Getting rooted by a drive-by dropper is fast becoming the predominate method of involuntarily joining a botnet. The simplest way to avoid this is to keep your computers up to date. Easier said than done? Well, it doesn't have to be.
I made mention in my article "Botnets: How to Get Rooted in One Easy Lesson" that most computers become rooted and part of a botnet due to an operating system or application vulnerability that could have been patched, but wasn't. What I didn't expect was to have several current real-world examples to back up my statement.
Case in point, Microsoft released a critical and atypical out-of-band patch on Thursday October 23. MS08-067 was developed to repair a vulnerability in server service that could allow remote code execution. Only five days later, the exploit code for this vulnerability was publicly released.67.exe and KernelBot
Currently there are several trojan worms in the wild that are exploiting the MS08-067 vulnerability, one is ironically called 67.exe (dropper) and the bot code is 6767.exe (rootkit). Experts are already familiar with the botnet as the new malware is similar to the KernelBot, which is mainly used for denial-of-service attacks.
The dropper also installs the eMule peer-to-peer program. If the eMule client is successfully installed, the worm tries to spread across P2P networks by advertising an X-rated movie file, which in reality is the worm code. There aren't any infection statistics yet, but experts are saying it could get significant. You can keep track at this Arbor Networks activity Web page.
My second example is a hot-off-of-the-press article by Robert Vamosi of CNET "Security Expert Talks Russian Gangs, Botnets" and it's another example of a drive-by dropper exploit, but with some very insidious implications. This article is a must-read for everyone, because it discusses a real-life example of how a person's financial information was stolen and used to transfer a great deal of money to a foreign bank. Please take the time to watch the videos; it's that important. It certainly reaffirms my commitment to provide as much information about rootkits and botnets as I can.Who's vulnerable?
These exploits are just two of the most current examples of how easily botnets can form by leveraging unpatched vulnerabilities. Why is it so hard to keep everything up to date? It usually isn't for SMB and enterprise networks. They are mothered by system administrators and typically have automated systems in place that roll out the patches when everyone is sure the patches won't break anything.
Most individuals with home or SOHO computer networks don't have dedicated IT personnel, the time, or inclination to keep computers current on every operating system or application update. This is a real problem as evidenced by the number of home or SOHO computers that belong to botnets.Why focus on Microsoft?
I, like many other individuals and business entities, use Microsoft operating systems/applications for a variety of reasons. It's this popularity that makes Microsoft products a target-rich environment for bot-creating drive-by dropper attacks. To recap, there are a lot of Microsoft-based operating systems associated with home and SOHO networks that aren't getting the required updates.Vulnerability analyzers
To help in this regard, I'd like to discuss two vulnerability analyzers that are specifically formulated to keep Microsoft operating systems and applications up to date. The programs I want to talk about aren't new, but still very much underused. In that regard, I'm hopeful the information in this article may help change that trend.Microsoft Baseline Security Analyzer
Microsoft Baseline Security Analyzer (MBSA) is a very simple and thorough way to make sure any MS-based computer is up to date and configured according to Microsoft best practices. This distinction is important, because many people get confused as to why MBSA is needed. Doesn't Microsoft or Windows Update do the same thing? According to Microsoft:
"Microsoft Baseline Security Analyzer (MBSA) is an easy to use tool that helps small and medium businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common administrative vulnerabilities and missing security updates on your computer systems."
So it does more than just make sure the computer being scanned has all the latest updates, and that's important, especially to those who aren't totally up to speed with current best practices. The following diagram is a screen shot from MBSA showing the options MBSA is capable of checking:
My suggestion is to run MBSA after the second Tuesday of the month update from Microsoft or after any MS-mandated configuration change. The following diagram depicts typical scan results:
Notice the severe risk flag? If I'd have included the entire report you would have seen the severe risk flag was set due to the Windows Firewall being disabled. I also wanted to mention that MBSA is capable of scanning more than one computer. All that's required is to key in the domain name or subnet range.Secunia Vulnerability Scanners
Scanner applications developed by Secunia are the ideal complement to MBSA. MBSA deals almost exclusively with operating systems, whereas Secunia inspects Microsoft applications as well as over 7,000 third-party programs. Depending on your needs, Secunia offers several scanner options as well as what Secunia calls Vulnerability Intelligence on their Web site. As an example, I've included the following diagram depicting the scan tab from the PSI scanner application:
The next diagram depicts the results of a scan that flagged some problems with third-party applications. It just so happens that I have an older version of WinZip on the scanned computer, and Secunia PSI determined that and pointed out two other End-of-Life applications:
I normally try to remain neutral about vendor applications, but I must admit that I'd be in a very difficult place without the NSI and PSI scanners by Secunia. I also wanted to mention that TechRepublic writer Tom Ozlak has written an in-depth article "Free Security Tools: Secunia Personal Software Inspector" about the Secunia PSI scanner.Is this really necessary?
I say yes emphatically. While doing research for this rootkit/botnet series, I've had the good fortune to converse with several world-renowned experts. Guess what they say? Exactly, the primary reason a computer becomes rooted or part of a botnet is due to an unpatched existing vulnerability on that computer.Final thoughts
I initially asked the members what concerned them the most about rootkits and botnets. Not surprisingly the responses focused on methods of prevention. Only problem, there isn't a sure-fire answer, but keeping your computers up to date will really help.
Need help keeping systems connected and running at high efficiency? Delivered Monday and Wednesday, TechRepublic’s Network Administrator newsletter has the tips and tricks you need to better configure, support, and optimize your network. Automatically sign up today!