Berbew: The Aftermath
Week of June 26, 2004
Less than a week after its detection, the attack vector known as Berbew has been conditionally thwarted, the provider E-Neverland in Moscow shutting down the key website providing the all-important malware payload.
IIS web servers at prominent sites remain infected, as do countless Windows clients, and the worst of it is no one has any details on the 'zero-day hole' used to compromise the servers.
The zero-day hole is the holy grail of hackerdom: it is a vulnerability so secret that no one else knows about it. Normally white hat hackers find the vulnerabilities, inform the vendor companies, patches are created, and the script kiddies only have a chance with boxes that are not properly updated. With a zero-day hole, the attack is detected but the hole itself is never found: it becomes, to quote Tom Hanks in Saving Private Ryan, like 'looking for a needle in a stack of needles' - there is no way to patch the software because no one knows where the error is, and even if someone should find an error, they have no way of knowing it's the same error that the attackers used - the hole might still be open.
Which is why, in addition to being the holy grail of hackers, the zero-day hole is the ultimate nightmare for security professionals.
Of course the news that IIS is weak on good engineering and security is actually no news at all: a typical product of Microsoft Corporation and once popular with US federal government offices, it was unconditionally condemned several years ago by the US Federal Accounting Office (FAO) as being 'beyond hope of repair or improvement', wherewith most offices ceased using it and the IIS market share fell accordingly. Still, there are some sites out there, very prominent and highly trafficked private sites, that for reasons only their web masters could possibly know continue to use it.
The world has seen many an IIS exploit in the past, Code Red being one of the more memorable examples. Obviously as long as this excuse for server software continues to find even a marginal (< 25%) market share the world will see more.
The attack vector is interesting and particularly effective because of its nimble use of multiple Microsoft 'technologies' against one another. The gangs believed to be behind the latest waves of malware attacks have shown an incredible understanding of how different technologies can be combined to produce even more devastating results. Spam is sent out with malware payloads that turn unwitting Windows machines into proxy relays for the sending of more spam; at every turn keystroke loggers are installed 'just in case'; machines are rounded up to march into battle as DDoS zombies, participating in attacks against prominent web sites and key points of technological infrastructure; the attackers are preparing like a Russian chess master readying his pawns for an all-out attack on one or more of many possible fronts.
But Berbew is the first time Microsoft's notoriously weak technology has been used against itself: compromised Microsoft servers are re-programmed to attack (and compromise) Microsoft clients. These gangs, from Russia or wherever, have punched so many holes in Microsoft that it's like a merciless beating in the prize fighting ring at the hands of a Mike Tyson in the 'good old days': it's total, it's humiliating, and it's an all-out massacre - a rout.
Seeing one's 'software' treated in this fashion would humiliate and shame all but Bill Gates. Sitting atop his empire, he makes sure his web masters choose the right words for informing the public about the dangers ahead so that no one finds the smoking gun to again lay the blame at his doorstep. But leading a company that has never regarded product quality as an important part of marketing, he should have known all along it could come to this: if you don't take pains and really care about what you're pushing on the public, the karma is going to hit you sooner or later. That boomerang would seem to be headed back to Redmond right now.
Work ceased on the Internet Explorer browser as soon as market dominance was established and the threat of entry by Netscape and Unix cross-platform software eliminated. Gates invited the heads of then Mosaic Communications Corporation to Redmond long before the Netscape browser hit the PC market. He told them in no uncertain terms that they were not to port their browser to Windows. His analysts had summed up the situation correctly: if Mosaic (later Netscape) were allowed to enter the PC market, their browser's application programming interface (API) would open the floodgates and make it possible for Unix vendors to reach PC users. And this would have bypassed Microsoft, obviated the need for Windows, and threatened to reduce the Redmond company to the margins. It had long since been realised that Windows was not necessary for users to surf the Internet; Microsoft needed to keep PC technology locked into Windows so that this could not happen.
Mosaic - later Netscape after the name change - refused to do Bill's bidding. They proceeded to develop a version of their browser for the PC/Windows market - thus forcing Bill to activate 'plan 2'.
Plan 2 involved putting the thumb screws down on original equipment manufacturers (OEMs) and Internet service providers (ISPs) to make sure that access to the new Netscape browser was severely limited. ISPs were generally interested in any perks they could get from the Redmond beast; OEMs were directly dependent on it. Working in a hardware market where profit margins were extremely slim, they needed Steve Ballmer's special brand of 'lock-in' to survive: manufacturers were able to provide customers with 'turnkey' systems ready to run and connect to the Internet, with Microsoft Windows pre-installed, and were able to get Windows at an attractive price, as long as they agreed to pre-install (and pay for) Windows on every machine they manufactured: even if a customer declined the offer of Windows, the OEM was required by the terms of the contract to pay for the Windows licence anyway.
And now, with the browser war about to begin, Ballmer tightened his grip: any OEM making it 'too easy' for customers to get the Netscape browser risked losing their special privileges, low prices, and advantageous contracts. Ballmer even threatened IBM: IBM had made it a policy to give customers a copy of Netscape if they specifically asked for it; Ballmer's rule was based on the actual percentage of computers shipping with the Netscape browser; everyone knew about Netscape and everyone wanted it; but Ballmer made it clear to IBM that if they didn't find a way to reduce the numbers, IBM would have to pay full price for their Windows licences - something IBM simply could not afford to do.
All of this is of course useless without an alternative to Netscape, which is where Internet Explorer came in. Running on a total budget of US$5 billion and with never a thought of recovering any of this expense, Internet Explorer was not an attempt to create a good product, but merely a 'good enough' product so that PC users had an alternative when Netscape was no longer available. Using their trademark methods, Microsoft combined technologies bought and purportedly stolen into a somewhat cohesive whole.
'Embrace and extend', another trademark Microsoft marketing weapon, was used effectively as an instrument of Bill's 'Plan 2': whilst Microsoft officially supported World Wide Web standards for HTTP and browsers, their representatives met unofficially with important players in the market to discuss 'Microsoft enhancements' to said standards, and could thus both corrupt the official standards everyone else was dependent on and undermine the foundation the Netscape browser stood upon.
But all that was only necessary until Netscape was no more. By the time of the DOJ trial in Washington DC, Netscape was a thing of the past, swallowed up by America Online who had no intention of going head to head with Bill Gates. And with Netscape gone, there was no reason to pursue development of Internet Explorer anymore, and development abruptly stopped.
Bill Gates doesn't see the browser as important anymore anyway: the 'money' is in DRM - digital rights management - and he will do his best to strangle that market and milk it for all he's worth (and that's a lot).
The technology of the web browser has otherwise come a long way since Internet Explorer was put under wraps. Blocking popups is de rigueur, as are tabs. Standards have changed as well, and ironically it's the 'Netscape' family of browsers, in particular the 'open source' ones that belong to the so-called 'Mozilla Foundation', that have come the furthest. All the Mozilla/Netscape products are based on the Gecko rendering engine, a piece of solid engineering so good even IBM wanted to license it. The Mozilla browsers, like their Netscape antecedents, are available on almost all platforms, on Linux, FreeBSD, and of course Windows. And they're all free. And all the downloads and further information are available at the URL below.
But will people migrate to Mozilla - or the lean and mean latecomer Firefox - now? Will things change - things where Internet Explorer, despite its notorious holes and weak technology, despite its embarrassing lack of modern features and security functions, still holds a good 90% or more of the market?
The odds are against it. For that to happen, Harry and Harriet Homeowner have to burn their fingers. They have to have their hands put firmly on the hot plate on the stove until they scream out in pain and in fright. Harry and Harriet do not see what is happening as an imminent threat. Yes, Russians are spying on us again; yes, we could theoretically lose our life savings just sitting here and chatting with our friends and spending five hours each and every day registering for new prizes at the sweepstakes sites; but it's just not going to happen to us, is it?
People are just trying to scare us. If there were any danger, Computers R US would never have sold us this excellent machine as they did. It's just not going to happen.
Besides, we're used to Internet Explorer and Outlook Express and we don't want to change. If there's something really wrong, Microsoft will fix it. We just don't think there's anything to worry about.
A tempest in a teacup.
But Berbew is not dead. The Russian web site hosting the keystroke logger is offline, but no one knows even to this day how the IIS servers were compromised, and finding zero-day holes in IIS, working as these hackers undoubtedly are round the clock, is akin to finding holes in a fish net. They're either being paid well to research the matter or have formed into lucrative profit-sharing coops, and either way they're going to keep on going - whoever they are: no one knows that either.
All we do know is that they're good; that they understand Microsoft technology far better than Microsoft themselves; that they possess programming skills Microsoft have no hope of coming close to; and that they're intent on getting your money.