Breaking the silence
August 15, 2009 at 4:10 pm #77996
Ok all, to get a little more technical and hopefully help some fellow people out, here is some up to date information on some of the most prevalent "professional" hacking techniques going on around the community from the Hollywood "stars".
As with any business or organization, we use an assortment of communications methods and software. One of the more common is the Adobe PDF format. It's free, extremely functional and supported by web pages and readers in all formats. So when hackers look for a way into an organization, they want to use programs that they know users will be able to open. So Adobe is targeted for its success, stinks eh.
Backing up a sec, let's talk about methodologies. Contrary to popular belief, the majority of today's hackers are not encryption specialists or brute force experts who can come to the front door of your network and magically gain root access. Today, they spend time doing their research before even tapping into their vast assortment of technical "toys". They are familiar with your internal structure, who works with who, and usually have a predetermined target in mind, so obviously they acquire even more "public" information about them: work times, assistant's names etc. All of which is mostly readily available via the web, Google, and other publications. If it's not, a couple of quick phone calls to your office with a couple of questions usually pans out.
What's next? Well, they need to know what type of "protection" you are surrounded by, how you telecommute, if you have any intranets, VPNs, Dial Up (yes async is still around in some places), etc etc etc. They want to know about your IT department, who the lead engineers are, Help desk names, support responsibilities etc. Why? Pretty easy once you think about it: most, once in with restricted or limited access, want to gain elevated permissions, so what accounts would they want to pay attention to? You got it! Additionally, once in, these types of users usually have diagrams, documents and other valuable information about the network architecture that they would like to have. They also use this information for social attacks and phishing attempts, which we will get into in a few.
So they now know quite a bit about your org, your team, your network and your support systems. What's next! Now comes the strategic, well placed attack on one or a few individuals, which usually happens in one of two forms.
1. A lot of times, they have breached an associate business, agency or office that you may occasionally communicate with, and utilize legitimate documents and the like to send to you, so you don't suspect a thing: someone you know, talking about a topic you went to a meeting about last week, no problem right? So they take one of these documents, say a PDF file, and hide some executable code in it to do their will (albeit a small will, you will see how things pan out). The code is usually small and doesn't add much to the PDF. This special email with the special attachment is then either sent FROM the user they have breached already, or spoofed as them (a method of changing the From address to appear as someone else).
2. If they don't have the luxury of another compromised system or user, they do the next best thing. Go to your web site or web sites you communicate with, find some obscure documents that may fit your "MO" for office work, customize an email from a generic "GMAIL" account with a spoofed "From" address, and let her rip! Has the same effect, but a little more risky, as mail systems that do reverse lookups and such can drop them.
3. What about my Network and workstation Virus Protection? What about it? The code in the document is "custom" and proprietary in nature; they don't use existing viruses, so they cruise right on through any Virus, SPAM, and Web Scanning software.
4. When Sally Mae gets this email Monday morning, first thing, she quickly opens the email from [email protected] and sees the attachment. Even if she doesn't find it interesting, more than likely she opens it, just to be safe. Covertly, in the background, the PDF document drops a new executable program file onto the user's hard disk, most of the time overwriting a nonessential windows system32 program, or creating a new one with a similar name. They even go as far as to make sure the time and date stamp are several months old. The program usually has several modes of file placement: if the windows directory is protected, it will use %temp% (the user's temporary environment) to store it, and load and execute it from a registry entry that the user has write access to.
5. All of these programs assume that the user has some form of basic access to certain areas of the system. IF a user could not write, the code would have to use some form of application "exploit" to write itself to an area of the hard disk. But more often than not, most organizations don't lock down the systems to DOS/NIST standards, so it's fairly easy to get a program started as the user. OR, if the user can copy files to the windows\system directory, files can be overwritten that are "Windows SERVICES", which start up as the local system account (elevated permissions).
6. Upon the next reboot (or sometimes, just login), their custom "ET" app, or what we refer to as a C & C (command and control) program, starts up as a hidden service and checks for commands from a remote system every so often.
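Steps 1 and 2 turn on a spoofed "From" address, and the post notes that mail systems doing reverse lookups can drop those messages. The PowerShell below is an added example, not code from the original post: it applies the same idea on a single message's headers, comparing the From domain against the Return-Path domain and the host named in the topmost Received header. The headers are constructed sample data, and the function names (Get-HeaderValue, Get-AddressDomain, Test-FromHeaderConsistency) are mine.

```powershell
# Added example (not from the original post). Constructed sample headers that
# model step 2: a generic webmail account with a spoofed partner "From" address.
$sampleHeaders = @"
Received: from webmail-out.genericmail.test (webmail-out.genericmail.test [198.51.100.25])
    by mx.ourcompany.test with ESMTP id k7H3xQ; Mon, 17 Aug 2009 08:02:11 -0400
Return-Path: <throwaway.account@genericmail.test>
From: "Bob Associate" <bob.associate@partner-agency.test>
To: sally.mae@ourcompany.test
Subject: Notes from last week's meeting
"@

# Return the value of the first header with the given name, after unfolding
# continuation lines (a line break followed by whitespace).
function Get-HeaderValue {
    param([string]$Headers, [string]$Name)
    $unfolded = $Headers -replace "`r?`n[ \t]+", " "
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match "^$Name\s*:\s*(.*)$") { return $Matches[1] }
    }
    return $null
}

# Pull the domain part out of an address such as "Name" <user@domain>.
function Get-AddressDomain {
    param([string]$Value)
    if ($Value -match '@([A-Za-z0-9.-]+)') { return $Matches[1].ToLower() }
    return $null
}

# Compare the visible From domain with where the message actually came from.
function Test-FromHeaderConsistency {
    param([string]$Headers)
    $from       = Get-HeaderValue -Headers $Headers -Name 'From'
    $returnPath = Get-HeaderValue -Headers $Headers -Name 'Return-Path'
    $received   = Get-HeaderValue -Headers $Headers -Name 'Received'   # topmost hop

    $fromDomain = Get-AddressDomain $from
    $rpDomain   = Get-AddressDomain $returnPath
    $hop = if ($received -match 'from\s+([A-Za-z0-9.-]+)') { $Matches[1].ToLower() } else { $null }

    $findings = @()
    if ($fromDomain -and $rpDomain -and $fromDomain -ne $rpDomain) {
        $findings += "From domain '$fromDomain' differs from Return-Path domain '$rpDomain'"
    }
    if ($fromDomain -and $hop -and
        -not ($hop -eq $fromDomain -or $hop.EndsWith(".$fromDomain"))) {
        $findings += "Topmost Received hop '$hop' is not in From domain '$fromDomain'"
    }

    [pscustomobject]@{
        FromDomain       = $fromDomain
        ReturnPathDomain = $rpDomain
        ReceivedHost     = $hop
        Findings         = $findings
    }
}

Test-FromHeaderConsistency -Headers $sampleHeaders | Format-List
```

On the constructed message both checks fire, because the Return-Path and the sending host belong to genericmail.test while the From line claims partner-agency.test. This is only a header-consistency heuristic: a breached partner account (step 1) sends through the partner's own servers and passes it cleanly, and legitimate forwarders and mailing lists trip it, which is why production mail gateways lean on SPF, DKIM and DMARC rather than on string comparison alone.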
NEXT UP, Command and Control logistics, common names and programs they hide as and ways you can determine valid windows system files from C & C files.
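Steps 4 through 6 describe the persistence side: a dropped executable in system32 or %temp%, a backdated timestamp, a Run-key entry the user can write, or an overwritten service binary that starts as Local System. The PowerShell below is an added example, not code from the original post, showing one way a defender can triage exactly those spots on a Windows host: it lists every Run/RunOnce entry with its resolved executable, flags executables living in user-writable locations, checks Authenticode signatures, and lists services whose binary is not Microsoft-signed. The function names are mine; it requires Windows and an elevated shell for full HKLM and service visibility.

```powershell
# Added example (not from the original post). Triage of Run keys and service
# binaries for the persistence pattern described in steps 4-6.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the program path from a command line such as  "C:\x\y.exe" /arg
# or  C:\Program Files\x\y.exe /arg  (quoted, or unquoted with spaces).
function Get-ExecutablePath {
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.(exe|dll|cmd|bat|vbs|js|ps1))(\s|$)') { return $Matches[1] }
    return $CommandLine.Trim()
}

# True if the path sits under a location the current user can normally write to.
function Test-UserWritableLocation {
    param([string]$Path)
    $p = [Environment]::ExpandEnvironmentVariables($Path).ToLower()
    $userRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE, $env:PUBLIC) |
        Where-Object { $_ } | ForEach-Object { $_.ToLower() }
    foreach ($root in $userRoots) { if ($p.StartsWith($root)) { return $true } }
    return $false
}

# Summarize the Authenticode state: valid Microsoft signature, other signer, or unsigned.
function Get-SignatureSummary {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path) -or -not (Test-Path -LiteralPath $Path)) { return 'FileMissing' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { return "Unsigned/$($sig.Status)" }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch 'Microsoft') { return "SignedBy:$subject" }
    return 'MicrosoftSigned'
}

# One row per Run/RunOnce value, with location and signature verdicts.
function Get-RunKeyFindings {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            # Skip the provider metadata properties PowerShell adds to every key.
            if ($name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath ([string]$props.$name)))
            [pscustomobject]@{
                Source       = $key
                Name         = $name
                Executable   = $exe
                UserWritable = Test-UserWritableLocation $exe
                Signature    = Get-SignatureSummary $exe
                LastWrite    = if (Test-Path -LiteralPath $exe) { (Get-Item -LiteralPath $exe).LastWriteTime } else { $null }
            }
        }
    }
}

# Services whose binary is not carrying a valid Microsoft signature.
function Get-ServiceBinaryFindings {
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = Get-ExecutablePath ([string]$_.PathName)
        [pscustomobject]@{
            Service    = $_.Name
            StartName  = $_.StartName      # LocalSystem here is the elevated case from step 5
            Executable = $exe
            Signature  = Get-SignatureSummary $exe
        }
    } | Where-Object { $_.Signature -ne 'MicrosoftSigned' }
}

Get-RunKeyFindings | Format-Table -AutoSize
Get-ServiceBinaryFindings | Format-Table -AutoSize
```

The signature column is the useful one for telling a real Windows file from a C & C file: as the post says, the attacker sets the timestamp months back, so LastWrite alone proves nothing, while a file in system32 that is unsigned, or signed by someone other than Microsoft, deserves a second look. Third-party vendors legitimately ship non-Microsoft-signed services and Run entries, so treat the output as a worklist to review against a known-good build rather than as a verdict.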