Skip Navigational Links
LISTSERV email list manager
LISTSERV - LIST.UVM.EDU
LISTSERV Menu
Log In
Log In
LISTSERV 17.5 Help - ACS-STAF Archives
LISTSERV Archives
LISTSERV Archives
Search Archives
Search Archives
Register
Register
Log In
Log In

ACS-STAF Archives

November 2000

ACS-STAF@LIST.UVM.EDU
Menu
LISTSERV Archives LISTSERV Archives
ACS-STAF Home ACS-STAF Home
ACS-STAF November 2000
Log In Log In
Register Register
Subscribe or Unsubscribe Subscribe or Unsubscribe
Search Archives Search Archives
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
10/31 : How to hack into Microsoft: a tutorial
From:
Steve Cavrak <[log in to unmask]>
Reply To:
ACS staff discussion list <[log in to unmask]>
Date:
Wed, 1 Nov 2000 09:39:01 -0500
Content-Type:
TEXT/PLAIN
Parts/Attachments:
TEXT/PLAIN (169 lines) 
How you hack into Microsoft: a step by step guide

By: Thomas C Greene in Washington

Posted: 31/10/2000 at 12:42 GMT

http://www.theregister.co.uk/content/1/14344.html

Microsoft's recent sacking at the hands of unskilled malicious crackers
has engendered a vast cloud of false scent from company flacks, who in
past days have progressively shrunk their damage assessments. According to
company sources, the intruders had access for only 12 days, not six weeks
as first reported, and did not corrupt any software in development.

Others note that, twelve days or not, the intruders can't have helped
stealing the source code for the new versions of Windows ME/2K and Office,
and might well have implanted back doors, laying the foundation for easy
remote exploitation once the finished products reach the marketplace.

So, were the walls of the castle breached? Was the digital diadem of
William Perfidious defiled by the grubby hands of the unwashed? Or did a
handful of malicious kiddies manage nothing more than to give the Kingdom
of Gates a scare? We don't pretend to know; but we're going to walk you
through the likely steps the intruders would have taken, and let you
decide how much damage they might, or might not, have done.

Barbarians at the gate

Network security becomes increasingly difficult as point-and-drool
cracking tools proliferate. So many painfully easy-to-use appz have been
developed in recent years that persistence is now a far more reliable
predictor of success than skill: even a newbie cracker can succeed by
using pat scripts and casting his nets wide enough.

The Microsoft intrusion was almost certainly not the work of elite
hackers; if it had been, we would not now be reporting it. What we're
going to detail below is how a fool can (and did) sack the Magic Kingdom.

Everything the newbie cracker needs to break in to the Microsoft
Developers' Network is readily available on the Web following a brief
search. Here's how you go about it: First, you'll download a Trojan which
can be distributed via e-mail. QAZ, which was used in the M$ attack, is a
fine choice because it will automatically copy itself throughout shared
folders on a LAN. It's a malicious backdoor program masquerading as the
familiar Microsoft utility Notepad.

Once activated, QAZ searches for notepad.exe and copies itself in place of
the standard Notepad file, while simultaneously re-naming it note.com. The
beauty here is that when someone executes their Trojanised Notepad, it
also launches note.com, or the original Notepad, so the application
appears to behave normally to the user. It then searches the entire LAN
for additional copies of notepad.exe to infect.

To get it implanted on a LAN in the first place, you need to feed it to
someone dense enough to execute it. It's easy enough to distribute as an
e-mail attachment, but not everyone will fall for it. Thus there are two
chief obstacles to getting started, neither of which is terribly difficult
to overcome.

First there is social-engineering - that is, baiting the victim. The
wording of the e-mail message has got to make executing the attached
program both desirable and sensible. Presenting it as a software patch or
upgrade is a common stratagem, though there are others. Zipping it and
naming it PornCollection.zip or DirtyJokes.zip is another.

If the e-mail message makes sense in context of the attachment, and if
it's sent to enough potential victims, the combined laws of probability
and human nature ensure that some dumb bastard will activate the
payload. And with QAZ, you only need one victim; it will propagate on its
own.

Your second obstacle is anti-virus software. Not a tough one either,
despite all the glowing claims of heuristic genius touted by anti-virus
vendors. We took several of the most popular Trojans: Back Orifice,
SubSeven, NetBus and Hack'a'Tack, and first verified that our copy of
Norton AntiVirus would detect them, both as-is and zipped. We then
compressed them using a sweet little developer's tool called NeoLite and
ran Norton AntiVirus again.

Not one Trojan was detected, because NeoLite alters the signatures used by
anti-virus manufacturers to identify malicious code. Only the Trojan Deep
Throat, which we received already compressed by NeoLite, was detected,
presumably because it's usually distributed in that form and its
compressed signature is known. And the beauty of NeoLite is that it's
self-extracting. No third-party software like WinZip need be loaded on the
victim's machine for the compressed programs to be executed.

On the inside

Once you've managed to infect a machine on the target LAN, QAZ will e-mail
you the IP automatically, activate WinSock and wait for a connection on
port 7597. Simply check your mail, connect, and, voila, you're in. We're
assuming you have the sense to use a Web-based e-mail account for QAZ to
communicate with, which you will have opened with fictitious personal
data, and that you know the basics of concealing your computer's IP.

Now you'll need to swim around inside the LAN sharkwise until you find
yourself a nice, juicy target. Be patient; as the Trojan spreads, more
machines will come on-line for you to connect to. Check them all
thoroughly. What you're looking for is a box to which you can connect
directly, and which is trusted by your ultimate target - some machine with
valuable data on it.

You can pretty well assume that any box containing real treasures will be
protected by a firewall. You probably won't be able to connect directly to
it with a Trojan, but that's all right. There are other machines on the
LAN which your target box will trust. So find out which of the boxes to
which you can connect might themselves be plugged into something sweet,
like another box with the source code for Win-2K, par example. The
strategy here is to leapfrog from machines which you own, to the one you
want to own.

Where do you want to go today?

Now you've got access to a machine with interesting, valuable data. Let's
say it's on the MS Developers' Network, and contains the source code for
Win-2K. What's your next move?

It would make sense to download the code first so that if you're suddenly
discovered and shut out, you'll at least have something to show for your
efforts. Source code is jealously guarded and of course extremely valuable
to Microsoft's competitors. Owning it can be immensely profitable for you,
especially if you know a sleazy development house in a country with
virtually no piracy enforcement, like in Russia, say, or anywhere in East
Asia.

You might also wish to implant malicious code of your own in the source to
make it easy to exploit once it reaches market, or, alternatively, examine
it closely for weaknesses already coded into it, to get a jump on the
competition once it ships. A lot of valuable data gets served up on these
products; merely knowing where the weaknesses are before the security
industry catches on can lead to considerable riches.

So how difficult would that be? Obviously, profiting from such an
intrusion requires skill; though as we've illustrated, getting inside the
network is child's play. You might be a dangerous cracker, and one so
clever that as part of your social-engineering strategy you've
deliberately opted to use common tools and techniques to conceal your
true, terrifying capabilities. But then again, you might not.

More likely you're a young fool with virtually no skills and little
ambition, snapping up toolz and appz from the Web and feeling your way
blindly towards the cracker pantheon. You'll do no harm because you don't
know how to do harm, but you'll think quite highly of your insignificant
achievements. You'll recall your modest exploits with fondness, boast
about them in IRC h4x0r chatrooms hoping to impress some k1dd13 even lamer
than yourself, and get busted by one of the hundreds of Feds who regularly
hang out in these venues.

And that, more than anything, is what Microsoft is fervently hoping. ¨

Related Stories

MS hacked! Russian mafia swipes WinME source?
Redmond strives to cram Great MS Hack back in box
MS blocks staff dial-in access after 'minor' hack




--
  _______
||       | Stephen J. Cavrak, Jr.      [log in to unmask]
 |*     |  Assistant Director for      http://www.uvm.edu/~sjc/
 |     /   Academic Computing Services Phone:  802-656-1483
 |    |    University of Vermont       Fax:    802-656-0872
 |   |     Burlington, Vermont 05405   North:  44o 28' 33"
 ----                                  West:   73o 12' 45"

ATOM RSS1 RSS2

LIST.UVM.EDU CataList Email List Search Powered by LISTSERV