Perhaps the current popularity of remote/local terms comes from the Lincoln Labs studies done in 1998: http://www.usenix.org/events/sec99/full_papers/ghosh/ghosh_html/ Attacks were divided into four categories: denial of service probing/surveillance remote to local user to root attacks In the email examples given so far (note that nothing of similarity was in the LL study) they would all be "remote to local". There's no need for trying to define a compound attack -- it serves no purpose. Plus the confusion that results from using just "remote" or "local" should be more than obvious to anybody reading this thread. If you don't want to use a formal taxonomy for talking about these things you will always suffer from misunderstanding. Dr Cowan makes this point below -- he apparently calls the email portion "local" and the social engineering "remote". I believe the original intent of the two "remote to local" and "user to root" classes was to distinguish the threat level. "user to root" implies that you only need worry about those people who have physical access to the target, and "remote to local" meant you had to worry about the millions of users on the internet. Then end result being you worried a heck of a lot more about "remote to local" than "user to root" (although both provide root access). _______________________________ Michael D. Black, MSIA, CISSP, IAM Information Systems Security Officer Essex Corporation black@xxxxxxxxxxxxx -----Original Message----- From: Crispin Cowan [mailto:crispin@xxxxxxxxxx] Sent: Sunday, July 24, 2005 7:47 AM To: Technica Forensis Cc: Black, Michael; James Longstreet; Derek Martin; bugtraq@xxxxxxxxxxxxxxxxx Subject: Re: On classifying attacks Technica Forensis wrote: > This really depends on the situation. Say I write an exploit that > when run as a user spawns a listening ssh service with root priv. I > get on the system however I do, download this file and exec it. I > think everyone would agree that is a local exploit. > I send that same file as an email attachment to some dolt and peer > pressure him into running it. Just because I downloaded the file by > emailing it to said dolt doesn't change the exploit from local to > remote. It potentially changes it from 'exploit' to trojan, but it is > still being executed locally. > That sounds like a compound attack with 2 stages: * a social engineering attack to get the victim to run the code o can be very simple like "please run this code" o can be very sophisticated, like phishing attacks carefully crafted to resemble legitimate mail to get the user to click on something * a local attack that happens when you run the malware What makes this compound attack "remote" is that the social engineering attack is remote. This makes most common viruses compound remote/local attacks with a remote social engineering attack to somehow induce the user to run a local attack. The exception to this is e-mail viruses that require no social engineering because they can exploit some flaw in the preview pane or such like so that the user only has to browse the mail to run the malware. Crispin -- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ Director of Software Engineering, Novell http://novell.com
