1.2 Distilling a More Precise Definition

This interface doesn't even have to be a traditional command shell; it can be a proprietary API designed by the attacker. You could just as easily establish an interface by impersonating a help desk technician or shoulder surfing. Hence, the tools used to root a machine will run the gamut: from social engineering (e.g., spear-phishing, scareware, pretext calls, etc.), to brute-force password cracking, to stealing backups, to offline attacks like Joanna Rutkowska's "Evil Maid" scenario.[7] Based on my own experience and the input of my peers, software exploits and social engineering are two of the more frequent avenues of entry for mass-scale attacks.

The Role of Rootkits in the Attack Cycle

Rootkits are usually brought into play at the tail end of an attack cycle. This is why they're referred to as post-exploit tools. Once you've got an interface and (somehow) escalated your privileges to root level, it's only natural to want to retain access to the compromised machine (also known as a plant or a foothold). Rootkits facilitate this continued access. From here, an attacker can mine the target for valuable information, like social security numbers, relevant account details, or CVV2s (i.e., full credit card numbers, with the corresponding expiration dates, billing addresses and three-digit security codes).

Or, an attacker might simply use his current foothold to expand the scope of his influence by attacking other machines within the targeted network that aren't directly routable. This practice is known as pivoting, and it can help to obfuscate the origins of an intrusion (see Figure 1.2).

Notice how the last step in Figure 1.2 isn't a pivot. As I explained in this book's preface, the focus of this book is on the desktop because in many cases an attacker can get the information they're after by simply targeting a client machine that can access the data being sought after. Why spend days trying to peel back the layers of security on a hardened enterprise-class mainframe when you can get the same basic results from popping some executive's desktop system? For the love of Pete, go for the low-hanging fruit! As Richard Bejtlich has observed, "Once other options have been eliminated, the ultimate point at which data will be attacked will be the point at which it is useful to an authorized user."[8]

7. http://theinvisiblethings.blogspot.com/2009/01/why-do-i-miss-microsoft-bitlocker.html

8. http://taosecurity.blogspot.com/2009/10/protect-data-where.html

Part I | 7