Integrated computer systems such as laptops and low-end computers have introduced audio recording devices into the workplace. Virtually all newer notebook computers have built in microphones and the software and hardware to operate them.
What is a Trojan Horse? According to the CERT Coordination Center of Carnegie Mellon University, a Trojan Horse is an "apparently useful program containing hidden functions that can exploit the privileges of the user [running the program], with a resulting security threat. A Trojan horse does things that the program user did not intend".
For a Trojan to be successful it needs to meet several basic objectives:
- Access: Gain access to client machine usually by unsuspecting client action.
- Stealth: Remain hidden. Give as few clues to its existence as possible.
- Purpose: Perform desired malicious intention (may perform legitimate function as a cover).
In this case the objective is to secretly record sound through the target machine's integrated microphone and transfer the resultant data to an external source.
Objective 1. Access:
Ideally the installation of a Trojan would happen as part of the standard install on a computer, either by integrating the Trojan into the operating system itself or into any software or drivers associated with a hardware device.
A common method is to disguise the Trojan as a desirable application or file. The popular "I Love You" virus disguised itself as a text file attachment to an email message. Nimda disguised itself as an attachment named Readme.exe and used various web server exploits. More recently, various Trojans have been discovered with the installation of popular filesharing programs such as KaZaa.
Objective 2. Stealth:
Ideally the application would run as a "service" in Windows. Services are applications that are run every time Windows is started. Services typically have no user interface and can only be seen using Windows Task Manager or Service Manager. Unfortunately, to successfully run as a service the installation program must access the Local Machine Registry, an operation that requires Windows administrative privileges.
There are several other methods of starting a program when Windows starts. One popular method is to add a shortcut to the executable to the user's "Startup" folder under their user profile. Another is to add a task to Windows "Scheduled Tasks". Yet another is to design the application as a COM Add-In, a feature that allows an executable DLL to be installed and run without administrative privileges.
Optionally, execute the recorder in response to voice sounds. Maybe even be a little smarter and try to limit activity to only the target(s) I'm interested in. Perhaps find out if my intended target owns a specific block of IP addresses or resides on a particular domain. Then check to make sure their client application is installed on the correct target before operating.
Objective 3. Purpose:
In this instance the objective would be to transfer the recorded sound to an outside source. One problem with this is that most sound media formats are relatively large. A better method would be to convert the sound recording to text format, which is easily compressed. Just a few years ago this would have been a troublesome task, but with the ever-increasing popularity of Speech-To-Text applications such as IBM's ViaVoice, Dragon Naturally Speaking, United Research Lab's Wave To Text and Microsoft's Speech API (SAPI), the task can be accomplished with off-the-shelf components. Future versions of Microsoft Windows may include the functionality as part of the ".Net Platform".
Another method would be to design or otherwise obtain an audio codec that creates a sound file that is small in size yet understandable. To experiment we could simply use built-in Windows Media codecs and record in 8 kHz 8-bit mono (~7kb/sec).
The computer hardware industry began integrating hardware devices such as modems, networking cards, video and audio into the PC mainboard in an effort to drive down the prices of fully featured computer systems. Mainboard chipset manufacturers (read: Intel) created a standard specification for operating these devices called "Audio Codec 97" or simply AC97. In Microsoft Windows operating systems, this specification is implemented via a built-in multimedia subsystem. This subsystem is referenced through API calls to "mmsystem.dll" (16-bit) or "Winmm.dll" (32-bit) and more recently through API wrappers in the DirectX DirectSound extensions. These APIs make accessing multimedia hardware devices simple. A quick search of my favorite code website, Planet SourceCode, reveals several example projects for using the microphone. Here is an example project for C++ developers.
Decisions...decisions...where to go from here. I'll start making some assumptions.
If I had access to a bunch of money and really wanted to put Trojans into a bunch of computers I'd covertly buy out or infiltrate a company such as ESS Technology. ESS provides the multimedia chips and drivers/driver SDKs that wind up in integrated solutions such as Dell and Compaq notebooks. Most big companies and governments stick to the big computer manufacturers anyhow.
I don't have a bunch of money so I'll stick to creating a desirable application or COM Add-In. Perhaps something like a file sharing client, messenger client or handy tool. Hmmm...what about an Add-In for Outlook to search a list of news websites for a keyword and download the content into Outlook? Even better, an Add-In to convert any web page to PDF and email the file as an attachment? Well, think about it. For now I'll just assume some sort of Add-In.
I'll skip converting the sound to text for now. If the rest works OK I'll test performance and consider adding the feature.
So the basic routine of the application will be something like this:
- Start Application. (Perform any legitimate tasks based on user interaction)
- Check for internet connection.
- Check to make sure client meets Trojan target criteria (IP address or Domain).
- If client is correct then begin monitoring for voice (maybe something fancy like ensuring sound is in the human voice range)
- If voice is detected begin recording until voice stops.
- At predetermined intervals/chunks of voice recorded, encode voice data into suitable format for transport.
- Open connection to server website and send data. (Choices to make here because of firewalls. Best to stick to HTTP port 80 and maybe check for proxy server settings if possible. SOAP, anyone? Thanks to MS I think Win2K and up come with XMLHTTP installed. By using the built-in tunneling protocol the data transmission should be transparent to the firewall.)
So what do you think? Seem feasible? Can anyone think of any showstoppers? Worth doing?
If you're interested and want to do a little research, here is a link to a website with example code for various Trojans and other exploits.
BTW, I'm not a (malicious) hacker and have never written a Trojan. This is mostly an exercise to show the dangers of too much platform integration and giving too little thought to security.
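A defender's counterpart to the transfer step of the routine above (recorded chunks sent as HTTP POSTs through the proxy at fixed intervals): an added example, not code from the original post, that flags near-constant-interval uploads in a constructed proxy log. The log format, client addresses and hostnames are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not from the post): time, client IP, method, host, bytes sent.
# 10.1.1.7 pushes a ~480 KB chunk every 60 s (one minute of 8 kHz 8-bit mono audio).
SAMPLE_LOG = """\
2003-02-10T09:00:00 10.1.1.7 POST upload.example.net 480120
2003-02-10T09:00:20 10.1.1.7 GET www.example.com 612
2003-02-10T09:01:00 10.1.1.7 POST upload.example.net 479980
2003-02-10T09:01:30 10.1.1.9 GET www.example.com 540
2003-02-10T09:02:00 10.1.1.7 POST upload.example.net 480200
2003-02-10T09:02:45 10.1.1.9 POST mail.example.com 2048
2003-02-10T09:03:00 10.1.1.7 POST upload.example.net 480050
2003-02-10T09:04:00 10.1.1.7 POST upload.example.net 479900
2003-02-10T09:07:10 10.1.1.9 POST mail.example.com 190000
"""

def parse_log(text):
    """Yield (timestamp, client, method, host, bytes_out) per non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, client, method, host, nbytes = line.split()
            yield datetime.fromisoformat(ts), client, method, host, int(nbytes)

def find_periodic_uploads(text, min_posts=4, max_cv=0.2, min_bytes_per_s=1000):
    """Flag (client, host) flows whose POSTs recur at a near-constant gap (stdev/mean
    of the gaps <= max_cv) and average at least min_bytes_per_s per second of gap."""
    flows = defaultdict(list)
    for ts, client, method, host, nbytes in parse_log(text):
        if method == "POST":
            flows[(client, host)].append((ts, nbytes))
    hits = []
    for (client, host), events in flows.items():
        if len(events) < min_posts:
            continue  # too few uploads to judge regularity
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue  # all POSTs share one timestamp; no interval to measure
        cv = pstdev(gaps) / avg_gap
        rate = mean(n for _, n in events) / avg_gap  # 8 kHz 8-bit mono is 8000 B/s raw
        if cv <= max_cv and rate >= min_bytes_per_s:
            hits.append({"client": client, "host": host, "posts": len(events),
                         "interval_s": round(avg_gap, 1), "bytes_per_s": round(rate)})
    return hits
```

On the constructed log only the 10.1.1.7 flow is flagged; its rate of about 8000 bytes per second of gap is exactly what uncompressed 8 kHz 8-bit mono recording would produce.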