Inside the Mind of a Hacker (Page 2 of 2)
A newer trend that has been a boon to the malware profit machine is the rapid advancements being made in rootkit technology.
"Some rootkit technology we see at [McAfee's] Avert Labs is unbelievable," Kurtz said. "[We see] stuff not done in the past, [done] in new ways, [done] covertly to steal information and use it for financial fraud. From a [criminal] perspective, it's moved from, 'Let me find a vulnerability,' to, 'Let me find an application vulnerability and automate it and put it into a bot, load up pages and reinfect the client, which I can then use to populate my bot network.'"
Security researchers are closely watching out for the weaponization of two new rootkit technologies that they fear will someday contribute to the stream of money feeding into the bot economy: virtual rootkits and evil hypervisors.
"We know that the bad guys are looking for more ways to stay on systems longer, unnoticed," said Joe Telafici, vice president of McAfee's Avert Operations, in Beaverton, Ore. "The longer you stay on a machine unnoticed, the longer you can rent out your botnet or whatever."
Both evil hypervisor technology and virtual rootkits, seen only in proof-of-concept code to date, allow malware authors to stay on a machine, undetected, for a long time. Researchers until recently have grimly waited for black hats to weaponize the new technologies; it's a question of when, not if, they believe. (On June 27, a group of researchers challenged the premise that such exotic new rootkits were undetectable, but the jury's still out on that question.)
Let It Bleed
Thomas Ptacek, principal, researcher and founder of security company Matasano, said it's not only the duty of developers and system architects to assess the security of the products protecting their assets; it's also their duty to rip open the code underneath those systems to see if it bleeds, the same thing that hackers do.
"[To do] due diligence, they're going to have to strip open those applications," Ptacek said.
Stripping open Microsoft's Windows Vista, for example, will show that Microsoft has made what most consider to be significant security improvements in its newest operating system.
In its 64-bit form, Vista will take away some of the tools attackers now use.
The 64-bit version of Vista makes it harder for attackers to exploit insecure functions by relying on the assumption that the entry point is always at the same address. Vista also does away with the ability to inject code into the Windows kernel to watch what functions are being called by other running programs.
Then there's Vista's UAC (User Account Control), which redirects some files and registry keys to "sandboxes." Malware can make changes, but the changes will go away when the process stops running or will at least not affect other users.
Rest assured, however, that these new security controls will not result in malware authors taking their ball and going home. Rather, security researchers are anticipating that Vista's new security profile will actually force attackers to innovate.
McAfee predicts that it will take about six months for a frustrated or ambitious malware author to turn his or her attention to rootkitting a machine by leveraging the hardware virtualization capabilities of an Intel or Advanced Micro Devices chip.
It's all a cat-and-mouse game: As new security techniques arise, hackers poke holes in them and malware authors learn how to manipulate them for profit.
Scanners and other tools used by hackers are available to anyone with an Internet connection, and it would behoove developers and system architects to use these tools routinely. Just don't think for a minute that these tools will keep out the most sophisticated attacks; they're most effective for low-hanging fruit or to accelerate testing.
The best advice echoes Ptacek's recommendation: Tear things apart as carefully and methodically as you put them together. It's better by far that you tear up your own systems to find the holes before someone does it for you.
This article was originally published on eWeek.com.