Chapter 1 / Empty Cup Mind

web server and then adjusted the domain's group policy to point domain members to the rogue SUS server.

Just in case you're wondering, Microsoft's SUS product was released as a way to help administrators provide updates to their machines by acting as a LAN-based distribution point. This is particularly effective on networks that have a slow WAN link. Whereas gigabit bandwidth is fairly common in American universities, there are still local area networks (e.g., Kazakhstan) where dial-up to the outside is as good as it gets. In slow-link cases, the idea is to download updates to a set of one or more web servers on the LAN, and then have local machines access updates without having to get on the Internet. Ostensibly, this saves bandwidth because the updates only need to be downloaded from the Internet once.

Although this sounds great on paper, and the Microsoft Certified System Engineer (MCSE) exams would have you believe that it's the greatest thing since sliced bread, SUS servers can become a single point of failure and a truly devious weapon if compromised. The intruders used their faux SUS server to install a remote administration suite called DameWare on our besieged desktop machines (which dutifully installed the .MSI files as if they were a legitimate update). Yes, you heard right. Our update server was patching our machines with tools that gave the attackers a better foothold on the network. The ensuing cleanup took the better part of a year. I can't count the number of machines that we rebuilt from scratch. When a machine was slow to respond or had locked out a user, the first thing we did was to look for DameWare.
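The two things the cleanup crew looked for on each machine, where its update policy actually pointed and whether DameWare had been pushed to it, can be audited from a script. This is an added example, not code from the book; the approved-server list is an assumed placeholder, and the registry locations are the standard Windows Update policy and installed-programs keys.

```powershell
# Added example: audit a domain member for an update policy that points at an
# unapproved (possibly rogue) SUS/WSUS server and for a DameWare package that
# arrived as an "update". The approved server value below is an assumption.
function Test-UpdateSourcePolicy {
    param(
        # Hostnames/URLs your own update servers legitimately use (assumed values).
        [string[]]$ApprovedServers = @('http://wsus.corp.example:8530')
    )
    $findings = @()
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au     = Join-Path $policy 'AU'

    # Group policy writes the intranet update server here; UseWUServer=1 turns it on.
    $wu    = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $useWu = (Get-ItemProperty -Path $au -ErrorAction SilentlyContinue).UseWUServer

    if ($useWu -eq 1 -and $wu) {
        foreach ($name in 'WUServer', 'WUStatusServer') {
            $value = $wu.$name
            if ($value -and ($ApprovedServers -notcontains $value)) {
                $findings += [pscustomobject]@{
                    Check  = "Policy/$name"
                    Detail = "Update traffic is directed to unapproved server '$value'"
                }
            }
        }
    }

    # The intruders pushed DameWare as an MSI; an MSI install leaves an entry
    # in the installed-programs registry (64-bit and 32-bit views).
    $uninstall = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*DameWare*' }
    foreach ($app in $installed) {
        $findings += [pscustomobject]@{
            Check  = 'InstalledSoftware'
            Detail = "Found '$($app.DisplayName)' (InstallDate: $($app.InstallDate))"
        }
    }
    return $findings
}

# An empty result means neither indicator was present on this machine.
Test-UpdateSourcePolicy | Format-Table -AutoSize
```

Run it under an account that can read HKLM on each domain member (for example through a scheduled task or remoting), and compare the output across machines rather than trusting any single host.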

As it turns out, the intrusions in our college were just a drop in the bucket as far as the spectrum of campus-wide security incidents was concerned. After comparing notes with other IT departments, we concluded that there wasn't just one group of attackers. There were, in fact, several groups of attackers, from different parts of Europe and the Baltic states, who were waging a virtual turf war to see who could stake the largest botnet claim in the SFSU network infrastructure. Thousands of computers had been turned to zombies (and may still be, to the best of my knowledge).

Conclusions

By now you should understand the nature of rootkit technology, as well as how it's used and by whom. In a nutshell, the coin of this realm is stealth: denying certain information to the machine's owner in addition to perhaps offering misinformation. Put another way, we're limiting both the quantity