Home / Blogs

How a Security Specialist Fell Victim to Attack

These days, I write several pages for our site plus two to three articles per week. The first places these articles are posted are Defending The Net and CastleCops. Several days later, I post these articles on other submission sites. This is standard operating procedure in the world of article submissions.

For the most part, articles are re-published without you even knowing. You typically find out when someone visits your site from another where the article has been posted. Other times, the site that plans on posting the article e-mails you and asks you to review it before it goes live. Two weeks ago, I received one of these e-mails. It was all downhill from there.

To Click Or Not To Click, That Is The Question

Our systems are protected by state of the art security systems. Our SPAM filter is a hardware device that is nearly 100% effective. It also helps in protecting against Spyware and other malicious code. Our Firewall is similar to those you would find in large corporations. Our Anti-Virus system has served us well and we've not had problems with virus for years. I'm not claiming that our systems are 100% protected as there is no such system at this point in time. However, we are fairly confident in our security systems.

Two weeks ago, I received approximately twenty e-mails requesting the review and approval of Defending The Net articles published on other sites. I thoroughly review the e-mails to make sure they seem legitimate. I review the URL's included to make sure they are valid and not redirected to a site that is IP only. The last e-mail I reviewed seemed to be in proper order. When I clicked on the URL to the article, the site failed to load.

Approximately five minutes later, my system slowed to a crawl. I reviewed the running services on the machine and found that the "SYSTEM" process was running at 100% CPU utilization. A thorough review of the system did not reveal anything out of the ordinary. Yet, the machine was barely operating.

After rebooting the system in safe mode and reviewing the event logs, I found the cause of the problem. The event log revealed that the TCP/IP stack repeatedly exceeded the maxim number of connections. I had fell victim to a local machine Denial Of Service attack.

In most cases, an event like this would reveal at least something out of the ordinary; A registry entry, file, or service that should not be present. But not in this case.

The computers local drives were imaged to preserve their current state. The images were then submitted to our Anti-Virus and Firewall vendor research teams. As of today, they have not been able to determine the exact cause of the problem. They do know something malicious is going on, and are looking closely at the TCP/IP stack and system process. Short-term investigation points in the direction of one of these components being modified or corrupted. It's quite possible that a new vulnerability exists and I'm fairly confident they will be able to pinpoint it.

What's the Point?

I've seen just about every type of exploit, vulnerability, and attack you can think of over the years. Some items we uncover during security assessments would make your jaw drop.

It never ceases to amaze me how many people out there just don't care what kind of problems or damage they cause. It appears as if the point of this recent attack was nothing more than to cause the recipient grief, to put the target computer out of business for a while. One things for sure, it resulted in a bad day for me. The time I had to put into investigating the situation, and preparing the images for delivery to our vendor, could have been spent working on something productive.

Conclusion

Because of this event, we have configured a dedicated system whose sole purpose in life is to test potentially harmful URL's. It is actually a virtual machine that if attacked, can be configured to its default state within seconds.

I can only imagine the stress and frustration others without technical experience or resources must go through when something like this happens. I receive countless e-mails from our site visitors regarding their concern that they may have been attacked or compromised. I wish I could help them all out directly but that is not always a reality.

What I can do is share my experiences and recommendations. This is one of the primary reasons why I enjoy writing articles as much as I do.

By Darren W. Miller, Information & Network Security Specialist

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

Re: How a Security Specialist Fell Victim to Attack By David MacQuigg  –  May 09, 2005 7:50 am PDT

It would be helpful to know what software you are using.  You talk about "safe mode", so I assume it is Windows.  XP?  Version?  SP2?  Explorer?  Version?  Latest security patches?

I assume you tried to trace the source of the email.  What was the result?  Was the attack directed at you personally, or have others been hit?

Is the link still up?  Have you tried opening it with different setups?  Is the experiment repeatable?  I assume you will update us when you hear from your vendor.

I thought Microsoft finally had the holes in IE patched.  This does not seem like a fundamentally difficult problem.  I should be able to view any text, any graphics, even fill out some simple form fields, without running unknown program code.  If a web site must have dancing bananas, sorry, my viewer doesn't allow them.

I sympathize with the main message of your article - even those who are careful about security are not safe.  I used to scoff at viruses and email abuse.  Then I got hit by a clever DoS attack - the Swen worm - lost a weeks worth of email, and not a thing I could do about it!!  My inbox was flooded with 3000 spams, all will different headers, so there was no way to separate the legitimate mail.  I'm pretty sure they got my email address from a posting to one of the security newsgroups.  It didn't help that I changed @ to 'at', etc.

I think one effective solution to these problems will be email authentication.

Re: How a Security Specialist Fell Victim to Attack By Jeff  –  May 24, 2005 12:17 pm PDT

Mr. Macquigg's niavete is refreshing, but it looks like you've uncovered yet another one of those situations where all the security preparedness in the world isn't going to do you any good. The sad part is that all you can say is "it happens" and move on, after trying your best (as you're doing) to keep it from happening again.

Such was the case in my own shop, last year, when I was one of the first to get hit by a new worm (Bobax.A, in my case). It took me several days to figure out that something was fishy, since it didn't affect the system performance. Then it took about another >4< days to get my ISP and the others involved (the security software vendor) to admit that something was wrong and give me enough info to let me wipe out the threat.

By the time the rest of the world knew anything was going on, I had identified the cause of the problem and wiped it out.

The point here is that all the preparedness in the world won't help you when the threat is totally unknown. You do your best and hope the next one doesn't have your name on it.

Re: How a Security Specialist Fell Victim to Attack By David MacQuigg  –  May 24, 2005 3:25 pm PDT

Well Jeff, I assume from your arrogance that you know everything about the security of web browsers.  Please explain in fundamental terms why a web browser needs to run unknown program code.

Add Your Comments

 To post your comments, please login or create an account.

Related

Topics

Brand Protection

Sponsored byAppdetex

Whois

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byAfilias

IP Addressing

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign

Cybercrime

Sponsored byThreat Intelligence Platform

DNS Security

Sponsored byAfilias