Wednesday, June 10, 2009

rm -rf

Suppose you were one of the security Bad Guys. You have a nifty "Day Zero" exploit - code that uses a vulnerability for which there is no patch to protect the computer. You can run code on the target computer. What do you run?

You might install your own software to let you back in later, even if a patch is released to close the hole you just exploited. You might even - if you were sneaky - install a rootkit, software to hide your malicious software.

Of course, you wouldn't bother installing software if you were a more destructive Bad Guy. On Unix and Linux computers, rm -rf will cause the operating system to lobotomize itself, as it deletes all files from the hard disk. On Windows computers, format c: is effectively the same thing.

So if you were extra super crazy destructive Bad Guy, what might you do? Exactly this, on 100,000 web servers:

A large internet service provider said data for as many as 100,000 websites was destroyed by attackers who targeted a zero-day vulnerability in a widely-used virtualization application.

Technicians at UK-based Vaserv.com were still scrambling to recover data on Monday evening UK time, more than 24 hours after unknown hackers were able to gain root access to the company's system, Rus Foster, the company's director told The Register.

[snip]

Some 50 percent of Vaserv's customers signed up for unmanaged service, which doesn't include data backup, Foster said. It remains unclear whether those website owners will ever be able to retrieve their lost data, he said. As a result, at least half the websites that were hosted on the site remain offline.

The story gets stranger, as the head of the company that made the software exploited by the Bad Guys seems to have killed himself:

The boss of Indian software firm LxLabs was found dead in a suspected suicide on Monday.

Reports of the death of K T Ligesh, 32, come in the wake of the exploitation of a critical vulnerability in HyperVM, a virtualization application made by LXLabs, to wipe out data on 100,000 sites hosted by the UK web hosting firm VAserv.

Weird. Sad, too.

Some days, this seems like a very strange line of work.

5 comments:

Anonymous said...

Wouldn't you have to do
rm -rf /

rm -rf would only delete from where you're at

blogger said...
This comment has been removed by a blog administrator.
Borepatch said...

Anon, you're right. The Windows command is also not quite right. There are two reasons that I didn't put these in:

1. Readability. It doesn't really matter much to most readers.

2. I don't want to put explicitly damaging instructions on my blog. I get a lot of hits from people googling "hack your neighbor's wifi", and so leaving something out is a feature, not a bug.

Yes, I could leave the entire thing out, but the string "rm -rf" was in the story I quoted, so Google will lead people there - in other words, my post is no more damaging than the original story.

Anonymous said...

Ah.

No worries. I think everyone needs to do an rm -rf at least once.

I got bit doing an "rm -rf myfile. *"

Yes - there is an inadvertent space between the dot and the *. Luckily it was just an afternoon's work and not my home directory.

rm -rfi, rm -rfi, rm -rfi

Borepatch said...

Anon, amen. And LOL.