A few years back, a good friend (and Microsoft Networking mentor of mine) came to visit me during a course. We started talking about the (latest at the time) ZOTOB worm (MS05-039), and I asked him if he had seen any instances of it. He answered that he had seen an infection in one location, where it was quickly overcome. He then said: “That ZOTOB was annoying though, it kept rebooting the servers until they managed to get rid of it.”
I took my friend aside, booted a vulnerable classroom computer and told him: “Watch this, I’m going to manually replicate the Zotob attack”. I browsed to the milw0rm site, downloaded the first (at the time) exploit on the list, and saved it to disk. I opened a command prompt, compiled the exploit and ran it. The required command line to run this exploit was similar to “ms05-039.exe [victim IP]”. I punched in the IP address of the vulnerable computer with one finger and pressed enter.
I was immediately presented with a command shell belonging to the victim machine. I typed ipconfig, then whoami, and proceeded to add an administrative user to the victim machine. I gave my friend just enough time to see the output, and then typed exit.
Exiting the shell caused svchost.exe to crash, and a reboot window popped up, just like the ones he had seen. I could slowly see the realization seep in. His face lost colour and he slowly sat down on the nearest chair. He looked at me, horrified, somehow managing to gasp “how” and “why” at the same time. He then quickly left the room and made some urgent phone calls.
“there is a divinity that shapes our ends, rough-hew them how we may.”
The best defense is a good offense
I realized that this master of Windows Active Directory and multi-domain PKI infrastructure did not share the same narrow (in)security knowledge as a 12-year-old junior hacker. He was not aware of the outcomes of such an attack and did not know that the “reboot” syndrome he had observed was an “unfortunate” byproduct of unauthorized SYSTEM-level access to the machine: the exploit had already handed the attacker a SYSTEM shell, and the reboot prompt only appeared afterwards, when the exploited svchost.exe crashed.
This made me realize that there is a *huge* gap between the “Defensive” and “Offensive” security fields. A gap so big that a 12-year-old could outsmart a well-seasoned security expert. Hopefully, if this separation between the “Defensive” and “Offensive” fields is made clear enough, network administrators and (defensive) security experts will start to realize that they are aware of only one half of the equation, that there is a completely alien force they need to deal with, and that in order to defend their environment, they need to understand the attacks.