Just like momma used to make...

Over the past few weeks I have been playing around with the Metasploit Framework, an open source software program which automates the process of using exploits to compromise systems.  Metasploit is a great tool for penetration testers as well as an excellent way to get familiar with the tools and tricks used by the bad guys.

My recent experiments with Metasploit have been focused on malware.  One of the modules in the toolkit allows the user to create back doored executable files, which when run on the targeted host, connect back to the attacker machine and provide access to the now compromised system.  I found that it was pretty darn easy to create one of these booby trapped executables piggybacked onto an innocuous program.  Of course, when I tried to copy my new creation to a system running one of the major anti virus programs, the appropriate alarms were set off and the system prevented me from installing my malware.  End of story, right?  Wrong.

Metasploit also includes tools which allow the user to encode the malware payloads they create to protect them from the prying eyes of anti virus software.  There are a number of encoding techniques to choose from, including one called “shikata ga nai” which is Japanese for “nothing can be done.”  Once encoded with shikata ga nai, my amateur attempt at malware became a whole lot more interesting.  I was able to install it on systems protected with one of the major anti virus products in use in many large organizations.  Once installed, I had full access to the file system of the compromised computer, and could take screenshots and record audio, video and keystrokes from the system with nary a peep from the protective AV software.

I have to admit that this freaked me out a bit – I did not have to write a single line of code to do this.  I simply used the “evil erector set” parts provided by Metasploit.   The antivirus that I used for testing was up to date and correctly configured.  At first, I thought that I had found a weakness in the specific antivirus package I was testing with.

To see if this theory was correct, I uploaded my tinkter toy malware to a site called Virus Total.  Virus Total takes the files you upload to it and runs them through 45 different anti virus programs and reports on the results.  The executable I generated from Metasploit was detected by only 19 of the 45 scanners.  The scanners which failed to detect the malware included some of the biggest names in the business.

So, what does this tell us?

First of all, it does not take a genius to build effective malware.  While I like to think of myself as pretty technical – I have no digital clocks flashing midnight in my house – I cannot code my way out of a paper bag.  The people who create malware for a living have many more tricks up their sleeves and can (and do) create much more stealthy malware then I ever could.

Second of all, while anti virus software provides protection against much of the “run of the mill” malware your users will encounter, if an attacker is specifically targeting your organization, they will probably whip up something custom which will slip by the AV scanners. So, while you still need to keep those signatures up to date, don’t fool yourself into thinking that a well managed AV install is a panacea.

Which brings us to our third conclusion – that people continue to be the biggest potential weak link in our organizations’ defenses. Malware attacks depend on momentary human failure for success.  Whether it is enticing a user to “download an e-card” from a friend or to click on a link which takes them to a so-called “drive by download” site which will compromise their system, these attacks work when users are too trusting and let their guard down for just a second.

As security professionals, we need to test and educate our users.  Only by demonstrating to them how easy it is to make a mistake which could open up the organization to systems compromise can we hope to get them to think before they click or download something nasty.

Next week, I’ll talk about how I conducted just such a test in my organization with little cost and effort and how you can do so as well.

Sometimes, the best place to hide things is in plain sight...

One of the revelations from the recent capture of a number of deep cover Russian spies here in the US was that they used steganography (the concealment of data within innocuous looking files) in order to hide and transmit secret documents and messages to their handlers.  Steganography is one of those techniques which get talked about a lot a security conferences, but has not seemed to play a major role in news of security breaches.  This seems a bit odd to me – stego seems like a great way to exfiltrate information in plain sight.  By embedding ill gotten data in vacation pictures posted to Flickr or Facebook, spies (corporate or otherwise) can create very low risk electronic dead drops with a few mouse clicks.  Unlike encryption, stego does not leave suspicious encrypted files to exfiltrate, just innocent looking pictures or songs.  The software needed to create stego protected files is available on the Net.  So why (other than some articles about Al Qaeda reportedly using stego to embed secret information in internet images) do we not hear more about this technique?  I have a couple of hypotheses here:

Attackers are using stego, but they are not getting caught. Detection of files with steganographically hidden content is very difficult, requiring very specialized knowledge and tools which most enterprises and forensic examiners don’t have access to.

Attackers don’t need to use stego because they don’t need to. There are so many organizations out there who do not have a handle on what information is leaving their networks, that they don’t feel the need to go to the trouble of hiding the information they are swiping.  Or they are using really low tech methods to get the data out of the organization, like printing, or fax, or this.

Is stego a real threat to the enterprise?  I am not sure.  But the availability of stego underlines the need to build a security culture in your organization and use both technology and non tech means to detect potential problems.  Stego seems to be a tool which insiders would be predisposed to use – detecting insider threats takes both technology and plain old vigilance.  There is some excellent information on detecting insider threats available from the CERT team – this should be on your reading list.

This post was inspired by Kai Axford’s (Accretive Solutions) great presentation at today’s New York Metro InfraGard meeting.

something new for the po-po to listen to?

Here’s an interesting story that bears some watching… security researcher Sean O’Neill claims to have reverse engineered the proprietary encryption which Skype uses to protect voice, video and IM communications on its network.    This work, while impressive, does not mean that Skype’s encryption has been broken, since knowing the details of an encryption algorithm does not allow you to decrypt data unless you can also derive the keys used to encrypt the data.  However, there are some reports that the O’Neill’s code has been used to launch spam attacks on Skype users.  I am sure that intelligence and law enforcement agencies all over the world are quite interested in how this all turns out, as they have complained in the past that Skype provides criminals, terrorists and other n’er do wells with un-wiretap-able communications.  O’Neill plans to provide more information on his work at the Chaos Computer Congress in December. 

In the mean time, I plan to continue using Skype without too much worry.  Of course, I’ll think twice about using it for coordinating the global tentacles of my evil plan for world domination, but I see no reason to avoid Skype for personal and business communications right now.  Stay tuned.