We’re back for the second day at hack.lu. I need coffee!
The first presentation was given by Frank Boldewin. He presented the rootkit Rustock.C, aka Ntldrbot. Like a lot of malware, several versions were spread from 2005 to 2008 (when a new version was discovered – version .C). It appeared that Rustock.C was spread through the RBN. Its code is protected by spaghetti code and RC4-encrypted code, and important strings (such as IPs and ports) are assembled at runtime to avoid easy detection. Many methods are used to prevent detection by AV programs. The rootkit infects a random Windows driver. Other OS components are modified too, like NTFS.SYS, to fake file sizes, and it uses hooks (read/write operations). The latest version sends spam using HTTP and stolen Hotmail accounts! (Port 25 – SMTP – is used less, as most SMTP relays can easily detect this kind of spam.)
In the second talk of the day, Paul Craig explained how to hack Internet kiosks (or public access points found in many locations such as airports, hotels, …). Paul immediately announced that he can hack a kiosk in less than 120 seconds! His goal: pop up a shell! (cmd.exe or command.com). Why are kiosks so easy to hack? “Popularity + Poor Security Visibility = Good Attack Target“. They are mostly based on Windows and Internet Explorer, using winhttp.dll and msinet.ocx. Many techniques are used to protect against attacks (watchdog, blacklists, ACLs, keyboard filtering). Their security model is based on reducing functionality. Nice quote from Paul: “Windows is designed for idiots“. Indeed, the same directory can be reached from IE as: “c:\“, “file://c:\“, “%systemroot%“. Here are other ways to access data from the URI toolbar:
- “about:Click-here“
- “shell:System”
- “shell:Profile”
- “shell:Windows”
- “shell:::{…}” -> access resources by ClassID
As kiosks trust websites more than users, why not use a site dedicated to hacking kiosks? That is how the iKAT (Interactive Kiosk Attack Tool) project was started. iKAT makes intensive use of URI handlers (over 100!). Windows Media files are also interesting: it’s possible to turn Windows Media Player into a web browser! As we saw yesterday, Office documents are also insecure and can be used to spawn external commands! Do we have to mention ActiveX? (This will change with IE 8 – admin rights will be required to run ActiveX.) Another technique is to crash the browser: behind the browser, there is… the desktop! If not the browser, why not try to crash a plug-in? (using a malicious .swf file). Once you own the kiosk, the next challenge is… how to download files? Using any “File/Open” dialog box, or using Flash. By using “File/Save As” in Notepad, you can upload files to a remote site! (WebDAV based). Finally, Paul made a live demonstration of iKAT against two kiosk products installed on VMs. Successful! That was a really good presentation (good topic, good speaker)!
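The talk makes the point that kiosk lock-downs rely on blacklists of forbidden URLs, which the many alternate spellings of the same resource (“c:\”, “file://c:\”, “%systemroot%”, the shell: handlers) defeat. As an added example, not code from the talk or from iKAT, here is a small navigation filter written the other way round: it default-denies everything that is not an http/https request to an allowlisted host, and additionally tags the escape indicators mentioned above so they show up in logs. The log lines, the allowlisted host and the CLSID value are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Indicators from the talk: local drive paths, file://, shell: handlers
# (including shell:::{CLSID} namespaces), about: pages and %VAR% expansion.
ESCAPE_PATTERNS = {
    "local-drive":   re.compile(r"^[a-z]:\\", re.I),
    "file-scheme":   re.compile(r"^file:", re.I),
    "shell-handler": re.compile(r"^shell:", re.I),
    "about-page":    re.compile(r"^about:", re.I),
    "env-expansion": re.compile(r"%[a-z_]+%", re.I),
    "clsid-namespace": re.compile(r"::\{[0-9a-f-]{36}\}", re.I),
}

ALLOWED_SCHEMES = {"http", "https"}


def classify(url, allowed_hosts):
    """Return ("allow" | "block", reason) for one navigation target.

    Order matters: escape indicators are checked first, on the percent-decoded
    string, so that an encoded "%25systemroot%25" is still caught; everything
    that survives must then be http/https to an allowlisted host.
    """
    u = unquote(url.strip())
    for name, pattern in ESCAPE_PATTERNS.items():
        if pattern.search(u):
            return "block", name
    parts = urlsplit(u)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return "block", "scheme:" + (scheme or "none")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return "block", "host:" + (host or "none")
    return "allow", "allowlisted"


def scan_log(lines, allowed_hosts):
    """Run classify() over 'timestamp kiosk METHOD target' lines.

    Returns a list of (line_number, target, reason) for every blocked target,
    which is what a kiosk operator would want to alert on.
    """
    blocked = []
    for n, line in enumerate(lines, 1):
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash the monitor
        target = fields[4]
        verdict, reason = classify(target, allowed_hosts)
        if verdict == "block":
            blocked.append((n, target, reason))
    return blocked


# Constructed sample log; the kiosk name, host and CLSID are made up.
SAMPLE_LOG = [
    "2008-10-23 09:15:01 kiosk01 GET http://www.example.com/news",
    "2008-10-23 09:15:07 kiosk01 GET shell:System",
    "2008-10-23 09:15:12 kiosk01 GET file://c:\\",
    "2008-10-23 09:15:20 kiosk01 GET %25systemroot%25",
    "2008-10-23 09:15:31 kiosk01 GET shell:::{00000000-0000-0000-0000-000000000000}",
    "2008-10-23 09:15:40 kiosk01 GET https://www.example.com/help",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, {"www.example.com"}):
        print("line %d blocked (%s): %s" % (hit[0], hit[2], hit[1]))
```

The allowlist is the actual control; the indicator names only make the block reason readable. Percent-decoding before matching is the detail that matters most here, since a denylist that compares raw strings is exactly what the alternate spellings in the talk get past.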
Coffee break now!