Wednesday, September 27, 2006

Anyone that has ever visited a Mac-centric website or seen a commercial can tell you that Windows machines are subject to thousands of pretty nasty worms, trojans and viruses. Keeping a personal computer secure is a big job. If you multiply that times the 2500 servers and workstations at a company the size of mine (by no means the largest) you can imagine how managing virus mitigation in an Enterprise is a massive undertaking.
The way corporate environments generally do this is through a central management server.
Norton, McAffee and TrendMicro all make solutions that remotely manage anti-virus programs on remote systems.
In real-time, the workstations and servers are scanned, patched and cleaned and reports are generated. The central server pushes out virus pattern files and ensures minimal impact from the latest threats.

Want to know how to break that?
At this point, I'm going to have to ask anyone evil to stop reading.

Seriously, Darrell.

Ok. Here is what happens:

1. Some viral nastiness arrives on a workstation and is discovered by the Anti-virus Management Server
2. The virus is quarantined and the workstation is repaired if possible
3. The virus definition file is transferred to the Management Server to be added to an update list

That's nice. After a while "Workstation [userwenttoagamblingsite] has been cleaned" messages start to become almost comforting.
"The management server is looking out for us," we think. And we are right.
After being added to the master list, the definition is deployed to the definitions folder on all managed systems in the environment so that the client can be aware and shut down the virus if it ever turns back up. But it shouldn't, since we have our friend the Management Server.

Viruses have become more sophisticated while becoming smaller. Some of the earlier viruses were big nasty executables easily blocked and quarantined. Find one. You can pick one of these up on just about any file-sharing network, either through a direct search or by pulling down media files until one happens to be infected. Both methods could take about the same amount of time.
You will need to package the virus with a few things, but all are smaller than a circa-2004 virus.
Release the virus (with some additional components) onto a corporate network.
The old virus will be quickly caught - no damage done - and removed to a secure location. It gets interesting after it is copied to the definitions folder on the Management Server.
The additional things we added to the virus start doing their thing. A small batch file calling the "at" command can, in turn, call a utility that renames the extension on a virus definition file (generally *.dat) back to *.exe or *.cmd. A quick Google search returned over a thousand places to get those utilities and most are free and under 20kb in size. Don't forget to package that with your old-school vintage virus. Also, you may want to avoid registering the freeware with your actual email address.
So now you have a reactivated virus in the definition folder on the Management Server. Guess what the ONLY location never scanned for viruses on an Anti-virus Management Server is?
This extension change registers as a change in the Management Server definitions folder, so the newly renamed file is pushed to the definition folders on all work stations and servers.
The remote definition folders are also never scanned.
Congratulations! In less than a minute (network bandwidth permitting) you now completely own an entire corporate I.T. environment. Feel free to blue-screen them, or remotely control them, or send spam or steal data. Whatever. You run your virus as the Anti-Virus Management Server.

It should be noted that this tactic will only work on systems that can run the client for an Enterprise Anti-virus product. These systems are Windows 95, all four versions of Windows 98, Windows ME, Windows 2000, Windows 2003 and Windows XP. Since licensing is done by workstation, anti-virus companies want to make sure they can get paid for as many workstations as possible.
Clients have already been developed for Windows Vista too, Darrell.


Joe said...

Where's the bitterness? Where's the angst?

You drank their purple Kool-Aid, didn't you? You're now one of "them".

Baby burner!

Garrick said...

Purple Kool-Aid is good! And it was sugar-free!

Not drinking it just seems rude!

Andrew Rhodes said...

I find it interesting that you got a new job but the hijinks and posts have not changed...


Darrell Davis said...

I didn't read anything. I won't try anything... Sellout!

Darrell Davis said...

And I read about a couple of them. Damn these kids are good now days, before we just went after the processor or Autoexec, and maybe Bios if it was a newer system. (think 95 people, hard bios) Nowadays these kids ain't even playing around. I've destroyed so many system just sending a...
nevermind. I think it's great you posted a "Hello sir, we're with the FBI might. Might we have a word" on your blog. You did leave out a couple of loop holes.

Garrick said...

I left out some minor details to prevent a copy/paste compromise of random systems/corporations.

If someone knows the exact steps and bits of code all I've done is suggest a possible misuse which makes this an official "Internet Security" article.

I'm all about the public good. And cartoons. The public good and cartoons. And this chair . . .