Striking back against web attackers

By Jake Edge
June 23, 2010

There are probably very few system administrators who haven't at least contemplated some kind of retribution against attackers. Some may have envisioned something physical—perhaps involving red hot pokers—but it's likely that the majority considered extracting a payback via the same route they were attacked: the internet. A French company has taken that idea to its logical extreme by presenting thirteen "zero-day" exploits against tools used by attackers at the SyScan security conference, which was recently held in Singapore.

Many attackers use various applications—exploit packs and toolkits—that they install on the web sites they have compromised. These applications launch attacks against the web browsers of site visitors by probing for vulnerabilities, often in plugins like PDF or Java, and using those it finds to compromise the visitor's machine. TEHTRI-Security investigated several of these applications and found exploitable vulnerabilities in half a dozen of them. Unlike what it might have done for more benign applications, TEHTRI released the information at the conference with no warning to the projects and, not surprisingly, those who usually clamor for "responsible disclosure" were rather mute.

These exploit toolkits typically have two components: the payload delivery mechanism and an administrative interface. Payload delivery runs on the compromised web site, looks at the browser to try to find vulnerabilities, and then delivers the appropriate exploit. The web-based administrative interface often aggregates information from multiple compromised web sites and allows the attacker to see what browsers were successfully attacked, which vulnerabilities were used, where the user came from, and so on—essentially a web analytics tool for malware purveyors. TEHTRI found vulnerabilities in both of these components, which could lead to administrative interface defacement, attack management database destruction, authentication cookie disclosure, disclosure of attackers' IP addresses, and more.

The kinds of vulnerabilities that were found read like a laundry list of the most common web application flaws: cross-site scripting, SQL injection, cross-site request forgery, remote file disclosure, authentication bypass, and so on. Even those who exploit web application flaws for a "living"—exploit packs typically cost $500-1000 or more—seem to be unable or unwilling to write code that avoids those same flaws. It is rather ironic that the victims of these web attacks can turn around and use the same techniques to attack the attacker.
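As an added illustration (not code from the article, from TEHTRI, or from any of the toolkits discussed), the following Python sketch shows two of the flaw classes named above, SQL injection and cross-site scripting, as they would appear in a toolkit-style administrative panel: a login check and a log-viewer cell, each in its vulnerable form beside the parameterized or escaped form that prevents it. The table, the account and the inputs are constructed for the example.

```python
import html
import sqlite3


def make_db():
    """Constructed stand-in for an admin panel's account table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('operator', 'correct-horse')")
    return conn


def login_unsafe(conn, username, password):
    # Vulnerable pattern: untrusted input is pasted into the SQL text, so a
    # quote in the input changes the structure of the query.
    query = ("SELECT COUNT(*) FROM admins WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    # Parameterized query: the values travel separately from the SQL text and
    # can never be parsed as SQL, whatever characters they contain.
    row = conn.execute(
        "SELECT COUNT(*) FROM admins WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def render_cell_unsafe(value):
    # Vulnerable pattern: a value taken from a visitor (e.g. a Referer header
    # logged by the panel) is written straight into the page as HTML.
    return "<td>%s</td>" % value


def render_cell_safe(value):
    # HTML-escaped: markup characters become entities and display as text.
    return "<td>%s</td>" % html.escape(value, quote=True)


def audit():
    """Run both forms against the same inputs and report which ones hold."""
    conn = make_db()
    crafted = "' OR '1'='1"          # constructed injection input
    markup = "<script>x</script>"    # constructed markup input
    return {
        "unsafe_login_bypassed": login_unsafe(conn, "operator", crafted),
        "safe_login_bypassed": login_safe(conn, "operator", crafted),
        "unsafe_cell_has_tag": "<script>" in render_cell_unsafe(markup),
        "safe_cell_has_tag": "<script>" in render_cell_safe(markup),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print("%-24s %s" % (check, result))
```

The fix in both cases is the same one any web application should already apply: keep data and code separate, either by letting the database driver bind parameters or by escaping output for the context it is written into.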

As TEHTRI and others point out, though, it may well be illegal to turn the tables on the attackers, no matter how satisfying—and reasonable—the idea seems. Self-defense is likely not a defense against computer crime statutes, at least in many jurisdictions. The administrative interfaces typically run on systems under the control of the attacker, but not necessarily a host that is "owned" (in the legal sense) by them. It is probable that an unsuspecting victim's server has been compromised to the extent that the web interface could be installed, which makes an attack against it even riskier.

While some specifics were given at the SyScan talk, TEHTRI is keeping the details of these vulnerabilities (and others that it hints about) to itself for now. There is another SyScan conference in early July (in Hangzhou, China) where TEHTRI's Laurent Oudot is once again presenting on this topic so, in order to keep up the interest in the talk, "it has been decided that we would not disclose the whole content of our findings before this upcoming event", he said. As with much security research, TEHTRI clearly sees these vulnerabilities as a marketing tool, and is, unfortunately in some ways, treating them as such. On the other hand, it's hard to feel much in the way of sympathy for the developers or users of the tools, so disclosure of the flaws, and how to exploit them, is not a particularly high priority.

Given that there aren't enough details, yet, to actually strike back against attackers using these exploit toolkits, there is some time to consider the ramifications of "defensive attacks". Computer crime statutes are typically written rather loosely, such that any access other than what the site owner wants can be considered a violation. As various folks have found out, intent means very little when it comes to computer "crime". In addition, judges and lawyers are not terribly savvy about these technical issues, which makes it that much harder for "white hats" to defend themselves. All of that makes it extremely risky for anyone to use these exploits (or other offensive methods) against attackers.

One way to use the vulnerabilities that TEHTRI has found would be by, or in conjunction with, law enforcement. Exploiting some of those holes could lead to other systems under the control of the attacker, potentially including a host that can be associated with a specific individual or group. That could lead to prosecution, and possibly unravel a larger network of attackers. Unfortunately, except for high-profile attacks, there seem to be few resources available to track down and prosecute these crimes.

In the end, the lasting legacy of these vulnerabilities is likely to be their amusement value. It's probably too risky for "white hats" to use them, and those who could use them without fear of prosecution (e.g. police) don't have enough time, money, or interest to do so. That's sad in many ways, and disappointing to system administrators who would like to extract a small measure of retribution, but it's also hard to see it changing anytime soon.

Copyright © 2010, Eklektix, Inc.