Stop Software Attacks From Destroying Your Servers

Stuxnet-style malware that attacks computer hardware could put your company out of business by physically destroying the servers, networking equipment and storage resources in your data center. Unlike Stuxnet, however, this type of malware is easy to create.

Stuxnet-style malware that attacks computer hardware, physically destroying servers, networking equipment and storage resources in your data center is easier to create than you might think. Learn how to stop it in its tracks.

That’s the stark warning Itzik Kotler issued at the HackInTheBox hacker convention in Amsterdam last month. Kotler is the chief technology officer of the information security company Security Art.

Software attacks that stop the physical hardware from ever working again are known as Permanent Denial of Service (PDoS) attacks. The Stuxnet virus — which attacked Iran’s nuclear facilities — was so complex that many security companies concluded it must have been the work of one or more government agencies rather than individual hackers.

But that doesn’t mean all PDoS attacks have to be difficult to devise, according to Kotler. “Think about it — you can “brick” an iPhone or iPod accidentally when you try and jailbreak it,” he pointed out. Back in 2008 at EUSecWest, HP researcher Rich West demonstrated that NAS, security and networking appliances can be vulnerable to malware that downloads malicious firmware and flashes the appliance with it, rendering the hardware unusable. For that reason there has been a trend toward ensuring that appliance firmware updates are digitally signed by the manufacturer.

It’s not just appliances that are susceptible to “phlashing,” as flashing with deliberately defective software is known. You can brick a server or router by phlashing the CPU with damaged or malicious microcode, or by phlashing the BIOS with garbage. Although it is usually possible to reflash a server BIOS to get it working again, Kotler pointed out that if 5,000 servers on the same network had their BIOS phlashed at the same time, the consequences would still be devastating to the organization that was the victim of the attack. Other hardware, such as graphics cards, disk drives and high-end network interface cards with TCP Offload Engine (TOE) can also be permanently diasbled by phlashing with damaged firmware.

But what about causing real physical damage to computer hardware? Software attacks can cripple hardware easily, Kotler said. “We are used to software damaging other software, but people forget that software controls hardware. That means you can alter software to make hardware perform operations that slowly damage it over time, and you can also make hardware damage other bits of hardware.”

Some simple ways that malicious software can damage your server hardware include:

• Overclocking: Gamers often overclock their hardware to boost performance, but they know that overclocked systems need efficient cooling systems to dissipate the extra heat that overclocking generates. Software or BIOS modifications that overclock a system without extra cooling can permanently damage the system’s CPU or RAM. Even if the damaged hardware components are replaced they will quickly fail again.
• Overvolting: This is the dangerous cousin of overclocking. By increasing the voltage on a motherboard substantially, a component can be “zapped” and instantly destroyed. Smaller voltage increments cause components to heat up slightly, causing a phenomenon called electromigration. Over time, this can cause the pins of a CPU or RAM chip to crumble, disabling the system. Again, replacing failed components will get an infected system up and running only until the same or other components fail once more.
• Overusing (mechanical): mechanical parts wear out or overheat when used intensively, and a hard drive can be damaged through excessive write and read operations or by excessive head parking. For example, the command:
  

  while true; do dd if=/dev/xxx of=/dev/xxx conv=notrunc; done

  creates an infinite loop of disk read and write requests, which will quickly cause a server hard drive to fail through heat damage, while:

  hdparm -S 1 /dev/xxx while true; sleep 60; dd if=/dev/random of=foobar count=1; done

  will cause a hard drive to spin down, wait one minute, start up, write random information, and then spin down again in an infinite loop. “Pretty quickly, the hard drive will start to make uncomfortable noises and an attack like this will wear it out very quickly,” said Kotler.

• Overusing (electronic): Flash memory has no moving parts, but it can be made to fail by writing to it continuously. Suitable code could be as simple as:

dd if=/dev/urandom of=/dev/xxx

Once the flash memory fails, it will no longer be able to store information. While this is merely annoying in a USB flash drive, it could be a major failure issue if the flash memory in question is in a router, as it would be no longer be able to store logs or receive updates and therefore must be replaced

• Overcycling: Continuously power cycling a system is a very basic attack that can have some very interesting results, said Kotler. That’s because a system gets warm when turned on and cools when turned off, causing temperature flexion and spikes in voltages, which can damage various parts of a system unpredictably.

Many companies around the world are threatened with distributed denial of service (DDoS) attacks and blackmailed into handing over large sums of money. “Hacktivist” groups like Anonymous also use DDoS attacks to punish organizations that they feel deserve it.

Since there is little specific that companies can do to defend against PDoS attacks beyond using signed firmware updates when they are available, Kotler said he believes it may only be a matter of time before PDoS attacks become a more popular alternative.

Paul Rubens is a journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.

Follow ServerWatch on Twitter