Rootkits in Corporate Espionage

JSharp recently highlighted in a blog entry the potential of ID-triggered rootkits: rootkits that stay dormant until they have reached a specific “target” victim. That high-profile victim could be a large company holding a great deal of intellectual property and considerably less security.
To the average person this sounds far-fetched, but it has happened in the past and it will become more common in the future.

Companies in a very competitive environment can only survive if they have an edge over their competitors. That edge can take many forms, but information is the key: information about a competitor’s products, techniques, processes and sales is extremely valuable when making decisions about the future.

It would be no problem for an attacker to offer a poorly paid programmer a lot of money to write a rootkit that none of the current rootkit scanners detect. Earlier this year the maker of Hacker Defender, an extremely powerful rootkit, ran a service whereby an undetectable version of Hacker Defender was built to order for a price. That super-stealth service is no longer available.

The attacker could then purchase a zero-day exploit, an exploit for a vulnerability the vendor does not yet know about and has not patched, from one of the many sites offering them. There is a lot of money to be made from finding holes in software and selling either the information or ready-to-run exploit code for thousands of dollars.
 
One form of rootkit delivery is via a compromised website. A malware creation kit called Webattacker contains scripts that fingerprint the visiting user’s browser version and send down a matching exploit carrying the rootkit and its payload. This payload could be a keylogger, perfect for capturing usernames and passwords for later attacks. It could also include file-capturing software that gathers up Word documents, spreadsheets or any other file type that could hold valuable information, ready to be sent back out over the same route it came in.

Another form of delivery is via email. Craftily written emails can be sent to employees enticing them to open safe-looking attachments, which then release the rootkit and its payload. This happened in May of this year. A large, high-profile, unnamed company in Asia was targeted by an alleged criminal gang. An email was sent to certain employees of the company. It contained a Word document that in some way related to the employee’s area of work, and the document carried exploit code that was unknown to everyone in the world except the attacker. The exploit gave the attacker complete control over the employee’s PC. Microsoft patched this hole in Word some months later. I am sure, though, that many companies out there are still vulnerable because they have not patched or updated their Office software.

“Detection is mostly the very hard part in these attacks. This case seems to have been detected by a very alert user detecting a domain name in an email that wasn’t completely right. That user detected an email coming in that originated from a domain that looked like their own, but wasn’t their own (actually only had an MX record in it). The email was written to look like an internal email, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software.” http://isc.sans.org/diary.php?storyid=1345
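The ISC diary quoted above describes the two tells that gave the targeted email away: a sender domain that resembled the company’s own but was not it, and a domain that only had an MX record. The following is an added example, not code from the original post or from ISC, of how a mail gateway or log review script could score inbound sender domains for exactly those tells. The organisation domain `examplecorp.com`, the lookalike domains, the sample message and the `FAKE_DNS` record table are all constructed for the example; a real deployment would replace `FAKE_DNS` with a resolver query.

```python
"""Lookalike sender-domain check (added example, not from the original post).

Scores the From: domain of an inbound message against the organisation's
real domains.  Domains, DNS answers and the sample message are constructed
for this example.
"""
import email
import unicodedata
from email.utils import parseaddr

# Assumption: the organisation's real mail domains (hypothetical).
OWN_DOMAINS = {"examplecorp.com"}

# Constructed stand-in for DNS: which record types each domain answers with.
# A real deployment would query a resolver here instead of this table.
FAKE_DNS = {
    "examplecorp.com": {"A", "MX"},
    "examplecorp-mail.com": {"MX"},
    "exarnplecorp.com": {"MX"},
    "partner.example.net": {"A", "MX"},
}

# Common digit-for-letter substitutions seen in typo-squatted domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def normalise(label):
    """Fold a domain label so that visually similar spellings compare equal."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    folded = folded.lower().translate(_HOMOGLYPHS)
    # 'rn' reads as 'm' and 'vv' as 'w' in most fonts.
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, own=OWN_DOMAINS, dns=FAKE_DNS):
    """Return (verdict, reasons); verdict is 'internal', 'lookalike' or 'external'."""
    domain = domain.lower().rstrip(".")
    if domain in own or any(domain.endswith("." + d) for d in own):
        return "internal", ["matches an organisation domain"]

    # Assumption: simple two-level domains, so the registered name is the
    # label just before the TLD.
    labels = domain.split(".")
    base = normalise(labels[-2] if len(labels) >= 2 else labels[0])

    reasons = []
    for real in own:
        real_base = normalise(real.split(".")[0])
        if base == real_base:
            reasons.append(f"same registered name as {real} after folding lookalike characters")
        elif real_base in base:
            reasons.append(f"contains the organisation name {real_base!r} with extra tokens")
        elif edit_distance(base, real_base) <= 2:
            reasons.append(f"within two edits of {real_base!r}")
    if not reasons:
        return "external", ["no resemblance to an organisation domain"]

    # The ISC tell: a domain that exists only to receive or send mail.
    records = dns.get(domain, set())
    if "MX" in records and "A" not in records:
        reasons.append("domain answers only MX, no A record: a mail-only drop domain")
    return "lookalike", reasons


def check_message(raw):
    """Parse a raw RFC 822 message and classify its From: domain."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    verdict, reasons = classify(domain)
    return domain, verdict, reasons


# Constructed sample message mimicking the attack described in the post.
SAMPLE = """From: IT Helpdesk <helpdesk@exarnplecorp.com>
To: alice@examplecorp.com
Subject: Updated expense policy (please review)

Please open the attached document.
"""

if __name__ == "__main__":
    domain, verdict, reasons = check_message(SAMPLE)
    print(domain, verdict)
    for r in reasons:
        print("  -", r)
```

Run stand-alone, the script flags `exarnplecorp.com` as a lookalike on two grounds: after folding “rn” to “m” it is identical to the organisation name, and the (constructed) DNS answer shows an MX record with no A record. Subdomains of the organisation’s own domain are treated as internal, and an unrelated partner domain is left alone, so the check can run on every inbound message without drowning the reviewer in noise.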
 
Arrests were made earlier this year in London and Israel after a company found rogue software, a Trojan horse, on its PCs. It turned out that a married couple in London had written software that collected files and sent them to a rival. The software was used by “private investigators” to retrieve information from their clients’ competitors.

“Companies probed by the Israeli authorities in connection with the case include mobile phone operators, Cellcom and Pelephone, and satellite television provider YES. All firms have denied any wrongdoing. The Trojan horse is said to have spied upon the Rani Rahav PR agency (whose clients include Israel’s second biggest mobile phone operator, Partner Communications), and the HOT cable television group. Mayer, a company which imports Volvo and Honda cars to Israel is suspected of having spied on rival Champion Motors, who import vehicles made by Audi and Volkswagen.” http://www.sophos.com/pressoffice/news/articles/2006/01/israeliesp.html

So there you have it. All an attacker bent on industrial espionage for gain has to do is obtain an undetectable rootkit, package it with a file-gathering payload, deliver it to the target company via an unknown exploit, and wait for the company’s information to flow in.

This is why it is important for companies to have software installed on each machine that stops unknown software from getting onto the machine, or running on it, in the first place, rather than relying on detecting a rootkit after it is already hidden.

Keep Safe,

regards
Steo
www.antirootkit.com

4 Responses to “Rootkits in Corporate Espionage”

  1. Richard Says:

    On the subject of corporate espionage and rootkits, I have experienced a situation that is far more widespread in scale and capability. Bootstrap rootkit code written into the manufacturer’s hardware that will create a back door upon computer rebuild and OS re-installation. This creates the ‘inside out hack’ that puts the intruder behind a corporate firewall, and from there a position can be built.
    Imagine a failed OEM computer manufacturer in Latin America that was basically a money laundering front company, imagine what level of system knowledge an OEM would receive, and how that could be farmed out to malicious code writers to create devious software tools used in an international money laundering and corporate fraud network. Just how sophisticated a suite of espionage orientated malware can be written using the cash flow from a company with a peak USD250m market capitalisation using Latin American pay scales?
    Imagine a set of coding objectives that include out-pacing law enforcement to ensure criminal organisational survival?
    Then spin the technology off into corporate espionage applications for corporate fraud and other financial scams.
    I would venture that companies and users of mainstream IT are in fact very vulnerable, and a bigger effort should be made to recycle end user experiences, corporate and personal, to put the option of privacy back in the hands of the user, large or small.
    It is also worth considering the fact that Windows XP is going to be around for a while yet, and that protecting the integrity of that software and enhancing its security as is is very important for corporate customers.
    A standalone operating system boot disk that can test the integrity of hardware and installed software without being subject to rootkit stealth techniques might be a very useful tool for Administrators.
    Simple things for simple problems - make sure the memory overhead on chipsets that can range between 2 MB and 8 MB is filled and not fillable by a flash utility - that is where companies are going to need to be protected.

  2. steo Says:

    Richard,

    thanks for the post. Very interesting indeed. It seems that any sort of intent and knowledge of rootkits can spell trouble for whoever gets targeted.

    It actually reminds me of the guy who worked as a programmer for a software company that was writing a poker-related program. He installed a rootkit to hide a password retriever for all the poker players who installed the software. He was a bogus programmer working for a legit company. He would then sit around an online poker table with players he had logged on and make them lose all their money to him….clever….but not enough….

    The link to the post is http://www.antirootkit.com/blog/2006/05/17/rootkit-software-infects-gamblers-computers/
    Thanks again Richard,
    regards
    Steo

  3. Anti Rootkit Blog » Blog Archive » Rootkit used in Vodafone Phone Tapping Affair Says:

    […] We have all heard about Rootkits and how they are aimed mainly at normal users of Windows XP and Linux. I have written about Rootkits in Corporate Espionage and how custom designed and targeted Rootkits will always be hard to spot. They are carefully created using undocumented features within the system kernel. If only the creator knows then who can find it? Now if this rootkit is used for one unique purpose, installed on one system, then the chances of it being found soon after its installation are small. This is exactly what happened in what is known as The Athens Affair. […]

  4. isaac Says:

    I am a university student and my degree project is to build an anti-rootkit tool in the C++ language. I would like to know if anyone can help me with this project, thanks
