Friday, November 14, 2008

Social engineering at work

w01f sent me a malicious file that tricks victims into installing malware using social engineering. I tested it in a virtual machine and it is simple really.
Victim plays MP3. User is informed that a Codec is needed to listen to the song and is directed to a website to download the missing software. Victim installs "Codec". Wham!!! Victim trojaned.

If you had a decent AV software installed and updated, it would have prevented you from downloading the malware. However, there are crappy AV engines that failed to detect this malicious executable.

Don't be fools people! Always question every piece of software you are prompted to install.

Friday, August 15, 2008


Windows stores user passwords in hashes. Hashing is a one way transformation of text and thus Windows passwords can be cracked by matching hashed passwords with rainbow tables.
Ophcrack is an open source program that cracks Windows passwords. Burn Ophcrack into a bootable CD and boot up your target system with the CD. Ophcrack will dump the Windows hashes and start matching the dumped hashes against its rainbow tables.
In this specific scenario, the caveat is that you need physical access. There are tools that perform offline cracking. Cracking passwords can be time consuming but it doesn't alert the admin or user as you do not change the original password. Did you know that all it takes to change the user password in Mac OS X is to boot up using the installation CD???
The high res version of this demo can be downloaded here.

Monday, July 21, 2008

Magic bytes

File type detection is crucial when attempting to block specific file types from being downloaded in a corporate environment for security or legal reasons. File extension renaming is a rudimentary method of bypassing security filters but yet it is surprisingly still effective in certain scenarios. Ever tried sending an executable file over the MSN network? The Windows Live Messenger client will display an error message "The file you attempted to send has been detected as potentially unsafe and was not sent.". Have you tried renaming .exe to .doc? OMG... it works!!!
Perfect example why filtering by file extension name is weak. The more sophisticated and effective method of file type detection is "magic bytes" matching. Certain files can be uniquely identified by either their file header or file header and file footer combination. An executable file will have the hex values of "4D 5A" or its ASCII equivalent of "MZ" at the beginning of the file.

PDF files on the other hand can be identified by their file header and footers.

Don't believe me? Give it a go. Download HxD Hex Editor to view files in Hex format. Try renaming file extensions and you will see that the file contents do not change.

Tuesday, July 15, 2008

Session hijacking

Imperva defines session hijacking as "the act of taking control of a user session after successfully obtaining or generating an authentication session ID... involves an attacker using captured, brute forced or reverse-engineered session IDs to seize control of a legitimate user's Web application session while that session is still in progress".
I demonstrate session hijacking using a combination of tools called Ferret and Hamster as well as my own private wireless network. No neighbours or wireless users were harmed during this recording. The use of Internet Explorer is to simulate another party (ie. the "victim") sharing the same open wireless network (eg. free wireless at Starbucks). Ferret sniffs the unencrypted traffic in the air and collects useful information into a text file. From Firefox, I access Gmail to show the login page and verify that I did not cheat by logging in earlier. Hamster is then utilised to present web session-related information in the form of hyperlinks which I click to present me (ie. the "attacker") with easy access to active sessions. Viola! You have been hijacked!

The higher res version of this demo can be downloaded here.

To avoid being hijacked, avoid logging into websites that do not support HTTPS on open wireless networks. If you don't want to be snooped on, don't use public networks period.

Tuesday, June 10, 2008

Automated threats

Malware exploit the fact that your machines will follow instructions stored in a hidden text file called "autorun.inf". The sample below basically instructs your machine to execute the file "setup.exe" when the CD is read by your CD-ROM.


Having the "Autorun" feature in this scenario is convenient because the installer file will be triggered upon insertion of the installation CD. Imagine if a hacker planted a Trojan on a USB flash drive. How convenient would that be now?
Do not panic! There is hope. Modifying your registry within XP permits you to disable "Autorun".
  1. Access your registry by clicking on your "Start" button then "Run". Type in "regedit" before clicking "OK".
  2. Expand "HKEY_CURRENT_USER" followed by "Software", "Microsoft", "Windows", "CurrentVersion", "Policies" then "Explorer".
  3. Double click the entry "NoDriveTypeAutoRun".
  4. Change the value to "ff" (Hexadecimal) or "255" (Decimal) then click "OK".
  5. Restart your machine for the change to take effect.

Note: This registry change is only relevant to the current user you are logged in as. To disable "autorun" for the entire machine, you would want to change the value in "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun" instead. You have to manually create this entry if it cannot be found in your registry. It is advisable to backup your registry before attempting any modifications.

"Autoplay" was a feature introduced in XP and has been included in Windows OSs since. It serves a similar function to "Autorun" but invokes a menu on top of executing the "autorun.inf" instructions. To disable "Autoplay" in XP:
  1. Click "Start", "Run" then enter "gpedit.msc".
  2. The "Group Policy" configuration window will appear. Drill down to "Computer Configuration", "Administrative Templates" and "System".
  3. Double-click "Turn autoplay off" listed in the right panel.
  4. The default setting is "Not configured" . Set it to "Enabled" and select "All drives".