Windows 8 – Social Engineering, Remote Shells and the Weakest Security Link
Windows 8 security features have been vastly improved over Windows 7 and XP, and it will stop many attacks that still work in the older versions of Windows. But with all of its advances, the weakest security link still remains: the user.
I have installed and supported Microsoft products from MS-DOS 2.2 to the current systems. I do confess that, as with Windows ME and Vista, I am no fan of Windows 8. But I must admit it is more secure than Windows 7. Like its predecessors, though, it has one fatal flaw.
It lets users run programs.
Granted, it does its best to warn them that the “uber cool” program that they MUST have probably isn’t safe, even stopping them when the program arrived as an e-mail attachment and they tried to run it.
As we see here:
This ends the malicious social engineering e-mail attack attempt. Some users would accept defeat at this point and hit the big “OK” button, which returns the user to the safety of the desktop. So, foiled again in their attempt to ruin your day, they leave their desktop and go to find a printer that they can jam.
But this just won’t do for the determined user. You know, the one whose sole purpose in life is to circumvent every security feature that you try to protect them with. So, of course, they hit the small “more info” link on the security message above. And Windows 8 gives them one more chance to stop the attack:
And, as you know, most users will promptly see the error of their ways, and select “Don’t Run”.
Okay, who am I kidding?
Of course they are going to hit “Run Anyway”. They came this far, why stop now? Besides, their life would not be fulfilled without installing the “Christmas Caroling Puppies” app that the accompanying e-mail said was very cool and that they had to see.
Luckily, there were no calls to the IT Support desk (two weeks later) complaining that our user’s system is crashing and running really slow, because in this simulated attack the built-in Microsoft Anti-Virus stopped the backdoored file from running.
As you can see from the above, even though the user made the mistake of trying to run an executable file they received from an unsolicited e-mail (or visiting a suspicious site), Windows 8 still tried to warn them of the danger.
But those extra security warnings may not appear if Windows 8 doesn’t see anything suspicious about the malicious file, as in our next sample case.
Okay, same situation: our user gets an unsolicited e-mail about Christmas Puppies. Of course the user opens and runs the attachment. But this time, nothing seems to happen. No warnings or anything. So our bored user heads out to find a server to crash. Besides, it is 4pm on Friday, what else is there to do?
But what the unsuspecting user doesn’t know is that the file was a backdoored program that allowed a remote connection to an attacker’s system, a BackTrack 5 system in our case.
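The case above is the one that matters for defenders: once the attachment is on the user’s desktop and neither SmartScreen nor the antivirus objects, the decision is entirely in the user’s hands. A control that does not depend on that decision is to refuse executable attachments at the mail gateway (or in the download folder) by looking at the file’s content, not just its name, so that a renamed or double-extension “puppies” file is caught as well. The following Python is an added example and is not code from the original post; the attachment names and byte strings are constructed here purely as sample data, and the minimal MZ/PE stub it builds is a header layout only, not a runnable program.

```python
"""Attachment gate: flag Windows executables by content, not only by file name.

Added example, not part of the original post. All attachments below are
constructed in this file; the names are hypothetical.
"""
import struct

# File types Windows will run when a user double-clicks them (assumed list;
# extend it to match your environment).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar", ".msi",
}


def make_pe_stub(pe_offset: int = 0x80) -> bytes:
    """Build a sample byte string with a valid DOS 'MZ' stub and e_lfanew that
    points at a 'PE\\0\\0' signature. Header layout only, used as test data."""
    buf = bytearray(pe_offset + 4)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_offset)   # e_lfanew at offset 0x3C
    buf[pe_offset:pe_offset + 4] = b"PE\x00\x00"
    return bytes(buf)


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes carry a DOS 'MZ' header whose e_lfanew field points
    at a 'PE\\0\\0' signature inside the buffer. A stray 'MZ' in a text file
    does not qualify, because the PE signature check fails."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def extension_of(name: str) -> str:
    """Last extension of the file name, lower-cased ('' if there is none).
    Trailing spaces are stripped so 'puppies.jpg   .exe' is still '.exe'."""
    cleaned = name.strip().lower()
    if "." not in cleaned:
        return ""
    return "." + cleaned.rsplit(".", 1)[1].strip()


def classify_attachment(name: str, data: bytes) -> str:
    """Decide whether an attachment may reach the user. Content wins over the
    name: a PE file is blocked no matter what it is called."""
    ext = extension_of(name)
    is_pe = looks_like_pe(data)
    if is_pe and ext in EXECUTABLE_EXTENSIONS:
        return "block: executable"
    if is_pe:
        # Renamed executable: harmless on double-click, but a script or a
        # second stage could still launch it, so it is worth stopping.
        return f"block: executable content hidden behind {ext or 'no extension'}"
    if ext in EXECUTABLE_EXTENSIONS:
        return "block: executable extension"
    return "allow"


def scan_attachments(attachments: dict) -> dict:
    """Run the gate over a {name: bytes} mapping and return {name: decision}."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


# Constructed sample attachments (not real files from the post).
SAMPLE_ATTACHMENTS = {
    "Christmas_Caroling_Puppies.exe": make_pe_stub(),          # the obvious case
    "puppies.jpg.scr": make_pe_stub(),                         # double extension
    "puppies.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,         # a genuine JPEG header
    "puppies_photo.jpg": make_pe_stub(),                       # renamed executable
    "notes.txt": b"MZ is just the start of a sentence here.",  # 'MZ' but not a PE
    "run_me.bat": b"@echo off\r\necho hi\r\n",                 # script by extension
}

if __name__ == "__main__":
    for name, decision in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name:32} {decision}")
```

Only the two files with a genuine JPEG or text body are allowed through; the gate blocks the three PE files regardless of what they are called and the batch file on its extension alone. In a real deployment the same check belongs on the endpoint too, since mail is only one way the file reaches the desktop.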
And on the attacker’s system a new session appears:
As you can see, the attacker connects to the remote system, and runs “sysinfo” to see what version of Windows the victim is using:
He then checks the running processes:
Grabs a screenshot of the user’s Desktop (see image at top of post), and then kicks off a remote keyscan:
Hmm… Looks like our user returned, hit the left “Windows” key, then wrote “this is a test” and hit the “return” key. The attacker didn’t get anything important from the keyscan, so he just decides to drop to a full remote shell:
The attacker has full control of the box and can do whatever he wants, including using this box to attack other systems on the network. All from our user allowing a malicious e-mail attachment to run. And as this attack was not detected by Windows 8 security, the user was offered no extra help in choosing the best course of action to stop the attack.
This was a fully updated install of Windows 8 with the latest Java installed and the built-in Firewall and Anti-Virus enabled. As you can see, no matter how good the security products are (and Windows 8 is very good), many times the security of your network is in the hands of your users.
Train them well.
~ by D. Dieterle on December 4, 2012.