The 8 Second Hack
They're heeeere …
Friday, our Japanese participants discover that a computer on their company network has been cracked into, one very secure Linux box running only SSH and Apache 1.3.4. Now this would definitely send a chill up your spine if you knew just how fanatic our friends are when it comes to network security. Furthermore, they only detected the intrusion three days after the fact, which is unbelievable when you consider the insane monitoring levels they've been keeping since they agreed to participate in the scan. They would have noticed any funny stuff, and in fact, they did, lots of it, but none of which came close enough to a security breach to raise any alarms.
Readers should also note that although a key binary on the cracked machine had been modified, tripwire and an assortment of other booby traps failed to detect that this had happened. Even a close-up manual inspection (comparing file contents with a trusted backup, playing with its name) could not detect any odd behaviour. This trick, and others equally spooky, were achieved by clever manipulation of the OS's kernel code (dynamically, through a module).
Other characteristics of the attack which make it so eerily sophisticated:
1) The attacker (convincingly) masquerades as a local employee.
The attacker knows the employee's username and password and is even connecting through the employee's Japanese ISP on the employee's account! (The phone company identified this as an untraceable overseas caller.)
This information could not have been sniffed, since network services are only provided over encrypted SSH sessions.
Further investigation shows that this employee's personal NT box, connected over a dynamic dialup connection, had been cracked into 4 days earlier.
His ssh client (TTSSH extension to TeraTerm) had been trojaned to transmit XOR garbled account information (hostname/username/password) over pseudo-DNS udp packets to a refurbished i486 Redhat v4.2 box used as a single-purpose cheap Samba file server in a small Australian ISP.
The little box was every cracker's dream, a discreet, utopian crack haven, installed by a former Linux-savvy administrator, the last of its kind in a homogeneous Unix-illiterate Microsoft environment. The ISP practically ignored the box, which was running (up 270 days straight) so reliably that none of them had even bothered to log in since mid 1997! So as long as the crackers kept Samba running, they would have the box completely to themselves.
How the NT box was cracked into in the first place is still a mystery. The logs weren't helpful (surprise! surprise!) and the only way we were even able to confirm this had happened was by putting a sniff on the NT's traffic (following a hunch) and catching those sneaky packets red-handed, transmitting our SSH identification down under.
We never liked NT before, being generally suspicious of proprietary black-box OSes from a company with a long history of poor quality bloatware. But realising just how helpless we were against an attacker that obviously knew the ins and outs of this can-of-worms OS, the company recognised that NT was a serious security hazard and changed its security policies to keep it as far away from its systems as possible, and this included restricting employees from using it at home to log into the company network (even with SSH).
2) The attacker is using a custom built software penetration agent.
This is only a hypothesis, but it is strongly supported by the fact that the entire attack lasted an incredible 8 seconds! During which the attacker manages to log on (over an employee's SSH account, no less), gain root privileges, backdoor the system, remove any (standard) traces of its activity and log off.
And they probably would have gotten away with it too, if it wasn't for those meddling kids!
Who thoughtfully installed a crude old tty surveillance-camera hack that trapped IO calls to and from isatty(3) file descriptors, in real time, saving them on file along with a timestamp for neato it's-almost-as-if-you-were-there playback qualities.
And Wow! If there ever was a crack to appreciate for its elegance, simplicity, and efficiency, this was it.
First off this thing is smoking fast! Which puts the likelihood of any manual intervention at square zero. It's also mean and lean. Forget fumbling with an FTP client, leave that to the slow soft pink-bellied human cracker-weenies, real agents pump files directly through the shell (uuencode(1)'d at one end, uudecode(1)'d at the other). Extending privileges with an army of amateurish recipe-book Bugtraq exploits? I think not! Introducing the super-exploit, an all-in-one security penetration wonder which quickly identifies and exploits any local security vulnerabilities for that wholesome, crispy, UID zero flavour (we were vulnerable to a recent KDE buffer overflow). After promptly confirming its shiny new root privileges, the agent transfers its last archive (a cross between a self-installing feature-rich backdoor, and a clean-up-the-mess, we-were-never-here log doctor), executes it and logs off.
After watching the attack on playback (at 1/8 of its original speed) several times over, standard security-compromise ritual kicked in. We took the affected machine offline, remounted the disks read-only, fired up our trusty file system debugger, and slaved away to salvage whatever we could. Luckily, we found the attacker's transferred archives still intact, along with large fragments of the undoctored logs, allowing us to fill any still-missing details on the blitz attack. At the end of the day, when we finished playing with the cracked machine on loopback, we changed the compromised account's password, restored binary integrity, rebooted the system and put it back on the network, this time running a network dump of all its incoming-outgoing traffic, just to be on the safe side.
Whoever they were, they certainly knew what they were doing, and for the most part seemed very good at it. But being determined, clever, and sophisticated just doesn't cut it when you do battle with wizardly foes (that's us) wielding the great powers of the Universe at their command: dumb luck and clinical paranoia.
So who done it ???
Could it be ...
(A government conspiracy I tell ya'!) Any one of the many press-savvy three letter agencies scrambling for a bigger slice of the US-government funding pie? They've got motive, but are they really sneaky, clue-full and competent enough to take the blame?
How about the SIGINT spooks? The NSA (Information superiority for Americans!), or GCHQ (Her Royal Majesty's Intelligence)? Someone working for the Chinese? The KGB? The Russian mob? The giant from Redmond? Elvis and Bigfoot?!
Who knows ...
They tried something spooky 2 nights later, when around 4 AM (Japanese time) our network dump captures several pseudo-DNS udp packets originating from a familiar Linux box in a small Australian ISP. We assume they were attempting to communicate with the software they left behind during their brisk first visit. Several minutes pass, and the attempt is followed by a "TCP ping" (a stealthy alternative to an ICMP ping), several more pseudo-DNS udp packets, and silence.
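The "pseudo-DNS" packets stood out in the network dump because they did not look like DNS at all. As an added example (not code from the original write-up or from the team it describes), here is the sort of sanity check a defender can run over UDP port 53 payloads pulled from such a dump: parse the 12-byte header, reject unassigned opcodes and reserved bits, and walk the question section to see whether the bytes actually form a DNS message. The packets, addresses (documentation ranges) and the XOR'd blob standing in for one of the garbled payloads are all constructed for the example; it assumes the fake packets were at least addressed to port 53.

```python
"""Flag UDP/53 payloads that do not parse as well-formed DNS messages (example code)."""
import struct


def parse_name(payload, offset):
    """Walk a DNS name starting at `offset`; return (labels, next_offset) or raise ValueError."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("name runs past end of packet")
        length = payload[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            if offset >= len(payload):
                raise ValueError("truncated compression pointer")
            return labels, offset + 1
        if length > 63:  # 0x40-0xBF are not valid label lengths
            raise ValueError("label length %d exceeds 63" % length)
        label = payload[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        offset += length


def dns_anomalies(payload):
    """Return the reasons `payload` is not a plausible DNS message; an empty list means it looks like DNS."""
    reasons = []
    if len(payload) < 12:
        return ["shorter than the 12-byte DNS header"]
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    z_bits = (flags >> 4) & 0x7
    if opcode > 2:  # 0 QUERY, 1 IQUERY, 2 STATUS are the classic assignments
        reasons.append("unassigned opcode %d" % opcode)
    if z_bits:
        reasons.append("reserved Z bits set")
    if qd == 0 and opcode == 0:
        reasons.append("standard query with no question")
    if qd > 1:
        reasons.append("%d questions (real messages almost always carry exactly one)" % qd)
    offset = 12
    try:
        for _ in range(qd):
            _labels, offset = parse_name(payload, offset)
            if offset + 4 > len(payload):
                raise ValueError("question truncated before type/class")
            _qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
            offset += 4
            if qclass not in (1, 3, 4, 254, 255):  # IN, CH, HS, NONE, ANY
                reasons.append("unknown question class %d" % qclass)
        # With no answer/authority/additional records, the question must end the packet.
        if an == ns == ar == 0 and offset != len(payload):
            reasons.append("%d trailing bytes after question section" % (len(payload) - offset))
    except ValueError as exc:
        reasons.append(str(exc))
    return reasons


def scan(packets):
    """packets: iterable of (src, dst, udp_payload) seen on port 53; return the ones failing the sanity checks."""
    flagged = []
    for src, dst, payload in packets:
        reasons = dns_anomalies(payload)
        if reasons:
            flagged.append((src, dst, reasons))
    return flagged


# Constructed sample traffic: one query, its response, and a garbled blob on port 53.
VALID_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
               b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")
VALID_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                  b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
                  b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")
# Stand-in for one of the XOR-garbled payloads: an arbitrary string XOR'd with a constant (constructed).
FAKE_DNS = bytes(b ^ 0x5A for b in b"constructed-sample-payload-not-dns")

SAMPLE_PACKETS = [
    ("192.0.2.20", "198.51.100.53", VALID_QUERY),
    ("198.51.100.53", "192.0.2.20", VALID_RESPONSE),
    ("192.0.2.10", "203.0.113.7", FAKE_DNS),
]

if __name__ == "__main__":
    for src, dst, reasons in scan(SAMPLE_PACKETS):
        print("%s -> %s: %s" % (src, dst, "; ".join(reasons)))
```

The checks are deliberately structural rather than content-based: a covert channel that bothers to wrap its data in a syntactically valid query (a long, high-entropy label under a domain the attacker controls) would pass them, so on a real network this filter belongs next to per-host query-volume and label-length baselines, not in place of them.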
To the best of my knowledge, we haven't heard from them since. How discreet.