
Malicious Payload

Related terms:

Malwares, Android, Malicious Code, Ransomware, Malicious Software


Intrusion Detection in Contemporary Environments
Tarfa Hamed, ... Stefan C. Kremer, in Computer and Information Security Handbook
(Third Edition), 2017

Dynamic Payload
An attacker may hide a malicious payload as an executable APK or JAR file inside
the host app's resources or assets. After the app is installed, it opens the embedded
payload at run time, loads it through the DexClassLoader API (when the payload is
a JAR or DEX file), and executes the dynamically loaded code. Alternatively, the
malware may persuade the user to install the embedded APK by presenting it as an
important update. BaseBridge and AnserverBot are two malware families that use
this technique. Other families do not plant the payload as a resource at all; instead,
they download it from a remote server at run time, so nothing malicious is present
in the package that is submitted for vetting. DroidKungFuUpdate is a notorious
example of such a downloaded dynamic payload. Because the malicious code is not
part of the distributed package, or is only unpacked at run time, these techniques
usually cannot be detected by static analysis methods [8].
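The indicators that static triage can still catch are the embedded archive itself and
the code that loads it. The following script is an added example, not code from the
handbook chapter or from any of the malware families named above: it builds a small
synthetic APK in memory (the file names and contents are constructed here), then
looks for executable archives under assets/ or res/raw/ (by extension or, if renamed
to look like an image, by ZIP or DEX magic bytes) and for references to the Dalvik
class-loader types in classes.dex. A payload fetched from a remote server leaves
neither trace in the package, which is exactly the chapter's caveat.

```python
"""Static triage of an APK for embedded dynamic payloads (added example)."""
import io
import re
import zipfile

# Indicators are plain byte patterns, so no DEX parser is needed for triage.
LOADER_REFS = (b"Ldalvik/system/DexClassLoader;",
               b"Ldalvik/system/PathClassLoader;",
               b"Ldalvik/system/InMemoryDexClassLoader;")
PAYLOAD_EXT = re.compile(r"\.(apk|jar|dex|zip)$", re.IGNORECASE)
PAYLOAD_DIRS = ("assets/", "res/raw/", "lib/")
DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"


def scan_apk(data: bytes) -> dict:
    """Return the indicators found in the APK bytes (an APK is a ZIP archive)."""
    report = {"embedded_archives": [], "disguised_archives": [], "loader_refs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        for info in apk.infolist():
            name = info.filename
            blob = apk.read(name)
            # 1. An executable archive stored as a resource, by extension.
            if name.startswith(PAYLOAD_DIRS) and PAYLOAD_EXT.search(name):
                report["embedded_archives"].append(name)
            # 2. An archive renamed to look like data (e.g. assets/splash.png).
            elif name.startswith(PAYLOAD_DIRS) and blob[:4] in (ZIP_MAGIC, DEX_MAGIC):
                report["disguised_archives"].append(name)
            # 3. Code in the host app that can load a DEX/JAR at run time.
            if name.endswith(".dex"):
                for ref in LOADER_REFS:
                    if ref in blob:
                        report["loader_refs"].append(ref.decode())
    # Both halves together are the dynamic-payload pattern; a loader reference
    # alone is common in benign apps (plugin frameworks, ad SDKs).
    report["suspicious"] = bool(
        report["loader_refs"]
        and (report["embedded_archives"] or report["disguised_archives"]))
    return report


def build_sample_apk(hide_payload: bool) -> bytes:
    """Constructed sample: a 'host' APK whose assets carry a second archive."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 32)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        # The host's own dex references the loader used to run the payload.
        z.writestr("classes.dex",
                   DEX_MAGIC + b"035\x00" + LOADER_REFS[0] + b"\x00" * 16)
        name = "assets/splash.png" if hide_payload else "assets/update.jar"
        z.writestr(name, inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hide in (False, True):
        print(scan_apk(build_sample_apk(hide_payload=hide)))
```

On a real sample, run scan_apk over the APK file's bytes; treat a hit as a reason for
dynamic analysis rather than a verdict, since the loader classes are also used by
legitimate plugin and hot-patch frameworks.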


Logic Attacks
Mike Shema, in Seven Deadliest Web Application Attacks, 2010

Mixing Code and Data

Grammar injection is an umbrella term for attacks such as SQL injection and cross-site
scripting (XSS). These attacks work because characters present in the data are
misinterpreted as control elements of a command. Such attacks are not limited to
SQL statements and HTML.

• Poor JSON parsers might execute JavaScript from a malicious payload. Parsers
that use eval() to extract JSON, or mashups that share data and functions across
origins, expose themselves to vulnerabilities if JavaScript content isn't correctly
scrubbed.
• XPath injection targets XML-based content
(www.packetstormsecurity.org/papers/bypass/Blind_XPath_Injection_20040518.pdf).
• Lightweight Directory Access Protocol (LDAP) queries can be subject to injection
attacks
(www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf).

A common trait among these attacks is that the vulnerability arises from piecing
together data (the content to be searched) and code (the grammar that defines how
the search is to be made) in a single string, with no clear delineation between the
two.
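The fix is the same in every grammar: keep the data out of the string that the parser
reads as code, either by passing it out of band (bound parameters) or, where the
protocol has no such channel, by escaping every character the grammar treats as
control. The following is an added example, not from Shema's chapter: it shows the
SQL case with Python's built-in sqlite3 (vulnerable string splicing beside the
parameterized form) and the LDAP case with an RFC 4515 filter escaper. The table
contents and user names are constructed for the example; the same shape applies to
the JSON-via-eval() and XPath cases above.

```python
"""Grammar injection: data spliced into a query vs. data kept separate."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2"), ("carol", "s3")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: a quote in `name` ends the literal and the
    rest of the input is parsed as SQL grammar."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The driver binds the value separately; it can never become grammar."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


# LDAP search filters (RFC 4515) have the same problem: '*', '(', ')', '\' and
# NUL are grammar. RFC 4515 section 3 requires them to be hex-escaped in values.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_filter(uid: str, escape: bool = True) -> str:
    """Build a filter for one user; escape=False reproduces the vulnerable form."""
    if escape:
        uid = ldap_escape(uid)
    return "(&(uid=%s)(objectClass=person))" % uid


def filter_nodes(flt: str) -> int:
    """Number of filter nodes, i.e. unescaped '(' characters. For a fixed
    template this must not depend on the user-supplied value; if it does,
    the value has been parsed as grammar."""
    return flt.count("(")


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, hostile))
    print("parameterized:", lookup_parameterized(db, hostile))
    print("ldap unescaped:", ldap_filter("*)(uid=*", escape=False))
    print("ldap escaped:", ldap_filter("*)(uid=*"))
```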


Intrusion Investigation
Eoghan Casey, ... Andy Johnston, in Handbook of Digital Forensics and Investigation,
2010

E-mail with Suspicious Contents

E-mail is a common delivery vector for malicious payloads and a common initial vector
of entry into large corporations and government organizations. If someone reports
that they have received an e-mail from an unknown source and have followed a link
contained within it, or opened an attachment delivered with it, this may constitute a
security event that requires investigation. Once a user executes a phishing or
spear-phishing payload, malicious code may have been installed on their system.
There may still be an issue even if the e-mail comes from a known source but the
attachment was unexpected, because source addresses can be spoofed. In some cases,
spear-phishing attacks originate from an organization that has itself been
compromised and are directed at a business partner. By routing the e-mail attack
through a compromised organization, the attacker makes it appear more legitimate,
and therefore more likely to be opened.
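The first questions an investigator asks of such a report are answered by the raw
message source: who the envelope sender is versus the displayed From address, what
the Received chain says about the path the message took, which links and attachments
it carries, and a hash of each attachment for lookup and correlation. The script below
is an added example, not from the handbook; the message it parses is constructed for
illustration (domains are from the reserved example ranges and the attachment is a
16-byte stand-in that merely starts with a PE header).

```python
"""Triage of a reported suspicious e-mail from its raw source (added example)."""
import email
import email.policy
import hashlib
import re
from email.utils import parseaddr

# Constructed sample: a spear-phish relayed through a business partner's MTA.
RAW_MESSAGE = b"""Return-Path: <bounce@partner-mail.example.net>
Received: from mx.partner.example.com (mx.partner.example.com [192.0.2.10])
\tby mail.victim.example.org with ESMTP id 4Xk2; Mon, 3 May 2010 09:12:31 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mx.partner.example.com with ESMTPA; Mon, 3 May 2010 09:11:58 +0000
From: "Accounts Payable" <ap@partner.example.com>
To: finance@victim.example.org
Subject: Updated invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached invoice or see http://203.0.113.5/inv/view?id=7
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".jar")


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    from_addr = parseaddr(msg.get("From", ""))[1]
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    # Received headers are prepended by each hop, so the last one is the
    # first hop: the host that handed the message to the partner's MTA.
    received = [str(h) for h in msg.get_all("Received", [])]
    first_hop = re.split(r"\s+by\s+", received[-1], maxsplit=1)[0].strip() if received else ""
    findings = {
        "from": from_addr,
        "return_path": envelope,
        "sender_mismatch": from_addr.split("@")[-1] != envelope.split("@")[-1],
        "first_hop": first_hop,
        "urls": [],
        "attachments": [],
        "flags": [],
    }
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.is_attachment():
            payload = part.get_payload(decode=True)
            name = part.get_filename() or ""
            att = {"name": name, "size": len(payload),
                   "sha256": hashlib.sha256(payload).hexdigest(), "reasons": []}
            if name.lower().endswith(RISKY_EXT):
                att["reasons"].append("executable extension")
            if payload[:2] == b"MZ":          # judge the content, not the name
                att["reasons"].append("PE header")
            findings["attachments"].append(att)
        elif part.get_content_type() == "text/plain":
            findings["urls"].extend(URL_RE.findall(part.get_content()))
    if findings["sender_mismatch"]:
        findings["flags"].append("From and Return-Path domains differ")
    if any(re.match(r"https?://\d+\.\d+\.\d+\.\d+", u) for u in findings["urls"]):
        findings["flags"].append("link points at a bare IP address")
    if any(a["reasons"] for a in findings["attachments"]):
        findings["flags"].append("risky attachment")
    return findings


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

A mismatch between From and Return-Path is only a lead, since mailing lists and
forwarders produce it legitimately; the first-hop host and the attachment hash are
the artefacts to pivot on when deciding whether the partner organization, rather than
just the recipient, needs to be brought into the investigation.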

Supervised Learning Based Detection of Malware on Android
F. Tchakounté, F. Hayata, in Mobile Security and Privacy, 2017

2.1 Malware Techniques

Zhou and Jiang (2012) categorize the existing ways used by Android malware to install
on user phones and generalize them into three main social engineering-based
techniques: repackaging, update attack, and drive-by download.

2.1.1 Repackaging
This is one of the most common techniques that malware authors use to piggyback
malicious payloads onto popular applications. In essence, malware authors locate and
download popular applications, disassemble them, enclose malicious payloads, and
then reassemble and submit the new applications to Google Play and alternative
markets. Users are exposed when they are enticed to download and install these
infected applications.

2.1.2 Update Attack
Malware developers insert a special upgrade component into a legitimate application
that allows it to be updated to a new, malicious version at run time. Unlike the first
technique, which typically piggybacks the entire malicious payload into the
application, the initially installed package carries only the updater.

2.1.3 Drive-by Downloads
The ability to download and install applications from outside the official
marketplaces allows malware developers to mislead users into downloading and
installing malicious applications. This is a class of techniques in which a web page
automatically starts downloading an application when a user visits it. Drive-by
downloads can be combined with social engineering tactics to appear legitimate.
Because the Android browser does not automatically install downloaded applications,
a malicious website needs to encourage users to open the downloaded file in order to
actually infect the device with malware.

2.1.4 Remote Control
Malware authors aim to gain remote access to the device during the infection phase.
Zhou and Jiang noted that in their analysis 1,172 samples (93.0%) turned the infected
phones into bots under remote control.


Signal-to-Noise Ratio
Will Gragido, ... Daniel Molina, in Blackhatonomics, 2013

Cyber Attacks: The Early Years

As we discussed earlier in this book, the concept of a virus originally was intended
to be more of a claim to fame, an actual ode to the hacker in the truest sense of
the word. In the first viruses, such as Creeper, which was released in the Advanced
Research Projects Agency Network (ARPANET) in 1971, a message was displayed on
the infected system. The message made it clear that there had been an infection,
and often, who had perpetrated it.

Later, viruses looked to celebrate a specific event, to a certain extent. The
malicious payload of the Michelangelo virus, for instance, was only triggered on the
birthdate of the renaissance artist, remaining dormant in the system for weeks or
months prior to its release. There was a certain artistic provenance regarding the
thoughtfulness of this virus’s developers. I’m not sure that it was a critical global
issue that people did not realize Michelangelo was born on March 6, but the virus
definitely called attention to that specific date in 1992 by celebrating the artist’s
birthday through mayhem.2 The media gave attention to the issue because nothing
like the Michelangelo virus had been seen before. It was, literally, newsworthy and
intellectually motivated, and despite the potential damage it caused to the average
computer user, all data on the drive was respectfully maintained. It only impacted
the boot sector of the hard drive or floppy.

Perpetrators back in the 1980s were looking to highlight their skills and mastery over
the computer operating system and applications. They could co-opt behavior from
the system beyond the design specifications, and that made them proud of their
accomplishments. Some of the more benignly intentioned hackers were looking
to correct what they saw as flaws in design or function, and intended to pressure
vendors into correcting these errors. They hunted for bugs and sought to improve
the ecosystem, even if their means to that end were questionable. Others were merely
looking to leverage vulnerabilities in the system to draw attention to themselves.
In a way, when viruses were more interested in propagating merely to do harm
to operating systems, they were more like Lindsay Lohan, acting out merely to
be noticed, without causing real harm to others, except for the odd accusation of
shoplifting. They came in with a big brass band, almost immediately notifying the
infected target of their presence by flooding the target with information, changing
boot sectors to prevent the system from returning after a reboot, or changing
wallpapers and colors on the screen. They were nuisance viruses, but they were
easily identified, as the main motivator of the malware developer was to gain instant
personal notoriety. In fact, many of these viruses, as well as Web page defacements,
were literally signed by the perpetrators, in the same way that artists sign their
masterpieces. As well, because of their simple intent, the correction was often just
as simple: Rewrite the boot sector, as with the Michelangelo virus, and you regain
access to your fully operational system. Merely copy back the file index.html, and
your Web page is magically back. Copy win.ini back from a location where it was
thoughtfully left behind by the hacker, and your system is automatically back in
business.

As the main motivator has now shifted from fame to fortune, however, the focus
has shifted to stealth, and to losing your hacking self within the system’s inherent
noise. No drums, brass bands, and cymbals are wanted now, because they only
attract undue attention. Simply stated, if a cybercriminal can create an ATM-specific
Trojan and stay in the system undetected for one day, he or she may be able to
collect 50 credit card numbers and their respective PINs. If the cybercriminal can
remain undetected in the ATM for a week, we are talking about 400 credit cards and
PINs. After a full year, we are talking about a complete revenue stream that is easy
to monetize and extremely difficult to prosecute. With the amount of data that
is being transferred in each transaction, the purloined data becomes a very small
amount of noise to detect within the system’s signal.

This pattern becomes increasingly common as hackers look to monetize their
crimes. The lower their criminal noise can be in relation to the system’s valid signal
traffic, the longer they are likely to perpetrate the crime undetected. Because of
this motivation, they investigate, and often resort to purchasing, “zero-day”
vulnerabilities whose potential heat signatures are not yet known to the anti-malware
community. Intelligent attackers seek to hide their behavior by obfuscating and
packing their messages, and they invest heavily in development cycles to make their
state-of-the-art malware more difficult to detect and remove. We see million-dollar
development efforts in some of the more sophisticated and dangerous malware
examples. The bad guys are investing these additional resources only to make it
harder to defend against their malware, and to underline the fact that this is now a
viable business for them. They are no longer looking to hit the corner liquor store
for $50. They are looking to embed themselves much deeper into the ecosystem, often
well in advance of when they will exploit the vulnerability.

A clear, insidious, and dangerous example of this can be found in the Stuxnet attacks,
now known to have been perpetrated by unfriendly countries against Iran’s nuclear
infrastructure, where we see a new use for malware as a laser-targeted weapon of an
undeclared and potentially illegal cyber war. The developers of the malware sought
to insert themselves into a specific brand of programmable logic controllers (PLCs)
that were likely to be used in a nuclear reactor’s centrifuge. Interestingly enough, not
all of the PLCs were susceptible to the attack. A vaccine was included in the malware
for those PLCs in friendly geographic areas. The compromised PLCs were mostly
found in countries that were like-minded to Iran, such as Venezuela and Ecuador,
but not in Colombia, for example (see Figure 4.1).

Figure 4.1. Rootkit.Win.32.Stuxnet Attack Target Geography [1]

These PLCs were reconfigured to report back normal settings, while they were
accelerating the hardware to the point where they actually caused damage to the
centrifuge infrastructure. The operators were dumbfounded because their
dashboards all showed readings that were within the expected parameters, but the
centrifuge was being damaged. This kind of malice aforethought goes well beyond
the opportunistic hackers of yore and into a much deeper and more dangerous
model of cyber warfare that requires investment levels far beyond those of typical
script kiddies. In the case of Stuxnet and Duqu, we now have clear and concise
evidence that these weapons were developed by the United States government, and
that they were deployed deliberately, if irresponsibly, upon the global interconnected
community. Moreover, the government’s admitting to having released those cyber
weapons has quietly unleashed a new era of global war, where escalation will yield
mutually assured destruction, a concept not considered seriously since the 1980s at
the height of the nuclear arms race. Pandora’s Cyber Box is now open for business.
Countries will now be forced to develop offensive cyber war capabilities, in essence
making them compete with cybercriminals for hacking resources.

Interestingly, we now see a common infrastructure, at an intimate level, among
three of the most insidious known cyber weapons: Flame, Stuxnet, and Duqu.
According to research performed by Kaspersky Lab, common code is included in all
three of these weapons, which seems to imply, despite very different attack vectors
and manifestations, that the developers of these weapons shared common tools
and development methodologies. Flame is a behemoth of a weapon, coming in at
a hefty 20 MB when one includes various plug-ins that are available, and having
deployed quietly, despite its heft, for the past two years across the cyber world. It
includes a packed module that was later found in Stuxnet, although the module is
unpacked in Stuxnet. This could be based on the need for agility in Stuxnet’s target
systems, PLCs. The size of the delivery package allowed Flame to carry multiple spy
weapons within it, including the capability to record with the PC’s microphone, to
capture screenshots, log keystrokes, and send this data to a series of hosted domains
that were all registered under bogus identities. The code could be updated remotely,
and the list of command and control domains could be updated on the fly. It was not
a particularly
beautiful piece of code in terms of efficiency, as it is believed to have been developed
by multiple teams modularly. Team A, in charge of deployment, had no knowledge
of the payload. Team B, in charge of finding and exploiting zero-day vulnerabilities
as entry vectors, had no understanding of the propagation methodologies. Team C,
in charge of the actual spyware payload, had no knowledge of how or where it would
be deployed. Team D, in charge of delivering the purloined information to a series of
repositories, was not responsible for the registration of domains or the deployment
of the actual data capture servers. Team E, in charge of stealth data collection and
actual spying, had no idea how the data was collected or that malware had been
involved.

Looking at it from a historical framework, Flame had to predate Stuxnet, since it
acted as the reconnaissance team, going deep early and gathering intelligence for
the future attacks. Flame is considered by many to be nuisance spyware, and this
is, in many ways, a correct assessment of the weapon. However, when considered
as part of a government-sponsored effort with a development budget in excess of
$1.2 million, along with how targeted it was in terms of deployment and focus, the
threat increases exponentially for the intended targets. The rest of the world was not
threatened directly in the same ways that North Korean tanks pointed at South Korea
are not a threat to China. However, if these weapons, be they Flame, Stuxnet, or a
tank, are redeployed to point at anyone else, the imminent threat becomes real to
the new target. These laser-focused attacks, with such deep development pockets,
are bound to be successful and, like other weapons, are likely to be misused and
obtained by entities that will use them in an irresponsible manner. The reality of
asymmetric cyber warfare is now upon us. How we, as a world community, react to
this new reality will dictate whether we develop further technologies, or sink back
into a romantic era of candle-lit dinners due to the destruction of the electrical
infrastructure by some SCADA-savvy cyber weapon gone awry. One well-placed
cluster of grapeshot can definitely have extremely dangerous repercussions on many
unintended targets. The unintended consequences of such an attack should not be
minimized. We are now involved in a Cyber Cold War, and we need responsible
thought leaders to protect us through intelligent use of weapons, global frameworks,
and nonproliferation treaties. The concept of these new hyper viruses in the hands of
unfriendly nongovernment organizations should create a visceral reaction on every
potential target. The closeness of a potential “Digital Pearl Harbor” should be a
concern on all of our minds.

The fact that command and control communications could be hidden within the
normal traffic for those devices also speaks to the sophistication of their develop-
ment. The malware was designed and developed with a keen focus on minimizing its
impact on available resources. A PLC, for all intents and purposes, can be considered
a dumb device by today’s standards. A PLC, much like the tiny brain that allows the
windshield wipers in a car to operate at multiple speeds and intermittently, is limited
by its design parameters and is intended for a particular purpose, and as such, we
would not expect that same PLC to easily go beyond its defined parameters. In this
particular case, a foreign entity was able to remotely reconfigure these PLCs, and
still manage to remain undetected for months, which speaks to extremely advanced
programming and quality assurance, factors that are rarely found in “normal
viruses.” In other words, the signal ratio of today’s advanced malware ecosystem is
much lower, and easily hidden within normal traffic noise.

The net result of Stuxnet is that 20 percent of the Iranian centrifuges were physically
damaged under the very watchful eye of the facility’s monitors. Their only grievous
sin was to trust their monitoring equipment, and not realize that their infrastructure
had been severely infiltrated and compromised. Like in every Mission Impossible film,
an effective false facade was deployed to fool the sentries, while foreign entities,
unfriendly to their efforts, had managed to deliver an incredibly efficient, highly
stealthy, and incredibly effective weapon. The element of surprise could not have
been greater. The plot was not new, but the theater of operation was.

The reason I say this is because Kaspersky Labs found this code and once the code is
brought out of the wild, it can be deconstructed and sent back into the wild targeting
the sender. It’s like capturing a live Tomahawk missile and reprogramming it to
return home and explode.
While nobody can actually capture a live flying Tomahawk missile and do that, it’s
not impossible with computer code. This is more like capturing a Tomahawk, making
10,000 copies, and reprogramming them all to return home and explode. The United
States will end up becoming the target of the attacks thanks to its own code.

John C. Dvorak

The latest cyber weapon to be discovered that has similarities to Stuxnet, Duqu, and
Flame has been dubbed Gauss by researchers at Kaspersky Lab. The scary aspect
of this malware, first deployed in September 2011 and discovered in June 2012,
is that it may actually be the first documented use of a government-grade cyber
weapon, repurposed for cybercriminal deeds as a banking Trojan.[2] This apparent
code-cousin of Stuxnet and Flame is aimed at stealing personal information,
specifically banking information, but leverages some of the same geographic controls
of previous versions, including targeting machines in specific time zones. While
Flame infected mostly Iranian address space, Gauss seems to be more focused on
Lebanon.

Different modules of Gauss serve the purpose of collecting information from end
users’ Internet browsers, including the history of visited Web sites and passwords.
Additionally, data on infected machines is sent to the attackers, including specifics
regarding network interfaces, the computer’s drives, and BIOS information. Lastly,
the Gauss module is also capable of stealing data from the clients of several Lebanese
banks, including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank, and
Credit Libanais, as well as specifically targeting users of Citibank and PayPal.

According to Kaspersky Lab, there are “strong resemblances and correlations
between Flame and Gauss”.[3] This type of activity is more aligned to cybercrime
than it is to cyber espionage or cyber terrorism. As such, it would appear that this
type of cyber threat has leveraged the infrastructure of a government-sponsored
super-malware, and has reverse-engineered the code so that it can be aimed at
normal users. Unlike other weapons of war, when code is used to create a cyber
weapon of these proportions, the code is sent over open channels. As such, mere
mortals can intercept the code. When the code can be intercepted, even when it is
encrypted and packed, it can easily be reverse-engineered with tools available online
by any hacker with time and initiative.

At the risk of sounding like an alarmist, the possibility of this type of cyber weapon
having its payload altered by a relatively skilled hacker presents a nearly incredible
hazard to society at large. A powerful cyber weapon such as Stuxnet attacking
Internet banking transactions is a definite risk. However, leveraging it to attack
critical infrastructure through SCADA systems creates a much greater danger. With
the knowledge that Stuxnet already had to attack PLCs, the risk to all critical
infrastructures by subtle reprogramming of the payload is potentially catastrophic.
The potential commercialization of such weapons, as intimated by John Dvorak,
will create a rather disturbing problem for those that originally created the cyber
weapons, and couldn’t manage to harness their power once it was unleashed. “At
the end of the day, there will be a government hearing and questions will be asked
as to why this code was released in the first place. There will be no good answers.”[2]

Using Stealth As a Weapon

Encryption started out as a weapon of war. The need to send information unknown to
the enemy was critical in the development of the first ciphers. As far back as the 7th
century BC, messengers delivered transport-encrypted messages to generals that
were wrapped around a rod of wood of a very particular diameter. The receiver of
the message, by using an identical diameter dowel, could easily read the message.
This method of encryption, called the Scytale cipher, was first utilized by the Spartans
and the ancient Greeks to transport information during battles.

Encryption, to this date, remains classified as a dual-use technology, and certain
controls are still in place for the export of those technologies.[4]

Polymorphism, Packing, and Encryption

As malware became more widely known, and anti-virus programs became more
capable of detecting malware through patterns, the criminal element found a need
to make these programs harder to identify as they attempted to enter target systems.

They started using multiple forms of hiding, in order to make it more difficult for
the anti-malware programs to detect them. One of the first changes implemented
to try to subvert anti-malware programs was polymorphism. In a polymorphic
virus, each new iteration of the malware takes on a new characteristic, without
impacting the main code. As such, it becomes harder to identify it with simple
pattern matching.

By packing and encrypting the malware, cybercriminals escalated the arms race once
again. With these techniques, they were often able to bypass base detection. These
were the days of “Pray and Spray,” when there was little targeting being done by
attackers, and they mainly looked to reach the largest possible attack surface.

The packed and encrypted payloads forced the smart anti-malware providers to
migrate to a heuristic engine so that the malware behavior could be detected,
regardless of the path it took to reach the system.
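What the arms race above looks like in code, as an added example that is not from
Blackhatonomics: a packer modelled as a rolling-XOR encoder with a per-sample key
and a small constant decoder stub. The payload is a constructed byte string standing
in for malicious code, and the signature is a substring of it. Two samples built from
the same payload share no signature bytes on disk, which defeats plain pattern
matching; a scanner that runs the decoder first (what a heuristic or emulating engine
does) recovers the same body from both, and the stub that every sample must carry is
itself a pattern. Real packers differ in mechanics, not in this structure.

```python
"""Why byte signatures fail against packed samples, and what still works."""
import os

PAYLOAD = b"CALL connect_c2 ; READ creditcards.db ; SEND"   # constructed stand-in
SIGNATURE = b"connect_c2"        # what a pattern-matching scanner looks for
STUB_MAGIC = b"\xebPACK"         # marks the (constant) decoder stub


def rolling_xor(data: bytes, key: bytes) -> bytes:
    """Symmetric: XOR each byte with key[i % len(key)], so encode == decode."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes, key: bytes = b"") -> bytes:
    """Produce a new sample: stub | key length | key | encoded body.
    A fresh random key per sample is the 'polymorphic' step: every
    build has a different body while the decoded behaviour is identical."""
    key = key or os.urandom(8)
    return STUB_MAGIC + bytes([len(key)]) + key + rolling_xor(payload, key)


def unpack(sample: bytes) -> bytes:
    """What the sample does at run time (or what an emulator does statically)."""
    if not sample.startswith(STUB_MAGIC):
        raise ValueError("no decoder stub")
    klen = sample[len(STUB_MAGIC)]
    start = len(STUB_MAGIC) + 1
    key = sample[start:start + klen]
    return rolling_xor(sample[start + klen:], key)


def signature_scan(sample: bytes) -> bool:
    """Static pattern match on the bytes as stored on disk."""
    return SIGNATURE in sample


def behavioural_scan(sample: bytes) -> bool:
    """Decode first, then match: the signature survives packing."""
    try:
        return SIGNATURE in unpack(sample)
    except ValueError:
        return False


def stub_scan(sample: bytes) -> bool:
    """Signature the constant part instead: the packer's own decoder stub."""
    return sample.startswith(STUB_MAGIC)


if __name__ == "__main__":
    a, b = pack(PAYLOAD), pack(PAYLOAD)
    print("samples identical:", a == b)
    print("signature on disk:", signature_scan(a), signature_scan(b))
    print("signature after decoding:", behavioural_scan(a), behavioural_scan(b))
    print("stub present:", stub_scan(a), stub_scan(b))
```

Encrypting the body with a real cipher instead of XOR changes nothing in this
picture; what matters to the scanner is that the stored bytes vary per sample while
the decoder and the decoded behaviour do not.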

The Need for Hierarchical Frameworks in Malware

One of the first large botnets found in the wild was Bagle, discovered in 2004.
Botnets differ from
worms in their intent and use. While a worm looks to grow and expand through
contact in a sort of “mine is bigger than yours” contest, a botnet actually installs
command and control channels so that the bot herder can use the infected and
compromised systems for a specific purpose, such as a denial of service or click
attack intended to drive up their competition’s cost of sales. Today, botnet machines
are increasingly being used to lease attack surfaces against specific targets, instead
of trying to pilfer money from innocent victims. In a very evolutionary fashion,
cybercriminals have decided that there is less risk in leasing the tools for attacking
than in trying to steal directly from their victims. Bagle actually had an integrated
SMTP engine, which allowed it to convert any compromised machine into a mail
server so that it could spam other users.

With more stable attack platforms, the command and control channel requires
less redundancy and self-healing features to be included. As such, the amount
of unnecessary chatter between systems can be cut down substantially. When the
attack platform was made up of slow and unstable dial-up connections, IP addresses
changed constantly in the compromised systems, and a lot of CRC checks and
redundancy were required to ensure the control of the attack platform was maintained.
As such, the best way to manage a large botnet was through multiple bot herders,
controlled by bot masters that leveraged multiple layers of hierarchy to grow the
systems much like a military battalion has numerous divisions.

The Impact of Broadband

As broadband connectivity expands and the stability of attack platforms improves
drastically, attackers quickly realize they can have the same impact with 20,000
compromised broadband users as they could previously with 400,000 unstable
dial-up users. When network connectivity reaches universities, we see that now
the same attack can be perpetrated with 2,000 strategically placed machines with
ample bandwidth. As such, the logistical traffic required is substantially less, and the
signal aspect of the attack versus the noise of management improves dramatically.
In this case, the attackers essentially did the same thing as corporate America: They
eliminated middle management posts. Now, with very few super nodes, strategically
injected into compromised systems with ample bandwidth, the size of modern
botnets can grow to hundreds of thousands of machines, creating an attack potential
that can easily erode the best of connectivities, as exemplified by the Anonymous
attacks discussed in Chapter 3. It is worthwhile to point out that many of the
Anonymous attack systems were not technically compromised. Ideologically minded
people volunteered their systems, as well as their botnets, to attack a common
enemy.

As we move from cybercrime to cyber warfare, we see that the same tools the
criminals used, when orchestrated and massified, can become a weaponized and
powerful force for attacks between countries. In the same ways that the first knives
yielded the swords of battle and the first guns begat rifles and tanks, we now arrive
at a crucial crossroads in mankind’s advancement. Will Stuxnet be the opening salvo
in a cyber escalation that will only take us to mutually assured destruction? Or will
it be, like the lessons of nuclear war, a weapon used once and then held back, due
to the fears of unleashing it on humankind?

As we move from cyber war to cyber terrorism, and specifically, to state-sponsored
cyber terrorism, the need for stealth deployment and configuration becomes critical
to the success of these targeted attacks. In the same ways that missing weaponry
from armies becomes the tool of the trade for cyber weapons dealers, they will now
have super-cyber weapons in their arsenal to offer to the highest bidder, who without
the proper moral compass can achieve great damage in asymmetric battle. In the
hands of a group that does not respect international treaties and conventions, cyber
weapons such as Stuxnet can take us back to the Stone Age, destroying the very
infrastructure that we rely on for water, electricity, and communications, in the blink
of an eye.


Exploitation of Current Events
Thomas Wilhelm, Jason Andress, in Ninja Hacking, 2011

Change or Loss of Insurance

The cost of insurance continues to climb, and yet is an important consideration for
most family bread-winners. The loss of insurance, or a potential increase in the cost,
could negatively impact a family and is therefore a potentially effective attack vector
when e-mailing a target victim with attached malware.

Here is a list of legitimate events that can grab the attention of our target, which can
be used along with an attachment containing a malicious payload:

• Change in legal marital status

• Change in number of dependents

• Change in employment status

• Change in work schedule

• Change in a child's dependent status

• Change in place of residence or worksite

• Change in your health coverage or spouse's coverage

• Change in an individual's eligibility for Medicare or Medicaid

• A court order

If the e-mail is written in a way that indicates a change to their insurance has been
made, then the target is more likely to click on the attachment than if the e-mail
is purporting to simply provide information. Regardless of which approach we use,
we should restrict the number of e-mails sent out to as few as possible, in order to
remain undetected and appear more legitimate.

Note
Human psychology is an interesting thing; if we state in our e-mail that the target
is required to open an attachment to obtain further information, they may become
cautious and not click on the attachment. However, if we state that the attachment
is simply “additional information,” they may not click on it due to indifference. From
a ninja hacking perspective, it may make more sense to accept the less risky option,
and use verbiage within our e-mail that doesn't insist the victim act on the new
information, and simply let curiosity work in our favor, or to disguise our actions
with more plausible explanations, such as “for security purposes, we have encrypted
the attachment…”

One additional note is that any attachment sent to the target victim must appear
legitimate. We must have text within the attachment that actually relates to the
message subject and e-mail content, such as a resume (with malware) sent to a human
resources department. If we know which insurance agency is used by the target
company, we may be able to find suitable documents on the Internet. Otherwise,
federal or state documents might be just as suitable for our attacks. As an example,
the U.S. Government Accountability Office has a searchable index of insurance
information that affects government employees, small business owners, veterans, and
so on. A list of usable PDF documents can be found by visiting
www.gao.gov/docsearch/locate?&keyword=health+insurance


Client-side attacks and human weaknesses
Jeremy Faircloth, in Penetration Tester's Open Source Toolkit (Third Edition), 2011

4.2.3.1.1 Spear-phishing attack

A spear-phishing attack using SET allows us to craft and send e-mails, with malicious
payloads attached, to either a single person or a group of people. There is also
functionality available to spoof the sender address from within the tool.

The tool is executed by simply running SET from within its installed directory. After
execution, you will be presented with a menu of options that allow you to choose
the type of attack to perform or a few other options such as updating the tools. In
our case, we'll select the “Spear-Phishing Attack Vectors” option. This is shown in
Fig. 4.4.

FIGURE 4.4. SET Main Menu.

We'll then choose the “Perform a Mass Email Attack” option to perform an automated
attack. A number of options are available for exploits. In this case, we'll accept the
default of a PDF-embedded EXE. You can then encode this exploit into an existing
PDF file or create a blank PDF for the attack. For our example, we'll let the tool create
a new blank PDF file. Next, we need to choose which payload we'd like to use for the
attack. A Meterpreter reverse TCP is always useful, so we'll go with that option and
select the port we want to use. After these selections are done, SET will begin to
generate our exploit as shown in Fig. 4.5.
FIGURE 4.5. SET Exploit Generation.

With the exploit and payload created, SET then moves on to the transmission of
the attack. We are given the option of renaming our template and then are able to
choose whether to email it to a single address or use a mass mailer. This is shown
in Fig. 4.6. For this example, let's send to a single address.
FIGURE 4.6. SET Spear-Phishing Transmission Options.

We then are presented with the option of creating our own email template or using
one of the predefined templates included with the tool. The predefined templates
include a number of options, all of which are formulated to cause a successful
social-engineering attack due to their contents and wording. After choosing your
template, you are prompted for the email address of the target and then presented
with the choice of using Gmail or your own mail server/open relay for the attack. If
using Gmail, you are then prompted for your Gmail ID and password. The email is
then sent and the results presented to the screen. This is shown in Fig. 4.7.
FIGURE 4.7. SET Email Sent

Lastly, if needed, SET will prompt you to set up a listener to listen for a connection
after the exploit has been executed. With that listener created, you can now wait
for the target to execute the code. If successful, you'll have a Meterpreter session
granting you access to the target's machine.

Social Engineering
Dr. Patrick Engebretson, in The Basics of Hacking and Penetration Testing (Second
Edition), 2013

Other Options Within SET


Head back into the main menu within the social-engineering attacks as shown in
Figure 5.14.
FIGURE 5.14. Inside the social engineering menus.

There are plenty of other attack vectors within SET. From the social-engineering
attacks menu, option 3 allows you to generate a universal serial bus thumb drive with a
malicious payload. When plugged in, an autorun script will kick in and execute the
payload. A downfall to this attack is that the target needs to have autorun enabled for
this to work. Most companies automatically disable this feature. Option 4 allows you to
create a payload and a listener. This would be useful if you already have access to
a computer and want to deploy one of SET’s payloads that are more obfuscated in
order to evade AV better. You can simply create the payload, copy the file over, double
click or execute it and have it connect back to the listener automatically. Option 5
allows you to send mass e-mails from an e-mail list you may have. This is pretty
simple but supports the ability to use HTML e-mails and send mass e-mails to a
company.

Option 6 is one of my personal favorites, the Arduino attack vectors. Arduino is
a C derivative and allows you to program microcontrollers. One device called the
“teensy” from pjrc.com allows you to program a device to be anything you want.
Within SET, you have the ability to program this board to be a mouse and a keyboard.
Once programmed, you can plug it into a computer and it will bypass the autorun
functionality because it emulates a keyboard and opens a backdoor on the computer.
This is an incredibly powerful technique and allows you to gain complete control
and use the machine with a full meterpreter shell. There are also a number of other
attacks and payloads inside this option. Option 7 allows you to spoof short message
service text messages as long as you have an account with the providers.

Option 8 allows you to create your own WiFi access point out of your computer
including a DHCP and DNS server. When the victim attempts to go to an individual
website, they are redirected back to your computer with the SET attacks. You could
create a captive portal that says you need to accept the Java applet before you can
continue. This is always a good option when targeting a corporation as a penetration
tester.

Option 9 allows you to create your own QRCode that, once scanned, redirects the
scanning machine to your SET (attack) computer. Figure 5.15 is an example that
directs the scanner’s browser to TrustedSec.

FIGURE 5.15. Creating a QRCode through SET.

The last menu, option 10 includes the Powershell attack vectors. Powershell was
briefly mentioned in the Java applet section of this chapter but Powershell is Really
Powerful! It is an amazing tool from a post exploitation perspective and a number
of the leading Powershell folks like Carlos Perez, Matthew Graeber, Josh Kelley, and
David Kennedy have done a significant amount of development on this front. A
number of these attacks have been included in SET. The Powershell attacks are a
series of code attacks that can be executed once you have already compromised a
system. SET will automatically generate the code for you, and rewrite it to bypass
execution restriction policies.

Psychological Weaknesses
Thomas Wilhelm, Jason Andress, in Ninja Hacking, 2011

Baiting
According to legend, a (probably fictional) hero in the Ninjutsu history named Sasuke
Sarutobi was training with a master swordsman, who offered Sasuke the following
advice: “Don't you have your eyes in your back? How handicapped you are! You'll
be a failure unless you know how to defend your weak point, even if you know the
unguarded point of your opponent. The secret of defense in martial arts is to always
be alert. Unless one knows his own weak point, he can never be certain that the weak
point of his opponent is not a decoy.”1

Baiting is the practice of offering a desirable item to the target, either directly or by
simply leaving it for them to find, as a delivery mechanism for a generally malicious
payload. Such a tool can be seen in the classic story of the Trojan horse used during
the siege of Troy:

    Wearied of the war,
    and by ill-fortune crushed, year after year,
    the kings of Greece, by Pallas' skill divine,
    build a huge horse, a thing of mountain size,
    with timbered ribs of fir. They falsely say
    it has been vowed to Heaven for safe return,
    and spread this lie abroad. Then they conceal
    choice bands of warriors in the deep, dark side,
    and fill the caverns of that monstrous womb
    with arms and soldiery.2

In broad strokes, the Greeks constructed a giant wooden horse, filled it with soldiers,
and then appeared to leave. After they were gone, the Trojans, taking the horse as a
trophy of their victory, brought it inside the city walls. When night fell, the soldiers
left the horse and opened the gates to allow the Greek army, who had returned
under cover of darkness, in to destroy the city. The tactic of the Greeks has since
been applied to modern times through the vehicle of technology.

The Modern Trojan Horse


The Trojan horse is alive and well today and is used regularly to spread malware and
various other maliciously oriented tools. The basic technique is still the same: use
an interesting item of hardware or software to lure in the target, then deliver
the payload quietly in the background. Trojans do have application in penetration
testing, but we need to be sure that we are able to maintain control of their activities.

Trojans in Software

The process of using a Trojan horse in software is simple: create a simple application,
perhaps a Flash game, and release it via the Web or e-mail. While your victims are
busy flinging elves about, run a process in the background that scans for credit card
numbers on the machine, sends out spam e-mail, downloads other malware, or
most anything else that we would care to do.

Trojans can also be attached to more complex applications, even commercial ones
such as Microsoft Office. In this case, instead of creating software specifically
as a vehicle for our Trojan, we simply integrate it into the install routine of the
host software. Many install applications conveniently have the capability to install
software dependencies already, so, if present, we can add our package to the list and
have it install silently in the background.

If the ability to integrate our Trojan with the installer is not present or overly
difficult, we can write a wrapper for the host installer. In this case, we replace
the actual executable file for the software install with our own, which will install our
Trojan for us silently, then call the actual software installer from ours.

The library of methods for inserting Trojans is vast and has been developing for
several decades now. The Zukin has a great deal of information and expertise in
developing malware to fall back on, merely by browsing the Internet. Software
development tools and libraries have been tuned over the years, and creating malware is
now a considerably easier task than it once was. Researchers have also been working
for some time on the other side of the malware issue. Both sources of information
will prove invaluable to the Zukin planning such a software-based attack.

Trojans in Hardware

Trojans resident in hardware are often just a slight variant of a software
implementation, running on or stored on a hardware device. This can be as simple as a USB flash
drive or as complex as a completely custom operating system running on a phone
or media device. The benefit in running such tools on hardware is in the additional
lure for the target to actually use the device.

USB Trojan devices are very simple indeed. We create our Trojan software, with no
particular need for even a game or program to disguise it and place it on the USB
device.

This can either be the ubiquitous flash drive, as shown in Figure 10.1, or a larger
USB hard disk; either will work just fine. We then create an autorun file, which will
be processed by the host machine when the device is plugged in, thus running our
Trojan software automatically.
Figure 10.1. A Trojaned USB Device.

Tip
It should be clear that USB Trojans will generally only work on a Windows-based
machine. Even on the proper system, it is possible that the autorun functionality
may be turned off for removable drives. While this could conceivably be made to
work on an OS X or Linux/UNIX system, the attempt is very likely to fail. Researching
your target first will help determine the viability of this type of attack in a given
environment.
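The autorun file described above is the first thing a defender inspects when a found or gifted device is triaged. The Python below is an added example and not code from the book; it parses an autorun.inf (assumed to follow the documented INI layout, with an [autorun] section carrying open, shellexecute and shell\verb\command directives), lists every directive that would launch something, and rates each one by the target's extension. The sample file and the extension list are constructed for illustration.

```python
"""Static triage of an autorun.inf found on removable media.

Added defensive example (not from the book): autorun.inf is an INI-style
file whose [autorun] section tells AutoRun-enabled Windows versions what to
launch or display when a device is inserted. The functions below list every
directive that would cause code to run and rate it by the target's
extension, so an analyst can decide whether to quarantine the device.
"""
from __future__ import annotations

import os

# Extensions Windows treats as directly executable. Assumption: the list is
# illustrative for triage, not an exhaustive catalogue of launchable types.
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                  ".vbs", ".js", ".wsf", ".hta", ".msi"}

# Plain directives that name a program to run. "shell\<verb>\command"
# entries are launch directives too and are matched by pattern below.
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_inf(text: str) -> dict[str, dict[str, str]]:
    """Minimal INI parser: section names and keys are lower-cased because
    Windows reads them case-insensitively; ';' starts a comment line."""
    sections: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launched_program(value: str) -> str:
    """Return the program part of a command value, dropping arguments and
    surrounding quotes, e.g. '"viewer\\x.exe" --full' -> 'viewer\\x.exe'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def analyze_autorun(text: str) -> list[dict[str, str]]:
    """Return one finding per directive that would execute something."""
    findings: list[dict[str, str]] = []
    autorun = parse_inf(text).get("autorun", {})
    for key, value in autorun.items():
        is_launch = key in LAUNCH_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not is_launch:
            continue
        target = launched_program(value)
        ext = os.path.splitext(target)[1].lower()
        findings.append({
            "directive": key,
            "target": target,
            # Anything that launches code is worth a look; a known
            # executable extension makes it a clear quarantine case.
            "severity": "high" if ext in EXECUTABLE_EXT else "medium",
        })
    return findings


def should_quarantine(text: str) -> bool:
    """Quarantine when any directive launches a recognised executable."""
    return any(f["severity"] == "high" for f in analyze_autorun(text))


# Constructed sample mimicking a lure drive; not taken from any real device.
SAMPLE_AUTORUN_INF = (
    "; constructed sample\n"
    "[AutoRun]\n"
    "label=Vacation Photos\n"
    "icon=photos.ico\n"
    "open=setup.exe /s\n"
    "shell\\open=&Open photos\n"
    "shell\\open\\command=\"viewer\\photos.exe\" --fullscreen\n"
    "action=Open folder to view files\n"
)

if __name__ == "__main__":
    for finding in analyze_autorun(SAMPLE_AUTORUN_INF):
        print(f"{finding['severity']:6} {finding['directive']:22} -> {finding['target']}")
    print("quarantine:", should_quarantine(SAMPLE_AUTORUN_INF))
```

Run it against the file copied off the device (mounted read-only, with AutoRun disabled on the analysis host); the "medium" rating covers directives that launch documents or scripts whose extension is not in the executable list, which still deserve a look.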

The U.S. military had such large issues with exactly this sort of attack that, in 2008,
the Department of Defense banned removable media and storage devices from use
in government computers.3 At the time, this was done to prevent the spread of
worms that used removable media to transport themselves, but, as of the time of
this writing, the ban has been relaxed only slightly and such media is only allowed
under very controlled conditions.

Trojans can also be placed on more complex computing devices such as phones
or portable media players. Such devices generally present a relatively limited view
of the user interface to the user, so hiding a Trojan in the background would not
be a difficult task, given sufficient programming skill. Many such devices
have comparatively vast amounts of storage that could be utilized for the storage
of the actual Trojan code, as well as information that might be gleaned from a host
computer. The vast majority of these devices also have USB connections to allow them
to transfer data between the mobile device and a computer, thus providing us with
another mechanism to infect, either from the mobile device to the computer or vice
versa.

SHINOBI-IRI (Stealth and Entering Methods)


USB devices are not the only tools that we can use to carry out such attacks. We can
utilize most anything with storage space that connects to a computer for similar
attacks, including phones, digital picture frames, MP3 players, and other similar
hardware. We will discuss this further in Chapter 16, “Sabotage.”

When using such devices, we also need to take care that they have not been
reversed on us and are not being used to provide us false information. In a security
conscious and highly technical target, it is entirely possible that our activities could
be noticed and turned against us. As with all software tools used by the Zukin, we
need to carefully test and validate the behavior of any tools that we send out into a
noncontrolled computing environment. Trojaned USB devices make excellent tools
for penetration tests. By using them, we can test security in a variety of areas in one
strike, including social engineering, antimalware tools, network security, and others,
depending on the way that they are used.

The Con
The con, otherwise known as a confidence trick or a scam, is often used by the
attacker, called a con man, to separate the victim, called the mark, from money or
property. Cons have likely existed for the majority of known history and have been
well recorded for hundreds of years. While the goal of the Zukin should not be to
gain money for personal reasons, such tactics can be used to strip a target of their
resources or provide an opportunity for them to be publicly ridiculed or discredited
for their gullibility.

The mark, the victim of the con, is often chosen because of their greedy nature,
making them a much easier target for such tactics. The infirm or elderly are also
common targets, as they tend to have impaired judgment. The goal of the con man is
to leave the mark completely unaware that anything is out of the ordinary, until they
have been able to make their exit with the target of their labors, generally money.

Con men often use assistants in their efforts, commonly referred to as shills. The
shill, while actually working with the con man, pretends to be an interested third
party, such as a customer or investor. The shill is used to goad the mark into taking
action when they might be hesitant to do so, by pretending to be very interested in,
or compete for, whatever the con man is offering.

Warning
The con should be used with great caution. Not only can a con require a great
deal of social engineering skill, but it has the potential to backfire in a way that is
disproportionate to its gain. When a con has been discovered, our Zukin may be
in physical danger or may be arrested, and information on our operation may be
compromised. We should take care to plan cons out thoroughly and make sure that
all of the players are familiar with and skilled at their tasks. Such tactics may be
appropriate in a penetration testing environment, but we would need to be careful
to obtain permission before using them.

There is a virtually limitless variety of cons available for use to the Zukin. Though
many cons focus specifically on separating the mark from their valuables, many
cons are easily adapted to fit our tactics. In many cases, they can be invaluable for
distracting, discrediting, embarrassing, or blackmailing our target.

The Spanish Prisoner

The Spanish Prisoner con, a story of great antiquity, repeated in both the filmA and
the short story,B of the same name, has a premise that should be familiar to most
anyone that is even slightly Internet savvy. In this con, the con man tells the mark
that his compatriot has been imprisoned in Spain, and that he is raising money to
get him released. The con man tells the mark that he will allow him to contribute
money to the cause, in exchange for which he will be richly rewarded. Once the con
man gets the money from the mark, he learns that a problem has come up and more
money will be required. This continues until the mark is out of funds or refuses to
contribute further, at which point the con man disappears.

This same general formula is used in the present day Nigerian 419 scams, generally
revolving around money needing to be moved out of a country. In this case, a large
share of it is offered to the mark if they will provide funds to pay for the transfer
fees. Such scams are referred to as Nigerian 419 scams, as a very large percentage
of them originate from that country.

The Spanish Prisoner and its variants can be useful to the Zukin when we are looking
to separate our target from their resources or to discredit them if we are looking to
have them removed from a particular position. Such cons can be very effective at
moving large amounts of money or valuables.

The Melon Drop

The Melon Drop is a much smaller scale and simpler scam than the Spanish Prisoner.
In this case, the con man, carrying a package containing an already broken item
(glass works well), will bump into the mark and fall down, ostensibly breaking the
contents of the package. At this point, the con man will berate the mark, often
loudly so as to draw a crowd. The con man will demand that the mark replace the
contents, often setting a price far above the actual value. Though the story may
be apocryphal, this scam is supposedly called the Melon Drop, due to its success
using cheap watermelons and targeting Japanese tourists, the price of watermelons
in Japan being rather high. While the Melon Drop has very limited potential for
financial gain, it is an excellent tactic to use for a delay or diversion. The Zukin can
very loudly rant at the target about their broken item for some time and the gathered
crowd can cover a variety of activities. Cons such as the Melon Drop can also be of
great aid in social engineering scenarios, as they can cause the target to become
flustered and distracted, thus more easily taken in.

Scam Baiting

On the flipside of baiting, we have scam baiting, also known as counter scamming.
The potential exists here for the Zukin to arrive on either side of a baiting situation,
either as the one being baited or the one doing the baiting. Scam baiting refers to
the situation where the baiting target realizes what is going on and decides to turn
the tables on the attacker. This happens frequently with crudely constructed scams,
like the Nigerian scam, discussed later in this chapter.

The goal of scam baiters is generally to inconvenience and humiliate, often publicly,
the scammer, all the while wasting their time and resources whenever possible.
Successful scam baiters have even managed to reverse entire scams and collect large
sums of money from scammers (oddly enough, often from the Nigerians).

Note
For those of you interested in the world of scam baiting, quite a bit of information
can be found on the Internet, including documentation of such tactics being used
against scammers. One of the more famous sites on the subject is 419eater.com,
equipped with scam baiting tips, videos, and a forum.

For purposes of the Zukin, we need to be aware, when running a scam or con, that
the other party may very well discover the true situation. We need to be vigilant in
ensuring that we are not being led into a counter scam.

Stings

While scam baiting is generally done at the hands of the amateur or vigilante, law
enforcement agencies have been known to use this tactic as well, commonly referred
to as a sting operation or just sting. In the case of a sting, such tactics are used to
catch people who are in the midst of violating the laws for which the agency has
jurisdiction. The legality of this practice varies, but it is permitted in some countries.
Such activities, when successful, often appear in the media. The television show To
Catch a PredatorC is a reality show based on the baiting and subsequent arrest of
pedophiles attempting to rendezvous with the actors that pose as underage girls. The
pedophiles are then shown being questioned and arrested on national television.
Similar publicity has been enjoyed by the participants in many similar incidents.

As we have said many times now, it is very important to research a target or a resource
very carefully before approaching. Sting operations such as these would, of course,
be very bad news for the Zukin that had the misfortune to be caught up in them and
would destroy the covert nature of the operation, at the very least. If we stick to safer
and simpler cons, such as the Melon Drop, we can greatly limit the consequences of
being detected. In this case, if there is an issue, we can simply walk away, as nothing
inherently illegal has been done.

Microsoft Vista: The Battle Against Malware Lives On
In Microsoft Vista for IT Security Professionals, 2007

Trojan Horses
For a malicious program to accomplish its goals, it must be able to do so without
being shut down by the user or administrator of the computer on which it’s running.
Concealment is a major goal of a malware creator. When a malicious program is
disguised as something innocuous or desirable, users may be tempted to install
it without knowing what it does. When reflecting on history, the documented first
use of the Trojan horse was when the Greeks gave their enemies (the Trojans) a gift
during the Trojan War. The gift (a gigantic wooden horse) was given in peace so that
the Trojans would bring it into their stronghold, but at night, when the city slept, the
Greek soldiers snuck out of the back of the horse and attacked and then captured
the city of Troy.

This is how the Trojan horse exploit performs. The Trojan horse will appear harmless
enough for the recipient to install, because it hides its true intention, which is based
on malicious activity. The Trojan horse conceals a harmful or malicious payload
within its seemingly harmless shell. The payload may take effect immediately and
can lead to many undesirable effects, such as deleting all of the user’s files, or
more commonly, installing further harmful software on the user’s system for future
payloads.
Tools and Traps…

Rootkits, Backdoors, and Keyloggers


Malware can be very nasty, especially when it and its payload are concealed. For
instance, consider the use of rootkits, backdoors, and keyloggers:

Rootkits
A rootkit is a form of malware that hides its presence on the target host. Now used
as a general term, its original meaning was to define a set of tools installed by an
attacker on a UNIX system, where the attacker had gained administrator (root) access.
Today rootkit is used as a general term to describe any concealed malware on any
type of system, such as UNIX or Windows. Rootkits act by modifying the host OS so
that the malware is hidden from the user. Rootkits will remain undetected and can
prevent a malicious process from being reported in the process table.

Backdoors
A backdoor is a routine used to sidestep the normal authentication procedure found
on most systems to keep them secure. Backdoors are just as dangerous as rootkits.
Generally, backdoors are network-aware programs that allow access from an attacker
into the target system without the target system's user knowing about it. A backdoor
is a method of bypassing normal authentication procedures. Many software
manufacturers preinstall backdoors on their products to provide technical support
for customers. The malware version performs the same function, but is definitely not
used to provide you with any help.

Keyloggers
A keylogger is a form of malicious software that monitors what a user types on his
keyboard. This will generally lead to the compromise of sensitive information, such
as user credentials (usernames and passwords) and other sensitive data. Sometimes
keyloggers are also implemented in hardware connected to the back of a PC or server
without the user’s knowledge.

Trojans can be very cleverly disguised as innocuous programs, utilities, or
screensavers. A Trojan can also be installed by an executable script (JavaScript, a Java applet,
ActiveX control, etc.) on a Web site. Accessing the site can initiate the program’s
installation if the Web browser is configured to allow scripts to run automatically.
Trojans can use the default behavior of Windows to disguise their true nature.
Because the file extension (the characters that appear after the last dot in a filename)
is hidden by default, a hacker can name a file something such as harmless.jpg.exe
and it will appear in Windows Explorer as harmless.jpg, seeming to be an innocent
graphics file, when it is really an executable program. Of course, double-clicking it
to open the “harmless picture” will run the program. Trojans that are designed to
allow hackers to gain unauthorized access across a network, such as Back Orifice
and NetBus, are sometimes called remote access Trojans (RATs). Back Orifice, Back
Orifice 2000, NetBus, and SubSeven were the most commonly used Trojans of
their time, although literally hundreds exist. Newer Trojan horses, such as Xombe
and Dloader-L, both of which arrive as an executable attachment in spam e-mail
messages claiming to come from windowsupdate@microsoft.com, are meant to
wreak havoc by fooling you into thinking that the attachment legitimately came
from Microsoft. Because the spoofed e-mail address “seemed” legitimate, many
were fooled into executing the attachment, which can be thought of as any system
administrator’s nightmare.
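The harmless.jpg.exe disguise works only because the user sees the wrong name; a mail filter that looks at the real last extension is not fooled. The Python below is an added example and not code from the book: it builds a constructed message with the windowsupdate@microsoft.com sender and the double-extension attachment described above, parses it with the standard library email package, and reports what the user would see next to what would actually run. The extension lists are assumptions for triage, not exhaustive.

```python
"""Triage of e-mail attachments that rely on Windows hiding file extensions.

Added defensive example (not from the book): with "Hide extensions for known
file types" on, a file named harmless.jpg.exe is listed as harmless.jpg, so
mail filtering has to look at the real last extension, not the name a user
sees. The code builds a constructed message, parses it with the standard
library, and reports attachments that are executable or disguised with a
double extension.
"""
from __future__ import annotations

from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows will execute when double-clicked (assumption: a triage
# list, not exhaustive).
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                  ".vbs", ".js", ".wsf", ".hta", ".msi"}
# Document and image types attackers put in front of the real extension.
DECOY_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
             ".xls", ".xlsx", ".txt"}
# Assumption: all of the above are registered types, so Explorer hides them.
HIDDEN_EXT = EXECUTABLE_EXT | DECOY_EXT


def displayed_name(filename: str) -> str:
    """Name Explorer shows with known extensions hidden (default setting)."""
    stem, dot, ext = filename.rpartition(".")
    if dot and "." + ext.lower() in HIDDEN_EXT:
        return stem
    return filename


def classify_attachment(filename: str) -> dict[str, object]:
    """Describe one attachment name from the filter's point of view."""
    parts = filename.lower().split(".")
    true_ext = "." + parts[-1] if len(parts) > 1 else ""
    inner_ext = "." + parts[-2] if len(parts) > 2 else ""
    executable = true_ext in EXECUTABLE_EXT
    return {
        "filename": filename,
        "displayed_as": displayed_name(filename),
        "true_extension": true_ext,
        "executable": executable,
        # harmless.jpg.exe: an executable wearing a document/image extension.
        "double_extension": executable and inner_ext in DECOY_EXT,
    }


def triage_message(raw: bytes) -> list[dict[str, object]]:
    """Return a classification for every attachment in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            report.append(classify_attachment(name))
    return report


def build_sample_message() -> bytes:
    """Constructed lure mirroring the page's description: a spoofed
    windowsupdate@microsoft.com sender with an executable attachment."""
    msg = EmailMessage()
    msg["From"] = "windowsupdate@microsoft.com"   # spoofed, not a real sender
    msg["To"] = "user@example.com"
    msg["Subject"] = "Critical security update"
    msg.set_content("Please open the attached picture.")
    # A few bytes starting with the PE magic stand in for an executable.
    msg.add_attachment(b"MZ" + b"\x00" * 30,
                       maintype="application", subtype="octet-stream",
                       filename="harmless.jpg.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for item in triage_message(build_sample_message()):
        flag = "BLOCK" if item["executable"] else "ok"
        print(f"{flag:5} {item['filename']} (user sees: {item['displayed_as']})")
```

The same check belongs at the gateway and on the endpoint: a filter keyed on the name the user sees would pass harmless.jpg, while one keyed on the true last extension blocks it regardless of the Explorer setting.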

Note
Hackers typically use backdoors to secure remote access to a computer, while
attempting to remain hidden from casual inspection. To install backdoors hackers
use either a Trojan horse or a computer worm, with the payload being the backdoor
routine.

Trojan horses known as droppers are used to initiate a worm outbreak, by injecting the
worm into users’ local networks. Spyware is commonly distributed as a Trojan horse,
bundled with a piece of desirable software that the user downloads from the Web,
or from a peer-to-peer file-sharing network such as LimeWire (www.limewire.com).
When the user installs the software, the spyware is installed alongside it. Spyware
authors who attempt to act legally may include an End User License Agreement
(EULA) which states the behavior of the spyware in loose terms, but with the
knowledge that users are unlikely to read or understand it.

Copyright © 2018 Elsevier B.V. or its licensors or contributors. ScienceDirect ® is a registered trademark of Elsevier B.V. Terms and conditions apply.
