Monday, June 23, 2014

Backdooring Executables

A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing illegal remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. Nowadays, large organizations deploy Intrusion Detection Systems (IDS) to detect attacks directed at their online resources. This lowers the chances of a successful attack; however, attackers can still use client-side attacks to compromise and gain control of remote systems.

In this post, we shall practically see one of the commonly used methods, backdooring an executable, that leads to a successful attack. It might look intimidating if you are seeing this for the first time, but don't be scared: as you continue to follow these posts, everything will eventually become clear and start making sense. Hopefully you will enjoy and love this, just as I did when I was preparing it.

To begin, we need an executable to use as our backdoor. And if I say any, I mean ANY: Adobe Reader, VLC media player, a web browser, etc. Since the majority of us like movies, I will download the recent version of VLC media player for the Windows 32-bit operating system.

Great! We have two options to create a backdoor: first, by manually appending our malicious shellcode and then modifying the program's execution flow, or second, by using the Metasploit Framework. In this post, we shall use the second method, which is easier to understand for the time being; however, it is quite important to know both of them, as we shall see in later posts.

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its best-known sub-project is the open source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, the shellcode archive and related research. The Metasploit Project is well known for its anti-forensic and evasion tools, some of which are built into the Metasploit Framework. You can download it from their website www.metasploit.com; in my case I am using Kali Linux, which comes pre-loaded with the Metasploit Framework. You can also download and install Kali Linux from www.kali.org.

So far so good! On the console, I used the Metasploit payload called reverse HTTPS, followed by the local IP address and port that I will use to receive the connection from the remote machine. I encoded this payload with three iterations to avoid antivirus and IDS detection. Finally, the downloaded VLC installer is passed as the input, along with the name for the output malicious VLC backdoor.

Perfect! Now that we have our backdoor, we need to send it to our victim's machine for execution, while on our attacking machine we set up a listener waiting for the remote connection. This is where social engineering comes into play. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

After spending time and money, we can successfully convince our user to install our malicious VLC backdoor. For demonstration, I will copy the backdoor to the /var/www directory and start the Apache server. Then I will start the PostgreSQL server and Metasploit. Finally, the Metasploit console will be launched.

Bravo! I selected a multi-handler to handle the remote connection from our victim's machine. It requires the payload, local port and IP address of the attacking machine to be set. Remember, these have to be the same as the ones used when creating the backdoor; I hope you can still remember that.

Now, our victim downloads the malicious VLC backdoor from our Apache server. After downloading, he proceeds to install this VLC media player. However, the moment he starts the installation, on our attacking machine we receive a remote connection and gain control of his machine.

Fantastic! Now that we have our Meterpreter session open, we can type help to see some interesting activities that we can perform on this remote computer. We can get the user ID, and if the user is not an administrator, we can escalate our privileges and become the system administrator.

Great! Also, we can dump the hashes for all users on this machine and later crack them to obtain their passwords.

At this point, we can download files from the remote machine, take screenshots, record video and audio using the webcam, and so on. Our victim is running a Windows 7 32-bit operating system.

Pause a bit and think: how many times have you installed programs given to you by a third party? If so, as we saw, how many people might be able to access and control your computer each time you are connected to the internet? Later on, we shall see how to inspect an executable before installing it on our machines.
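As a first taste of what inspecting an executable before installing it can mean, here is an added example (my own code, not part of the original post, the Metasploit project or VLC): a Python script that compares a downloaded installer's SHA-256 with the digest the vendor publishes and then parses the PE section table to flag two things worth a second look: a section that is both writable and executable, and bytes appended after the last section that the headers do not describe. The two PE images and the "published" digest are constructed inside the script so it runs offline; the section name `.inj` and the overlay bytes are made up for the demonstration.

```python
"""Pre-installation checks on a downloaded Windows installer (added example)."""
import hashlib
import hmac
import struct

# PE section characteristics, as defined in the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGNMENT = 0x200
SECTION_HEADER = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def sha256_matches(data, published_hex):
    """Constant-time comparison of the file's SHA-256 with the vendor's digest."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), published_hex.lower())


def parse_sections(data):
    """Return (name, raw_ptr, raw_size, characteristics) for every PE section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                              # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                     # section table follows the optional header
    out = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HEADER, data, table + 40 * i)
        out.append((f[0].rstrip(b"\0").decode("ascii", "replace"), f[4], f[3], f[9]))
    return out


def pe_findings(data):
    """Flag writable+executable sections and any overlay past the last section."""
    findings = []
    end_of_sections = 0
    for name, raw_ptr, raw_size, chars in parse_sections(data):
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {name} is writable and executable")
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    overlay = len(data) - end_of_sections
    if overlay > 0:
        findings.append(f"{overlay} bytes appended after the last section")
    return findings


def inspect_installer(data, published_hex):
    """Hash check first (decisive), then the PE heuristics (prioritisation only)."""
    findings = []
    if not sha256_matches(data, published_hex):
        findings.append("SHA-256 does not match the published digest")
    findings.extend(pe_findings(data))
    return findings


def _align(n):
    return (n + FILE_ALIGNMENT - 1) // FILE_ALIGNMENT * FILE_ALIGNMENT


def build_pe(sections, overlay=b""):
    """Constructed, non-runnable PE32 image used only as sample input.
    sections: list of (name bytes, characteristics, raw section bytes)."""
    opt_size = 224                                   # PE32 optional header size
    headers_size = _align(0x40 + 4 + 20 + opt_size + 40 * len(sections))
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    table, body, raw_ptr = b"", b"", headers_size
    for i, (name, chars, raw) in enumerate(sections):
        padded = raw.ljust(_align(len(raw)), b"\0")
        table += struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), len(raw), 0x1000 * (i + 1),
                             len(padded), raw_ptr, 0, 0, 0, 0, chars)
        body += padded
        raw_ptr += len(padded)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(headers_size, b"\0")
    return headers + body + overlay


TEXT = (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, b"\x55\x8b\xec\x5d\xc3")
DATA = (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"constructed\0")

# Constructed stand-in for the vendor's clean installer and the digest it publishes.
CLEAN_INSTALLER = build_pe([TEXT, DATA])
PUBLISHED_SHA256 = hashlib.sha256(CLEAN_INSTALLER).hexdigest()

# Constructed stand-in for a tampered copy: an extra RWX section and a trailing overlay.
INJECTED = (b".inj", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"\x90" * 16)
TAMPERED_INSTALLER = build_pe([TEXT, DATA, INJECTED], overlay=b"APPENDED-STAGE")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_INSTALLER), ("tampered", TAMPERED_INSTALLER)):
        print(label, inspect_installer(blob, PUBLISHED_SHA256) or ["no findings"])
```

The hash comparison is the decisive check whenever the vendor publishes digests; the PE heuristics only tell you where to look more closely. Legitimate self-extracting installers and Authenticode-signed binaries also keep data after the last section (the installer archive, the certificate table), so an overlay finding is a prompt to compare against a known-good copy, not proof of tampering.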