Hannibal Finds His Victim
Upon receiving e-mail from his worm minions, Hannibal began to browse the messages looking at the initial splash pages of the Web sites that his worm had conquered. He didn't want to access the e-mail account directly because he wanted to avoid being caught. Instead, his worm had another trick up its virtual sleeve: The worm could bounce e-mail requests from the victim machine to an e-mail server. As depicted in Figure 6, Hannibal used his worm running on one victim machine to bounce his connection for reading e-mail. If and when investigators started to look for him, they would have to follow a confusing trail of bounced connections. "Where can I find someone with money?" Hannibal snarled.
Figure 6 Bouncing off one victim, the attacker retrieves anonymous e-mail.
"Hello, Clarice," Hannibal snarled in his monotone, gravelly voice when he spotted the Web page from Clarice Commerce. By quickly scanning the home page in his e-mail, he surmised that this Web site accepted sensitive customer financial information across the Web. Hannibal's worm had discovered hundreds of other similar sites. Although Hannibal attacked many of these victims, to keep our focus, our narrative will center on Hannibal's actions against Clarice Commerce.
Next, Hannibal started sending commands to the worm waiting on the Clarice Commerce Web site. He used an Internet Control Message Protocol (ICMP) tunnel to carry his communication with the worm so that all traffic on the network looked like a ping and ping response. Hannibal's worm included a back-door capability so that he could send commands to the worm and have it do his bidding. With the worm, Hannibal had complete remote control access of the Clarice Commerce Web site.
Mistake #4: Clarice Commerce had inadequate intrusion-detection capabilities. Many remotely accessible back-door programs use defined patterns for communicating across a network. One popular tool that uses ICMP for communication with a back door is called Loki. Because Loki and many similar tools have defined signatures to their network traffic, an intrusion-detection system analyzing the network traffic can alert a company to the use of these types of attack tools. Such an alert can trigger an investigation so that an organization can minimize damage early in the attack process. Although an intrusion-detection system cannot detect all such anomalous behavior, it can certainly help. Organizations should deploy some form of intrusion-detection capabilities on their sensitive networks, such as their Internet gateways.
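Mistake #4 turns on the observation that back-door traffic carried over ICMP does not look like an ordinary ping, even though every packet is an echo request or echo reply. The following is an added example, not code from the book or from any IDS product, of the kind of heuristics a network sensor can apply to ICMP echo traffic: payload sizes that differ from what a stock ping sends, payloads that are readable text or high-entropy (encrypted) data instead of the fixed fill pattern, echo replies that answer no request, and bursts of echo packets between one pair of hosts. The packet records, the expected-size allowlist, the rate threshold and the host addresses are all constructed for the example and would be tuned per environment; it does not encode the real signature of Loki or any other specific tool.

```python
import math
from collections import defaultdict

# Constructed benign payloads: the 32-byte fill pattern a Windows ping sends,
# and a 56-byte incrementing-byte pattern standing in for a default Linux ping.
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING = bytes(range(56))
KNOWN_PAYLOADS = (WINDOWS_PING, LINUX_PING)
EXPECTED_SIZES = {32, 56}   # assumption: payload sizes considered normal on this network
MAX_PER_MINUTE = 20         # assumption: echo packets per host pair per 60 s before alerting
ECHO_REPLY, ECHO_REQUEST = 0, 8


def entropy(data):
    """Shannon entropy in bits per byte; encrypted tunnel data sits near 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_text(data):
    """True if the payload is almost entirely printable and contains a space, i.e. reads like a command line."""
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return len(data) > 0 and printable / len(data) > 0.9 and b" " in data


def analyze(records):
    """Return one alert per suspicious packet.

    Each record is a dict with ts (seconds), src, dst, type (0 or 8), ident, seq, payload (bytes).
    Records must be in time order, as a sensor would see them.
    """
    alerts = []
    seen_requests = set()          # (expected reply src, dst, ident, seq) for each request seen
    per_pair = defaultdict(list)   # (src, dst) -> timestamps inside the last 60 s
    for r in records:
        p = r["payload"]
        reasons = []
        if len(p) not in EXPECTED_SIZES:
            reasons.append(f"unusual payload size {len(p)}")
        if p not in KNOWN_PAYLOADS:
            if looks_like_text(p):
                reasons.append("payload is readable text")
            else:
                h = entropy(p)
                if h > 7.0:
                    reasons.append(f"high-entropy payload ({h:.2f} bits/byte)")
        if r["type"] == ECHO_REQUEST:
            seen_requests.add((r["dst"], r["src"], r["ident"], r["seq"]))
        elif r["type"] == ECHO_REPLY:
            if (r["src"], r["dst"], r["ident"], r["seq"]) not in seen_requests:
                reasons.append("echo reply with no matching request")
        key = (r["src"], r["dst"])
        window = [t for t in per_pair[key] if t > r["ts"] - 60] + [r["ts"]]
        per_pair[key] = window
        if len(window) == MAX_PER_MINUTE + 1:   # fire once, when the threshold is first crossed
            reasons.append(f"more than {MAX_PER_MINUTE} ICMP packets in 60s")
        if reasons:
            alerts.append({"ts": r["ts"], "src": r["src"], "dst": r["dst"], "reasons": reasons})
    return alerts


def sample_records():
    """Constructed traffic: one benign ping exchange, then tunnel-like packets, then a burst."""
    web, admin, outsider = "198.51.100.10", "192.0.2.7", "203.0.113.5"
    pkt = lambda ts, src, dst, typ, ident, seq, payload: dict(
        ts=ts, src=src, dst=dst, type=typ, ident=ident, seq=seq, payload=payload)
    # A permutation of all 256 byte values: deterministic stand-in for encrypted tunnel data.
    scrambled = bytes((i * 167) % 256 for i in range(256))
    recs = [
        pkt(0.0, admin, web, ECHO_REQUEST, 1, 1, WINDOWS_PING),        # normal ping
        pkt(0.01, web, admin, ECHO_REPLY, 1, 1, WINDOWS_PING),         # its reply
        pkt(10.0, outsider, web, ECHO_REQUEST, 5, 1, b"ls -la /var/www\n"),  # text in a "ping"
        pkt(10.5, web, outsider, ECHO_REPLY, 5, 1, scrambled),         # large, high-entropy reply
        pkt(11.0, web, outsider, ECHO_REPLY, 77, 1, WINDOWS_PING),     # reply nobody asked for
    ]
    for i in range(21):                                                # 21 echoes in 10 seconds
        recs.append(pkt(100.0 + i * 0.5, outsider, web, ECHO_REQUEST, 9, i, WINDOWS_PING))
    return recs


if __name__ == "__main__":
    for a in analyze(sample_records()):
        print(f"{a['ts']:7.2f} {a['src']} -> {a['dst']}: {'; '.join(a['reasons'])}")
```

Run stand-alone it prints four alerts: the readable command, the oversized high-entropy reply, the unsolicited reply and the burst; the benign exchange produces nothing. In a real deployment these checks would run over a decoded capture or feed a signature engine, and the size allowlist and rate threshold are exactly the knobs an operator tunes to the pings their own monitoring tools legitimately send.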