IDG News Service - WASHINGTON -- Over the past eight months, major new hacker tools have been released or revealed, ending a lull in activity among hackers that followed the Sept. 11 terrorist attacks and the enactment of legislation that enhanced law enforcement's ability to prosecute people who break code and wreak havoc on networks by exploiting software vulnerabilities, hacking consultant Ed Skoudis said yesterday.
LibRadiate, Paketto Keiretsu, Setiri and The Defiler's Toolkit are some of the tools that have cropped up since March and are keeping security specialists awake at night, according to Skoudis, who gave a threat update briefing here at a SANS Institute Inc. conference. SANS is a security education and research organization in Bethesda, Md.
Skoudis, vice president of ethical hacking and incident response at consultancy Predictive Systems Inc. in New York, said the June-through-September period saw massive exposures of security vulnerabilities in OpenSSH, Apache Web server software and Microsoft Corp.'s Web browser Internet Explorer.
The popularity of war driving
"This summer has been a huge summer for hackers. There were huge issues discovered all summer long, and things really opened up between March and now," Skoudis said. "The golden age of hacking rolls on."
One of the latest developments involves the security of wireless LANs and the ease with which people are able to detect them. For one week in early September, amateur WLAN sniffers used freeware called NetStumbler to detect hundreds of insecure business and home WLANs in North America and Europe, in an exercise called a "war drive" (see story).
Skoudis said attackers have "flocked to this area" and are finding that many WLANs are set up without basic security. After they detect the WLAN, they can use a tool that's been available since May, called LibRadiate, an application programming interface that allows developers to easily capture, create and transmit arbitrary packets on a wireless LAN using the IEEE 802.11b standard. The tool runs on Linux (Kernel 2.4) with wireless cards that have the Intersil Corp. Prism 2 chip set, Skoudis said.
Capturing TCP/IP packets with LibRadiate
LibRadiate makes it possible for hackers using "fairly simple C code" to capture TCP/IP packets or inject them into a network, Skoudis said. Among the wireless attack tools expected to become available for use with LibRadiate, according to Skoudis, are WEP crackers, which exploit flaws in the Wired Equivalent Privacy (WEP) protocol, allowing a hacker to determine encryption keys even when WEP is in use; and malformed packet generators, which inject strange and noncompliant packets into a network in an attempt to crash systems that can't handle unusual packet structures.
"With tools like LibRadiate, the computer underground is starting to develop far more sophisticated attack tools than what we have seen in the past," Skoudis said.
Another tool, released two weeks ago, is Paketto Keiretsu, which Skoudis referred to as a suite of tools for doing TCP/IP tricks. One of its most fundamental capabilities involves rapid port scans, which it does by separating the packet sender from the receiver.
Setiri, a Trojan horse
Skoudis also described Setiri, a new Trojan horse back door. The tool can bypass personal firewalls, Network Address Translation devices, proxies and advanced firewalls by starting up an invisible browser on the victim's PC. Then Setiri, running on the victim's system, uses OLE to communicate with the hidden browser. As long as the victimized PC's browser can access the Internet, Setiri can reach across the network and get the attacker's commands.
Setiri, developed by a small group of South African security consultants and demonstrated in August at Def Con (see story), hasn't been seen in the wild yet, Skoudis said. Nevertheless, he included it in his presentation because its existence has been acknowledged within the security community and writing the code is something a moderately skilled coder could do.
Skoudis said the system strips out information about the user by going through Anonymizer.com, a Web site that offers anonymous e-mail and Web browsing, so blocking access to that site is a way of defending against Setiri. Another solution would require changes in Internet Explorer that limit the actions of an invisible browser. Skoudis said Microsoft has said it will address the matter.
'Antiforensic' Defiler's Toolkit
In the new area of "antiforensics," hackers have had access to a tool called the Defiler's Toolkit since July. It's able in a number of ways to foil the Coroner's Toolkit, a tool that has been used by computer forensic specialists for several years, Skoudis said. For example, it can destroy or hide the traces of a hack that the Coroner's Toolkit looks for. The Defiler's Toolkit targets the Linux Ext2fs file system, but Skoudis said the concept could be extended to other platforms.
Commenting on Monday's distributed denial-of-service attack on the Internet (see story), Skoudis said major U.S. law enforcement agencies are investigating, but he didn't know whether they had developed any theories about where the attack originated.
Alan Paller, director of the SANS Institute, said the attack is being characterized by security professionals as a Smurf attack that could have been much worse if all 13 root servers had been affected.
"Had it knocked out all of them, there's a reasonable expectation that over a certain amount of time ... the way that you use the Internet would have ceased to work," Paller said.
There's no easy fix for preventing DOS attacks, and the time is fast approaching when Internet service providers aren't going to allow users who don't meet a minimum standard of security on the Internet because they pose a threat to other users, Paller added.
"DOS attacks are not going to be solved because we get some new hardware in the system," Paller said. "You are going to have to re-engineer the whole Internet. That's going to take close to a decade. While we are doing that, we are going to have to start protecting ourselves from [users who] are not going to be careful."
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
