Social Engineering "road apple"
16 March 2011, 11:42

Two years ago I made the following post:
<----------------->
I conducted an interesting experiment and want to share the experience so that people can learn from others' mistakes. The experiment comes from the legendary field of "social engineering", from a method called the "road apple".

This attack method is an adaptation of the Trojan horse and relies on physical media. An attacker can drop an infected CD or flash drive in a place where the medium is easily found (a restroom, an elevator, a parking lot). It is made to look like official media and carries a label designed to provoke curiosity.
Example: an attacker can drop a CD bearing the corporate logo and a link to the target company's official website, labelled "Q1 2007 salary guidelines". The disc can be left on the floor of an elevator or in the lobby. An employee may unwittingly pick up the disc and insert it into a computer to satisfy curiosity, or a Good Samaritan may simply carry the disc into the company.

Source: www.wiki.inattack.ru/wiki/Sotsialnaya_inzheneriya

The theory of the method

All this seemed very interesting to me, and I decided to try it out. I chose an organization I know (its name is omitted for obvious reasons) and started planning. I decided it would be a CD, and the CD itself would carry the "apple". Its software part consisted of two independent programs:
1. The apple's installer, referenced from the autorun.ini of our CD.
2. The apple itself.
As far as I knew from earlier reconnaissance, the office runs Kaspersky AntiVirus with Anti-Hacker, i.e. with a built-in firewall. So getting information out over the network would be a problem, and that idea was "sent to the forest". The initial plan was to limit ourselves to sending an SMS to my phone with content like "Hello from Apple: Mission completed", but the firewall spoiled the fun. If we cannot send a notification ourselves, we have to make the legitimate user contact us. I decided the apple would have no spyware or destructive features. The apple itself performs two functions: it creates a text message at C:\ap.txt and changes the titles of all visible windows and buttons to "see C:\ap.txt". The message contained a greeting, an explanation of how this had happened, and "to remove the software properly, contact ...", thereby increasing the chance of feedback from the legitimate users, under threat of a payload if it was not removed properly. Yes, a proper-removal function was written, but in fact the thing can be removed with the tools at hand without any fear for the integrity of the system =). Given that KAV is present, the function that silently installs into the registry would quite likely be intercepted, so in addition to it the installer performs an immediate forced launch of the apple.
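The design above depends on Windows honouring the disc's autorun file (the real file name is autorun.inf; the post calls it autorun.ini). As an added defender's example, not the author's code, here is a small Python checker that parses an autorun.inf body and flags the directives that cause execution or that mimic Explorer's own AutoPlay prompt; the sample file is constructed to resemble the disc in the post.

```python
import re
from typing import Dict, List

# Directives that make Windows run a program when the medium is inserted
EXEC_KEYS = {"open", "shellexecute"}
# "action" texts that imitate Explorer's AutoPlay wording to trick the user
SPOOF_PATTERNS = re.compile(r"open folder|view files|install|update", re.I)


def parse_autorun(text: str) -> Dict[str, Dict[str, str]]:
    """Parse an autorun.inf body into {section: {key: value}}.
    Section and key names are lower-cased; a repeated key overwrites the earlier one."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:   # stray text outside a section
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_autorun(text: str) -> List[str]:
    """Return findings a reviewer of found media would want to see."""
    findings: List[str] = []
    for name, keys in parse_autorun(text).items():
        if not name.startswith("autorun"):        # covers [autorun] and [autorun.<arch>]
            continue
        for k in sorted(EXEC_KEYS):
            if k in keys:
                findings.append(f"[{name}] {k}={keys[k]}: executes on insertion if AutoRun is enabled")
        action = keys.get("action")
        if action and SPOOF_PATTERNS.search(action):
            findings.append(f"[{name}] action={action!r}: imitates an Explorer AutoPlay prompt")
    return findings


# Constructed sample modelled on the "Apple" disc; not the author's actual file
SAMPLE = """[autorun]
; constructed example
label=Apple
icon=apple.ico
open=installer.exe
action=Open folder to view files
"""

if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE):
        print(finding)
```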

The practice of the method

All of that was burned onto a CD-R; it only remained to add an attractive label to the disc. After consulting with colleagues (thanks to them), we could not come up with anything more intriguing than the single word "Apple" =). The original plan was to get onto the organization's premises and leave the disc on a windowsill in the restroom +), but the reliability of that plan was in serious doubt. The idea is that whoever among the staff finds a disc in the organization must hand it over to the system administrator for further investigation (that is what the procedure is for). But in practice things can go quite differently ... So I decided to resort to a trick and arrange with the organization's security guard that he would hand the apple disc to the system administrators himself, with the story that the disc had been found by chance on the planned windowsill =). On the appointed day I arrived at the organization, agreed things with the guard, did all my deeds and happily went home to wait over the next few days for feedback from the office.
Alas, the system administrator did not bother to contact me, so I contacted them myself and found out all the details of what happened. As it turned out, security successfully passed the disc to the system administrator, and he successfully put it into the CD-ROM drive of a machine running MS Windows with autorun not disabled, which led to the successful launch of the apple's installer. But then unforeseen problems began. Their intrusion detection system (IDS) raised an alarm at the stage of the forced launch of the apple, and infection of the system with the apple was prevented. I.e. the only mistake was in not using "safe" programming techniques, ones the IDS does not flag as "suspicious".

Conclusions

The cunningly crafted disc reached its destination, was inserted into the target system and automatically launched the apple, but the intrusion detection system slammed it face-first into the snow ...
In total, two results:
1. The apple principle itself worked; the launch took place.
2. The intrusion detection system caught the apple.

Conclusion: with a professional approach to programming the apple, adapted to the victim's environment, the chance of success is very high. On the other hand, the experiment teaches a lot about how not to fall for such tricks yourself.

<----------------->

That post was from March 2008. Barely two years later, that organization's new system administrator called me and demanded an explanation and accountability for my actions :) The twist was that I no longer had the write-up or the source code, and I had nothing to say to the demand for the "proper instructions" for removal. Well, I told him where to look.
That is how it happens: it suddenly took two years to fully carry out what was planned ;)
Views: 925 | Added by: w1zard | Rating: 0.0/0