Evil Computer Virus
May 7, 2009. Posted by gordonwatts in computers.
Ugh. I hate computer viruses. I hate them because they make me do extra work. I don’t like the work much because I don’t think of it as interesting – why spend my time programming security fixes when I could be trying to search for the Higgs or something similar to that. However, it must be done.
Up until very recently I’d always thought that putting a set of machines behind a firewall, and not letting anything through that firewall, was a great way to secure them. Since an attacker from the outside couldn’t penetrate, you’d be safe, right? A random port-scan of a computer behind the firewall will just turn up a “no one home” answer because the firewall will block it. This makes security a lot simpler.
Until Phalanx2 came along. Actually, virus is the wrong word here. It is really a rootkit: something that gets onto a machine, hides itself, and then quietly works its way onward, which gives it a bit of the character of a worm as well. It is insidious. Most worms break into a computer and then start scanning for any other computer nearby that might be vulnerable, break into that one, and repeat. As a result they can spread very, very fast. However, the firewall I mentioned above totally defeats them. They try to scan a machine behind a firewall and… well, the firewall blocks them. So those machines are safe from that kind of scanning.
But we humans have a way to get to those machines behind the firewall. We use an encrypted remote login (ssh) that the firewall is configured to let through, which in effect pokes a small hole in it and gives us access to the machines on the other side. I use this technique all the time to access computers at Fermilab and CERN. It allows me to help maintain the data acquisition system at DZERO, for example.
And this is where Phalanx2 is clever. Once it gets onto a machine it watches for exactly these connections and harvests what is needed to make them: the ssh private keys sitting on that machine, plus whatever it can capture of what I type to log in. Later, perhaps while I sleep, it replays the same login and is through the firewall, on the inside machine, with my credentials. A bug in the Linux kernel then lets it escalate to root and set up shop. Oops! Infected machine behind the firewall!!
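The thing a rootkit like this is after is the private key that lets it replay my login, and a key stored with no passphrase is usable the moment it is copied. The script below is an added example, not part of the original post and not the rootkit's code: it audits a directory (by default ~/.ssh) for private keys saved without a passphrase, parsing the OpenSSH key container header to tell an encrypted key from a plain one. The sample keys in it are constructed stand-ins (valid headers around dummy bodies), not real keys, and the SAMPLE_KEYS and demo_scan names are mine.

```python
"""Audit a host for SSH private keys stored without a passphrase.

Added example, not code from the original post. A rootkit that harvests
SSH keys from a stepping-stone host can use an unencrypted key at once;
a passphrase-protected key at least has to be cracked first.
"""
import base64
import os
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # fixed prefix of the openssh-key-v1 container


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def classify_private_key(text):
    """Return (format, encrypted) for the text of a key file.

    format: 'openssh', 'pem', 'pkcs8' or None (not a private key).
    encrypted: True/False, or None if the file could not be parsed.
    """
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines:
        return None, None
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(line for line in lines[1:] if not line.startswith("-----"))
        try:
            blob = base64.b64decode(body, validate=True)
        except ValueError:
            return "openssh", None
        if not blob.startswith(OPENSSH_MAGIC):
            return "openssh", None
        # After the magic come two strings: ciphername and kdfname.
        # An unprotected key has ciphername "none".
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        return "openssh", cipher != b"none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "pkcs8", True
    if header == "-----BEGIN PRIVATE KEY-----":
        return "pkcs8", False
    if header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC PRIVATE KEY): passphrase protection shows
        # up as a "Proc-Type: 4,ENCRYPTED" header right after the BEGIN line.
        encrypted = any(line.startswith("Proc-Type:") and "ENCRYPTED" in line
                        for line in lines[1:4])
        return "pem", encrypted
    return None, None


def scan_for_plaintext_keys(directory):
    """Return sorted paths under directory of private keys with no passphrase."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                if os.path.getsize(path) > 64 * 1024:  # real key files are small
                    continue
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            if "PRIVATE KEY-----" not in text:
                continue
            fmt, encrypted = classify_private_key(text)
            if fmt is not None and encrypted is False:
                findings.append(path)
    return sorted(findings)


def _fake_openssh_key(cipher, kdf):
    """Constructed sample: a syntactically valid openssh-key-v1 header around a dummy body."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1) + s(b"\x00" * 32)
    b64 = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples (dummy bodies, not usable keys) covering the formats above.
SAMPLE_KEYS = {
    "openssh_plain": _fake_openssh_key(b"none", b"none"),
    "openssh_encrypted": _fake_openssh_key(b"aes256-ctr", b"bcrypt"),
    "pem_plain": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "pem_encrypted": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n"
                      "-----END RSA PRIVATE KEY-----\n"),
    "pkcs8_plain": "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
    "pkcs8_encrypted": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n",
    "not_a_key": "ssh-rsa AAAAB3NzaC1yc2E user@host\n",
}


def demo_scan():
    """Write the samples to a scratch directory, scan it, return basenames flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLE_KEYS.items():
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(text)
        return [os.path.basename(p) for p in scan_for_plaintext_keys(tmp)]


if __name__ == "__main__":
    for path in scan_for_plaintext_keys(os.path.expanduser("~/.ssh")):
        print("no passphrase:", path)
```

Run it on any host you use as a stepping stone; every path it prints is a key an intruder on that host could copy and use immediately. It only inspects the key container, so it says nothing about whether a key is also sitting in a running ssh-agent, which a root-level intruder can use just as well.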
The upshot is that it is suddenly as important to keep the machines behind the firewall as up-to-date and patched as the machines that are out on the internet: the kernel bug is what turns a borrowed login into full control of the box. And patching alone is not the end of it, because a login made with a stolen key looks exactly like mine, so the key has to be replaced as well. This is more work. A lot more work. And, frankly, it isn’t very interesting work.😦 Bastard virus writers.