a mix of black and white

The Register: Botnet agent plays lost sheep to avoid detection

May 15th, 2008 @ 1:45 am by gray

A fascinating microcosm of technical Darwinism is the ceaseless escalation of sophistication between malware authors and anti-virus vendors. Formerly solo practitioners acting out of bravado or malcontent, malware developers are increasingly dedicated professionals bankrolled by organized crime syndicates or even governments in areas like Eastern Europe and Asia. With the huge financial incentive in identity fraud, online theft, and electronic blackmail, black-hat hackers aim to exploit the twin vectors of technical vulnerability and human laziness. Anti-virus firms meanwhile have built a huge market by playing a largely defensive game against new attack types, constantly scouring the underground community for new examples of attack vectors and building massive databases of ‘signatures’ or ‘fingerprints’ of specific variants. Yet just like organic mutation, each new form of defense is the inspiration for a variety of alternatives that seek to bypass the Maginot lines of AV software.

Botnet agent plays lost sheep to avoid detection | The Register

The Register reports on one such development in the ongoing mutation of the Kraken (AKA Bobax) bot. Earlier botnets could be disrupted not by attacking the zombie clients but, in military parlance, by going after the C&C (command and control) elements that issue the bots their orders, for example to attack a certain host via distributed denial of service (DDoS). These were often IRC servers, reached pseudonymously through password-protected channels. Yet with the advent of IM and Web-based chat, IRC traffic from an ordinary desktop is now itself something of an anomaly that an AV program or network monitor could view as suspicious.

The Kraken adaptation uses dynamic DNS with algorithmically generated domain names, passing encrypted commands over HTTP that are further obfuscated with bogus headers to fool stateful packet inspection (SPI) firewalls. In this fashion the bot homes in on the current location of its control server without carrying any hardcoded list of servers that defenders could use to target them for shutdown. PC Tools, the Australian firm that analyzed the new code, compared the process to the way a lost sheep tries to locate its shepherd (hence the article’s title). New variations of P2P software have likewise tried to replace the fragile centralized tracker with distributed databases, and efforts like Tor and I2P add multi-hop obfuscation on top.
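To make the rendezvous mechanism concrete, here is an added example (my own sketch, not Kraken’s actual generator, which is not described on this page). Bot and controller share a seed; both can derive the day’s candidate hostnames, so the bot needs no stored list and the operator registers only the one name that is live that day. The flip side, also shown, is that a defender who has reversed the generator can precompute the same window of names and block or sinkhole them. The seed, the placeholder parent domains and the resolver stub are all constructed for the demo.

```python
import hashlib
from datetime import date, timedelta

# Assumptions (constructed for this example, not recovered from Kraken):
# a secret seed shared by bot and controller, and placeholder dynamic-DNS
# parent domains under which the operator would register the day's name.
SHARED_SEED = b"constructed-shared-seed"
PARENT_DOMAINS = ("dyn.example", "hosts.example", "up.example")
EXAMPLE_DAY = date(2008, 5, 15)
NEXT_DAY = EXAMPLE_DAY + timedelta(days=1)


def candidate_domains(day, count=10, seed=SHARED_SEED):
    """Deterministic hostnames for one calendar day. The same seed and day
    give the same list on every machine, so the bot stores nothing."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        length = 8 + digest[0] % 5                       # label of 8 to 12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{PARENT_DOMAINS[digest[-1] % len(PARENT_DOMAINS)]}")
    return names


def bot_rendezvous(day, resolver):
    """Bot side: walk the day's candidates until one resolves.
    `resolver` is a callable returning an address or None; it is injected
    so the demo runs offline instead of issuing real DNS queries."""
    for name in candidate_domains(day):
        addr = resolver(name)
        if addr is not None:
            return name, addr
    return None


def generated_window(today, days_back=1, days_ahead=3):
    """Defender side: every name the generator can emit in a window around
    today. Once the algorithm is reversed these can be blocked or sinkholed
    before the operator gets around to registering them."""
    names = set()
    for offset in range(-days_back, days_ahead + 1):
        names.update(candidate_domains(today + timedelta(days=offset)))
    return names


def is_generated(hostname, today):
    """Check one observed DNS query name against the current window."""
    return hostname.lower().rstrip(".") in generated_window(today)


if __name__ == "__main__":
    todays = candidate_domains(EXAMPLE_DAY)
    live = todays[3]                                     # the one name the operator registered
    print("bot found:", bot_rendezvous(EXAMPLE_DAY, lambda n: "10.0.0.1" if n == live else None))
    print("names to sinkhole:", len(generated_window(EXAMPLE_DAY)))
    print("suspicious query?", is_generated(live, EXAMPLE_DAY), is_generated("www.example.com", EXAMPLE_DAY))
```

The generator is the weak point on both sides: the operator must register a name before the bots look for it, and a defender who recovers the seed and algorithm from a sample can compute that name first.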

Kraken also employs a random word generator to vary the filenames of the infected files it spreads through IM networks such as MSN Messenger, so that a signature keyed to a fixed filename never matches twice. Spammers adopted the same tactic earlier, in response to the naive Bayes filtering built into anti-spam engines like SpamAssassin.

A parallel story at The Register notes a new kind of SQL injection attack that targets DATE and NUMBER fields. Previously SQL injection exploited unchecked parameters or syntactic tricks to pass SQL code, often through text-based fields like VARCHAR. The recent nihaorr* mass attack on older ASP sites backed by SQL Server, for example, used a combination of techniques: the injection was delivered in a POST body rather than a standard GET query string, padding the request with a 4000-character hex string wrapped in a CAST() function. Decoding the hex to text revealed a procedural cursor that trawled the sysobjects system table for every char-based column, then appended a rogue JavaScript include to each of them via UPDATE statements. Since most remedies for SQL injection have centered on validating or escaping text-based input, the new variation sidesteps them by manipulating the date and number conversion routines in Oracle’s PL/SQL, values that developers have assumed could not carry SQL because of their type.
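An added example of the two mechanics in this paragraph (my own code, not the attack code or anything from The Register’s coverage). The first half shows why a quote-escaping defense does nothing for a numeric parameter: the developer never quoted the number, so the payload needs no quote, and a character-code builder stands in for the hex CAST trick the real attack used to smuggle a string without quotes. The parameterized rewrite follows. The second half decodes a CAST(0x... AS VARCHAR) payload out of a request, the analysis step the paragraph describes. sqlite3 stands in for SQL Server; the table, rows, payload and request line are all constructed for the demo.

```python
import re
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE articles(id INTEGER PRIMARY KEY, title TEXT, body TEXT);"
        "INSERT INTO articles VALUES (1, 'Hello', 'first post');"
        "INSERT INTO articles VALUES (2, 'Second', 'second post');"
    )
    return conn


def escape_text(value):
    # The text-only defense: double single quotes so a string literal
    # cannot be terminated early. Correct for quoted strings, useless otherwise.
    return value.replace("'", "''")


def char_literal(text):
    # Build a string inside SQL with no quote character at all, the same idea
    # as the hex CAST trick in the real attack: nothing for escape_text() to hit.
    return "char(" + ",".join(str(ord(c)) for c in text) + ")"


# Constructed payload: a valid number, then a stacked UPDATE that appends a tag
# to every body column. It contains no single quote, so escaping never fires.
INJECTED_ID = "1; UPDATE articles SET body = body || " + char_literal("<script>")


def vulnerable_lookup(conn, article_id):
    # id is a NUMBER column, so the developer never quoted it and simply
    # concatenated the "number" into the statement. executescript() plays the
    # role of a server/driver that accepts stacked statements, as in the attack.
    sql = "SELECT id, title FROM articles WHERE id = " + escape_text(article_id)
    conn.executescript(sql)
    return conn.execute("SELECT body FROM articles WHERE id = 1").fetchone()[0]


def safe_lookup(conn, article_id):
    # Type-check the input (int() raises ValueError for anything but an
    # integer) and bind it as a parameter so it is never parsed as SQL text.
    ident = int(article_id)
    return conn.execute("SELECT id, title FROM articles WHERE id = ?", (ident,)).fetchone()


# Matches CAST(0x<hex> AS VARCHAR ...) or NVARCHAR; group 2 tells us which.
CAST_HEX = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+(n?)varchar", re.IGNORECASE)


def decode_cast_hex(request_text):
    """Return the decoded text of the first CAST(0x... AS [N]VARCHAR) in a
    request, or None. Assumption: VARCHAR payloads are single-byte text and
    NVARCHAR payloads are UTF-16LE, as SQL Server stores them."""
    m = CAST_HEX.search(request_text)
    if not m:
        return None
    raw = bytes.fromhex(m.group(1))
    return raw.decode("utf-16-le" if m.group(2) else "latin-1")


# Constructed request in the shape of the mass attack: a numeric parameter
# followed by a hex-encoded statement that is CAST back to text and executed.
INNER_SQL = "DECLARE @T varchar(255); SELECT name FROM sysobjects WHERE xtype='U'"
SAMPLE_REQUEST = (
    "POST /default.asp HTTP/1.1 body: id=1;DECLARE @S VARCHAR(4000);SET @S=CAST(0x"
    + INNER_SQL.encode("latin-1").hex()
    + " AS VARCHAR(4000));EXEC(@S);--"
)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup(make_db(), INJECTED_ID))   # body now ends in <script>
    print("safe:", safe_lookup(make_db(), "1"))
    try:
        safe_lookup(make_db(), INJECTED_ID)
    except ValueError as exc:
        print("safe rejected payload:", exc)
    print("decoded payload:", decode_cast_hex(SAMPLE_REQUEST))
```

The lesson carries over to the Oracle case the paragraph closes on: a value is only safe because of its type if the code actually enforces that type before the value reaches the SQL text, and a bound parameter is the one place where that is guaranteed.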

Not content to be left on the defensive, particularly with suspicions that certain governments could be building up their own stockpiles of zombie PCs to act as a botnet in the event of a (sigh) cyberwar, the US Air Force Cyber Command (AFCYBER) has recently published its consideration of mustering a military botnet. Ars Technica reviews the salient points of Col. Charles Williamson’s proposal, including the need for offensive capability (essentially to attack the attacker) in light of the indefensibility of our present infrastructure, and the potential political fallout were we to, say, ping-flood France in response to a DDoS mounted from a botnet there but controlled by a rogue group elsewhere. The implications are somewhat provocative: even if AFCYBER were to build a managed botnet out of decommissioned military PCs, would some other branch like the NSA or CIA also receive a secret mandate to develop ‘offsite assets’ by infecting civilian PCs in other countries? Will some portion of future conflicts consist of shadowy agents provocateurs wielding heavily anonymized zombie PC armies, trying to provoke retaliation against the enemy’s allies by launching DDoS attacks from within their civilian networks?

Creative Commons License
(c) 2008 gray/matter | powered by WordPress with Barecity