Security Vendor Exposes Vulnerabilities in DDoS Rootkit
In what it says is an attempt to turn the tables on malicious hackers, security vendor Prolexic on Tuesday released details of vulnerabilities it has discovered in a toolkit family used by hackers to launch distributed denial of service attacks against corporate networks.
The disclosure is designed to give IT security staff information they can use to mitigate attacks launched using the DDoS toolkit, according to Prolexic.
The company's vulnerability report specifically details flaws in the command & control component of the Dirt Jumper DDoS toolkit that has been associated with DDoS attacks recently. The flaws allow "counter-attackers to obtain access to the Command and Control (C&C) database backend, and potentially server-side files," the company noted in a statement.
Such counterattacks can result in a total compromise of the toolkit's attack capabilities, Prolexic said.
"With this information, it is possible to access the C&C server and stop the attack," Prolexic CEO Scott Hammack said in statement. "Part of our mission is to clean up the Internet. It is our duty to share this vulnerability with the security community at large."
While such vulnerability disclosures involving malware products are likely to be welcomed by many in the security community, the legality of enterprises using the information to actually launch a counter attack against hackers remains an open question.
In 2004, when a security researcher at Sandia National Laboratories used reverse engineering techniques to trace attacks against the lab to a Chinese hacking group called Titan Rain, he was suspended and eventually fired. The researcher later sued the laboratory for unfair termination and was awarded $4.3 million in damages by a New Mexico jury. The case was later settled for an undisclosed sum.
Attitudes appear to have changed quite a bit since then though.
Earlier this week, for example, the Washington Post reported that the Pentagon is said to be considering allowing its Cyber Command specialists to take whatever defensive actions may be necessary to protect U.S. cyber assets even if it means combating attackers on private networks and in foreign countries.
The plan apparently is to introduce new rules that would permit U.S. military cyber specialists to take action outside U.S. military networks under some pretty narrow circumstances involving threats that could result in "deaths, severe injury or damage to national security", the Post reported.
The proposed rules, if adopted, would represent a marked change from present policies that allow the military to take defensive actions only on its own networks.
With traditional network defenses and security products increasingly unable to stop targeted cyber threats, even many enterprise security executives have begun looking at more military-style approaches for protecting their networks.
In a recent survey of 100 security executives from companies having revenues of $100 million or more, a majority 80% advocated the use of intelligence gathering and situational awareness building as key to defending their networks.
More the half (54%) of the IT security executives surveyed believed their companies would be well served if they were legally allowed to strike back either defensively or pre-emptively at those seeking to attack their network infrastructures, according to the survey which was commissioned by security vendor CounterTack.
Another 27% said they wouldn't mind launching an offensive against an attacker if such a move would help law enforcement.
A growing number of organizations have begun breaking back into servers and networks belonging to their attackers to see what data might have been stolen from them, or to disrupt the attackers command and control capabilities, said Richard Stiennon, a principal at IT-Harvest who contributed to the report.
"All of a sudden it has become a bit of the Wild West out there," said Stiennon.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.
Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.