What I am about to discuss is nothing new. But the lack of user education on this matter has prompted me to try and explain why a tool like EvilGrade is so dangerous.
Let's role-play real quick. You are an IT professional within a large organisation. You stay up to date with security threats and are vigilant when it comes to your company's security. You are smart enough not to open any email attachments from anyone unless you were expecting them (a targeted spear-phishing attack from another staffer's email address is a real threat, and you know it).
So we have established you are a security minded IT professional. You practise due diligence with your work, ensuring everything is as secure as it can be within the budget constraints and managerial roadblocks in your way.
So being a security minded person, you know that patch management is critical. You know that applications like Adobe (reader, flash) and plugins like Java are constantly being used by hackers to get inside networks. Every time your computer asks you to update Adobe/Flash/Java… or even Windows Update, what do you do? You click ‘yes’… right?
Herein lies the problem. A big problem. If you haven’t figured it out yet, or don’t know what EvilGrade is… it is an exploitation framework made solely to deliver fake updates to end systems. It can be configured for a long list of applications. With a little ARP cache poisoning and DNS spoofing (i.e. using Ettercap on the LAN), an attacker can send a fake update alert, for the application of his choosing, to a person of his choosing (you).
What have we learnt over the years? Most ‘standard users’ won’t click yes to update their applications within a business sense. As a matter of fact, if proper patch management was in place, a user would never see this. The standard user can easily be conned into opening an attachment from a trusted source, but they might not click ‘update’ when the pop-up arises. But this isn’t the case for you, the security minded IT professional. You will see an update dialogue box, and you will more than likely click ‘yes’.
What happens when you click 'yes'? The standard 'your computer is now owned and a keylogger has started in the background, waiting for you to log into that Domain Controller/Firewall' is what happens.
How can this happen?
Well, let's say an attacker has gotten a foothold inside of your network. They might have used one of the techniques described here: http://backtosecurity.com/2011/username-devil-group-local-admin/
Regardless of the entry point, an attacker is on your network. Hell, he might have just plugged into an RJ45 jack in the wall in the boardroom and got a DHCP address (or got in through your weak Wi-Fi). He does not need to be authenticated to anything for this to work (not even locally).
From either his machine or a compromised host on the network, he configures EvilGrade for the attack. He determines what application you will most likely hit ‘yes’ to update. He will probably choose Java, Flash or Adobe Reader.
He will then scan the network and figure out the IP address of the person he wishes to attack (you). He sets up Ettercap and will start sending ARP poison packets to your host (this is your host, not the switch – harder to defend). This will re-populate your computer's ARP table with a malicious entry which makes your computer believe the attacker's machine is the default gateway. All of your traffic will start going via the attacker (he could set up a sniffer here also, but how many passwords are cleartext these days?).
Once your traffic is traversing the enemy's box, he will then DNS spoof the update domain details that your machine will see. So for example, he will make 'update.windows.com' go to the IP address of his own PC. He will then shoot off the custom-crafted packets from EvilGrade, prompting your screen to display the update dialogue box for his chosen application. Once you click yes, depending on what payload he configured, he will get a remote shell on your machine, and from there he can do anything he wants. A keylogger is more than likely, considering it's the most effective way of getting high-privilege domain accounts from unsuspecting IT employees.
Don't automatically assume that your application and operating system updates are legitimate.
If proper patch management was in place, an update dialogue box on your machine should be a warning in itself. You could then check your computer's ARP table and DNS settings to ensure everything is fine.
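To make that ARP table check concrete, here is an added example (not part of the original post, and not from the EvilGrade or Ettercap projects) that parses `arp -a` style output and flags the two symptoms the attack above produces on your host: the default gateway's MAC no longer matching a known-good baseline, and one MAC address claiming several IPs. The sample table, the gateway IP and the baseline MAC are constructed values for the demonstration; on a real machine you would record the baseline while the network is known to be clean and feed in the live output of `arp -a`.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (not captured from a real host).
# Here 192.168.1.20 is answering for the gateway's IP, so both rows share one MAC.
SAMPLE_ARP_TABLE = """
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.77          12-34-56-78-9a-bc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Assumed baseline recorded earlier from a known-good state of the LAN.
KNOWN_GATEWAY_IP = "192.168.1.1"
KNOWN_GATEWAY_MAC = "00:11:22:33:44:55"

# One ARP row: IPv4 address, MAC with '-' or ':' separators, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)",
    re.M,
)


def normalize_mac(mac):
    """Lower-case and use ':' so Windows and Unix formats compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return a list of (ip, mac, type) tuples from arp -a output."""
    return [(ip, normalize_mac(mac), kind) for ip, mac, kind in ENTRY_RE.findall(text)]


def find_arp_anomalies(entries, gateway_ip, gateway_mac):
    """Flag a changed gateway MAC and any MAC that maps to more than one IP."""
    findings = []
    by_mac = defaultdict(list)
    expected = normalize_mac(gateway_mac)
    for ip, mac, _kind in entries:
        if mac == "ff:ff:ff:ff:ff:ff":  # broadcast entry, never interesting
            continue
        by_mac[mac].append(ip)
        if ip == gateway_ip and mac != expected:
            findings.append(f"gateway {ip} now resolves to {mac}, expected {expected}")
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return findings


def live_arp_table():
    """Fetch the real table; works on Windows, Linux and macOS where `arp -a` exists."""
    return subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Offline run on the constructed sample; swap in live_arp_table() on a real host.
    for line in find_arp_anomalies(parse_arp_table(SAMPLE_ARP_TABLE),
                                   KNOWN_GATEWAY_IP, KNOWN_GATEWAY_MAC):
        print("WARNING:", line)
```

Run against the sample it reports both the gateway MAC mismatch and the duplicated MAC; an empty result on a live host means the table at least looks as it did when the baseline was taken. The same baseline-and-compare idea applies to the DNS side: keep a record of the resolver addresses your DHCP server is supposed to hand out and compare them against what the machine currently has configured.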
Security is a defence in depth strategy. There are many layers of security controls that need to be in place for the security posture of an organisation to work. If all of the best practice security recommendations out there were in place for a network, this type of attack would have minimal chance of succeeding. But sadly we don't see these best practices being implemented as much as we'd like to see.