Why are the programmers (if I may call them that) who write attack tools so
incredibly, mind-numbingly, jaw-droppingly stupid?
It must be some sort of inherent deficiency in the
mental functioning of the sort of miscreants who feel
compelled to create tools whose sole purpose is to
attack other people's computers. I mean, if they are going
to bother doing it at all, why the hell don't they do it right?
Here are three things that are utterly brain-dead
about today's attack tools as used by today's script kiddies.
- Too much logging
- For some reason every time some script kiddie installs
a packet sniffer on a box they've rooted they feel this
need to have it log absolutely every packet that carries
a username/password combo. They end up with a master
list of usernames and passwords for the box they've cracked.
Unfortunately for them, the sysadmin of the box also ends
up with the master list of every account that the stupid
script-kiddie has compromised. Now guess which accounts the
sysadmin is going to change the password on?
A much better strategy for the clueless cracker would
be to log only some of the compromised data. Maybe
if they'd say this:
    if (!(++cracked_account_count % 5))
        mail_bad_guy_the_goods(user, passwd);
    else
        log_it_just_to_fuck_with_the_sysadmin(user, passwd);
they'd actually be able to do something interesting with
the hijacked accounts.
- Trojan Binaries
- Ok, just who is the absolute Einstein who came up with
this gem? Just about the first thing that any
sysadmin does upon bringing up a new system is run Tripwire
(or one of its many proprietary competitors). After that,
Trojan attacks are not only not useful, they're actually
detrimental to the luser's efforts. As soon as the
modified binaries are detected, the box enters a period
of intense scrutiny as the now pissed-off administrator
goes filesystem spelunking looking for other signs of
damage.
The better strategy here is to modify the .profile of
most of the stolen logins to do something nefarious with
some brand-new software installed by the cracker. A file
integrity checker that only baselines the system binaries
won't trip on either change. (It would if the admin baselined
the home directories too and read the "added" list as well as
the "changed" one.) Don't worry though, the black hats appear
to be too stupid to figure this out.
- Resource hogs
- Attention K-Mart crackers, repeat after me: "If my program
hogs all of the disk space, if it gobbles all of the cpu time,
if it overflows memory or swamps a network interface it will
be noticed and removed. After it is removed, it will no longer run.
Software that doesn't run, isn't useful."
Just think about how Mother Nature does it--the most successful
parasites don't kill their hosts, they just make them a little
less healthy.
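To make the "Trojan Binaries" point concrete from the sysadmin's side: the gap the rant describes only exists when the integrity baseline stops at the system binaries. The script below is an added example, not Tripwire and not anything from the original post. It builds a toy Tripwire-style SHA-256 baseline over a constructed sample tree, then simulates exactly the intrusion described above (binaries untouched, a user's .profile edited to launch a freshly dropped tool) and compares what a binaries-only baseline reports against a whole-tree baseline that also tracks added files. All paths and file contents are made up for the demo.

```python
"""Toy file-integrity baseline in the spirit of Tripwire (added example, not
Tripwire's code). Shows why a baseline limited to system binaries misses the
.profile-plus-new-tool attack, while a whole-tree baseline that also reports
added files catches it."""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its digest.
    Symlinks are skipped so a planted link can't mask a target."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(old, new):
    """Report changed, added and removed files between two baselines.
    The 'added' list is the one that catches brand-new software."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def _write(root, rel, data):
    """Helper: write bytes to root/rel, creating parent directories."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Run the scenario on a constructed sample tree; returns (narrow, wide)
    comparison results for a binaries-only and a whole-tree baseline."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample filesystem: two "binaries" and one user dotfile.
        _write(root, "bin/ls", b"#!/bin/sh\necho ls\n")
        _write(root, "bin/ps", b"#!/bin/sh\necho ps\n")
        _write(root, "home/alice/.profile", b"export PATH=$HOME/bin:$PATH\n")

        bin_dir = os.path.join(root, "bin")
        narrow_base = build_baseline(bin_dir)   # what a binaries-only config watches
        wide_base = build_baseline(root)        # whole tree, dotfiles included

        # The intrusion from the text: leave the binaries alone, drop a new
        # tool in a dot-directory, and make .profile start it at login.
        _write(root, "home/alice/.cache/.sniff", b"#!/bin/sh\n# hypothetical new tool\n")
        with open(os.path.join(root, "home", "alice", ".profile"), "ab") as f:
            f.write(b"$HOME/.cache/.sniff &\n")

        narrow = compare(narrow_base, build_baseline(bin_dir))
        wide = compare(wide_base, build_baseline(root))
        return narrow, wide


if __name__ == "__main__":
    narrow, wide = demo()
    print("binaries-only baseline:", narrow)   # nothing reported
    print("whole-tree baseline:   ", wide)     # .profile modified, .sniff added
```

The binaries-only run reports nothing at all, which is the rant's point; the whole-tree run flags both the edited .profile and the added file, which is the check the admin should be looking at.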