Interesting Conversation with a Hacker

Discussion in 'other anti-virus software' started by Nevis, May 22, 2012.

Thread Status:
Not open for further replies.
  1. Tsast42

    Tsast42 Registered Member

    Joined:
    May 7, 2012
    Posts:
    137
    Location:
    United Kingdom
    I'm pretty sure no one here is going to support what he does. Having said that, he isn't generally stealing money from consumers but from the credit card companies, so it's a so-called 'victimless crime', and he does express some conscience, so on the scale of criminals he's on a fairly low rung. As he makes clear that he doesn't plan on doing this in the long term and would prefer to be working for Microsoft on improving security if they were interested in him, I wouldn't want to see him in prison but made to pay reparations and steered to making positive contributions instead. As for telling him our defence strategies, people like that are targeting large numbers of regular users, not the security conscious; if they were, none of what we do is exactly a deeply buried secret. As for UAC, I have come across bypasses before, although how he lays bare the extent of its weakness to the point of near irrelevance is quite shocking.
     
  2. Tsast42

    Tsast42 Registered Member

    Joined:
    May 7, 2012
    Posts:
    137
    Location:
    United Kingdom
    What it has got me wondering about is the best way to complete Sandboxie's protection with regard to passwords et al. We know you can limit outgoing connections, for example, but if, as he says, the malware is disguising itself as the browser process, that kind of measure presumably wouldn't work. I'm also wondering whether GMER can really be as good as he claims: he makes out a single occasional scan to be a panacea. This, amongst everything he said, seems the most dubious to me.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Why? Plenty of hackers are smart, most of them like to brag about their skills, and plenty of them like to talk about security.

    lol, defense strategies? We're not saying "Here's the US DOD setup", we're telling him what our average home user runs. 99% of the people are running the same ****, some AV.

    Face value is all you get on the internet. Anyone is who they say they are.

    I'm sure you have without realizing it. Any privilege escalation to Admin is a UAC bypass.
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    1. To beat the bad guys, sometimes you have to play with the bad guys. Also, this isn't a spy game. Most "bad hackers" are ego-filled and boasting (as is this guy), and usually come right out and tell you why they do what they do and how they do it. Nor is he really saying anything anyone in the industry didn't already know.

    2. He, as well as most seasoned hackers, already knows what most people are running; hell, they know what the DOD runs. You're not telling him anything new by giving him your setup. Knowing that you have a very strong setup doesn't make breaking that setup any easier.

    3. See numbers 1 and 2.

    UAC is a weak link in the chain. Why? Because it is user-dependent. When do you normally see a UAC prompt? When you install software yourself, right? What if you think you have a clean file, or you really want/need this program, and it turns out to be dirty? As far as UAC is concerned, you told it that you wanted to continue, and now it's sitting back and shutting up.

    Oh, and as far as your wishing him bad... you need reminding that some of the biggest names in cyber crime are working at Fortune 500 companies now and even in government positions. Also, for all we know, this person could be just blowing a lot of smoke and doesn't have control over the family TV, let alone any botnets.
     
  5. Nevis

    Nevis Registered Member

    Joined:
    Aug 28, 2010
    Posts:
    812
    Location:
    255.255.255.255
    I think you should not completely trust whatever he is saying "word by word", but you cannot deny that he is raising some very, very useful security issues.

    Also, just being a hacker doesn't mean that you cannot trust him for what he is saying. Many people working in security companies were hackers once.
     
  6. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
    IMO UAC is almost useless. The average user sees a pop-up BUT they want to run whatever it's notifying them about, and they say yes and run it anyway. I am a tech by trade, and from long experience the "average" user has little to no common sense, and if they have it in their mind to use a certain file or visit a certain web site etc. they will, no matter what a pop-up says. Trust me on how many people come in and say "I just wanted to try it" or "I wanted to view this one site, and yeah, I saw the pop-up, but I just thought it wanted to know if I really wanted to proceed"... just like people NEVER READ when installing programs... then they call me because they have like 10 toolbars installed or something crazy. People today just don't think, and this is why IMO UAC is useless. I deal with anywhere between 10 and sometimes more than 50 people a day, and I would guess 75+% are people that install all kinds of garbage and just have no idea what they did. This is also the reason I personally would NEVER recommend certain AVs to people that always "ask" the user to decide, because again, in most cases they are going to say yes anyway, and then any of this becomes a moot point...

    Things like Comodo's always deny or similar IMO are great IF YOU KNOW what you are doing, but I would never install anything like them on an average user's PC. I know EXACTLY what will happen, one of two things: either they simply get sick of seeing it and just allow everything (or just uninstall it), or they call screaming about how ridiculously annoying it is. People don't want stuff like that, and it's for this reason he makes a good point about AVs: for many users they are in fact useless.
     
  7. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    875
    Location:
    Sverige
    I don't think he poses a threat to any of us here at Wilders, we who have 20 realtime security apps and 3 firewalls running, just to play Hearts & FreeCell, and come to hang out on this forum o_O
     
  8. adrenaline7

    adrenaline7 Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    128
    I'm not sure about that; if you read it, they say firewalls are essentially a false sense of security provided you are behind a router. UAC is easy to bypass when the injectable is run under the disguise of a trusted system process such as svchost.exe, explorer.exe, or, picture this, AvastSvc.exe or msmp.exe. It certainly seems possible that Comodo or other HIPS could be tricked the same way. He claims to do precisely that hundreds of times per day and makes $40-400 or more per day.

    UAC to me still isn't worthless, as the popup may catch other tricks you could be lulled into, but the real reason why I leave it on is for IE Protected Mode and registry virtualization.


    On to another subject: I stated on a few forums around 2007 that I reformatted my machine with an original XP disk, which of course didn't have Service Pack 2 or the firewall; it also of course included IE6. This machine wasn't behind a router. As I went online to update Windows I noticed it running funny, and ran 2 or 3 scanners which indicated to me that within those 10 minutes this machine was already infected beyond the point of return; we are talking thousands of infections.

    I quickly thought "duh, no firewall; I will reformat and install SP2 and make sure the firewall is on before this touches the internet". I did exactly that, and as I was installing apps and downloading apps I again went online for maybe 20 minutes. Again my spider sense kicks in and I scan the machine thoroughly, and it showed to be heavily infected again. The culprit? A few minutes online with good old IE6, possibly in tandem with unpatched Windows. I've posted this experience on a couple of forums and had several people tell me it's not possible to become infected simply from connecting to the internet.

    Long story short I was relieved to see him say this as it confirmed what I've been saying since 2007 - "Most malware comes from exploit packs (browser driveby), because a steady amount of 10% of the traffic still uses unpatched ie6, resulting in instant infection. It's the most economic way."

    Lastly, I also heard about the YouTube sensation on here, "languy99". He has some fun malware tests he posts on YouTube but is obsessed with 0-day protection. Someone should email him a link to that, particularly this quote - "If you get infected, it's due to one of two things - a.) you're a high profile target with millions of dollars worth of things to steal, or b.) it's your fault and you got yourself infected. Zero-day exploits which passively infect your system without you knowing are reserved for those who fall into the first category. If your net worth or your connected assets is not worth millions, you will never be the target of a zero-day. Once a zero day is used, it's out in the open and can be patched. You only have one guaranteed attack with it. With good zero days going for a couple hundred grand on the black market, hackers won't waste that on your everyday user. Would someone pay $300,000 to hack you and ONLY you? If no, then you shouldn't worry about zero days."
     
    Last edited: May 23, 2012
  9. Nevis

    Nevis Registered Member

    Joined:
    Aug 28, 2010
    Posts:
    812
    Location:
    255.255.255.255
    One thing is for sure, I would use only virtual CC online which would be useless within a day or after my transaction.
     
  10. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    The only thing I've seen in his comments that I fully disagree with is that 0-days are reserved for special targets. Other than that, yeah, he's pretty much spot on. As far as Languy, hopefully by now he's a past memory :rolleyes:
     
  11. adrenaline7

    adrenaline7 Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    128
    excellent idea
     
  12. Nevis

    Nevis Registered Member

    Joined:
    Aug 28, 2010
    Posts:
    812
    Location:
    255.255.255.255
    Also, a good thing is that most (or many) banks offer this feature for free now as part of their internet banking facility.
     
  13. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Some of you think you are playing Law & Order Criminal Intent with this guy but remember that Robert Goren "plays" into the criminal's mind when they are already chained to the table anyway. This guy is in the wild and going strong, so he claims.

    As for UAC, I need not argue that anymore and do a reenactment of that other long thread I ran months ago. All I will say is I have yet to be linked to any information that provides any proof whatsoever that User Account Control can be bypassed when it is set to Always Notify. Now, by bypassed I mean actually bypassed to the point where a hacker/malware found a way to get around it so you never even saw a prompt. Tricking someone via social engineering into elevating I don't consider a true bypass. Now, if they find a way to make UAC show a trusted process wanting to elevate when it is really malware, I also don't consider that a TRUE bypass, because you still have a choice, even though the user is almost certain to make the wrong choice.

    So by true bypass I mean: OMG, I never even saw a prompt, and now it has full admin rights to my system. Yeah, I've never seen a POC of that happening on Always Notify (but I HAVE seen POCs of that happening on the lesser settings!). And it's my somewhat expert opinion that if you maintain a default deny environment, such as with a Software Restriction Policy or AppLocker, and you reasonably know what you are doing, the malware won't even get that far, because it simply cannot execute. When it tries to, you can sit back and sip soda as you enjoy smiling at the "This program has been blocked by group policy" message. The same idea applies with Sandboxie. It doesn't matter if it elevates, because it's trapped and can't get out.

    As for the hacker mentioning that he can still get access to your passwords: well, that depends, I do believe. Take Firefox for example. If you save passwords and you're silly enough not to use a STRONG MASTER PASSWORD, then yes, he will possibly be able to exploit the browser to get your passwords. If you do use a MASTER PASSWORD though, Firefox encrypts the passwords in all recent versions.

    Perhaps he isn't talking about that - perhaps he is talking about someone who has been browsing with a sandbox and picked up a keylogger that's now running in the sandbox and they then go visit a banking site. Correct, Sandboxie won't protect you from that. It protects the OS from the contents in the box, but not the box from stuff in the box. If you are concerned about that, there is Trusteer Rapport and SafeOnline/Identity Shield from Prevx/Webroot. The easiest solution, however, is to always wipe the sandbox and load a fresh browser when you visit your banking/secure sites.
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    You can spend a minute searching for privilege escalation exploits and you'll come up with plenty.

    There are escalation exploits once in a while.

    And even if you use a master password (I don't care how strong), all of your passwords are in plaintext as soon as you enter that password. Assuming you have Firefox open (this is a fair assumption, considering where exploits come from and what users do with their computers), it's all in plaintext.

    Trusteer Rapport is easily bypassed, but also not relevant, since the attacker only needs read access to the password file.
     
  15. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Wait...what?!

    No they're not. They don't become plaintext until you go to Options > Master Password > Show Passwords, and then it makes you enter it again before it actually decrypts them for your viewing.

    And when you open Firefox and it asks for the master password so it can autofill passwords, you can also hit cancel, though I don't think that decrypts them; it just autofills them on logins.

    As for privilege escalation exploits, they do exist, but as for whether that is a true UAC bypass I'm not so sure. Also, a default deny environment would naturally stop those dead in their tracks too, because they can't exploit your privileges if they cannot run in the first place! All the more reason to use a default deny environment!
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Uh, how do you think you log into your websites? They get decrypted when you do this.

    Of course it is. That's like... the definition of bypassing UAC.

    No. edit: no point expanding further on that actually
     
  17. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Sorry, I misunderstood what you meant about Firefox. What I meant was users ideally should NOT enter the master password unless it is a fresh browser which is going to be used for secure/bank browsing. So what I meant as a solution is: if you are doing general browsing then don't enter the master password, and everything stays encrypted, if that makes sense.

    Your last paragraph confuses me (and now you've edited it out... yes, you should expand on that, because saying "no" alone doesn't make sense). Are you saying Anti-Executable / SRP / AppLocker is easy as **** to bypass? How can you say that? I don't quite understand what you are talking about. Default deny can pretty much yield near-full protection so long as you don't get socially engineered into running something that is malware in disguise. If it cannot execute, it can't do any harm.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Enter password, visit exploit site, they get everything. If you're doing general browsing, why would you not enter your MP? How are you going to log into sites?

    I edited my post because I don't feel like going into it...

    But they stop specific things, and it's not like there are any restrictions on IPC (that aren't already built in, thankfully, to prevent shatter attacks). I don't see them as being viable, just really annoying.
     
  19. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    This has already been discussed if you are referring to what I think you are...

    Some people questioned the efficacy of Windows Software Restriction Policy because they felt that it wasn't as strong as anti-executables, since AEs know about other types of EXEs as well as EXEs in disguise and renamed to other extensions. However, this myth has been busted. SRPs will protect you from anything that executes...

    An EXE downloads and tries to execute... blocked.
    A PDF exploit tries to download/run something... blocked.
    An HTML exploit tries to redirect and download/run something... blocked.
    A Java exploit tries to download/run something... blocked.

    No matter how something tries to execute, no matter what path it takes to reach its goal of execution, a software restriction policy / AppLocker / AE will block it.

    Now this is something I REALLY have NEVER seen any proof-of-concepts on that successfully bypass it, not to mention on a Windows Vista/7 machine. The only thing is this doesn't help you with social engineering obviously.

    You don't see this approach to security being viable? How? It blocks "99.99%" of threats, which is ultimately, theoretically, higher than any anti-malware application can achieve... ever.
     
  20. Atul88

    Atul88 Registered Member

    Joined:
    Dec 8, 2011
    Posts:
    259
    Location:
    India
    Or maybe he is the kind of person who wants to convert Windows users to Linux or Mac..:D :D
    Because I think some people will switch or stick to Linux after reading this article
    ;) ;)
    Linux :cautious:
     
  21. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Now that, my friend, is what I hope people don't do. Especially not for Mac OS X.

    Switching OS is not the solution. Learning how to be secure with whatever OS you use is.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Programs have address space. Hacked programs share that address space with shellcode. Shellcode never has to drop a payload onto the disk. Shellcode can do whatever the program can do; it is the program. AEs don't stop programs from running when they're already running.

    I think you can follow the logic here.
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I won't even start the OS conversation lol
     
  24. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    So, give me some examples of prevalent malware in the wild that does this?

    And how can it hack one of my programs already running if it never runs itself? In other words... yeah, they don't all need to drop a payload... but how is it going to exploit something if it never runs anything?

    And for this to work, that means not only would it have to bypass the default deny mechanism... it would also have to exploit its way to a high enough privilege to do that injection into other processes... AND it would have to also bypass any Windows mitigations such as those provided by EMET. Also, this approach relies on the fact that you have attack surface in the first place, so if you don't have, let's say, Java installed, and you keep everything up to date, those holes may be closed anyway.

    EDIT: Though I should mention that since I am hardcore on layered approaches, I use SRP as well as full-time browser sandboxing, so even if there was an exploit that somehow didn't need to execute anything, it would be contained within my sandbox. So it would have to bypass a lot of delicious, wholesome layers of security before it could do any harm. And then once it did, I would notice it, and I would revert my system back from a previous image. And if my house burned down and my backup drive with it, I'd use the one I have stored in an off-site location. But you can't be too paranoid, because there are more important things in life. I'm happy with the level of protection that SRP provides, which (aside from social engineering), for intermediate to advanced users, comes as close to 100% as you're going to get from ANY security mechanism.
     
    Last edited: May 23, 2012
  25. Atul88

    Atul88 Registered Member

    Joined:
    Dec 8, 2011
    Posts:
    259
    Location:
    India
    +1
    Common sense is the most important thing!!
    I have seen so many people who want to download fonts and keep clicking on EXEs :eek: :eek: :eek:
     