home made malware

Just like momma used to make...

Over the past few weeks I have been playing around with the Metasploit Framework, an open source software program which automates the process of using exploits to compromise systems. Metasploit is a great tool for penetration testers as well as an excellent way to get familiar with the tools and tricks used by the bad guys.

My recent experiments with Metasploit have been focused on malware. One of the modules in the toolkit allows the user to create backdoored executable files, which when run on the targeted host, connect back to the attacker machine and provide access to the now compromised system. I found that it was pretty darn easy to create one of these booby-trapped executables piggybacked onto an innocuous program. Of course, when I tried to copy my new creation to a system running one of the major antivirus programs, the appropriate alarms were set off and the system prevented me from installing my malware. End of story, right? Wrong.

Metasploit also includes tools which allow the user to encode the malware payloads they create to protect them from the prying eyes of antivirus software. There are a number of encoding techniques to choose from, including one called “shikata ga nai” which is Japanese for “nothing can be done.” Once encoded with shikata ga nai, my amateur attempt at malware became a whole lot more interesting. I was able to install it on systems protected with one of the major antivirus products in use in many large organizations. Once installed, I had full access to the file system of the compromised computer, and could take screenshots and record audio, video and keystrokes from the system with nary a peep from the protective AV software.

I have to admit that this freaked me out a bit – I did not have to write a single line of code to do this. I simply used the “evil erector set” parts provided by Metasploit. The antivirus that I used for testing was up to date and correctly configured. At first, I thought that I had found a weakness in the specific antivirus package I was testing with.

To see if this theory was correct, I uploaded my Tinkertoy malware to a site called VirusTotal. VirusTotal takes the files you upload to it and runs them through 45 different antivirus programs and reports on the results. The executable I generated from Metasploit was detected by only 19 of the 45 scanners. The scanners which failed to detect the malware included some of the biggest names in the business.

So, what does this tell us?

First of all, it does not take a genius to build effective malware. While I like to think of myself as pretty technical – I have no digital clocks flashing midnight in my house – I cannot code my way out of a paper bag. The people who create malware for a living have many more tricks up their sleeves and can (and do) create much more stealthy malware than I ever could.

Second of all, while antivirus software protects against much of the “run-of-the-mill” malware your users will encounter, an attacker who is specifically targeting your organization will probably whip up something custom that slips past the AV scanners. A signature scanner matches bytes it has seen before; an encoder changes the bytes without changing what the program does. So, while you still need to keep those signatures up to date, don’t fool yourself into thinking that a well-managed AV install is a panacea.

Which brings us to our third conclusion – that people continue to be the biggest potential weak link in our organizations’ defenses. Malware attacks depend on a momentary human failure for success. Whether it is enticing a user to “download an e-card” from a friend or to click on a link which takes them to a so-called “drive-by download” site which will compromise their system, these attacks work when users are too trusting and let their guard down for just a second.

As security professionals, we need to test and educate our users. Only by demonstrating to them how easy it is to make a mistake which could open up the organization to systems compromise can we hope to get them to think before they click or download something nasty.

Next week, I’ll talk about how I conducted just such a test in my organization with little cost and effort and how you can do so as well.
