Thursday 25 September 2008

Ways to attack your users

So, hacking. What is it? Well, let’s try a dictionary definition.

The Merriam-Webster online dictionary says:

a: to write computer programs for enjoyment; b: to gain access to a computer illegally

OK, I would argue that a program can be hacked together for a number of reasons, not just for enjoyment, and that a program written for enjoyment may be created with properly structured methods. The second definition holds more water, though maybe you could argue that penetration testing is hacking and not illegal, except perhaps in Germany. The German government passed a law making the possession of certain software tools illegal, in the same way that it is illegal in many places to wander around the streets with a set of lock picks and a crowbar. Well, I can see some good points in this law, but some of the tools that hackers use and that security professionals use are the same bit of binary. This is a tricky one. If you pass a law designed to control criminals and honest men alike, the criminals will break the law (it is a job requirement) and the honest men will either obey it to no good purpose or become criminals and break the law.

Anyway, hacking is gaining access to a computer system against the user’s wishes. Perhaps that is a better definition. However, a new study casts some doubt on that definition too. When is access to the computer granted? Well, from the point of view of the computer, when the access is requested or initiated from a legitimate and authorised user account. That makes sense; how else could it decide? What does this mean in practice? That code is running in the context of the user. This could be a cross-site scripting attack or a buffer overrun, but let us consider the most common case, the case that is occurring on your computer right now. This page has a tiny and quite harmless bit of JScript running which is part of the navigation bar logic. If you are running on an older operating system then it will be running under your user account. If you are running Vista or Server 2003 or Server 2008 and you haven’t monkeyed around with the security settings for the browser, then it will be running in a more limited context, but my code (well, OK, technically Google’s code) is running on your computer. Of course, even if the script were malicious, there are only certain things that script on a page can do. The really powerful things require you to do them from a binary format executable, an EXE or a DLL or something else like that. A script can use some of these that are marked as safe for scripting, and a lot of security updates in the past have simply been to mark some component as not being safe for scripting. A script can’t add a new binary. That requires user action.

What exactly is “user action”? It is clicking on a button saying that the user trusts the component that wants to install, or following a link, or just clicking OK on a dialog. A script can open a window and display HTML. That is a perfectly legitimate thing for a script to do and a lot of the web wouldn’t work if it couldn’t – you have to allow popups from some sites. However, what happens if it creates a window that looks for all the world like a legitimate dialog? Oooh… well, you have to rely on the user spotting that it isn’t the real deal.

How likely is the user to always spot that a dialog is not the real deal, rather than clicking on it anyway? According to a study at North Carolina State University, users who had been specifically warned and who were being careful successfully spotted the fakes 37% of the time. Yes, just under two thirds of the spoofs were accepted as real. There are some more details at the NCSU site.

Most malware (and remote access tools, the holy grail of hacking, are just another type of malware) is installed by the user inadvertently.

How can these windows be used? Well, there are a number of ways. One of the most common is to have a dialog with a bitmap on it that looks like a dialog, but the whole thing (including the window borders, the close button and all) is just a big button that takes you somewhere that you didn’t want to go. A popular use is to display what looks like a system warning that you have malware. Follow the helpful link and it will try to download an application. Most users approve the download because “Windows” asked them to install it, so it must be safe. “Windows Antivirus 2008” and the 2009 version do exactly that. Pop onto Yahoo Answers some time to see how many people clicked “yes”. There are multiple sites offering removal instructions, but the ones at Bleeping Computer seem pretty good to me.

Antivirus 2009 doesn’t just use that technique though. It also uses the good old codec download trick. This is very much the same principle. A video is created which pops up a dialog, or displays a message in the video window, saying that it needs a codec, and handily gives you a link to the codec. The first malware to do this was our old friend Zlob. There is no honour among thieves and the idea has been copied widely. Does the link actually take you to a codec? ‘fraid not.
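Both tricks above end the same way: a link that claims to deliver a codec, a security update or an antivirus actually delivers a Windows executable. One cheap check a defender can run over captured downloads (from a proxy log, a sandbox or a mail gateway) is to compare what the link and the Content-Type header claim with the magic bytes the server actually sent. The script below is an added example written for this post, not code from the post or from any product it mentions; the `Download` records, the hostnames and the finding labels are all constructed for the illustration.

```python
"""
Constructed example: triage captured downloads by comparing what a link
claims to deliver (its file name and Content-Type) with what the server
actually sent (the body's magic bytes). Every record and host below is
made up; the helper names are this example's own, not a library API.
"""
from dataclasses import dataclass
import re

# Windows PE files (EXE, DLL, SCR, ...) start with the "MZ" DOS header.
PE_MAGIC = b"MZ"

# Content-Types under which serving a PE is at least honest about it.
HONEST_EXE_TYPES = {
    "application/x-msdownload",
    "application/octet-stream",
    "application/vnd.microsoft.portable-executable",
}

# Words the lures described in the post trade on: a "codec", a "security
# update", an "antivirus". An executable named this way deserves a look.
LURE_WORDS = re.compile(r"codec|antivirus|security|update|player", re.IGNORECASE)


@dataclass(frozen=True)
class Download:
    url: str            # where the click took the browser
    content_type: str   # Content-Type header the server sent
    head: bytes         # first bytes of the response body


def is_pe(head: bytes) -> bool:
    """True if the body starts with the MZ header of a Windows executable."""
    return head[:2] == PE_MAGIC


def findings_for(dl: Download) -> list[str]:
    """Return the reasons this download deserves analyst attention (may be empty)."""
    findings: list[str] = []
    if not is_pe(dl.head):
        return findings                      # not an executable: out of scope here
    media_type = dl.content_type.split(";")[0].strip().lower()
    if media_type not in HONEST_EXE_TYPES:
        # A PE served as video, image or HTML: the link lied about what it was.
        findings.append("pe-masquerading-as-" + media_type.split("/")[0])
    file_name = dl.url.rsplit("/", 1)[-1]
    if LURE_WORDS.search(file_name):
        findings.append("lure-named-executable")
    return findings


def triage(downloads: list[Download]) -> dict[str, list[str]]:
    """Map each suspicious URL to its findings; clean downloads are omitted."""
    return {dl.url: f for dl in downloads if (f := findings_for(dl))}


# Constructed sample: four captured responses from made-up hosts.
SAMPLE = [
    Download("http://videos.example.test/clip.flv", "video/x-flv", b"FLV\x01"),
    Download("http://codecs.example.test/FLV_codec_pack.exe",
             "application/octet-stream", b"MZ\x90\x00"),
    Download("http://cdn.example.test/player/video.codec", "video/x-flv", b"MZ\x90\x00"),
    Download("http://files.example.test/report.pdf", "application/pdf", b"%PDF-1.4"),
]

if __name__ == "__main__":
    for url, why in triage(SAMPLE).items():
        print(url, "->", ", ".join(why))
```

The genuine FLV and the PDF produce no findings; the honestly labelled `FLV_codec_pack.exe` is flagged only for its lure name, while `video.codec`, a PE served as `video/x-flv`, is flagged on both counts. The point is that the magic bytes, not the file name or the header, decide what the user is about to run.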

In the next blog, or within a few entries at worst, I will be talking about how downloadable components are spoofed.

Now, if you are a developer and you have read this far, you may be wondering what was of value to you in this blog. Well, that is a decision that you have to make, but consider that the users who fall for these basic tricks are probably very like the people who run your application. Scary thought, eh? Someone has to have a healthy level of paranoia, and it seems clear that it had best be you.

Signing off

Mark Long, Digital Looking Glass Ltd
