» Eavesdropping

Eavesdropping on applications with MioStar 0.1

carrumba — Tue, 02 Nov 2010 14:07:20 +0000

Deutsch

Während den letzten zwei Wochen habe ich an einem neuen Tool gearbeitet, welches auf den Methoden des SkypeTrojaners aufbaut. Es sollen Programme überwacht und aus ihnen sensitive Daten extrahiert werden. Dazu müssen zwischen der laufenden Anwendung und dem Betriebssystem Zwischenfunktionen eingefügt, ge-hookt, werden. Bis ich die richtigen Funktionen gefunden hatte, hat zwar ein wenig Zeit gebraucht aber das Resultat ist zufriedenstellend und ich denke, dass ich auf dem richtigen Weg bin. Momentan lassen sich Passwörter aus Google Chrome, Apple Safari, Windows Live (Instant Messenger + Mail), GoogleTalk, FireFirefox und Thunderbird extrahieren. Zwar sind noch nicht alle Schwachpunkte optimal anfokusiert und der Datenabgriff könnte an treffsichereren stellen stattfinden, aber mit ein wenig mehr Zeit wird die Trefferquote, Zuverlässigkeit und der Umfang an abzuhörenden Programmen erweitert.

Am 3. November um 13.00 (Schweizerzeit) wird der Quellcode für MioStar 0.1 veröffentlicht. Interessierte dürfen gerne den Code herunterladen, durchschauen und Kritik anbringen.
In der selben Zeit habe ich den SkypeTrojaner für GoogleTalk umgeschrieben. Die Audiodaten werden mitgeschnitten, nach MP3 konvertiert und gespeichert. Dieser Quellcode folgt nächste oder übernächste Woche.

English

Hello,

The last 2 weeks I have been working on a new tool, which is based on the methods of the Skype trojan. The objective is to surveil programs and extract sensible data from them. In order to do so you have to plant function hooks between the running program and the operating system. It took a while until i found the correct functions, but the result is satisfying and i think that I am on the right track. At the moment it is possible to extract passwords from Google Chrome, Apple Safari, Windows Live (Instant Messenger + Mail), GoogleTalk, FireFirefox and Thunderbird . For some programs there are better ways of attacking them, but with a little more time the procedures can be optimized.
On the 3rd of November (1pm Swiss time) the MioStar source code will be relased. Those who are interested are welcome to download, explore, review and critizise it.
Within the same time I have rewritten the SkypeTrojan code that way it can intercept GoogleTalk conversations. The audio data gets intercepted, converted to MP3 and saved. This source code will be released in the coming weeks.

Report on SC Magazine about the Skype trojan (August 2009)

carrumba — Wed, 13 Oct 2010 15:04:42 +0000

Skype snooping trojan detected, August 31 2009

Source code for a new trojan has been released that has the ability to snoop on phone calls over the popular voice over IP (VoIP) program Skype.

Ruben Unteregger, a Swiss software engineer formerly with the software development company ERA IT Solutions, released the source code for the trojan Tuesday. Unteregger provided details about the trojan on his blog, Megapanzer, which he said can “…intercept all audio data coming and going to the Skype process.”

“What we’re looking at is something that could be considered the first ‘wiretap trojan,’” Karthik Selvaraj, an analyst at Symantec Security Response Team, wrote in a blog post Thursday.

The code, identified as Trojan.Peskyspy, has the ability to record audio from Skype calls, convert the audio to an MP3 file, encrypt it and send it back to the attacker, Symantec said.

“What this threat is doing is actually grabbing the sound coming from the audio devices plugged into the computer,” Selvaraj wrote. “It does this by hooking various Windows API calls that are used in audio input and output.”

The trojan sniffs inbound and outbound audio as it travels between the PC’s audio device and Skype, Selvaraj explained. Outbound audio coming from a user’s microphone is captured before it even reaches Skype, and inbound audio is captured after it leaves Skype, but before it reaches the PC’s speakers.

“It gathers the audio independently of any application-specific protocols or encryption applied by Skype when it passes voice data at the network level,” Selvaraj said. “Essentially, it sits below these security measures, recording the audio at the Windows level.”

The trojan does not rely on any issue in Skype itself and could potentially be crafted to exploit any VoIP program, Selvaraj said.

Though source code became publicly available Tuesday, Unteregger told German news outlet Gulli.com that the trojan actually had been in development since at least 2006.

As of now, the trojan has not been identified in the wild, Kevin Haley, director of Symantec Security Response, told SCmagazineUS.com on Friday. But now that source code has been released, there is a potential that attackers could add this trojan to their exploits.
The source code does not have any means of propagating itself, so an attacker would have to use social engineering to trick a user into installing it, or have physical access to the machine they wish to infect.

“For the most part, this is a tool that would be used in a targeted way at someone,” Haley said.

A Skype spokesperson told SCMagazineUS.com in an email statement Friday that Skype’s Information Security team is aware of Trojan.Peskyspy.

“Skype strongly recommends that users follow security best practices like maintaining an up-to-date anti-virus program, using a personal firewall and ensuring that their computer is current with patches to help defend against attacks such as this.”

Things to do for the next days …

carrumba — Fri, 01 Oct 2010 11:27:33 +0000

I’m still struggling to make SkypeTap (skype interception module) work on Win7. This week things just don’t go as smoothly as expected :/ As soon as I have a result (may it be positive or negative) I’ll let you know.

If it works I think a further post would be appropriate that shows in detail how to inject *something* into a process and what different approches exist to do that.

Hacker Spoofs Cell Phone Tower to Intercept Calls

carrumba — Mon, 02 Aug 2010 10:42:47 +0000

A security researcher created a cell phone base station that tricks cell phones into routing their outbound calls through his device, allowing someone to intercept even encrypted calls in the clear.

The device tricks the phones into disabling encryption and records call details and content before they’re routed on their proper way through voice-over-IP.

The low-cost, home-brewed device, developed by researcher Chris Paget, mimics more expensive devices already used by intelligence and law enforcement agencies – called IMSI catchers – that can capture phone ID data and content. The devices essentially spoof a legitimate GSM tower and entice cell phones to send them data by emitting a signal that’s stronger than legitimate towers in the area.

“If you have the ability to deliver a reasonably strong signal, then those around are owned,” Paget said.

Paget’s system costs only about $1,500, as opposed to several hundreds of thousands for professional products. Most of the price is for the laptop he used to operate the system.

Doing this kind of interception “used to be a million dollars, now you can do it with a thousand times less cost,” Paget said during a press conference after his attack. “If it’s $1,500, it’s just beyond the range that people can start buying them for themselves and listening in on their neighbors.”

Paget’s device captures only 2G GSM calls, making AT&T and T-Mobile calls, which use GSM, vulnerable to interception. Paget’s aim was to highlight vulnerabilities in the GSM standard that allows a rogue station to capture calls. GSM is a second-generation technology that is not as secure as 3G technology.

Cell phone eavesdropping enters script-kiddie phase

carrumba — Thu, 29 Jul 2010 13:19:50 +0000

Black Hat Independent researchers have made good on a promise to release a comprehensive set of tools needed to eavesdrop on cell phone calls that use the world’s most widely deployed mobile technology.

“The whole topic of GSM hacking now enters the script-kiddie stage, similar to Wi-Fi hacking a couple years ago, where people started cracking the neighbor’s Wi-Fi,” said Karsten Nohl, a cryptographer with the Security Research Labs in Berlin who helped spearhead the project. “Just as with Wi-Fi, where they changed the encryption to WPA, hopefully that will happen with GSM, too.”
The suite of applications now includes Kraken, software being released at the Black Hat security conference on Thursday that can deduce the secret key encrypting SMS messages and voice conversations in as little as 30 seconds. It was developed by Frank A. Stevenson, the same Norwegian programmer who almost a decade ago developed software that cracked the CSS encryption scheme protecting DVDs.

Find whole article here : Cell phone eavesdropping enters script-kiddie phaset

Czech experts uncover global virus network

carrumba — Thu, 18 Feb 2010 12:51:53 +0000

Czech security experts have uncovered a global network of devices attacked by computer viruses within which it was possible to wiretap and gain access to sensitive data, Jan Vykopal, head of the security project of Masaryk University, told CTK yesterday.

Modems were among the attacked devices as they are only poorly protected. The viruses were able to deflect the communication of Internet users to servers where they could be wiretapped, Vykopal said.

Vykopal’s colleagues along with experts from the Brno Military Academy and the Defence Ministry have uncovered the dangerous network.

“The assailants have denoted the network of the subjugated installations as Chuck Norris,” Defence Ministry spokeswoman Lucie Kubovicova said.

Experts said the network’s main threats included the gaining of various sensitive data such as access details for bank accounts, e-mail boxes, passwords to various services, social networks and users’ other personal data.

Besides, a number of computers and other installations connected through the Internet can be used for attacks on well secured servers as well, Vykopal said.

“We do not know whether the network we uncovered can also be used for this as we do not know the number of the devices that are included in it,” Vykopal said.

Secret code protecting cellphone calls set loose

carrumba — Tue, 29 Dec 2009 07:38:11 +0000

Cryptographers have moved closer to their goal of eavesdropping on cellphone conversations after cracking the secret code used to prevent the interception of radio signals as they travel between handsets and mobile operators’ base stations.

The code is designed to prevent the interception of phone calls by forcing mobile phones and base stations to rapidly change radio frequencies over a spectrum of 80 channels. Without knowing the precise sequence, would-be eavesdroppers can assemble only tiny fragments of a conversation.

At a hacker conference in Berlin that runs through Wednesday, the cryptographers said they’ve cracked the algorithm that determines the random channel hopping and have devised a practical means to capture entire calls using equipment that costs about $4,000. At the heart of the crack is open-source software for computer-controlled radios that makes the frequency changes at precisely the same time, and in the same order, that the cellphone and base station do.

“We now know this is possible,” said Karsten Nohl, a 28-year-old cryptographer and one of the members of an open-source project out to prove that GSM, the technical standard used by about 80 percent of the mobile market, can’t be counted on to keep calls private. The attack “is practical, and there are real vulnerabilities that people are exploiting.”

A spokeswoman for the GSM Association, which represents 800 operators in 219 countries, said officials hadn’t yet seen the research.

“GSM networks use encryption technology to make it difficult for criminals to intercept and eavesdrop on calls,” she wrote in an email. “Reports of an imminent GSM eavesdropping capability are common.”

The channel-hopping crack comes as the collective is completing the compilation of a rainbow table that allows them to decrypt calls as they happen. The table works because GSM encryption uses A5/1, a decades-old algorithm with known weaknesses. The table – a 2-terabyte list of known results that allows cryptographers to deduce the unique key that encrypts a given conversation – was developed by volunteers around the globe using giant clusters of computers and gaming consoles.

Watching encrypted Skype traffic with SkypeDLLInjector

carrumba — Tue, 04 Aug 2009 12:30:22 +0000


Tool name :	SkypeDLLInjector version 0.1

Description :	SkypeDLLInjector is a tool to demonstrate how DLL injection works. In this proof of concept it is applied to the Skype application. It consists of a loader application which remains running in the background and a DLL which will be injected into every newly started program via a system wide Windows hook. All what this tool does is interception the function calls recv() and send() to inspect the network data skype is sending and receiving. Because Skype traffic is encrypted only a small portion of the traffic is readable. But it could inspire you to create your own tools which eavesdrop other calls to intercept sensitive data (as the username and password for example).

Tested on :	Windows XP

Feedback :	In case you encounter any problems with the tool, you have suggestions to improve it, or you tested it with a Windows version i’ve not yet tested please drop me an email.

Downloads :	Binary \| Source

Tools for eavesdropping and video hijacking.

carrumba — Mon, 03 Aug 2009 20:20:53 +0000

Just found this article on cnet about eavesdropping and video hijacking.

Showing off technology that James Bond would love, two researchers at Defcon on Friday demonstrated tools that allow people to eavesdrop on video conference calls and intercept surveillance camera video.

An attacker needs to be in the same building as the victims to carry out the man-in-the-middle attacks over the network.

The free UCSniff tool, available in Linux and Windows versions, offers a slick graphical user interface for sniffing video, said Jason Ostrom, director of the Viper Lab at Sipera Systems. The tool basically tricks the voice-over-IP network carrying the video into sending the data packets to the attacker’s computer, he said.

This could be used to spy on people. For instance, an attacker could listen in on and record confidential conversations between an executive who is on a video conference call with another remote executive, according to Ostrom.

Read the full article here.