home made malware

Just like momma used to make...

Over the past few weeks I have been playing around with the Metasploit Framework, an open source software program which automates the process of using exploits to compromise systems.  Metasploit is a great tool for penetration testers as well as an excellent way to get familiar with the tools and tricks used by the bad guys.

My recent experiments with Metasploit have been focused on malware.  One of the modules in the toolkit allows the user to create back doored executable files, which when run on the targeted host, connect back to the attacker machine and provide access to the now compromised system.  I found that it was pretty darn easy to create one of these booby trapped executables piggybacked onto an innocuous program.  Of course, when I tried to copy my new creation to a system running one of the major anti virus programs, the appropriate alarms were set off and the system prevented me from installing my malware.  End of story, right?  Wrong.

Metasploit also includes tools which allow the user to encode the malware payloads they create to protect them from the prying eyes of anti virus software.  There are a number of encoding techniques to choose from, including one called “shikata ga nai” which is Japanese for “nothing can be done.”  Once encoded with shikata ga nai, my amateur attempt at malware became a whole lot more interesting.  I was able to install it on systems protected with one of the major anti virus products in use in many large organizations.  Once installed, I had full access to the file system of the compromised computer, and could take screenshots and record audio, video and keystrokes from the system with nary a peep from the protective AV software.

I have to admit that this freaked me out a bit – I did not have to write a single line of code to do this.  I simply used the “evil erector set” parts provided by Metasploit.   The antivirus that I used for testing was up to date and correctly configured.  At first, I thought that I had found a weakness in the specific antivirus package I was testing with.

To see if this theory was correct, I uploaded my tinkter toy malware to a site called Virus Total.  Virus Total takes the files you upload to it and runs them through 45 different anti virus programs and reports on the results.  The executable I generated from Metasploit was detected by only 19 of the 45 scanners.  The scanners which failed to detect the malware included some of the biggest names in the business.

So, what does this tell us?

First of all, it does not take a genius to build effective malware.  While I like to think of myself as pretty technical – I have no digital clocks flashing midnight in my house – I cannot code my way out of a paper bag.  The people who create malware for a living have many more tricks up their sleeves and can (and do) create much more stealthy malware then I ever could.

Second of all, while anti virus software provides protection against much of the “run of the mill” malware your users will encounter, if an attacker is specifically targeting your organization, they will probably whip up something custom which will slip by the AV scanners. So, while you still need to keep those signatures up to date, don’t fool yourself into thinking that a well managed AV install is a panacea.

Which brings us to our third conclusion – that people continue to be the biggest potential weak link in our organizations’ defenses. Malware attacks depend on momentary human failure for success.  Whether it is enticing a user to “download an e-card” from a friend or to click on a link which takes them to a so-called “drive by download” site which will compromise their system, these attacks work when users are too trusting and let their guard down for just a second.

As security professionals, we need to test and educate our users.  Only by demonstrating to them how easy it is to make a mistake which could open up the organization to systems compromise can we hope to get them to think before they click or download something nasty.

Next week, I’ll talk about how I conducted just such a test in my organization with little cost and effort and how you can do so as well.

home made malware

gone in 6 minutes – your passwords

One way to get stuff out of an iPhone without the passcode...

Apple’s iPhone and iPad have been phenomenally successful in the consumer sector and have been making inroads into the corporate world as well.  However, the iOS platform has been dogged by concerns around the security of information stored on these devices. This week, a group of researchers supported by the German government released a paper and video demonstration (see below) which once again highlights serious weaknesses in the security of iOS.

The group, from the Fraunhofer Institute for Secure Information Technology, wanted to see whether they would be able to extract user passwords from a locked iPhone or iPad without knowing the device’s passcode.   What they found was disturbing.   By jailbreaking the device and installing a script which takes advantage of weaknesses in Apple’s Keychain password storage system, the researchers were able to extract a variety of passwords in under six minutes.

Corporate applications did not fare well under this attack.  The research team found that they could extract passwords for LDAP, Microsoft Exchange, VPN connections, voicemail, and WIFI credentials quite easily simply by having physical possession of the phone and low to moderate levels of technical skill.   They also found that passwords for Gmail accounts set up as Exchange servers were easily accessible.

The underlying problem that allows this attack to succeed has to do with how iOS encrypts information.  They key used to do the encryption has nothing to do with the user’s passcode; it is made up of information present on the device.  This means that an attacker who has physical possession of an iPhone, iPod, or iPad has access to the key used to encrypt the data.  Not a good thing.

So, what are the takeaways from this?

First, the iOS platform is still not ready for prime time when it comes to corporate use.   Apple still has not gotten the security features needed to keep sensitive information confidential right.  Using the iPhone or iPad in a corporate environment still requires add on software with strong encryption and secondary user authentication to sandbox and secure corporate data.

Second, users should not rely on the passcode to protect their phones or tablets in case of loss or theft.  If your device has gone missing, you need to change your sensitive passwords which were stored on that device as well as any passwords which you have used on multiple systems.  While using Apple’s “Find My iPhone” feature to remotely erase your device provides some protection, you can’t really count on this to guarantee the safety of your passwords.

It seems to me that the iOS passcode is in some ways an anti-security feature.  Most unsophisticated users probably see the passcode as guaranteeing that nefarious people can’t access their sensitive data.  In fact, it is in some ways an instance of “security theater,” which provides a false sense of security and encourages users to take risks with their device and the information on it.

If Apple is serious about making iOS devices ready for the corporate market they need to get with the program and build real security features into iOS.

gone in 6 minutes – your passwords

it’s a printer! it’s a file system! it’s both!

Not sure if this particular printer is a threat...

You probably don’t give much thought to the printers on your network, at least from a security point of view.  Well, some recent research presented at the ShmooCon hacker conference in Washington DC last week, provides some insight into how HP printers can be used in a quite surprising way.

It turns out that HP’s networked printers all have some storage built in to them in the form of RAM disks.  Normally, this storage is used to load fonts onto the printers.  Well, Ben Smith of the security research group remote-exploit.org got to thinking about that storage and how it might be put to use.

Smith described a toolsuite he designed called PrintFS, which takes the storage on all of those networked printers and aggregates it into a hidden file system, accessible only to those in the know.  PrintFS makes the printer storage look like a hard disk to computers with the software installed.

A program called PFScanner is used to find all of the printers on the network suitable for use with PrintFS.  According to Smith, PFScanner was written to evade signature based intrusion detection systems by varying the order in which it carries out its scanning steps.

When files are written to the virtual printer disk, they are compressed, encrypted and given randomly assigned file names which are mapped to a table stored on the computer running PrintFS.  Each file is stored on two separate printers, so that if a printer is turned off, rebooted or removed, the files in its memory are not lost.

PrintFS could provide attackers with a valuable tool for evading detection.  In many cases, attackers who gain access to networks spend a lot of time finding the information of value, packaging that information, storing on a staging server, and then exfiltrating the data.  One of the ways that these long term attacks are discovered is when an alert system administrator finds the attacker’s cache of data waiting for transmission off the network.  By hiding the data in a virtual disk which is off the radar of most system administrators, the attackers gain more time to exploit the network.

PrintFS has another advantage for the attacker… if their presence on the network is detected, one of the tools in the suite provides a “panic button” which they can use to reboot all of the printers which make up the virtual hard drive.  Since the data is stored in the RAM of the printers, pushing the panic button will remove all of the data and leave no forensic evidence behind.

Given that PrintFS is a hacker tool, it is not surprising that Smith included some other functionality… for example, the PrintJack module which serves as a GUI for the scanner also allows the mischievous attacker to change the messages on printers’ status displays to something of their own choosing, say “Insert a quarter to print.”  The tool also has a denial of service mode which can either simply prevent jobs from being accepted by the printer or cause the printer to print black pages continuously, exhausting the supply of paper and/or toner.

I think what is most important about PrintFS is how it takes devices on our networks which we don’t give much thought to and uses them in a way which exploits their “dullness” to mask our ability to see what the attackers are up to.  While I hope that HP comes up with a patch to prevent this attack from being successful on newer printers, it is very likely that the majority of the millions of HP printers out in the field will remain vulnerable, since upgrading printer firmware is not on the top priority list for most IT departments.

It seems to me that the way to detect attacks like PrintFS is to get a good baseline of the traffic on your network and to look for anomalies involving the amount of data transferred between IP addresses and the times of those transfers.  If your office hours are nine to five and you start seeing megabytes of traffic flowing from a workstation to a printer at 3 AM, this is a good time to put on your investigator hat and find out why.

PrintFS is scheduled for release in the next week or two at www.remote-exploit.org.  It is written in the Python scripting language, which means that it will run on a variety of platforms (Windows, Linux and Mac).

PrintFS is just one of a number of interesting tools and techniques discussed during ShmooCon 2011.  I’ll be be posting more about what I learned at ShmooCon over the coming weeks.

This post is a transcript of a piece I did for broadcast on IGTV – the weekly video broadcast of New York Metro InfraGard.

it’s a printer! it’s a file system! it’s both!