Windows 8 – Social Engineering, Remote Shells and the Weakest Security Link

Windows 8 Screenshot in Backtrack 5

Windows 8 security features have been vastly improved over Windows 7 and XP, and they will stop many attacks that still work in the older versions of Windows. But with all of its advances, the weakest security link still remains – the user.

I have installed and supported Microsoft products from MS-DOS 2.2 to the current systems. But I do confess, as with Windows ME and Vista, I am no fan of Windows 8. But I must admit, it is more secure than Windows 7. But, like its predecessors, it has one fatal flaw.

It lets users run programs.

Granted, it does its best to warn them that the “uber cool” program that they MUST have probably isn’t safe, even stopping them when they had it sent to them via e-mail and tried to run it.

As we see here:

Windows Protected your PC

This ends the malicious social engineering e-mail attack attempt. Some users would accept defeat at this point, and hit the big “OK” button, which returns the user to the safety of the desktop. So, foiled again in their attempt to ruin your day, they leave their desktop and go to find a printer that they can jam.

But this just won’t do for the determined user. You know, the one whose sole purpose in life is to circumvent every security feature that you try to protect them with. So, of course, they hit the small “more info” link on the security message above. And Windows 8 gives them one more chance to stop the attack:

Unknown Publisher

And, as you know, most users will promptly see the error of their ways, and select “Don’t Run”.

Okay, who am I kidding?

Of course they are going to hit “Run Anyway”. They came this far, why stop now? Besides, their life would not be fulfilled without installing the “Christmas Caroling Puppies” app that the accompanying e-mail said was very cool and that they had to see.

Luckily, there were no calls to the IT Support desk (two weeks later) complaining that our user’s system is crashing and running really slow, because in this simulated attack the built-in Microsoft Anti-Virus stopped the backdoored file from running.

As you can see from the above, even though the user made the bad mistake of trying to run an executable file they received from an unsolicited e-mail (or visiting a suspicious site), Windows 8 still tried to warn them of danger.

But all the extra security warnings may not appear if Windows 8 doesn’t see anything suspicious in the malicious file, as in our next sample case.

Okay, same situation, our user gets an unsolicited e-mail about Christmas Puppies. Of course the user opens and runs the attachment. But this time, nothing seems to happen. No warnings or anything. So our bored user heads out to find a server to crash. Besides, it is 4pm on Friday, what else is there to do?

But what the unsuspecting user doesn’t know is that the file was a backdoored program that allowed a remote connection to an attacker’s system. A Backtrack 5 system in our case.

And on the attacker’s system a new session appears:

Sessions 1

As you can see, the attacker connects to the remote system, and runs “sysinfo” to see what version of Windows the victim is using:

sysinfo

He then checks the running processes:

Process List

Grabs a screenshot of the user’s Desktop (see image at top of post), and then kicks off a remote keyscan:

Keyscan

Hmm… Looks like our user returned, hit the left “Windows” key, then wrote “this is a test” and hit the “return” key. The attacker didn’t get anything important from the keyscan, so he just decides to drop to a full remote shell:

Win8shell

Game Over!

The attacker has full control of the box and can do whatever he wants, including using this box to attack other systems on the network. All from our user allowing a malicious e-mail attachment to run. And as this attack was not detected by Windows 8 security, the user was offered no extra help in choosing the best course of action in stopping the attack.

This was a fully updated install of Windows 8 with the latest Java installed and the built-in Firewall and Anti-Virus enabled. As you can see, no matter how good the security products are – and Windows 8 is very good – many times the security of your network is in the hands of your users.

Train them well.

Bitdefender Security for Windows 8 Released

A few days ago Bitdefender released a new version of its award-winning security software – Bitdefender Windows 8 Security. This release is the first Anti-Virus security program built especially for Windows 8.

If you are familiar with Bitdefender’s Internet Security Suite 2013, then the features will look very familiar to you. Sure, it has the award-winning Anti-Virus and phishing defense, Firewall, Intrusion Detection System, Social Media and Online Banking/Shopping protection. But there are several new features built in just for Windows 8.

Probably one of the top features is the Early Start-Up Scanner that loads Bitdefender first so that it can keep malicious software from infecting your computer during start-up. Also very important is Bitdefender’s new support for Windows 8 Apps. And scanning is also quicker with Scan-Boost technology.

Bitdefender’s feature set far surpasses the built-in Microsoft Anti-Virus. Their Windows 8 Security program costs $74.95 for up to 3 PCs for a year. If you are still not convinced, and want to take it for a test drive, you can download a free trial version from their website.

Bitdefender Windows 8 Security – Check it out!

Windows 8 Open Source Memory Analysis Fail

Wow, spent a lot of time yesterday trying to do some memory analysis on Windows 8 with a couple open source tools…

And completely failed.

I wanted to analyze a suspended Win8 virtual machine’s memory and see what information could be pulled from it. I know VMware has a “vmss2core” utility that will do the trick. Of course I had Windows 8 in a VirtualBox VM. No problem, I exported and imported to VMware Workstation with no problems. Okay, it hung up on first boot in VMware, but a hard reset and everything was right as rain on the next boot.

Next I suspended the VM, grabbed the .vmem and the .vmss suspension files and tried to run them through vmss2core:

C:\VM>vmss2core.exe -W windows8.vmem windows8.vmss
vmss2core version 812388 Copyright (C) 1998-2012 VMware, Inc. All rights reserved.

Unrecognized .vmss file (magic f000ff53).

Unrecognized .vmss file… Okay, not to be deterred, I rebooted the Windows 8 VM and took a snapshot. Vmss2core also works with snapshots!

Same error.

I actually read the help features for Vmss2core and realized that it has a “-W8” command for Windows 8! Doh!

Used that… Same error…
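
A quick way to see what vmss2core was actually handed is to look at the first bytes of each file; this is an added example, not code from the original post or from VMware. The magic in the error, f000ff53, matches how a raw physical memory image typically begins (the real-mode interrupt vector table, with entries pointing into BIOS segment F000), so it is worth checking which file the tool opened as the state file. The state-file magic values are an assumption taken from the set Volatility's VMware address space accepts, and the IVT test is a heuristic.

```python
import struct
import sys

# Assumption: magic values accepted for VMware .vmss/.vmsn state files, as
# checked by Volatility's VMware address space (not stated in the post).
VMWARE_STATE_MAGICS = {0xBED2BED0, 0xBAD1BAD1, 0xBED2BED2, 0xBED3BED3}

# Constructed samples: eight IVT entries F000:FF53, and a bare state header.
SAMPLE_RAW = bytes.fromhex("53ff00f0") * 8
SAMPLE_STATE = struct.pack("<I", 0xBED2BED2) + bytes(28)


def magic_hex(head: bytes) -> str:
    """First four bytes as a little-endian dword, formatted as in the error."""
    return "%08x" % struct.unpack_from("<I", head, 0)[0]


def looks_like_ivt(head: bytes, entries: int = 8) -> bool:
    """Heuristic: raw physical memory starts with the real-mode interrupt
    vector table, offset:segment pairs that mostly point into ROM segments."""
    if len(head) < entries * 4:
        return False
    segments = [struct.unpack_from("<HH", head, i * 4)[1] for i in range(entries)]
    rom_hits = sum(1 for seg in segments if 0xC000 <= seg <= 0xF000)
    return rom_hits * 4 >= entries * 3  # at least three quarters of the entries


def classify_image(head: bytes) -> str:
    """Return 'vmware-state', 'raw-memory', 'unknown' or 'too-short'."""
    if len(head) < 4:
        return "too-short"
    if struct.unpack_from("<I", head, 0)[0] in VMWARE_STATE_MAGICS:
        return "vmware-state"
    return "raw-memory" if looks_like_ivt(head) else "unknown"


def classify_file(path: str) -> str:
    """Classify a file on disk from its first 64 bytes."""
    with open(path, "rb") as fh:
        return classify_image(fh.read(64))


if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. windows8.vmem windows8.vmss
        print(path, classify_file(path))
    print("sample raw:", magic_hex(SAMPLE_RAW), classify_image(SAMPLE_RAW))
    print("sample state:", magic_hex(SAMPLE_STATE), classify_image(SAMPLE_STATE))
```

A DumpIt .raw image should classify the same way as a .vmem file, since both are flat copies of physical memory.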

Okay, bothered now, but still undeterred, I figured I would just boot the system up and run MoonSols DumpIt command to get a copy of the active RAM. Then I can use the memory dump output and feed it into Volatility!

Or so I thought…

DumpIt works great for grabbing a full copy of your active RAM so you can analyze it for artifacts. Simply download the file, and place it where you want it – USB drive, hard drive etc. Then just run the command, and the full active memory of the system will be saved in the same directory.

I ran DumpIt in Windows 8 and it worked flawlessly:

Yeah! Now all I need to do is take the .raw memory dump file and feed it into the memory analysis program Volatility. And I should be able to see tons of information and artifacts including network connections, users, services and other goodies!  🙂

I started out by using the imageinfo command. This command returns the exact operating system level to Volatility so that it correctly maps memory locations with services when you use the more advanced commands.

(I created a whole series on using Volatility to perform analysis on Windows 7 last year)

When I ran Volatility, it was unable to determine the OS level. I was using the latest version that just came out this month. A quick search on their website and it looks like Windows 8 functionality will not be out for several more months…

Well, that was the final brick wall for me. I had other things to do and had to walk away from it at that point.

Anyone have any ideas or know of any other open source memory analysis tools like Volatility that will work with Windows 8?