Page 4 of 7
So how is the virus deployed? Easily enough.
Team Blue has spent the last 3 months buying
email lists… the 1,000,000 addresses for
$100.00 lists that are readily found on the
internet. And after a bit of wardriving, Team
Blue has found multiple unsecured wireless
hotspots. Each member takes a laptop to one hotspot
and plugs in a brand new PCMCIA wi-fi card.
They each have a different email list and they
send their virus to everyone on the list. They
each have the same virus, but they distribute
it in different ways, making it harder to track.
They spoof the “from:” and “reply-to:”
addresses. They use interesting subject lines
like “critical vulnerability patch”
from the “Administrator”. Or they
embed the virus in a table in a Word doc, and
email it as “Resume for My Name”.
Knowing that extensions such as .exe, .pif, .bat,
and .scr are commonly blocked by mail filters and
virus scanners, they send the virus as .doc, .xls,
or .zip attachments, and also as .exe, .bat, and
.pif for the unknowing. Once the emails are sent, the
wi-fi card is removed and trashed. The system
is wiped by formatting the hard drive from a
boot floppy and the members of Team Blue simply
drive home. They don’t meet for beer.
They don’t brag on IRC. They just go home.
In fact, they even “get infected”
within a few days and complain to their wives
and co-workers that they too got that damned
virus spreading around. And what’s the
name of the virus? Why, cowboy_neal,
of course. And just to keep everyone guessing,
they called it “cowboy_neal.c” to
make everyone think there were earlier .a and
.b strains.
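The delivery tricks above (a spoofed "Administrator" sender with a mismatched Reply-To, executables renamed or wrapped in a .zip to slip past extension-only filters, and bare .scr/.pif files for whoever opens them) are exactly what a mail gateway check has to catch. The following is an added example written for this page, not code from the original article: a small Python attachment-and-header inspector that flags blocked extensions, looks inside zip archives, and checks file content for the Windows `MZ` executable header rather than trusting the name. The local domain, the extension lists and the sample lure message are all assumptions constructed for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

LOCAL_DOMAIN = "example.com"  # assumed domain of the protected mail system
# Extensions the page says are commonly blocked outright (assumed policy list).
BLOCKED_EXTENSIONS = {".exe", ".pif", ".bat", ".scr", ".com", ".cmd"}
ARCHIVE_EXTENSIONS = {".zip"}
PE_MAGIC = b"MZ"  # DOS header that every Windows PE executable starts with


def extension_of(filename):
    """Return the last extension of a filename, lowercased ('' if none)."""
    name = (filename or "").lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def is_pe_image(data):
    """Content check: a renamed .exe still carries the MZ header."""
    return data[:2] == PE_MAGIC


def inspect_archive(data):
    """Look inside a zip so wrapping an executable does not defeat the filter."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = zf.read(info)
                if extension_of(info.filename) in BLOCKED_EXTENSIONS or is_pe_image(member):
                    findings.append(f"archive member {info.filename!r} is a Windows executable")
    except zipfile.BadZipFile:
        findings.append("attachment claims to be a zip but is not a valid archive")
    return findings


def inspect_headers(msg):
    """Flag the spoofing pattern from the scenario: forged From and Reply-To."""
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    if from_name.strip().lower() == "administrator" and from_domain != LOCAL_DOMAIN:
        findings.append(f"'Administrator' display name on external address {from_addr!r}")
    return findings


def inspect_attachments(msg):
    """Apply extension policy, then archive and content inspection."""
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = extension_of(filename)
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"attachment {filename!r} has blocked extension {ext}")
        elif ext in ARCHIVE_EXTENSIONS:
            findings.extend(inspect_archive(data))
        elif is_pe_image(data):
            findings.append(f"attachment {filename!r} is a Windows executable despite its extension")
    return findings


def analyze_message(raw_bytes):
    """Parse an RFC 822 message and return a verdict plus the reasons for it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = inspect_headers(msg) + inspect_attachments(msg)
    return {"verdict": "quarantine" if findings else "deliver", "findings": findings}


def build_sample_lure():
    """Constructed sample resembling the scenario's lure; not a real captured mail."""
    msg = EmailMessage()
    msg["From"] = "Administrator <administrator@mail.example.net>"
    msg["Reply-To"] = "helpdesk@other.example.org"
    msg["To"] = f"user@{LOCAL_DOMAIN}"
    msg["Subject"] = "critical vulnerability patch"
    msg.set_content("Please apply the attached patch immediately.")
    fake_exe = PE_MAGIC + b"\x00" * 62  # stand-in for a PE file, not real malware
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Resume for My Name.doc.exe", fake_exe)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Resume for My Name.zip")
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                       filename="patch.scr")
    msg.add_attachment(b"plain document text", maintype="application", subtype="msword",
                       filename="notes.doc")
    return msg.as_bytes()


def build_sample_benign():
    """Constructed internal mail with a harmless attachment, for comparison."""
    msg = EmailMessage()
    msg["From"] = f"Administrator <administrator@{LOCAL_DOMAIN}>"
    msg["To"] = f"user@{LOCAL_DOMAIN}"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes attached.")
    msg.add_attachment(b"plain document text", maintype="application", subtype="msword",
                       filename="notes.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample_lure(), build_sample_benign()):
        result = analyze_message(raw)
        print(result["verdict"], *result["findings"], sep="\n  ")
```

On the constructed lure the inspector reports the Reply-To mismatch, the external "Administrator" sender, the executable hidden in the zip and the bare .scr, while the .doc that really is a document passes; the benign internal mail is delivered. The point of the content check is that extension lists alone are what the scenario's attackers are counting on.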
The result? If done correctly, worldwide infection
can occur within 1 to 12 hours. If it spreads fast
enough, there will be no vulnerability patches
to get, even if the sites responsible for distributing
them had something to distribute. With the anti-virus
sites crippled and their ISPs being DDoS'd,
no new anti-virus definition files can be obtained.
So the virus simply continues to spread. After
48 hours, the embedded time-bomb goes off and
the worst is yet to come: maybe systems
are put in a reboot loop, maybe some ActiveX
exploit is performed to make the system unusable.
The choices are virtually endless, since the
main part of the virus will have already done
its job and the real payload can now be released.
The end targets are Microsoft Windows systems
since, after all, Microsoft operating systems account for
more than 90% of the desktop market and Microsoft
server OS installations are on the rise.
The next issue that Team Blue must address
is when to release the virus. One would think
that Friday afternoon would be a good time.
After all, people just want to go home, and home
users statistically spend more time online on
evenings and weekends. However, our world as
a whole is too connected. Most semi-competent
sysadmins have pagers, cell phones, and access
to email, news, TV, and radio. They will undoubtedly
hear about a weekend outbreak and could choose
to just turn off the company mail server Saturday
and deal with the issue Monday morning. So
Team Blue decides to release it at 6am Monday
morning, East Coast time. Why? Because Mondays
are always bad days for IT people. Systems go
down on weekends. Scheduled power outages for
business-zoned areas occur on weekends. Monday
mornings are typically fairly busy for IT people.
And 6am Eastern allows for 3 hours of infection
before the west coast is online. By the end
of the day, the virus will have spread worldwide,
and all the sysadmins who stayed up late the
previous Sunday night will be tired Monday evening
and not giving their full attention and thought
to the problem. By Wednesday, when updates aren't
possible due to the DDoS attacks and the sysadmins
are frazzled from lack of sleep and too much
coffee, the time-bomb built into the virus goes
off and things only get worse...
The next few pages deal with how sysadmin types
should prepare for this type of issue, and with
the conclusion of the "what if" scenario.