Vmyths.com
Truth About Computer Security Hysteria

Super cyber sleuths in Badman backdoor bruhaha

Rob Rosenberger, Vmyths co-founder
Friday, 16 June 2000

WE NEARLY LOST the Internet for good last week, if you believe Fox News and the Associated Press. (What, not again?) Check out this orgasmic report:

The spread of a dangerous computer program masquerading as a harmless video clip may have been slowed in its sinister tracks Friday by a team of super cyber sleuths. Working through the night in the dark, musty offices of their 'attack lab,' investigators with the Herndon, Va., Internet security firm Network Security Technologies discovered a team of hackers had embedded a Trojan horse, a seemingly innocent application that executes destructive code, in computers across the globe.
"Super cyber sleuths"? A Dow Jones newswire disclosed an employee "inadvertently downloaded and launched the infected file onto a laptop computer, [which was] a serious breach of security etiquette." NETSEC even bragged how they "detected the Trojan on one of its PCs as the Trojan unsuccessfully attempted to contact the hackers across the company's networks." Yeah, and I'll bet a can of soda the employee downloaded it from a raunchy Usenet newsgroup.

NETSEC guzzled from the fountain of newspaper ink thanks to an obvious PR event. It contained many of the elements reporters look for, such as an urgent meeting with FBI agents deep inside the Hoover building (a short drive from NETSEC's offices).

The security industry refused to play along, though. A Command Software spokeswoman asserted "this is not a new find, it's not a new discovery. In fact, Backdoor.SubSeven has been in the wild for quite some time and should be detected by antivirus software. Even if it had not been updated recently, it should still be detected." ICSA went so far as to label it "hype" both on their website and in an email newsletter. If you screw up like NETSEC did, "then your pc is certainly compromised," cautioned ICSA. "But there is no reason to think that it will be successful with the next step, because all ICSA.net certified anti virus software has been able to detect SubSeven for some time... There are no new exploits. There are no new tricks. Trojans disguised as movies are common. There are five or six hundred posted to newsgroups each month." A fact which makes NETSEC's internal security failure all the more ironic.

Marc Maiffret (eEye) flipped the bird at NETSEC in a public message. "I would be interested if someone could email me, personally, and let me know how NETSEC 'alerted the Internet community' because the only thing I've seen on mailing lists is people making fun of the [hysteria] that NETSEC media whored to everyone."
Even the well-documented fearmongers at FBI NIPC chose not to scream about the Trojan. Man, if you can't get Michael "cyberHoover" Vatis to appear on-camera with you...
THE TIDE OF reporting quickly turned. Damaging headlines soon appeared on MSNBC and The Register. Even Hacker News Network chimed in:
Last Friday's announcement by NETSEC (Network Security Technologies) of a new DDoS tool installed on thousands of computers worldwide created a lot of media attention but was really nothing new. The so called 'Serbian Badman Trojan' is nothing more than a repackaged version of Sub7, a remote administration tool similar to NetBus, that has been around for years. Sub7 is incapable of launching a DDoS attack in its current revision. NETSEC's discovery amounts to nothing more than a publicity stunt by an opportunistic security firm in quest of free advertising in the form of media attention.
NETSEC president Jerry Harold fired off a rebuttal to Hacker News Network. "The naysayers here are the antivirus cartel who speculate without even bothering to gather fact (sorry to step on the toes of your little fraternity, guys.) This was proactive detection and prevention of an active attack before it caused major damage. What did companies like Network Associates and Symantec do to detect and prevent the last DDoS attacks BEFORE they caused millions in damage? The answer is: nothing." Another employee, Scott Shreve, decided to "set the record straight" in an open rebuttal:
While the media has performed to their regular standard of sowing the seeds of FUD, we have been guilty of nothing more than attempting to alert people to the fact that many hosts have been put in a position to unknowingly wreak mayhem. If we wanted press, NetSec would release the list of infected clients — THAT would make good press. Nobody said there was a cutting edge new tool out there. We just found definitive evidence that several thousand machines fell victim to a slightly modified version of an old tool. The binary has been torn apart and distributed to several sources in the vain attempt to perform a service to the community and avoid much of the mudslinging that is currently going on. If anybody bothered to watch the CBS morning show they would have seen us state on National TV that the trojan was a modified version of SubSeven and the focus of the threat was not the "scariness" of the tool — it was the size of the infected populace and the serious nature of SOME of the infected clients.
(Ignore Shreve's comment about identifying infected clients to reporters. It would violate one of marketing's Ten Commandments: "Thou Shalt Not Smite Customers By Name.") Perhaps NETSEC labeled it a known Trojan on national TV, but they buried the knowledge in their original press release. A re-edited version of the 8 June document makes the point clearer. (The original version remained on NETSEC's website until at least 11 June at 6:50pm CT. Hacker News Network bashed them the next day.) Notice the subtle differences:
Original 8 June press release versus re-edited 8 June press release, passage by passage:

Original: "a 'polymorphic' Trojan is causing widespread compromise of computer systems around the world."
Re-edited: "a variation of a known Trojan has been used to compromise unprotected computer systems around the world."

Original: "NETSEC security engineers then followed the Trojan's communications and monitored Internet conversations among hackers in Maine, Canada, and elsewhere."
Re-edited: "NETSEC security engineers have traced the Trojan to its source, collected lists of compromised machines, and followed Internet conversations among hackers in Maine, Canada, and elsewhere."

Original: "The hackers 'Serbian', 'Badman', and others bragged and laughed about their successful attacks on networks as well as the sheer numbers of machines that they had compromised. The hackers execute their attacks by distributing a 'Trojan', which is a piece of malicious code embedded inside a legitimate downloadable file. The file infiltrates a PC and contacts the hackers over a network to offer them full control of the computer while it's connected to the Internet."
Re-edited: "The hackers 'Serbian', 'Badman', and others laughed about their successful denial-of-service attacks on other PCs. They also bragged about the large numbers of PCs that they controlled. The hackers execute their attacks by distributing a 'Trojan', which is a piece of malicious code that masquerades as a video or other downloadable file. The file infiltrates a PC and contacts the hackers to give them full control of the computers. While the Trojan itself generally does not damage a PC, it can allow a hacker to damage the PC or use it to attack other PCs and networks."

Original: " 'Due to the wide-scale nature of the infection, the hackers could easily use the compromised machines to launch a distributed denial of service attack, such as the one that recently disabled major e-Commerce web sites,' stated Jerry Harold, NETSEC's President and cofounder. NETSEC has identified over 2,000 computer systems within the last few days that have been comprised by this Trojan."
Re-edited: " 'Due to the wide-scale nature of the attack, the hackers could easily use the compromised machines to launch a distributed denial of service attack, such as the one that recently disabled major e-Commerce web sites,' stated Jerry Harold, NETSEC's President and cofounder. NETSEC has identified over 2,000 computer systems that have been comprised by this Trojan."

Original: "This is a unique implementation of a known Trojan called 'Backdoor.SubSeven21'. This version is noteworthy because so many PCs have been infected without detection and it is actively being used by hackers. The malicious part of the code is compressed to avoid detection when the video or host file is executed. In addition, it changes its name each time it is installed on a computer and it is not visible to users as other programs are. Once installed, it cannot be deleted easily. Virus detection software appears only to detect the Trojan after it is fully executed and only when the user manually scans the PC."
Re-edited: [entire paragraph deleted]

Original: "The Trojan, which was detected 'in the wild,' is transported within another executable file that contains a compressed, malicious executable ('.exe'). The compression is designed to prevent detection of the malicious code by virus scanning software. When the user attempts to execute the legitimate file..."
Re-edited: "The Trojan, which was detected 'in the wild,' is believed to be transported within a file that looks like a Video Clip ('.avi'). This file contains a compressed, malicious executable ('.exe'). When the user attempts to play the .avi file..."
Childish hackers will accuse NETSEC of "evidence tampering." Au contraire: we're talking about ethics, not evidence. Every business has the right to modify press releases. The very nature of the web encourages change, and a press release by definition tries to cast its presenter in a good light.
I merely caught NETSEC doing it. As I mentioned earlier, NETSEC detected their security failure only when a laptop tried to contact its new masters. The press release ironically quotes CEO Ken Ammon: "security products [must] be managed by trained security professionals who understand how to use the products to detect, analyze, and eliminate these security incidents." Hmmm, sounds like a job for Serbian & Badman... Managed-security firms look stupid when they get whacked by a security threat. It stings even worse if they get whacked by a well-known threat. NETSEC's customers should demand to know why the firm searched for compromised PCs only after Backdoor.SubSeven infected one of their own systems.
A RUMOR IN the security world says NETSEC infuriated the FBI by failing to turn over IRC chat logs and other "definitive evidence." (Their press release claims they "caught a group of hackers in the act of compromising thousands of computers.") I asked an FBI spokesman a simple yes/no question: did they receive any evidence? He couldn't give me a definitive answer. I suspect the altered press release will disturb FBI officials. It looks waaay too much like a PR event gone awry. Mulder & Scully create enough cyber-embarrassments by themselves; they don't need to take on NETSEC's as well.

Oh, I almost forgot! You're reading the second edition of this opinion piece. I repositioned one paragraph about an hour after the original posting. (Guess which one.) If only we could rewrite history this easily...