Dynamic Payload
An attacker may hide a malicious payload as an executable APK or JAR inside the
APK's resources. After installation, the app opens the embedded payload and, if it
is a JAR file, loads it through the DexClassLoader API and executes the code
dynamically. The malware may persuade the user to install the embedded APK by
presenting it as an important update. BaseBridge and Anserverbot are two malware
families that use this technique. Other malware families, however, do not plant the
malicious payload as a resource; instead, they download it from a remote server,
which helps them bypass detection. DroidKungFuUpdate is a notorious example of such
dynamic-payload malware. Usually, these techniques cannot be detected using static
analysis methods [8].
Logic Attacks
Mike Shema, in Seven Deadliest Web Application Attacks, 2010
• Poor JSON parsers might execute JavaScript from a malicious payload. Parsers
that use eval() to extract JSON, or mashups that share data and functions, expose
themselves to vulnerabilities if JavaScript content isn't correctly scrubbed.
• XPath injection targets XML-based content
(www.packetstormsecurity.org/papers/bypass/Blind_XPath_Injection_20040518.pdf).
• Lightweight Directory Access Protocol (LDAP) queries can be subject to injection
attacks
(www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf).
A common trait among these attacks is that the vulnerability arises from piecing
data (the content to be searched) and code (the grammar that defines how the
search is to be made) together in a single string, with no clear delineation
between the two.
Intrusion Investigation
Eoghan Casey, ... Andy Johnston, in Handbook of Digital Forensics and Investigation, 2010
2.1.1 Repackaging
Repackaging is one of the most common techniques that malware authors use to
piggyback malicious payloads onto popular applications. In essence, malware authors
may locate and download popular applications, disassemble them, enclose malicious
payloads, and then reassemble and submit the new applications to Google Play and
alternative markets. Users are vulnerable because they are enticed to download and
install these infected applications.
Signal-to-Noise Ratio
Will Gragido, ... Daniel Molina, in Blackhatonomics, 2013
Later, viruses looked to celebrate a specific event, to a certain extent. The
malicious payload of the Michelangelo virus, for instance, was only triggered on the
birthdate of the renaissance artist, remaining dormant in the system for weeks or
months prior to its release. There was a certain artistic provenance regarding the
thoughtfulness of this virus’s developers. I’m not sure that it was a critical global
issue that people did not realize Michelangelo was born on March 6, but the virus
definitely called attention to that specific date in 1990 by celebrating the artist’s
birthday through mayhem.2 The media gave attention to the issue because nothing
like the Michelangelo virus had been seen before. It was, literally, newsworthy and
intellectually motivated, and despite the potential damage it caused to the average
computer user, all data on the drive was respectfully maintained. It only impacted
the boot sector of the hard drive or floppy.
Perpetrators back in the 1980s were looking to highlight their skills and mastery over
the computer operating system and applications. They could co-opt behavior from
the system beyond the design specifications, and that made them proud of their
accomplishments. Some of the more benignly intentioned hackers were looking
to correct what they saw as flaws in design or function, and intended to pressure
vendors into correcting these errors. They hunted for bugs and sought to improve
the ecosystem, even if their ways to the means were questionable. Others were merely
looking to leverage vulnerabilities in the system to draw attention to themselves.
In a way, when viruses were more interested in propagating merely to do harm
to operating systems, they were more like Lindsay Lohan, acting out merely to
be noticed, without causing real harm to others, except for the odd accusation of
shoplifting. They came in with a big brass band, almost immediately notifying the
infected target of their presence by flooding the target with information, changing
boot sectors to prevent the system from returning after a reboot, or changing
wallpapers and colors on the screen. They were nuisance viruses, but they were
easily identified, as the main motivator of the malware developer was to gain instant
personal notoriety. In fact, many of these viruses, as well as Web page defacements,
were literally signed by the perpetrators, in the same way that artists sign their
masterpieces. As well, because of their simple intent, the correction was often just
as simple: Rewrite the boot sector, as with the Michelangelo virus, and you regain
access to your fully operational system. Merely copy back the file index.html, and
your Web page is magically back. Copy win.ini back from a location where it was
thoughtfully left behind by the hacker, and your system is automatically back in
business.
As the main motivator has now shifted from fame to fortune, however, the focus
has shifted to stealth, and to losing your hacking self within the system’s inherent
noise. No drums, brass bands, and cymbals are wanted now, because they only
attract undue attention. Simply stated, if a cybercriminal can create an ATM-specific
Trojan and stay in the system undetected for one day, he or she may be able to
collect 50 credit card numbers and their respective PINs. If the cybercriminal can
remain undetected in the ATM for a week, we are talking about 400 credit cards and
PINs. After a full year, we are talking about a complete revenue stream that is easy
to monetize and extremely difficult to prosecute. With the amount of data that
is being transferred in each transaction, the purloined data becomes a very small
amount of noise to detect within the system’s signal.
A clear, insidious, and dangerous example of this can be found in the Stuxnet attacks,
now known to have been perpetrated by unfriendly countries against Iran’s nuclear
infrastructure, where we see a new use for malware as a laser-targeted weapon of an
undeclared and potentially illegal cyber war. The developers of the malware sought
to insert themselves into a specific brand of programmable logic controllers (PLCs)
that were likely to be used in a nuclear reactor’s centrifuge. Interestingly enough, not
all of the PLCs were susceptible to the attack. A vaccine was included in the malware
for those PLCs in friendly geographic areas. The compromised PLCs were mostly
found in countries that were like-minded to Iran, such as Venezuela and Ecuador,
but not in Colombia, for example (see Figure 4.1).
These PLCs were reconfigured to report back normal settings, while they were
accelerating the hardware to the point where they actually caused damage to the
centrifuge infrastructure. The operators were dumbfounded because their
dashboards all showed readings that were within the expected parameters, but the
centrifuge was being damaged. This kind of malice aforethought goes well beyond
the opportunistic hackers of yore and into a much deeper and more dangerous
model of cyber warfare that requires investment levels far beyond those of typical
script kiddies. In the case of Stuxnet and Duqu, we now have clear and concise
evidence that these weapons were developed by the United States government, and
that they were deployed deliberately, if irresponsibly, upon the global interconnected
community. Moreover, the government’s admitting to having released those cyber
weapons has quietly unleashed a new era of global war, where escalation will yield
mutually assured destruction, a concept not considered seriously since the 1980s at
the height of the nuclear arms race. Pandora’s Cyber Box is now open for business.
Countries will now be forced to develop offensive cyber war capabilities, in essence
making them compete with cybercriminals for hacking resources.
The fact that command and control communications could be hidden within the
normal traffic for those devices also speaks to the sophistication of their
development. The malware was designed and developed with a keen focus on minimizing its
impact on available resources. A PLC, for all intents and purposes, can be considered
a dumb device by today’s standards. A PLC, much like the tiny brain that allows the
windshield wipers in a car to operate at multiple speeds and intermittently, is limited
by its design parameters and is intended for a particular purpose, and as such, we
would not expect that same PLC to easily go beyond its defined parameters. In this
particular case, a foreign entity was able to remotely reconfigure these PLCs, and
still manage to remain undetected for months, which speaks to extremely advanced
programming and quality assurance, factors that are rarely found in “normal
viruses.” In other words, the signal ratio of today’s advanced malware ecosystem is
much lower, and easily hidden within normal traffic noise.
The net result of Stuxnet is that 20 percent of the Iranian centrifuges were physically
damaged under the very watchful eye of the facility’s monitors. Their only grievous
sin was to trust their monitoring equipment, and not realize that their infrastructure
had been severely infiltrated and compromised. Like in every Mission Impossible film,
an effective false facade was deployed to fool the sentries, while foreign entities,
unfriendly to their efforts, had managed to deliver an incredibly efficient, highly
stealthy, and incredibly effective weapon. The element of surprise could not have
been greater. The plot was not new, but the theater of operation was.
The reason I say this is because Kaspersky Labs found this code and once the code is
brought out of the wild, it can be deconstructed and sent back into the wild targeting
the sender. It’s like capturing a live Tomahawk missile and reprogramming it to
return home and explode.
While nobody can actually capture a live flying Tomahawk missile and do that, it’s
not impossible with computer code. This is more like capturing a Tomahawk, making
10,000 copies, and reprogramming them all to return home and explode. The United
States will end up becoming the target of the attacks thanks to its own code.
John C. Dvorak
The latest cyber weapon to be discovered that has similarities to Stuxnet, Duqu, and
Flame has been dubbed Gauss by researchers at Kaspersky Lab. The scary aspect
of this malware, first deployed in September 2011 and discovered in June 2012,
is that it may actually be the first documented use of a government-grade cyber
weapon, repurposed for cybercriminal deeds as a Banking Trojan.[2] This apparent
code-cousin of Stuxnet and Flame is aimed at stealing personal information,
specifically banking information, but leverages some of the same geographic controls of
previous versions, including targeting machines in specific time zones. While Flame
attacked mostly Iraqi address space, Gauss seems to be more focused on Lebanon.
Different modules of Gauss serve the purpose of collecting information from end
users’ Internet browsers, including the history of visited Web sites and passwords.
Additionally, data on infected machines is sent to the attackers, including specifics
regarding network interfaces, the computer’s drives, and BIOS information. Lastly,
the Gauss module is also capable of stealing data from the clients of several Lebanese
banks, including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank, and
Credit Libanais, as well as specifically targeting users of Citibank and PayPal.
According to Kaspersky Lab, there are “strong resemblances and correlations
between Flame and Gauss”.[3] This type of activity is more aligned to cybercrime
than it is to cyber espionage or cyber terrorism. As such, it would appear that this
type of cyber threat has leveraged the infrastructure of a government-sponsored
super-malware, and has reverse-engineered the code so that it can be aimed at
normal users. Unlike other weapons of war, when code is used to create a cyber
weapon of these proportions, the code is sent over open channels. As such, mere
mortals can intercept the code. When the code can be intercepted, even when it is
encrypted and packed, it can easily be reverse-engineered with tools available online
by any hacker with time and initiative.
At the risk of sounding like an alarmist, the possibility of this type of cyber weapon
having its payload altered by a relatively skilled hacker presents a nearly incredible
hazard to society at large. A powerful cyber weapon such as Stuxnet attacking
Internet banking transactions is a definite risk. However, leveraging it to attack
critical infrastructure through SCADA systems creates a much greater danger. With
the knowledge that Stuxnet already had to attack PLCs, the risk to all critical
infrastructures by subtle reprogramming of the payload is potentially catastrophic.
The potential commercialization of such weapons, as intimated by John Dvorak,
will create a rather disturbing problem for those that originally created the cyber
weapons, and couldn’t manage to harness their power once it was unleashed. “At
the end of the day, there will be a government hearing and questions will be asked
as to why this code was released in the first place. There will be no good answers.”[2]
They started using multiple forms of hiding, in order to make it more difficult for
the anti-malware programs to detect them. One of the first changes implemented
to try to subvert anti-malware programs was polymorphism. In a polymorphic
virus, each new iteration of the malware takes on a new characteristic, without
impacting the main code. As such, it becomes harder to identify it with simple
pattern matching.
By packing and encrypting the malware, cybercriminals escalated the arms race once
again. With these techniques, they were often able to bypass base detection. These
were the days of “Pray and Spray,” when there was little targeting being done by
attackers, and they mainly looked to reach the largest possible attack surface.
The packed and encrypted payloads forced the smart anti-malware providers to
migrate to a heuristic engine so that the malware behavior could be detected,
regardless of the path it took to reach the system.
With more stable attack platforms, the command and control channel requires
less redundancy and self-healing features to be included. As such, the amount
of unnecessary chatter between systems can be cut down substantially. When the
attack platform was made up of slow and unstable dial-up connections, IP addresses
changed constantly in the compromised systems, and a lot of CRC checks and
redundancy were required to ensure the control of the attack platform was maintained.
As such, the best way to manage a large botnet was through multiple bot herders,
controlled by bot masters that leveraged multiple layers of hierarchy to grow the
systems much like a military battalion has numerous divisions.
As we move from cybercrime to cyber warfare, we see that the same tools the
criminals used, when orchestrated and massified, can become a weaponized and
powerful force for attacks between countries. In the same ways that the first knives
yielded the swords of battle and the first guns begat rifles and tanks, we now arrive
at a crucial crossroads in mankind’s advancement. Will Stuxnet be the opening salvo
in a cyber escalation that will only take us to mutually assured destruction? Or will
it be, like the lessons of nuclear war, a weapon used once and then held back, due
to the fears of unleashing it on humankind?
Here is a list of legitimate events that can grab the attention of our target, which can
be used along with an attachment containing a malicious payload:
• A court order
If the e-mail is written in a way that indicates a change to their insurance has been
made, then the target is more likely to click on the attachment than if the e-mail
is purporting to simply provide information. Regardless of which approach we use,
we should restrict the number of e-mails sent out to as few as possible, in order to
remain undetected and appear more legitimate.
Note
Human psychology is an interesting thing; if we state in our e-mail that the target
is required to open an attachment to obtain further information, they may become
cautious and not click on the attachment. However, if we state that the attachment
is simply “additional information,” they may not click on it due to indifference. From
a ninja hacking perspective, it may make more sense to accept the less risky option,
and use verbiage within our e-mail that doesn't insist the victim act on the new
information, and simply let curiosity work in our favor, or to disguise our actions
with more plausible explanations, such as “for security purposes, we have encrypted
the attachment…”
One additional note is that any attachment sent to the target victim must appear
legitimate. We must have text within the attachment that actually relates to the
message subject and e-mail content, such as a resume (with malware) sent to a human
resources department. If we know which insurance agency is used by the target
company, we may be able to find suitable documents on the Internet. Otherwise,
federal or state documents might be just as suitable for our attacks. As an example,
the U.S. General Accounting Office has a searchable index of insurance information
that impacts government employees, small business owners, veterans, and so on. A
list of usable PDF documents can be found by visiting
www.gao.gov/docsearch/locate?&keyword=health+insurance.
The tool is executed by simply running SET from within its installed directory. After
execution, you will be presented with a menu of options that allow you to choose
the type of attack to perform or a few other options such as updating the tools. In
our case, we'll select the “Spear-Phishing Attack Vectors” option. This is shown in
Fig. 4.4.
We'll then choose the “Perform a Mass Email Attack” option to perform an
automated attack. A number of options are available for exploits. In this case, we'll accept the
default of a PDF-embedded EXE. You can then encode this exploit into an existing
PDF file or create a blank PDF for the attack. For our example, we'll let the tool create
a new blank PDF file. Next, we need to choose which payload we'd like to use for the
attack. A Meterpreter reverse TCP is always useful, so we'll go with that option and
select the port we want to use. After these selections are done, SET will begin to
generate our exploit as shown in Fig. 4.5.
FIGURE 4.5. SET Exploit Generation.
With the exploit and payload created, SET then moves on to the transmission of
the attack. We are given the option of renaming our template and then are able to
choose whether to email it to a single address or use a mass mailer. This is shown
in Fig. 4.6. For this example, let's send to a single address.
FIGURE 4.6. SET Spear-Phishing Transmission Options.
We then are presented with the option of creating our own email template or using
one of the predefined templates included with the tool. The predefined templates
include a number of options, all of which are formulated to cause a successful
social-engineering attack due to their contents and wording. After choosing your
template, you are prompted for the email address of the target and then presented
with the choice of using Gmail or your own mail server/open relay for the attack. If
using Gmail, you are then prompted for your Gmail ID and password. The email is
then sent and the results presented to the screen. This is shown in Fig. 4.7.
FIGURE 4.7. SET Email Sent
Lastly, if needed, SET will prompt you to set up a listener to listen for a connection
after the exploit has been executed. With that listener created, you can now wait
for the target to execute the code. If successful, you'll have a Meterpreter session
granting you access to the target's machine.
Social Engineering
Dr. Patrick Engebretson, in The Basics of Hacking and Penetration Testing (Second
Edition), 2013
There are plenty of other attack vectors within SET. Among the social-engineering
attacks, option 3 allows you to generate a universal serial bus thumb drive with a
malicious payload. When plugged in, an autorun script will kick in and execute the
payload. A downfall to this attack is the target needs to have autorun enabled for this
to work. Most companies automatically disable this feature. Option 4 allows you to
create a payload and a listener. This would be useful if you already have access to
a computer and want to deploy one of SET’s payloads that are more obfuscated in
order to evade AV better. You can simply create the payload, copy the file over, double
click or execute it and have it connect back to the listener automatically. Option 5
allows you to send mass e-mails from an e-mail list you may have. This is pretty
simple but supports the ability to use HTML e-mails and send mass e-mails to a
company.
Option 8 allows you to create your own WiFi access point out of your computer
including a DHCP and DNS server. When the victim attempts to go to an individual
website, they are redirected back to your computer with the SET attacks. You could
create a captive portal that says you need to accept the Java applet before you can
continue. This is always a good option when targeting a corporation as a penetration
tester.
Option 9 allows you to create your own QR code that, once scanned, redirects the
scanning machine to your SET (attack) computer. Figure 5.15 is an example that
directs the scanner’s browser to TrustedSec.
The last menu, option 10 includes the Powershell attack vectors. Powershell was
briefly mentioned in the Java applet section of this chapter but Powershell is Really
Powerful! It is an amazing tool from a post exploitation perspective and a number
of the leading Powershell folks like Carlos Perez, Matthew Graeber, Josh Kelley, and
David Kennedy have done a significant amount of development on this front. A
number of these attacks have been included into SET. The Powershell attacks are a
series of code attacks that can be executed once you have already compromised a
system. SET will automatically generate the code for you, and rewrite it to bypass
execution restriction policies.
Psychological Weaknesses
Thomas Wilhelm, Jason Andress, in Ninja Hacking, 2011
Baiting
According to legend, a (probably fictional) hero in the Ninjutsu history named Sasuke
Sarutobi was training with a master swordsman, who offered Sasuke the following
advice: “Don't you have your eyes in your back? How handicapped you are! You'll
be a failure unless you know how to defend your weak point, even if you know the
unguarded point of your opponent. The secret of defense in martial arts is to always
be alert. Unless one knows his own weak point, he can never be certain that the weak
point of his opponent is not a decoy.”1
Baiting is the practice of offering a desirable item to the target, either directly or by
simply leaving it for them to find, as a delivery mechanism for a generally malicious
payload. Such a tool can be seen in the classic story of the Trojan horse used during
the siege of Troy:
Wearied of the war, and by ill-fortune crushed, year after year, the kings of Greece,
by Pallas' skill divine, build a huge horse, a thing of mountain size, with timbered
ribs of fir. They falsely say it has been vowed to Heaven for safe return, and spread
this lie abroad. Then they conceal choice bands of warriors in the deep, dark side,
and fill the caverns of that monstrous womb with arms and soldiery.2
In broad strokes, the Greeks constructed a giant wooden horse, filled it with soldiers,
and then appeared to leave. After they were gone, the Trojans, taking the horse as a
trophy of their victory, brought it inside the city walls. When night fell, the soldiers
left the horse and opened the gates to allow the Greek army, who had returned
under cover of darkness, in to destroy the city. The tactic of the Greeks has since
been applied to modern times through the vehicle of technology.
Trojans in Software
The process of using a Trojan horse in software is simple: create a simple application,
perhaps a Flash game, and release it via the Web or e-mail. While your victims are
busy flinging elves about, run a process in the background that scans for credit card
numbers on the machine, sends out spam e-mail, downloads other malware, or
most anything else that we would care to do.
Trojans can also be attached to more complex applications, even commercial ones
such as Microsoft Office. In this case, instead of creating software specifically
as a vehicle for our Trojan, we simply integrate it into the install routine of the
host software. Many install applications conveniently have the capability to install
software dependencies already, so, if present, we can add our package to the list and
have it install silently in the background.
If the ability to integrate our Trojan with the installer is not present or overly
difficult, we can write a wrapper for the host installer. In this case, we replace
the actual executable file for the software install with our own, which will install our
Trojan for us silently, then call the actual software installer from ours.
The library of methods for inserting Trojans is vast and has been developing for
several decades now. The Zukin has a great deal of information and expertise in
developing malware to fall back on, merely by browsing the Internet. Software
development tools and libraries have been tuned over the years, and creating malware is
now a considerably easier task than it once was. Researchers have also been working
for some time on the other side of the malware issue. Both sources of information
will prove invaluable to the Zukin planning such a software-based attack.
Trojans in Hardware
Trojans resident in hardware are often just a slight variant of a software
implementation, running on or stored on a hardware device. This can be as simple as a USB flash
drive or as complex as a completely custom operating system running on a phone
or media device. The benefit in running such tools on hardware is in the additional
lure for the target to actually use the device.
USB Trojan devices are very simple indeed. We create our Trojan software, with no
particular need for even a game or program to disguise it and place it on the USB
device.
This can either be the ubiquitous flash drive, as shown in Figure 10.1, or a larger
USB hard disk; either will work just fine. We then create an autorun file, which will
be processed by the host machine when the device is plugged in, thus running our
Trojan software automatically.
Figure 10.1. A Trojaned USB Device.
Tip
It should be clear that USB Trojans will generally only work on a Windows-based
machine. Even on the proper system, it is possible that the autorun functionality
may be turned off for removable drives. While this could conceivably be made to
work on an OS X or Linux/UNIX system, the attempt is very likely to fail. Researching
your target first will help determine the viability of this type of attack in a given
environment.
The U.S. military had such large issues with exactly this sort of attack that, in 2008,
the Department of Defense banned removable media and storage devices from use
in government computers.3 At the time, this was done to prevent the spread of
worms that used removable media to transport themselves, but, as of the time of
this writing, the ban has been relaxed only slightly and such media is only allowed
under very controlled conditions.
Trojans can also be placed on more complex computing devices such as phones
or portable media players. Such devices generally present a relatively limited view
of the user interface to the user, so hiding a Trojan in the background would not
be a difficult task, given sufficient programming skill. Many such devices
have comparatively vast amounts of storage that could be utilized for the storage
of the actual Trojan code, as well as information that might be gleaned from a host
computer. The vast majority of these devices also have USB connections to allow them
to transfer data between the mobile device and a computer, thus providing us with
another mechanism to infect, either from the mobile device to the computer or vice
versa.
When using such devices, we also need to take care that they have not been
reversed on us and are not being used to provide us false information. In a security
conscious and highly technical target, it is entirely possible that our activities could
be noticed and turned against us. As with all software tools used by the Zukin, we
need to carefully test and validate the behavior of any tools that we send out into a
noncontrolled computing environment. Trojaned USB devices make excellent tools
for penetration tests. By using them, we can test security in a variety of areas in one
strike, including social engineering, antimalware tools, network security, and others,
depending on the way that they are used.
The Con
The con, otherwise known as a confidence trick or a scam, is often used by the
attacker, called a con man, to separate the victim, called the mark, from money or
property. Cons have likely existed for the majority of known history and have been
well recorded for hundreds of years. While the goal of the Zukin should not be to
gain money for personal reasons, such tactics can be used to strip a target of their
resources or provide an opportunity for them to be publicly ridiculed or discredited
for their gullibility.
The mark, the victim of the con, is often chosen because of their greedy nature,
making them a much easier target for such tactics. The infirm or elderly are also
common targets, as they tend to have impaired judgment. The goal of the con man is
to leave the mark completely unaware that anything is out of the ordinary, until they
have been able to make their exit with the target of their labors, generally money.
Con men often use assistants in their efforts, commonly referred to as shills. The
shill, while actually working with the con man, pretends to be an interested third
party, such as a customer or investor. The shill is used to goad the mark into taking
action when they might be hesitant to do so, by pretending to be very interested in,
or compete for, whatever the con man is offering.
Warning
The con should be used with great caution. Not only can a con require a great
deal of social engineering skill, but it has the potential to backfire in a way that is
disproportionate to its gain. When a con has been discovered, our Zukin may be
in physical danger or may be arrested, and information on our operation may be
compromised. We should take care to plan cons out thoroughly and make sure that
all of the players are familiar with and skilled at their tasks. Such tactics may be
appropriate in a penetration testing environment, but we would need to be careful
to obtain permission before using them.
There is a virtually limitless variety of cons available for use to the Zukin. Though
many cons focus specifically on separating the mark from their valuables, many
cons are easily adapted to fit our tactics. In many cases, they can be invaluable for
distracting, discrediting, embarrassing, or blackmailing our target.
The Spanish Prisoner con, a story of great antiquity, repeated in both the filmA and
the short story,B of the same name, has a premise that should be familiar to most
anyone that is even slightly Internet savvy. In this con, the con man tells the mark
that his compatriot has been imprisoned in Spain, and that he is raising money to
get him released. The con man tells the mark that he will allow him to contribute
money to the cause, in exchange for which he will be richly rewarded. Once the con
man gets the money from the mark, he learns that a problem has come up and more
money will be required. This continues until the mark is out of funds or refuses to
contribute further, at which point the con man disappears.
This same general formula is used in the present day Nigerian 419 scams, generally
revolving around money needing to be moved out of a country. In this case, a large
share of it is offered to the mark if they will provide funds to pay for the transfer
fees. Such scams are referred to as Nigerian 419 scams, as a very large percentage
of them originate from that country.
The Spanish Prisoner and its variants can be useful to the Zukin when we are looking
to separate our target from their resources or to discredit them if we are looking to
have them removed from a particular position. Such cons can be very effective at
moving large amounts of money or valuables.
The Melon Drop is a much smaller scale and simpler scam than the Spanish Prisoner.
In this case, the con man, carrying a package containing an already broken item
(glass works well), will bump into the mark and fall down, ostensibly breaking the
contents of the package. At this point, the con man will berate the mark, often
loudly so as to draw a crowd. The con man will demand that the mark replace the
contents, often setting a price far above the actual value. Though the story may
be apocryphal, this scam is supposedly called the Melon Drop, due to its success
using cheap watermelons and targeting Japanese tourists, the price of watermelons
in Japan being rather high. While the Melon Drop has very limited potential for
financial gain, it is an excellent tactic to use for a delay or diversion. The Zukin can
very loudly rant at the target about their broken item for some time and the gathered
crowd can cover a variety of activities. Cons such as the Melon Drop can also be of
great aid in social engineering scenarios, as they can cause the target to become
flustered and distracted, thus more easily taken in.
Scam Baiting
On the flipside of baiting, we have scam baiting, also known as counter scamming.
The potential exists here for the Zukin to arrive on either side of a baiting situation,
either as the one being baited or the one doing the baiting. Scam baiting refers to
the situation where the baiting target realizes what is going on and decides to turn
the tables on the attacker. This happens frequently with crudely constructed scams,
like the Nigerian scam, discussed later in this chapter.
The goal of scam baiters is generally to inconvenience and humiliate, often publicly,
the scammer, all the while wasting their time and resources whenever possible.
Successful scam baiters have even managed to reverse entire scams and collect large
sums of money from scammers (oddly enough, often from the Nigerians).
Note
For those of you interested in the world of scam baiting, quite a bit of information
can be found on the Internet, including documentation of such tactics being used
against scammers. One of the more famous sites on the subject is 419eater.com,
equipped with scam baiting tips, videos, and a forum.
For purposes of the Zukin, we need to be aware, when running a scam or con, that
the other party may very well discover the true situation. We need to be vigilant in
ensuring that we are not being led into a counter scam.
Stings
While scam baiting is generally done at the hands of the amateur or vigilante, law
enforcement agencies have been known to use this tactic as well, commonly referred
to as a sting operation or just sting. In the case of a sting, such tactics are used to
catch people who are in the midst of violating the laws for which the agency has
jurisdiction. The legality of this practice varies, but it is permitted in some countries.
Such activities, when successful, often appear in the media. The television show To
Catch a Predator [C] is a reality show based on the baiting and subsequent arrest of
pedophiles attempting to rendezvous with the actors that pose as underage girls. The
pedophiles are then shown being questioned and arrested on national television.
Similar publicity has been enjoyed by the participants in many similar incidents.
As we have said many times now, it is very important to research a target or a resource
very carefully before approaching. Sting operations such as these would, of course,
be very bad news for the Zukin that had the misfortune to be caught up in them and
would destroy the covert nature of the operation, at the very least. If we stick to safer
and simpler cons, such as the Melon Drop, we can greatly limit the consequences of
being detected. In this case, if there is an issue, we can simply walk away, as nothing
inherently illegal has been done.
Trojan Horses
For a malicious program to accomplish its goals, it must be able to do so without
being shut down by the user or administrator of the computer on which it’s running.
Concealment is a major goal of a malware creator. When a malicious program is
disguised as something innocuous or desirable, users may be tempted to install
it without knowing what it does. When reflecting on history, the documented first
use of the Trojan horse was when the Greeks gave their enemies (the Trojans) a gift
during the Trojan War. The gift (a gigantic wooden horse) was given in peace so that
the Trojans would bring it into their stronghold, but at night, when the city slept, the
Greek soldiers snuck out of the back of the horse and attacked and then captured
the city of Troy.
This is how the Trojan horse exploit performs. The Trojan horse will appear harmless
enough for the recipient to install, because it hides its true intention, which is based
on malicious activity. The Trojan horse conceals a harmful or malicious payload
within its seemingly harmless shell. The payload may take effect immediately and
can lead to many undesirable effects, such as deleting all of the user’s files, or
more commonly, installing further harmful software on the user’s system for future
payloads.
Tools and Traps…
Note
Hackers typically use backdoors to secure remote access to a computer, while
attempting to remain hidden from casual inspection. To install backdoors hackers
use either a Trojan horse or a computer worm, with the payload being the backdoor
routine.
Trojan horses known as droppers are used to initiate a worm outbreak, by injecting the
worm into users’ local networks. Spyware is commonly distributed as a Trojan horse,
bundled with a piece of desirable software that the user downloads from the Web,
or from a peer-to-peer file-sharing network such as LimeWire (www.limewire.com).
When the user installs the software, the spyware is installed alongside it. Spyware
authors who attempt to act legally may include an End User License Agreement
(EULA) which states the behavior of the spyware in loose terms, but with the
knowledge that users are unlikely to read or understand it.