Here we illustrate several data theft attacks that can actually be used in the wild.
a. With a trojan demo:
This demo illustrates an "on the fly" data theft attack: once executed, it launches calc.exe, lists the files in the My Documents folder and reports the list (as an HTML page) to Trustware's servers.
b. With the Finjan JPG:
Once executed, the Finjan JPG demo copies all the files of the My Documents folder into a folder on the desktop called "you have been hacked":
c. With Slurp and Windows Explorer:
Slurp is a demo which shows that a simple command-line executable can list every file of a given type (pdf, xml, etc.) on a machine in a few seconds.
Since this demo only lists the files and does not copy them to an external drive (a USB key, for instance), we complete the second step of the theft ourselves: we copy a folder called "confidentiel" (containing an xml and a jpg file) onto a USB key via Windows Explorer.
d. With DeviceRobber (renamed here, because it could really be used in the wild, on public computers for instance):
This demo was published recently; on VirusTotal it was detected by no AV at all (05/08/2006), and at the time of updating this article only by Fortinet:
Once executed, DeviceRobber.exe watches for a connected USB key; as soon as one is detected, it copies every file on the key into a folder it creates where it is installed (in My Documents / Mes Documents in our case). This folder contains the original files from the USB stick.
The folder that we stored on the USB key for the previous Slurp test (named "confidentiel"):
We launch DeviceRobber and then connect the USB key:
DeviceRobber copies the "confidentiel" folder into the My Documents / Mes Documents folder on the hard drive (the folder is named 20068, after the date):
If we explore this folder, we find the same files that were previously stored on the USB key.
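To show how little the Slurp and DeviceRobber demos actually need to do, here is an added PowerShell example (it is not the code of either tool, nor from the article): it waits for a removable drive to appear, then lists every document of the chosen types on it with its size. The extension list, the polling interval and the function names are our own choices; the copy step that DeviceRobber performs on top of this would be a single Copy-Item and is deliberately left out.

```powershell
# Added example, not the Slurp or DeviceRobber code. Run in a normal PowerShell
# session on Windows; no elevation is needed to read a mounted USB key.

# File types a Slurp-style sweep would look for (assumed list).
$Patterns = @('*.pdf', '*.xml', '*.jpg', '*.doc')

function Get-RemovableDrives {
    # Win32_LogicalDisk.DriveType = 2 means "removable disk", i.e. a USB key.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        Select-Object -ExpandProperty DeviceID          # e.g. 'E:'
}

function Wait-RemovableDrive {
    # DeviceRobber-style behaviour: poll until a key is plugged in, or give up
    # after $TimeoutSeconds (a WMI event subscription would also work).
    param([int]$TimeoutSeconds = 60, [int]$PollSeconds = 2)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $drives = @(Get-RemovableDrives)
        if ($drives.Count -gt 0) { return $drives }
        Start-Sleep -Seconds $PollSeconds
    }
    return @()
}

function Find-Documents {
    # Recursive listing of matching files under each root; errors (locked or
    # unreadable files) are ignored so the sweep never stops early.
    param([string[]]$Roots, [string[]]$Include)
    foreach ($root in $Roots) {
        Get-ChildItem -Path "$root\" -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

$drives = Wait-RemovableDrive -TimeoutSeconds 60
if ($drives.Count -eq 0) {
    Write-Host 'No removable drive connected within the timeout.'
} else {
    Write-Host "Removable drive(s): $($drives -join ', ')"
    Find-Documents -Roots $drives -Include $Patterns | Format-Table -AutoSize
}
```

The same Find-Documents call with `-Roots $env:USERPROFILE` is all that separates this from the trojan demo in (a), which sweeps My Documents instead of the key; the point of the demos is that nothing here requires exploitation, only the right to read the files, which a user on a public computer already has.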
e. Data theft via an HTTP RAT:
On a private LAN, we use an administrator RAT which gives us full access to all the external drives of the remote computer.
We install the RAT on the target host (here computer B, 192.168.1.3) and access it through Firefox launched on computer A (192.168.1.4, for instance):
As shown in the next image, we have access to the running processes, a screenshot of the remote desktop and the external drives:
We are interested in the "confidentiel" folder stored on the USB key:
NB. These tests show that it is necessary to harden the system and to apply a strong restriction policy on removable devices (this can be done via the registry, encryption, biometrics, or with specialised products such as those from MobilGov, DeviceLock or DeviceWall). Note that device restrictions only address cases a to d: in the RAT scenario (e) the files leave the machine over the network, so it also calls for host hardening against the RAT itself and for monitoring of outbound traffic.
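The registry route mentioned above, as an added example (our own script, not from the article or from any of the products named): two documented Windows settings, one that stops the USB mass-storage driver from loading at all and one that mounts removable disks read-only. The helper names are ours; the script must be run as Administrator, and WriteProtect only applies to keys plugged in after the change.

```powershell
# Added example: registry hardening of USB mass storage (Windows XP SP2 and later).
# Run from an elevated PowerShell session.

$UsbStor  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$Policies = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbStoragePolicy {
    # USBSTOR\Start: 3 = driver loads on demand (default), 4 = disabled, keys never mount.
    # StorageDevicePolicies\WriteProtect: 1 = removable disks mount read-only.
    $start = (Get-ItemProperty -Path $UsbStor  -Name Start        -ErrorAction SilentlyContinue).Start
    $wp    = (Get-ItemProperty -Path $Policies -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect
    [pscustomobject]@{
        UsbStorageDisabled = ($start -eq 4)
        RemovableReadOnly  = ($wp -eq 1)
    }
}

function Set-UsbStoragePolicy {
    param(
        [switch]$Disable,    # block USB mass storage completely (counters DeviceRobber too)
        [switch]$ReadOnly    # keys can be read but nothing can be copied onto them
    )
    $startValue = if ($Disable) { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStor -Name Start -Value $startValue -Type DWord

    if (-not (Test-Path $Policies)) { New-Item -Path $Policies -Force | Out-Null }
    $wpValue = if ($ReadOnly) { 1 } else { 0 }
    Set-ItemProperty -Path $Policies -Name WriteProtect -Value $wpValue -Type DWord
}

# Default (weak) state: both false on a stock installation.
Get-UsbStoragePolicy

# Hardened state for a shared or public machine. -ReadOnly stops the Explorer/Slurp
# copy-out; add -Disable so that DeviceRobber never sees a mounted key either.
Set-UsbStoragePolicy -ReadOnly
Get-UsbStoragePolicy
```

Two caveats a practitioner would check: a local administrator can simply reverse these values, so on a public computer the user account must not be an administrator; and neither setting does anything against the HTTP RAT case, where the data leaves over the network rather than on a key.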
The following articles deal with USB sticks as a threat vector:
- "USB memory sticks pose new danger" from Computerworld,
- "Social engineering, the USB way" from Darkreading.
For more information about securing USB devices, it is worth reading this article:
"A simple guide to securing USB memory sticks" on net-security.