The motives vary for randomly exploiting vulnerable systems. Every time one of our honeypots is compromised, we learn the tools and tactics used, and we often also learn why the honeypot was attacked. This information can often be the most interesting and helpful.
One motive may be denial-of-service attacks. Recently, new denial-of-service attacks have been reported: DDoS (distributed denial of service). With these attacks, a single user controls hundreds, if not thousands, of compromised systems throughout the world. These compromised systems are then remotely coordinated to execute denial-of-service attacks against one or more victims. Because multiple compromised systems are used, it is extremely difficult to defend against and to identify the source of the attack. For such an attack to work, a blackhat needs access to hundreds, if not thousands, of compromised systems. To gain access to such a large number of systems, the blackhat randomly identifies vulnerable systems and then compromises them to be used as DDoS launching pads. The more systems compromised, the more powerful the DDoS attack. We saw this in Chapter 6, where the honeypot we analyzed was compromised to be used as a Trinoo client, one version of a DDoS tool. To learn more about DdoS attacks and how to protect yourself, check out Dave Dittrich's site at http://staff.washington.edu/dittrich/misc/ddos/.
Another motive is for blackhats to hide or to obscure their source and identities. When blackhats attack a specific system, they do not want the attack to be traced back to them. Blackhats can obscure their true identities by compromising a system from a chain of previously compromised systems. Instead of directly attacking a system from their own location, the blackhats will compromise systems in a series of hops. After compromising one system, the blackhats hop from that system to another, and so on, continuing this series of hops until they achieve their final goal. This makes it extremely difficult to trace back to the blackhat, as one must go through a series of compromised systems. Most likely, somewhere along the line, the blackhat has effectively cleaned any tracks. To make this tracing more difficult, blackhats can compromise systems in various countries having different time zones, languages, and government structures. This makes it far more difficult for administrators and law enforcement to trace an attack. Language barriers, time zones, and political systems can make it impossible to follow the chain of compromised systems. To create such a chain, a blackhat must have access to a large number of systems.
Another motive for randomly compromising systems is IRC, or Internet relay chat. Often, blackhats want to maintain administrative rights (sys ops) on their IRC channel. To maintain such rights, the blackhats have to maintain a presence on the channel. An automated tool, bots, allows them to keep these rights at all times. However, bots can die or be taken out by other blackhats. So a common tactic is to compromise as many systems as possible and to launch automated bots from the compromised systems. The more systems compromised, the more bots the blackhats have. The more bots the blackhats have, the more power they have on the IRC channels. These same systems are also used to launch denial-of-service attacks against other blackhats to kill their bots or to remove them from IRC channels.
Also, these same IRC channels are a primary means of communication among blackhats. The Honeynet Project has repeatedly had honeypots compromised to facilitate such communication. In one situation, not only IRC bots were installed, but also BNC, a utility allowing blackhats to proxy connections through the system. For more information on IRC and how the blackhat community uses it for communication, we highly recommend the paper "Tracking Hackers on IRC" by David Brumley, available at http://theorygroup.com/Theory/irc.html.
Another motivation to win is bragging rights. Many blackhats like to brag about how many systems they have compromised. It does not matter which sites they compromise, just as long it is more than everyone else. Often, blackhats advertise these acts by compromising Web sites and then modifying them to brag. Also, compromised systems can become a form of currency. Blackhats can exchange the accounts of compromised systems for things of value, such as stolen credit cards. We see these motivations in Chapter 11, in our review of the communications of several blackhats.
Compromised sites can also be used as storage and distribution centers. Blackhats will often set up websites to distribute tools, documents, cracked softwareoften called Warezmusic, photographs, and other assorted files. Why should blackhats pay for such resources when they can use someone else's?
The motives are as varied as the blackhats themselves. There is no single, common motivation. Often, blackhats will attempt to justify their actions by claiming that their activity is politically justified, such as retaliation against an "unjust" political system or specific corporations. In Chapter 11, we see blackhats who state that they have a political agenda but appear to be out for a joyride. The Web site http://www.attrition.org lists Web sites that have been compromised. Spend time reviewing these compromised sites and the Web pages vandalized by script kiddies. They often post messages of political motivation. However, these justifications tend to be nothing more then conjured-up reasons for the blackhats to satisfy their own personal motives.