property, or perpetrate some kind of fraud. An additional aspect of focused attacks is that the cybercriminals take their time and compromise systems slowly, resulting in an attack that is extremely hard to detect.

Commonly in focused attacks, cybercriminals have the inside help of a malicious insider that may provide information on security products and how the IT network is configured, or provide passwords, or open a backdoor into the network. Because few organizations keep comprehensive endpoint‑activity logs, it’s hard to prove whether a malicious insider was involved in an attack; however, it is probable in cases where the cybercriminals know exactly how to pull off a sophisticated computer fraud or exactly which data files to steal.

Buffer Overflow + Rootkit

Buffer overflow + rootkit is a very popular malicious combination that is providing sustained revenue streams for the cybercrime industry and is fueling the industry’s hypergrowth stage inside the tornado.

Access Vector: Buffer Overflow Used to Inject Code

Code injection uses software errors to inject code into programs already running on an endpoint. The most common method of code injection, and one of the most difficult to stop, is the buffer overflow: more data is written to a buffer than it can hold, the excess overwrites the memory adjacent to the buffer (a saved return address, a function pointer, or other control data), and the program is redirected into code the cybercriminal supplied.

Programs define memory areas called buffers to accept data from a user or another program, and each buffer is declared with a fixed size. For example, a name field that permits 30 characters is given 30 bytes of memory. Correct code checks the length of incoming data and rejects or truncates anything beyond the 30 characters it has room for. Unfortunately, a great deal of software does not: it copies whatever it is sent with an unbounded routine such as strcpy() or gets(), and the excess bytes are written past the end of the buffer into whatever sits next to it in memory. On the stack, that is typically the function’s saved return address (or a nearby function pointer). To exploit this, the cybercriminal sends an input that contains shellcode (a short machine-code program) together with enough padding that the bytes landing on the return address point back at that shellcode; when the function returns, the processor jumps to the attacker’s code instead of the caller, and the injected program runs with the privileges of the process it overflowed.

Finding such a defect can be as simple as trial and error: the cybercriminal sends unusually large or malformed inputs to each place the program accepts data (today this is automated as fuzzing) and watches for crashes. Many buffer overflow defects in the Windows operating system (OS) were found by cybercriminals simply experimenting with the software. The search is easier still with access to the program source code, which lets the attacker inspect every point where input is copied into a fixed-size buffer.
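The overflow described above, in code. This is an added example, not the whitepaper’s or CoreTrace’s code: it uses the 30-byte name field from the text and, as a reproducible stand-in for the saved return address, places a trusted flag immediately after the buffer in a struct of the editor’s own making; the attacker input is constructed. The vulnerable setter copies with strcpy()-style semantics and no length check, so the 31st byte of input lands on the flag; the hardened setter measures first and refuses anything that does not fit with its terminator.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 30   /* the 30-character name field used in the text */

/* Constructed layout for this demonstration (not from the whitepaper): a fixed
 * size name buffer with a trusted flag placed immediately after it, plus slack
 * so the copy's terminating NUL stays inside the struct. An unchecked copy that
 * runs past name[] lands on is_admin. In a real exploit the bytes past the
 * buffer overwrite a saved return address or function pointer instead, and the
 * redirected control flow lands in shellcode sent in the same input; the
 * mechanism, writing beyond the buffer into whatever is adjacent, is the same. */
struct record {
    char name[NAME_LEN];
    unsigned char is_admin;   /* trusted flag: no interface ever lets input set it */
    unsigned char slack[7];
};

/* Deliberately unchecked copy with strcpy()/gets() semantics: it copies until
 * it sees a NUL terminator and never looks at the destination size. */
static void unchecked_copy(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0') {
    }
}

/* Vulnerable version: "just accept whatever is sent". */
static void vulnerable_set_name(struct record *r, const char *input)
{
    unchecked_copy(r->name, input);
}

/* Hardened version: measure first, refuse anything that does not fit together
 * with its terminator, and only then copy. Returns 0 on success, -1 when
 * rejected (nothing is written in that case). */
static int safe_set_name(struct record *r, const char *input)
{
    size_t n = strlen(input);
    if (n >= NAME_LEN)
        return -1;
    memcpy(r->name, input, n + 1);
    return 0;
}

/* Constructed attacker input: exactly NAME_LEN filler bytes, then one byte of
 * 0x01 that is written one past the end of name[], i.e. onto is_admin. */
static const char ATTACK_INPUT[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"   /* 3 x 10 = 30 bytes of filler */
    "\x01";                                  /* lands on is_admin */

/* Feed the attack to the vulnerable setter and report is_admin afterwards.
 * Returns 1: the attacker flipped a flag the program never exposed. */
int demo_vulnerable(void)
{
    struct record r;
    memset(&r, 0, sizeof r);
    vulnerable_set_name(&r, ATTACK_INPUT);
    return r.is_admin;
}

/* Feed the same attack to the hardened setter. Returns 1 when the input was
 * rejected and is_admin is still 0, i.e. the overflow was stopped. */
int demo_hardened(void)
{
    struct record r;
    memset(&r, 0, sizeof r);
    int rc = safe_set_name(&r, ATTACK_INPUT);
    return (rc == -1 && r.is_admin == 0) ? 1 : 0;
}

/* A legitimate 29-character name still fits the hardened setter.
 * Returns 1 when it is accepted and stored intact with its terminator. */
int demo_legit_name(void)
{
    struct record r;
    memset(&r, 0, sizeof r);
    const char *name = "Ada Lovelace, Analytical Eng."; /* 29 characters */
    if (safe_set_name(&r, name) != 0)
        return 0;
    return strcmp(r.name, name) == 0 && r.is_admin == 0;
}

int main(void)
{
    printf("vulnerable setter: is_admin after attack = %d\n", demo_vulnerable());
    printf("hardened setter:   attack rejected       = %d\n", demo_hardened());
    printf("hardened setter:   legitimate name kept  = %d\n", demo_legit_name());
    return 0;
}
```

The hardened setter fixes the defect by the rule the text states: decide whether the data fits before a single byte is copied. Truncating with strncpy() would also stop the overflow but silently changes the data and can leave the field unterminated; rejecting over-long input is the safer default when the field has a defined maximum.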

Another common way to find exploitable buffer overflows is to analyze the patches released by OS and application vendors: comparing the patched and unpatched binaries reveals exactly which code was changed, and therefore where the defect was. This process has become so automated that when Microsoft releases security patches on Patch Tuesday (handing less sophisticated virus developers a pointer saying “hack me here!”), cybercriminals are exploiting systems that have not yet applied them on Hack Wednesday.(32)

Payload: Rootkit Used to Obtain and Retain Control

Once access to an endpoint is gained, cybercriminals install a rootkit to take control of the endpoint and to retain control so they can load the software needed to carry out their schemes at their convenience. Rootkits are either kernel-mode or user-mode (non-kernel-based).

(32) Ben Worthen, Data Breach of the Day: Britney Spears Edition; The Wall Street Journal Business Technology Blog; March 17, 2008. (http://blogs.wsj.com/biztech/2008/03/17/data-breach-of-the-day-britney-spears-edition/trackback/)

“In fact, the malicious insider sounds like some sort of bogeyman to hear these security pros talk about it. But lest you think the threat is more imagined than real, consider that among companies that experienced a data breach in 2006, 23% said the culprit was an insider, according to a survey by the Computing Technology Industry Alliance.”(32)

– Ben Worthen The Wall Street Journal

Business Technology Blog


Kernel-mode rootkits run inside the OS kernel, at the processor’s most privileged level (ring 0), which sits above any user account, including administrator or root. From there the rootkit can alter what every other program sees: it can hook system call tables and kernel data structures to hide its own files, processes, and registry keys from the endpoint utilities that list them, hide the other programs the cybercriminal plants, and change access rights and permissions to cover the traces of their activity. That is why kernel-mode rootkits are very difficult to detect once installed.

User-mode (non-kernel) rootkits operate in user space, typically by patching or replacing user-level libraries and system utilities, and run with the privilege of the account whose credentials were used to install them.

Some rootkits are known and can be detected by a scanning program; that defense does not work for a newly written rootkit. An established rootkit is usually found by comparing the suspect endpoint, file by file, against a known clean endpoint (with full administrator rights on both). Because a running rootkit can lie to the very tools doing the comparison, this is difficult to organize and difficult to carry out reliably while the endpoint is running.

Endpoint Security v2.0

Cybercriminals are well armed, well skilled, and well motivated, so how can an organization protect itself? Fortunately, despite the prolific cyberattack vectors, tools, and strategies, the majority of cyberattacks can be stopped dead in their tracks if the right approach is taken to defending the IT network; that is, Endpoint Security v2.0.

Endpoint Security v1.0 vs. v2.0

Endpoint Security v1.0, with its multiple layers of reactive antivirus and blacklisting databases, security patches, and personal firewalls (all of which slow performance and add significant cost to network operations), can’t defeat today’s known rootkit threats or unknown threats (i.e., zero-day attacks from malware, rootkits, and buffer overflows), let alone tomorrow’s.

Endpoint Security v2.0 is proactive, whitelist‑based, provides enforcement from within the kernel, and is predicated on three core tenets:

• Control what you know.
• Control at the lowest possible level.
• Control transparently.

BOUNCER by CoreTrace™

BOUNCER by CoreTrace™ takes a revolutionary 180°-shifted approach to endpoint security, providing a unique Endpoint Security v2.0 solution that defeats today’s, tomorrow’s, next year’s… known and unknown threats; finally, efficiently, effectively, BOUNCER stops the madness.

BOUNCER leverages Endpoint Security v2.0’s three core tenets to provide the capabilities listed below for PCs, servers, and embedded systems.

• Preventing unauthorized programs and processes from running.
• Preventing rootkit establishment.
• Stopping code injected via buffer overflow from running and stopping further memory corruption.
• Preventing system configuration modification by staff members, malicious insiders, and malicious outsiders.
• Securing the endpoint transparently to end users.
• Providing ease‑of‑use to the operational staff.(33)

(33) Rajaat/29A; Strategic Alliances? Bring ‘em on, we love ‘em!; 29A Labs; zines; Issue 2; 1998. (This URL is for informational purposes; we strongly recommend that you do not visit the 29A Labs website. http://vx.netlux.org/29a/29a-2/29a-2.2_a)

“Strategic Alliances? Bring ‘em on, we love ‘em!...So they want to combine their engines...That’s a great idea! This will be much tougher to defeat....That’s right guys. 1 + 1 = 1 in this case ;-) Stopped laughing yet? Ok…these antivirus engines combined can result in a really difficult to beat antivirus product, but there is also a positive side for us, virus authors. This “Strategic Alliance” also means that in the future we do have to concentrate on one product less! Yes, they are right in respect that it is harder to beat this combined product, but it will certainly take less time than testing your virus on 2 completely different products, let alone the fact that it costs you a lot more time to write retro structures against 2 antivirus products instead of one. Afterthought: Should we also take action and form “Strategic Alliances” with other groups?”(33)

– Rajaat/29A 29A Labs


Core Tenet #1—Control What You Know

Control what you know; what else can you control? Blacklists pursue the flawed strategy of trying to control that which is unknowable, and, as a result, are locked in a zero‑day‑threat race they can never win (while being paid well for it). Conversely, controlling what you know, that is, controlling the authorized applications used by an endpoint so that you can be indifferent to the rest, is the principle that underpins BOUNCER’s whitelisting strategy.

BOUNCER creates a whitelist of authorized programs (i.e., a list of fingerprints) that it uses to recognize (i.e., identify and validate) an authorized program as it loads. Each authorized program’s fingerprint is comprised of the triple play of the following integrity checks: file digest (SHA-1 hash; SHA-1 has since lost its collision resistance, and a current deployment would use SHA-256 or stronger), file location (pathname), and file size.

When an unauthorized program tries to load (e.g., a virus from an e‑mail attachment, a program copied onto an endpoint by an authorized user, or a program copied onto an endpoint through a vulnerability), BOUNCER simply does not allow it to execute, thereby defeating the vast majority of threats, including Trojans that overwrite authorized files (the overwritten file no longer matches its recorded fingerprint).

The greatest strength of BOUNCER’s technology is that it blocks the exploitation of unpatched vulnerabilities, effectively neutralizing zero‑day threats: if a vulnerability is unpatched and exploited, the malicious program or injected code is stopped anyway. The vulnerability itself remains, but the pressure of Hack Wednesday goes away, and there is time to test patches and deploy them on your own schedule.

BOUNCER’s leveraging of control what you know results in significant IT cost savings. IT departments that use BOUNCER can say goodbye to the following and say hello to a little sanity:

• Zero‑day threats.
• Malware, Trojans, viruses/worms, bots, keyloggers, adware, and spyware.
• Reactive security patching (patch for features you need on your schedule and have time to fully test patches).
• Chronic signature updating.
• Technology stacks, pattern matching, and behavioral heuristics (including the impact of false positives and prolonged learning periods typical of behavioral solutions).

Core Tenet #2—Control at the Lowest Possible Level

Most sophisticated attacks target the kernel; therefore, that is where the battle lies (only security software that itself runs in the kernel can reliably deliver the controls that IT requires).

BOUNCER loads into the kernel very early and performs the following functions:

• Allocates resources only to authorized applications.
• Locks down the process table and keeps track of pointers.

BOUNCER leverages control at the lowest possible level to defeat the following threats:

• Rootkit establishment.
• Injected code via buffer overflow (even in authorized applications).
• System configuration modification by staff members, malicious insiders, and malicious outsiders.
• Direct kernel memory read and write from user space.(34)(35)

(34) Sinan “noir” Eren; Smashing The Kernel Stack For Fun And Profit; Phrack Magazine; Issue 60; December 28, 2002. (http://www.phrack.com/issues.html?issue=60&id=6#article)

(35) kad; Handling Interrupt Descriptor Table for fun and profit; Phrack Magazine; Issue 59; July 28, 2002. (http://www.phrack.com/issues.html?issue=59&id=4#article)

“Userland applications are usually executed in ring3. The kernel on the other hand is executed in the most privileged mode, ring0. This grants the kernel full access to all CPU registers, all parts of the hardware and the memory. Without question this is the mode of choice to start some hacking.”(35)

– kad Phrack Magazine

“This article is about recent exposures of many kernel level vulnerabilities and advances in their exploitation which leads to trusted (oops safe) and robust exploits…to prove kernel land vulnerabilities such as stack overflows and integer conditions can be exploited and lead to total control over the system, no matter how strict your user land (i.e., privilege separation) or even kernel land (i.e., chroot, systrace, securelevel) enforcements are… I also…contribute to the newly raised concepts (greets to Gera) of fail-safe and reusable exploitation code generation.”(34)

– Sinan “noir” Eren Phrack Magazine


Preventing Rootkit Establishment

A cybercriminal’s goal is to obtain and retain control of the endpoints they gain access to for as long as possible, to maximize their profit margins, and the rootkit is the tool for that: once installed, it keeps the cybercriminal in control so they can load the software needed to carry out their schemes at their convenience.

As soon as the OS boots, a BOUNCER process runs within the kernel and oversees all activities of every other process that runs. If a rootkit attempts to establish itself within a BOUNCER‑secured kernel, this zero‑day threat has zero time‑to‑live—BOUNCER will recognize it as unauthorized and it will be DOA.

Many rootkits are also Trojans masquerading as legitimate OS files. Sometimes the malicious code is embedded in a legitimate OS file that still functions normally, so the file’s name and even its size may be unchanged. Because BOUNCER’s whitelist is based on a fingerprint comprised of a triple play of integrity checks, file digest (SHA-1 hash), file location (pathname), and file size, such a file no longer matches its recorded digest: it is revealed as unauthorized and is not permitted to run.
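An added example, not the whitepaper’s or BOUNCER’s own code, of the load-time decision that Core Tenet #1 and the paragraph above describe: a program may run only if digest, pathname and size all match a whitelist entry. Everything here is constructed: the program images are short byte strings standing in for binaries, the paths are made up, and the digest is 64-bit FNV-1a rather than the SHA-1 the product uses, chosen only so the block runs without a crypto library (FNV-1a is not collision resistant and is no substitute in a real whitelist). The three scenarios show the authorized file being allowed, a patched copy with the same name and size being denied by the digest, and a genuine copy moved to another directory being denied by the pathname.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One whitelist entry: the triple from the text, digest + pathname + size. */
struct fingerprint {
    uint64_t digest;
    char path[64];
    size_t size;
};

/* Digest stand-in. The product hashes with SHA-1; to keep this example free of
 * any crypto library it uses 64-bit FNV-1a instead. FNV-1a is NOT collision
 * resistant and is here only so the example runs; a real whitelist needs a
 * cryptographic hash (SHA-256 today). */
static uint64_t digest_bytes(const unsigned char *data, size_t len)
{
    uint64_t h = 14695981039346656037ULL;   /* FNV-1a 64-bit offset basis */
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 1099511628211ULL;              /* FNV-1a 64-bit prime */
    }
    return h;
}

/* Fingerprint an image as seen at load time: its bytes, its path, its size. */
static void make_fingerprint(struct fingerprint *f, const char *path,
                             const unsigned char *image, size_t len)
{
    f->digest = digest_bytes(image, len);
    strncpy(f->path, path, sizeof f->path - 1);
    f->path[sizeof f->path - 1] = '\0';
    f->size = len;
}

/* Load-time decision: the image at `path` may run only if all three checks
 * match one entry. Anything else, including a correctly named file of the
 * right size whose bytes differ, is denied. Returns 1 = allow, 0 = deny. */
int whitelist_allows(const struct fingerprint *wl, size_t n,
                     const char *path, const unsigned char *image, size_t len)
{
    struct fingerprint f;
    make_fingerprint(&f, path, image, len);
    for (size_t i = 0; i < n; i++) {
        if (wl[i].size == f.size &&
            wl[i].digest == f.digest &&
            strcmp(wl[i].path, f.path) == 0)
            return 1;
    }
    return 0;
}

/* Constructed stand-ins for program images (not real binaries). TROJAN_IMAGE
 * has the same length as GOOD_IMAGE with a single byte changed ('o' -> '0'),
 * the "embedded in a legitimate file that still functions" case. */
static const unsigned char GOOD_IMAGE[]   = "MZ legit-tool v1.0: do useful work";
static const unsigned char TROJAN_IMAGE[] = "MZ legit-tool v1.0: do useful w0rk";
#define IMG_LEN(a) (sizeof(a) - 1)

static const char *AUTHORIZED_PATH = "C:\\Windows\\System32\\legit-tool.exe"; /* made up */
static const char *USER_PATH       = "C:\\Users\\Public\\legit-tool.exe";     /* made up */

/* Whitelist with one entry: the genuine tool at its installed location. */
static size_t build_whitelist(struct fingerprint *wl)
{
    make_fingerprint(&wl[0], AUTHORIZED_PATH, GOOD_IMAGE, IMG_LEN(GOOD_IMAGE));
    return 1;
}

/* Authorized program at its recorded path: allowed (returns 1). */
int scenario_authorized(void)
{
    struct fingerprint wl[1];
    size_t n = build_whitelist(wl);
    return whitelist_allows(wl, n, AUTHORIZED_PATH, GOOD_IMAGE, IMG_LEN(GOOD_IMAGE));
}

/* Trojanized copy: right name, right size, different bytes. Path and size
 * alone would pass; the digest denies it (returns 0). */
int scenario_trojan_same_size(void)
{
    struct fingerprint wl[1];
    size_t n = build_whitelist(wl);
    return whitelist_allows(wl, n, AUTHORIZED_PATH, TROJAN_IMAGE, IMG_LEN(TROJAN_IMAGE));
}

/* Genuine bytes copied to a user-writable directory: the pathname is part of
 * the fingerprint, so the copy is denied (returns 0). */
int scenario_moved_copy(void)
{
    struct fingerprint wl[1];
    size_t n = build_whitelist(wl);
    return whitelist_allows(wl, n, USER_PATH, GOOD_IMAGE, IMG_LEN(GOOD_IMAGE));
}

int main(void)
{
    printf("authorized tool at installed path : %s\n", scenario_authorized() ? "allow" : "deny");
    printf("same-size trojanized copy         : %s\n", scenario_trojan_same_size() ? "allow" : "deny");
    printf("genuine copy moved to user dir    : %s\n", scenario_moved_copy() ? "allow" : "deny");
    return 0;
}
```

The order of the comparisons is deliberate: size and path are cheap and eliminate most non-matches before the digest is compared, but the decision is only ever “allow” when all three agree, which is what makes the same-size Trojan and the relocated copy fail.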

Once established, rootkits are very difficult to detect because they use the privilege they have gained to cover their traces (hiding themselves from the endpoint utilities that list files and report running processes) and to hide the other programs they plant on the endpoint. Known rootkits may be detected by a scanning program, but a newly written rootkit will not be; the usual alternative, comparing the suspect endpoint file by file against a known clean one with full administrator rights, is difficult to organize and to carry out while the endpoint is running.

If a rootkit is established on an endpoint (i.e., prior to being protected by BOUNCER), to completely eradicate the rootkit, the best practice is to reimage the endpoint with a known clean image. The better practice is to use BOUNCER to prevent rootkit establishment.

Stopping Code Injected via Buffer Overflow from Running

Injected code (for example, via buffer overflow) never arrives through normal file access, so a load-time whitelist check cannot see it; defeating this threat requires monitoring the code image of each running process in memory to detect changes and, when a change is detected, terminating the process.

Because BOUNCER has control at the lowest possible level, it is capable of defeating buffer overflows; furthermore, because BOUNCER’s whitelisting technology has created a controlled environment, even if the injected code manages to run for a few seconds, it will not be able to run any new programs, and it is only able to access whatever the program it injected itself into was able to access. Given BOUNCER’s unique approach to whitelisting, buffer overflows can be stopped—even in applications that are on the whitelist.

Preventing System Configuration Modification

Endpoint users unknowingly, and a malicious insider knowingly, weaken and sometimes corrupt an endpoint’s security configuration by installing unauthorized programs. BOUNCER’s self-protection mechanisms that prevent such system configuration modifications include the following:

• BOUNCER runs in the OS kernel and cannot be tampered with by the end user.
• BOUNCER Client is inaccessible to the end user, even if that user has administrator, or root, access on the endpoint.
• BOUNCER’s whitelist is encrypted.

BOUNCER Client helps to keep an endpoint compliant by maintaining its desired state throughout its lifecycle with the following measures:

• BOUNCER’s whitelisting technology ensures that an endpoint’s performance will not degrade due to typical configuration drift or cyberattack.(36)

(36) sqrkkyu and twzi; Attacking the Core: Kernel Exploitation Notes; Phrack Magazine; Issue 64; May 27, 2007. (http://www.phrack.com/issues.html?issue=64&id=6#article)

“The kernel is a big and large beast, which offers many different points of ‘attack’ and which has more severe constraints than userland exploiting. It is also ‘relatively new’ and improvements (and new logical or not bugs) are getting out. At the same time new countermeasures come out to make our ‘exploiting life’ harder and harder.”(36)

– sqrkkyu and twzi Phrack Magazine


• BOUNCER Client can periodically scan the endpoint and remove unauthorized programs copied onto the system (i.e., all programs that are not on the whitelist). The system logs the deleted files, providing a record of activity on each protected endpoint.

Preventing Direct Kernel Memory Read and Write from User Space

• BOUNCER Client securely wraps the entry points to the OS by intercepting system calls from user space and packets coming from the network card, which are processed according to file policy or network filter rules, respectively.

Core Tenet #3—Control Transparently

BOUNCER leverages control transparently to secure the endpoint transparently to end users and to provide ease‑of‑use to operational staff.

Endpoint Security v1.0 blacklists are bloated (typically millions of entries per endpoint) and grow without pause as malware proliferates. Blacklists require a large footprint in memory and on the hard drive and load the CPU: blacklist scans have a performance impact that end users notice. Moreover, because blacklists cannot be kept up to date, they miss what they do not know, leaving cybercriminals a persistent window of vulnerability to pass through.

BOUNCER’s Endpoint Security v2.0 whitelist is lean (typically containing only a few thousand entries per endpoint) and is immune to the effects and onslaughts of cybercrime. BOUNCER’s whitelist requires a very small footprint in memory and on the hard drive, and has a negligible impact on the CPU—BOUNCER is transparent to end users.

Summary

Cybercriminals have strategically leveraged their malicious-foot-in-the-backdoor buffer overflow + rootkit combination, and, as a result, there are backdoors open and opening on endpoints throughout the world that will be used to accelerate criminal activities, fueling the hypergrowth stage of the cybercrime industry.

(Buffer overflow + rootkit) × other malicious programs = malevolence²

By deploying buffer overflow + rootkit combinations en masse, cybercrime businesses are building an infrastructure of wormholes; when critical mass is reached, the chain reaction will take their industry to v3.0. Indeed, perhaps when the Russian Business Network goes missing, they are just taking a test slide to a parallel evil universe…

We appear to be knee-deep in a watershed moment in which the butterfly effect of a 180°‑shifted approach and mass deployment of Endpoint Security v2.0 could change the weather. With BOUNCER by CoreTrace™, IT departments now have a solution to defeat cybercriminals and stop the cybercrime tornado.

Endpoint Security v2.0 now or malevolence³ soon?(37)

(37) The Honorable James R. Langevin; US House of Representatives Homeland Security Committee, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology; Opening Statement—Cyber Insecurity: Hackers are Penetrating Federal Systems and Critical Infrastructure; April 19, 2007. (http://homeland.house.gov/SiteDocuments/20070419153038-21091.pdf)

“In October 2006, hackers operating through Chinese Internet servers…penetrated the computers with a “rootkit” program…In fact, Commerce has no idea how long the attackers were actually inside their systems, nor…if the attackers are still within their systems. As far as I can tell from the responses, rogue tunnel audits, authentication changes, and complete machine rebuilds have not occurred… Security authorities…are highly dubious about the success of “temporary wrappers,”…State…put in place due to the absence of a Microsoft patch for several months. Most targeted attacks involve root-kits, which cannot be detected or stopped by a “temporary wrapper.” I don’t understand, therefore, why State wouldn’t take its entire system offline for a full kernel inspection.”(37)

– The Honorable James R. Langevin, US House of Representatives Homeland Security Committee, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology


About CoreTrace

CoreTrace delivers a revolutionary approach to endpoint security with BOUNCER by CoreTrace™: the most tamperproof, scalable, and comprehensive kernel‑level application whitelisting solution. Since BOUNCER only allows authorized applications to execute, it defeats sophisticated malware attacks, including rootkits and zero‑day threats, and it neutralizes memory-based exploits like buffer overflows. With BOUNCER, companies can stop paying for annual signature updates and start patching applications on their schedule.

© 2008 CoreTrace Corporation. All rights reserved. CoreTrace and BOUNCER by CoreTrace are among the trademarks and registered trademarks of the company in the United States and other countries. All other trademarks are the property of their respective owners.
