
The Book On Malicious Websites

White Paper Published By: Perimeter

Before Microsoft released Microsoft XP Service Pack 2 (SP2), most attackers would compromise a computer system by simply attacking it with known vulnerabilities or "bugs" that could allow the attacker to gain some level of control over the system. Newer attack methods were starting to be seen where the attacker would take advantage of vulnerabilities within the Internet browser itself.



Tags : 
virus, anti-virus, anti virus, spyware, windows xp, xp sp2, intrusion detection, ids

Perimeter
Published:  Jul 17, 2007
Type:  White Paper
Length:  5 pages





MALICIOUS WEBSITES
Kevin Prince, Chief Security Officer, Perimeter eSecurity
February 2007

In August 2004, Microsoft released Microsoft XP Service Pack 2 (SP2). This marked a significant date in the network security world: the largest software provider in the world had released a version of its operating system (OS) with built-in security turned on by default. The next several weeks and months were interesting, as many dependent software applications "broke" when the security features were tightened up. All things said and done, though, it was a great milestone in security; although it was a rough road, it was a long time in coming.

Security enhancements included a major revision to the internal firewall, which was renamed Windows Firewall; advanced memory protection that takes advantage of the NX bit incorporated into newer processors to stop buffer overflow attacks; and removal of raw socket support (which supposedly limits the damage done by "zombie" machines: infected computers that can be used remotely to launch denial of service attacks). Additionally, security-related improvements were made to e-mail and web browsing. Windows XP Service Pack 2 includes the Windows Security Center, which provides a general overview of security on the system, including the state of anti-virus software, Windows Update, and the new Windows Firewall. Third-party anti-virus and firewall applications can interface with the new Security Center.

These modifications to the world's most popular OS shocked the hackers of the world. No longer would it be very easy to attack and compromise systems. No longer were there more open systems than they had time to compromise. Attackers would scour the Internet looking for open systems and, when found, would quickly close the holes so another attacker couldn't claim what they had rightfully stolen. Don't get me wrong, I said no longer was it "very" easy. Now it is just sort-of easy.

Much of this is due to computer systems being brought online in other countries where there is a lot of pirated software, and other older OSes that don't have security features enabled. There are also a lot of older computer systems right here in the USA that are still using OSes older than XP SP2. Lastly, even with security turned on, there are other ways for a system to be vulnerable. But because most of the systems or information with the highest value to hackers had become more secure, attackers were required to get creative in their attacks.

In 2005 we saw the beginning of a movement towards an entirely new type of attack method. Until then, most attackers would compromise a computer system by simply attacking it with known vulnerabilities or "bugs" that could allow the attacker to gain some level of control over the system. These are commonly referred to as "inbound attacks". With personal firewalls loaded onto many systems, as well as other security features enabled, the inbound attack approach became increasingly less profitable. New attack methods started being seen where the attacker would take advantage of vulnerabilities within the Internet browser itself. These vulnerabilities would allow the attacker to download malicious code, Trojan horses, or other applications in the background simply by having the user look at a web page.

Some of the new attack methods included luring unsuspecting users to malicious web sites via SPAM, instant messaging, or popular web sites. In one case, an attacker created a Katrina Relief web site. The site was good, giving up-to-date storm watch information, videos of survivors, even links to real donation sites. This web site was indexed by several search engines and quickly became one of the top links when typing "Katrina" into a search web site. Just by clicking the link, a malware program was installed onto the user's PC. Malware programs can do things like crash your system, capture keystrokes (passwords), capture screen shots, or give full remote control.

What people don't realize is that the software makes an OUTBOUND connection to the Internet. Because the internal computer is making the request (connection) out to the Internet, it is assumed by the security systems to be "authorized" traffic. The PCs can make connections back to the attacker's systems and they can do just about anything they want. This defeats a... [download for more]
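As an added illustration of the point above (this is not code from the white paper), the script below reads constructed perimeter firewall egress records and flags internal hosts that contact one external address at near-regular intervals, the timer-driven pattern of malware phoning home over an "authorized" outbound connection. The log format, addresses and thresholds are assumptions for this example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log (not real traffic): 10.0.0.12 contacts one host
# roughly every 60 s, while 10.0.0.25 browses 203.0.113.10 at irregular gaps.
SAMPLE_LOG = """\
2007-02-01T09:00:00 ALLOW OUT src=10.0.0.12 dst=198.51.100.7 dport=80
2007-02-01T09:00:15 ALLOW OUT src=10.0.0.25 dst=203.0.113.10 dport=443
2007-02-01T09:01:00 ALLOW OUT src=10.0.0.12 dst=198.51.100.7 dport=80
2007-02-01T09:01:48 ALLOW OUT src=10.0.0.25 dst=203.0.113.10 dport=443
2007-02-01T09:02:00 ALLOW OUT src=10.0.0.12 dst=198.51.100.7 dport=80
2007-02-01T09:02:05 ALLOW OUT src=10.0.0.25 dst=203.0.113.10 dport=443
2007-02-01T09:02:40 DENY IN src=192.0.2.9 dst=10.0.0.12 dport=135
2007-02-01T09:03:01 ALLOW OUT src=10.0.0.12 dst=198.51.100.7 dport=80
2007-02-01T09:04:00 ALLOW OUT src=10.0.0.12 dst=198.51.100.7 dport=80
2007-02-01T09:07:30 ALLOW OUT src=10.0.0.25 dst=203.0.113.10 dport=443
"""

# Only allowed outbound records matter here; inbound denies are ignored.
LINE_RE = re.compile(r"^(\S+) ALLOW OUT src=(\S+) dst=(\S+) dport=\d+$")


def parse_outbound(log_text):
    """Yield (timestamp, src, dst) for every allowed outbound record."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def beacon_candidates(log_text, min_events=4, max_cv=0.1):
    """Return (src, dst) pairs whose inter-connection gaps are nearly constant.
    Coefficient of variation (stdev / mean) is ~0 for a timer, large for people."""
    by_pair = defaultdict(list)
    for ts, src, dst in parse_outbound(log_text):
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "events": len(times),
                         "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return hits
```

Tune `min_events` and `max_cv` against your own baseline; legitimate software updaters also poll on timers, so a hit is a lead for investigation, not a verdict.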
