Kuro5hin.org: technology and culture, from the trenches
I Spy

By n8f8 in Technology
Mon Feb 11, 2002 at 05:37:18 PM EST
Tags: Security

The other day I was reading an article about Microsoft dedicating the entire month of February to securing Windows. As I was pondering this, it popped into my mind that the best way to get away with something sneaky is sometimes to make that something very obvious. This led me to ask myself what would be an easy method to compromise a company's security. Keyloggers and root exploits aside, I think I came up with an idea for something interesting: a Trojan to secretly record voice communications via a PC's microphone.


Integrated computer systems such as laptops and low-end computers have introduced audio recording devices into the workplace. Virtually all newer notebook computers have built-in microphones and the software and hardware to operate them.

What is a Trojan Horse? According to the CERT Coordination Center of Carnegie Mellon University, a Trojan Horse is an "apparently useful program containing hidden functions that can exploit the privileges of the user [running the program], with a resulting security threat. A Trojan horse does things that the program user did not intend".

For a Trojan to be successful it needs to meet several basic objectives:

  1. Access: Gain access to the client machine, usually through an unsuspecting user's action.
  2. Stealth: Remain hidden. Give as few clues to its existence as possible.
  3. Purpose: Perform the desired malicious function (it may perform a legitimate function as a cover).

In this case the objective is to secretly record sound through the target machine's integrated microphone and transfer the resultant data to an external source.

Objective 1. Access:

Ideally the installation of a Trojan would happen as part of the standard install on a computer, either by integrating the Trojan into the operating system itself or into the software or drivers associated with a hardware device.

A common method is to disguise the Trojan as a desirable application or file. The popular "I Love You" virus disguised itself as a text file attachment to an email message. Nimda disguised itself as an attachment named Readme.exe and also used various web server exploits. More recently, various Trojans have been discovered bundled with the installation of popular file-sharing programs such as KaZaa.

Objective 2. Stealth:

Ideally the application would run as a "service" in Windows. Services are applications that are run every time Windows is started. Services typically have no user interface and can only be seen using Windows Task Manager or the Service Manager. Unfortunately, to successfully run as a service the installation program must write to the Local Machine (HKEY_LOCAL_MACHINE) registry hive, an operation that requires Windows administrative privileges.

There are several other methods of starting a program when Windows starts. One popular method is to add a shortcut to the executable to the user's "Startup" folder under their user profile. Another is to add a task to Windows "Scheduled Tasks". Yet another is to design the application as a COM Add-In, a feature that allows an executable DLL to be installed and run without administrative privileges.

Optionally, execute the recorder only in response to voice sounds. Maybe even be a little smarter and try to limit activity to only the target(s) I'm interested in: perhaps find out if my intended target owns a specific block of IP addresses or resides on a particular domain, then check to make sure the client application is installed on the correct target before operating.

Objective 3. Purpose:

In this instance the objective would be to transfer the recorded sound to an outside source. One problem with this is that most sound media formats are relatively large. A better method would be to convert the sound recording to text format, which is easily compressed. Just a few years ago this would have been a troublesome task, but with the ever increasing popularity of Speech-To-Text applications such as IBM's ViaVoice, Dragon Naturally Speaking, United Research Lab's Wave To Text and Microsoft's Speech API (SAPI) the task can be accomplished with off-the-shelf components. Future versions of Microsoft Windows may include the functionality as part of the ".Net Platform".

Another method would be to design or otherwise obtain an audio codec that creates a sound file that is small in size yet understandable. To experiment we could simply use the built-in Windows Media codecs and record in 8 kHz, 8-bit mono (~7kb/sec).

Implementation:

The computer hardware industry began integrating hardware devices such as modems, networking cards, video and audio into the PC mainboard in an effort to drive down the prices of fully featured computer systems. Mainboard chipset manufacturers (read: Intel) created a standard specification for operating these devices called "Audio Codec 97" or simply AC97. In Microsoft Windows operating systems, this specification is implemented via a built-in multimedia subsystem. This subsystem is accessed through API calls to mmsystem.dll (16-bit) or winmm.dll (32-bit) and, more recently, through API wrappers in the DirectX DirectSound extensions. These APIs make accessing multimedia hardware devices simple. A quick search of my favorite code website, Planet SourceCode, reveals several example projects for using the microphone. Here is an example project for C++ developers.

Decisions...decisions...where to go from here. I'll start making some assumptions.

If I had access to a bunch of money and really wanted to put Trojans into a bunch of computers I'd covertly buy out or infiltrate a company such as ESS Technology. ESS provides the multimedia chips and drivers/driver SDKs that wind up in integrated solutions such as Dell and Compaq notebooks. Most big companies and governments stick to the big computer manufacturers anyhow.

I don't have a bunch of money so I'll stick to creating a desirable application or COM Add-In. Perhaps something like a file sharing client, messenger client or handy tool. Hmmm...what about an Add-In for Outlook to search a list of news websites for a keyword and download the content into Outlook? Even better, an Add-In to convert any Webpage to PDF and email the file as an attachment? Well, think about it. For now I'll just assume some sort of Add-In.

I'll skip converting the sound to text for now. If the rest works OK I'll test performance and consider adding the feature.

So the basic routine of the application will be something like this:

  1. Start Application. (Perform any legitimate tasks based on user interaction)
  2. Check for internet connection.
  3. Check to make sure client meets Trojan target criteria (IP address or Domain).
  4. If the client is correct then begin monitoring for voice (maybe something fancy like ensuring the sound is in the human voice range).
  5. If voice is detected begin recording until voice stops.
  6. At predetermined intervals/chunks of voice recorded, encode the voice data into a suitable format for transport.
  7. Open a connection to the server website and send the data. (There are choices to make here because of firewalls. Best to stick to HTTP port 80 and maybe check for proxy server settings if possible. SOAP, anyone? Thanks to MS, I think Win2K and up come with XMLHTTP installed. By using the built-in tunneling protocol the data transmission should be transparent to the firewall.)
  8. Repeat
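Step 7 is the part of this routine a network defender can actually see: many clients each pushing a one-way stream of audio to the same web server over port 80. The Python below is an added example, not code from the post. It assumes flow records shaped like a NetFlow or firewall export, (src_ip, dst_ip, dst_port, bytes_out, bytes_in), and the sample flows, address ranges and thresholds are all constructed. It flags egress HTTP flows whose upload volume dwarfs their download volume (ordinary browsing is the other way round) and then the external destinations that several internal hosts are all uploading to; raw 8 kHz, 8-bit mono audio is 8000 bytes per second, so the converter at the end turns a suspicious byte count into minutes of recording for triage.

```python
"""Flag upload-heavy HTTP flows and the external hosts many clients upload to.

Added example for this post, not code from it. It assumes flow records shaped
like a NetFlow/firewall export: (src_ip, dst_ip, dst_port, bytes_out, bytes_in).
Field layout, thresholds and the sample data below are all constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")  # constructed: the office address range

# Raw 8 kHz, 8-bit mono audio is 8000 bytes/s, so an hour of uninterrupted
# recording is ~28.8 MB before any codec; the detection threshold is far lower.
AUDIO_BYTES_PER_SEC = 8000

# Constructed sample flows: (src, dst, dst_port, bytes_out, bytes_in)
SAMPLE_FLOWS = [
    ("10.1.1.10", "203.0.113.5", 80, 1_900_000, 12_000),   # sustained upload
    ("10.1.1.11", "203.0.113.5", 80, 2_100_000, 9_800),    # sustained upload
    ("10.1.1.12", "203.0.113.5", 80, 1_750_000, 11_500),   # sustained upload
    ("10.1.1.13", "203.0.113.5", 80, 2_400_000, 10_100),   # sustained upload
    ("10.1.1.10", "198.51.100.7", 80, 40_000, 3_500_000),  # ordinary browsing
    ("10.1.1.11", "198.51.100.7", 80, 35_000, 2_900_000),  # ordinary browsing
    ("10.1.1.20", "198.51.100.9", 443, 900_000, 950_000),  # symmetric: a call
    ("10.1.1.21", "203.0.113.8", 80, 2_000_000, 5_000),    # single uploader
]


def is_egress(src: str, dst: str) -> bool:
    """True when the flow leaves the internal range for an external address."""
    return ip_address(src) in INTERNAL_NET and ip_address(dst) not in INTERNAL_NET


def find_upload_heavy_flows(flows, ports=(80,), min_bytes=1_000_000, min_ratio=10.0):
    """Return egress flows on the given ports whose upload volume is large and
    dwarfs the download volume. Browsing is download-heavy; a one-way feed of
    recorded audio inverts that ratio."""
    hits = []
    for src, dst, port, out_b, in_b in flows:
        if port not in ports or not is_egress(src, dst):
            continue
        ratio = out_b / (in_b + 1)  # +1 avoids division by zero on pure uploads
        if out_b >= min_bytes and ratio >= min_ratio:
            hits.append((src, dst, port, out_b, in_b))
    return hits


def find_shared_sinks(flows, min_sources=3, **kwargs):
    """Group upload-heavy flows by destination and return the destinations that
    at least `min_sources` distinct internal hosts are all uploading to, each
    mapped to its sorted list of sources. Many clients converging on one server
    is what step 7 of the post would look like on the wire."""
    sources_by_dst = defaultdict(set)
    for src, dst, *_ in find_upload_heavy_flows(flows, **kwargs):
        sources_by_dst[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in sources_by_dst.items()
            if len(srcs) >= min_sources}


def seconds_of_raw_audio(num_bytes: int) -> float:
    """Rough size-to-duration conversion for triage: how much uncompressed
    8 kHz 8-bit mono audio a given upload volume could carry."""
    return num_bytes / AUDIO_BYTES_PER_SEC


if __name__ == "__main__":
    heavy = find_upload_heavy_flows(SAMPLE_FLOWS)
    for dst, srcs in find_shared_sinks(SAMPLE_FLOWS).items():
        total = sum(f[3] for f in heavy if f[1] == dst)
        print(f"{dst}: {len(srcs)} uploaders, {total} bytes "
              f"(~{seconds_of_raw_audio(total) / 60:.0f} min of raw audio)")
```

The single uploader to 203.0.113.8 is deliberately left below the `min_sources` bar: one host pushing a few megabytes is a backup or a file upload until proven otherwise, whereas four hosts feeding the same external server in parallel is the shape worth a ticket. Lower `min_sources` to 1 when hunting rather than alerting.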

So what do you think? Seem feasible? Can anyone think of any showstoppers? Worth doing?

If you're interested and want to do a little research, here is a link to a website with example code for various Trojans and other exploits.

BTW, I'm not a (malicious) hacker and have never written a Trojan. This is mostly an exercise to show the dangers of too much platform integration and giving too little thought to security.

Poll
Windows Security Is
o The best in the industry. 3%
o On par with competitiors. 2%
o Good and improving. 4%
o Needs work. 31%
o A joke. 57%

Votes: 85
I Spy | 30 comments (28 topical, 2 editorial, 0 hidden)
Securing input devices (5.00 / 1) (#1)
by sigwinch on Mon Feb 11, 2002 at 02:34:33 AM EST

This sort of attack is fairly well-known in security circles, but unfortunately as a theoretical attack which people have a tendency to sweep under the rug. IMHO your discussion of the practical details of how to do the attack is a Good Thing.

--
I don't want the world, I just want your half.

Task Manager (5.00 / 1) (#2)
by demi on Mon Feb 11, 2002 at 02:37:01 AM EST

Wouldn't a lot of the trojan/virus propagation issues with Windows be mitigated slightly if Task Manager was a little bit more informative? It seems like every time I clean up the computer (every month or so), when I run X-Setup I find that there are always 1 or 2 new little spyware or leechware proggies that have been running without me knowing about it. It's not obvious like Comet Cursor or Real StartCenter, because there is no tray icon or telltale program name among the 20-30-ish processes running at any given time. I'm not a professional sysadmin, but I am a lot better than most people about keeping my system clean, and yet they seem to slip through my defenses somehow.

I remember reading in a forum somewhere that one of the P2P clients runs a spyware process that's named 'Explorer.exe', as opposed to 'explorer.exe' for Windows Explorer, I think. I could be getting that all wrong though. If you wrote your trojan to assume a homologous name of a critical Windows service, probably you could fool a lot of semi-computer literate people and lusers too.



Stealth (3.00 / 1) (#4)
by n8f8 on Mon Feb 11, 2002 at 04:47:29 AM EST

That is a component of maintaining "Stealth". Give the executable a name that looks harmless. A more fun thing to do would be to give it a name similar to the Norton RTV scan process.

I know when you compile an application there are fields for giving descriptions to the applications. Maybe adding a "mandatory" description field and the date the executable was loaded on the machine would help.

Sig: (This will get posted after your comments)
[ Parent ]
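The two comments above describe the same evasion from opposite sides: a process named like a system binary, or a near-miss of one, hiding among the twenty-odd entries in Task Manager. The following Python is an added example, not code from either commenter. It audits a process listing given as (image_name, image_path) pairs, which is a constructed format; the table of expected directories covers only a handful of well-known Windows binaries, and the sample listing is constructed. An entry is flagged when it carries a known name but runs from the wrong directory (the 'Explorer.exe' case), or when its name is one edit or one look-alike character away from a known name.

```python
"""Flag process entries that borrow a system binary's name or a near-miss of it.

Added example for this thread, not code from it. It assumes a process listing
as (image_name, image_path) pairs; the reference table of system binaries and
their expected directories covers only a few well-known Windows names, and the
sample listing is constructed.
"""
from __future__ import annotations

# Well-known Windows binaries and the directory each is expected to run from.
EXPECTED_DIRS = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}

# Characters commonly swapped to make a name read like another at a glance.
CONFUSABLES = {"0": "o", "1": "l", "i": "l", "5": "s", "vv": "w", "rn": "m"}

# Constructed sample listing: (image_name, image_path)
SAMPLE_PROCESSES = [
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("Explorer.exe", r"C:\Users\bob\AppData\Local\Temp\Explorer.exe"),  # right name, wrong place
    ("svch0st.exe", r"C:\Users\bob\svch0st.exe"),                       # digit zero for 'o'
    ("lsasss.exe", r"C:\Windows\System32\lsasss.exe"),                  # one extra letter
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),               # unknown but harmless
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: enough to catch one inserted, dropped or swapped char."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Lower-case the name and undo the common look-alike substitutions."""
    n = name.lower()
    for fake, real in CONFUSABLES.items():
        n = n.replace(fake, real)
    return n


def classify(image_name: str, image_path: str) -> str | None:
    """Return a finding string for a suspicious entry, or None if it looks normal."""
    name = image_name.lower()
    directory = image_path.lower().rsplit("\\", 1)[0]
    if name in EXPECTED_DIRS:
        # Exact system name: only the location can give it away.
        if directory != EXPECTED_DIRS[name]:
            return f"{image_name}: system binary name running from {image_path}"
        return None
    # Not an exact match: look for a near-miss of a known name.
    for known in EXPECTED_DIRS:
        if normalize(name) == known or edit_distance(name, known) <= 1:
            return f"{image_name}: look-alike of {known} at {image_path}"
    return None


def audit(processes) -> list[str]:
    """Run classify() over a listing and return every finding."""
    return [f for f in (classify(n, p) for n, p in processes) if f]


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROCESSES):
        print(finding)
```

The case-insensitive comparison matters: Windows file names are case-insensitive, so 'Explorer.exe' and 'explorer.exe' are the same name to the filesystem, and only the image path distinguishes the real shell from an impostor in a temp directory.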
It's been done (4.75 / 4) (#3)
by sakusha on Mon Feb 11, 2002 at 02:46:26 AM EST

It's already been done, but only by accident. Sun shipped a series of workstations with the microphone turned on by default, and accidentally left it net-accessible. They had to release a patch to close the security hole; without the patch anyone could listen in to any affected workstation and the user would never know.

Provide links (4.00 / 2) (#11)
by juahonen on Mon Feb 11, 2002 at 05:51:10 AM EST

Try to provide links to back your claims.

The incident happened in 1993, by the way. There's also the CERT advisory.

[ Parent ]
The U.S. Military warned of this in 1999 (none / 0) (#24)
by ramses0 on Tue Feb 12, 2002 at 02:47:05 AM EST

Interesting reference. Everything old is new again. ;^) What I want to do is hook my radio card up to an ogg-caster software, and then wire up my camera with motion-detection software (apt-get install motion) and have it switch over from radio to microphone when motion is detected. Hee hee. Fun stuff, but I don't have time to play with it like I once did. What I wouldn't give sometimes to be a college student again. :^)

--Robert
[ rate all comments, for great ju
[ Parent ]

Voice recognition (3.50 / 2) (#6)
by Hopfrog on Mon Feb 11, 2002 at 04:58:53 AM EST

Voice recognition does not come into question for this method for the next 5 years at least.
1.) Most VR engines at the moment have to be trained.
2.) They do not work at any distance or when there is background noise.
3.) Preinstalled mics are usually of bad quality, and do not give you enough data to actually process a voice from the sound signals, unless one reduces background noise, and speaks slowly and clearly into the mic.

Hop.

You are a scary person (4.83 / 6) (#7)
by Tatarigami on Mon Feb 11, 2002 at 05:02:16 AM EST

...And don't think I haven't noticed that my webcam has started rotating to follow me around the room, even when it's not turned on!

Brrruuuhahahaha! (3.50 / 2) (#12)
by n8f8 on Mon Feb 11, 2002 at 05:51:42 AM EST

Hey, and quit picking your nose. Man you really ought to dust off that monitor.

Sig: (This will get posted after your comments)
[ Parent ]
Two probs (none / 0) (#9)
by iwnbap on Mon Feb 11, 2002 at 05:31:25 AM EST

Voice recognition is flaky; you'd be better getting some kind of heuristic recogniser for voice data (e.g. a trained neural net or something - I've no idea how well that would work in practice) so keyclicks, music, background noise are not recorded. Then put that through some kind of lossy codec; GSM would probably be ideal.

Then you've the problem of getting the content out. If you do every computer in an office, one will be detected. My suggestion would be to email it out to some kind of temporary account, and not access that account directly.

A far better bet for just doing damage/making people paranoid is just to do a search on the disks of the shop looking for every document labelled "balance sheet" or "profit and loss", and email that to the local tax enforcement agency, with a subject "Keep confidential - my employer is evading his taxes!". Similarly look for every document with "credit card" in it and submit it to alt.stolen.credit.card.numbers, and any document with the words "payroll" or "salary" gets mailed to all staff.





Good points (none / 0) (#10)
by n8f8 on Mon Feb 11, 2002 at 05:47:07 AM EST

I've never really tried using Voice Recognition objects. I just thought that converting the voice to a much more compressible format like text would be ideal. I know getting the content into a small bundle should be feasible. The sound would not have to be high fidelity. Just understandable.

The problem of getting the data out could be addressed in several ways. HTTP tunneling is just one that came to mind because I've played with it before. You mention email; maybe even better, but unfortunately I know that Outlook 2000 SP2 added a feature that pops a warning when the add-in messes with the email unless the add-in is digitally signed. Maybe calling CDO directly would be another method. Another factor would be making sure the data was sent to many different locations to minimize traceability and pattern recognition.

Sig: (This will get posted after your comments)
[ Parent ]
I don't get it ... (5.00 / 1) (#13)
by DeHans on Mon Feb 11, 2002 at 08:49:35 AM EST

Is this a rant about Micro$oft $ecurity?

Is this a request for comments on Trojans?

Is this the start of a new Trojan?

If all you are interested in is the hypothetical power of trojans on Windows, why not look into the one and only "official" trojan: Back Orifice 2K. They have already covered the "access" and "stealth" part. Apart from that, BO2K is extensible by plugins. Just write your "grab and send audio data" plugin, fire up BO2K and you're done.

Irrelevant SGI Anecdote (none / 0) (#14)
by Blarney on Mon Feb 11, 2002 at 09:43:47 AM EST

We use a lot of Silicon Graphics machines in the Chemistry department that I work in. These are centrally administered - research assistants like me, and even professors, do not have root - we just use them the way that the sysop sets them up for us. Now, these machines come equipped with a microphone by default, which can be remotely piped to a file or perhaps even shared over the NFS.......

Well, our SGI microphone is buried in a drawer somewhere. I never need to record audio anyway, and I don't see any reason why the sysop should be able to (though he is a good guy).

Fun things to do with /dev/audio =) (none / 0) (#26)
by WWWWolf on Tue Feb 12, 2002 at 07:10:52 AM EST

I learned this from E2 (I think from under "Catting weird things to /dev/audio"...)

The writeups mentioned spying by reading from microphone remotely. (with stuff like sox and netcat it's easy, I guess.)

They also mentioned stuff like using remote shell to play stuff on the remote machine. The Haunted Workstation!

I did this once when a friend was visiting. Since I needed to go to work, and needed to access my own machine from work, I gave him a quick course on How To use Mozilla and left. At work, I ssh'd to the machine and played sound effects =) (and one short piece of music: "Kettu, kettu...")

-- Weyfour WWWWolf, a lupine technomancer from the cold north...


[ Parent ]
Before you go crazy working on this... (5.00 / 2) (#15)
by wiredog on Mon Feb 11, 2002 at 10:03:28 AM EST

Remember that the US Secret Service reads this site. Lee Maletesta got questioned by them after he posted a comment on bombs. Imagine the fun they'll have reading this story and pulling people in for questioning. Especially these days.

Peoples Front To Reunite Gondwanaland: "Stop the Laurasian Separatist Movement!"
Yeah ... (5.00 / 1) (#16)
by Bad Mojo on Mon Feb 11, 2002 at 10:08:44 AM EST

They might want to patent it or hire you. :)


-Bad Mojo
"The purpose of writing is to inflate weak ideas, obscure pure reasoning, and inhibit clarity. With a little practice, writing can be an intimidating and impenetrable fog!"
B. Watterson's Calvin - "Calvin & Hobbes"

[ Parent ]
I am glad they do (none / 0) (#20)
by mami on Mon Feb 11, 2002 at 03:37:56 PM EST

makes me feel safe.

[ Parent ]
What a hacker would hear from my computer (5.00 / 3) (#17)
by Torgos Pizza on Mon Feb 11, 2002 at 10:22:24 AM EST

"Eat my panzer! Yeah, take that! Argh! Stupid flamethrower. Where did I put my Dr. Pepper? Aaah! No way that grenade got me. Haha! That's right... walk right into my crosshairs. Damn sniper! How the heck did he get me?"

Bomb has been planted!

"Wha? How did that engineer get by me? Defuse the bomb someone! Dang it, why did I switch to soldier? Stupid team! I'm switching next round..."

==========

Even if someone planted a trojan like this on my machine, they would only hear some cursing, some sound effects from my game and that's it. Unless you read out loud, this is one of the most ineffective hacks for information gathering that there is. Most of the time, I'm just sitting there clicking away and when I do talk it's just your regular water cooler chatter.

This hack has some limited uses. I can only see it being used for a meeting of some kind: board meeting, stock holder, managerial, etc. Pulling that off would be impressive, however unlikely.

I intend to live forever, or die trying.

Not Sure I Agree (none / 0) (#21)
by fuzzcat on Mon Feb 11, 2002 at 04:02:42 PM EST

It all depends on the computer this trojan would get installed on. What if it made its way to a member of management who holds confidential meetings in his office?

It sounds kind of far-fetched, but in my experience, it's usually the managers who would be most likely to install a program that later turns out to be a trojan. Depending on how many clients you got installed, your chances of getting something interesting might actually not be that bad.

[ Parent ]

All about targeting (none / 0) (#22)
by Torgos Pizza on Mon Feb 11, 2002 at 05:18:03 PM EST

I think that we can all agree it depends on what machine it's installed on. Having this trojan just randomly attaching itself to computers isn't going to turn up anything. It would be akin to randomly monitoring a telephone call somewhere in the US. You might get some voyeur kicks out of it, but you'd probably only learn that Aunt Martha had surgery on her gall bladder and Uncle Cletus is thinking about buying another pig or two for the farm. Yawn...

Distribution would have to be targeted to specific machines and corporations. You'd have to know specific information on the machines and the locations, or have a good filtering program of some type to go through the hundreds of files generated to find keywords mentioned. A hacker's Carnivore, if you will. At this point we're getting pretty sophisticated and we're talking about corporate espionage or government monitoring. I think that making the trojan might be easy compared to all the relative trash you'd have to filter through to get something of value.

I intend to live forever, or die trying.
[ Parent ]

Client-Server (none / 0) (#23)
by n8f8 on Mon Feb 11, 2002 at 06:06:55 PM EST

Mostly I talked about the Client, but there would have to be some sort of server version as well. Perhaps a client could contact the server on install and say "here I am". The client would then do nothing unless a message was received from the server to begin recording.

Sig: (This will get posted after your comments)
[ Parent ]
The Targeting in the Trojan (none / 0) (#28)
by fuzzcat on Wed Feb 13, 2002 at 08:14:01 AM EST

> I think that we can all agree it depends on what machine it installed on. Having this trojan just randomly attaching itself to computers isn't going to turn up anything.

You're absolutely right -- if the trojan were truly distributed randomly. I don't think that distribution is really going to be random though.

Imagine this scenario:

  • IT department feels that instant messaging clients are too insecure for operation on machines owned by the site since the text is sent in an unencrypted stream.
  • Director of IT department sends out a memo to all departments in the company warning them not to install instant messaging clients.
  • Managers in the company inform employees under their watch about the memo and the new company policy regarding instant messaging clients.
  • (Most) employees don't want to anger their supervisor and don't install any IM clients.
  • Manager (not understanding why IM clients are banned from the company) decides that there is no harm in installing an IM client on his computer just to talk to his friend across the building about "work-related" matters.
  • Manager installs the trojan disguised as a handy new IM client with just the features that the manager is looking for.

I would call this a pointless academic exercise, but this is exactly what has happened in my workplace (minus the bit about the program being infected by a trojan). Nearly all of upper management in my office uses various IM clients. When you pair that with the fact that managers (in my office, at least) have nicer computers that (1) would be more likely to have a microphone installed and left on, and (2) would make them much less likely to notice any performance degradation due to CPU cycles being used by the trojan, then this becomes a rather ripe hunting ground for sound files containing private information.

[ Parent ]

Firewalls (none / 0) (#18)
by ucblockhead on Mon Feb 11, 2002 at 12:20:36 PM EST

Since you are only sending data out, I don't think firewalls are much of an issue.

But as others have said, I can think of much nastier things to do, like, say, stealing financial information.

How many people actually use microphones anyway?
-----------------------
This is k5. We're all tools - duxup

Let's make it really interesting... (none / 0) (#19)
by paddymick on Mon Feb 11, 2002 at 01:40:19 PM EST

Let's integrate the trojan with Outlook/Exchange so that it can scan the user's schedule for meetings that meet predetermined criteria (with certain people, for instance). The virus would then be set to record based on the schedule of the meeting. This would be especially interesting if the meeting happened to be a video/teleconference that was using Internet access anyway. I see possibilities here. Financial information, pshaw! I want insider information! He he he.
Man is a stranger everywhere.
Problems in my case... (none / 0) (#25)
by WWWWolf on Tue Feb 12, 2002 at 06:40:31 AM EST

I live alone. I'm not the type that often speaks to himself. So... what might the spies hear when I boot to Windows today?

"Think, MacGyver, think..."

...or some incoherent garbage when the speech-to-text tries to transcribe Finnish spoken with amusing tones.

In the late evening it might even be able to figure out that FBI is uncovering the US government conspiracies. Fascinating!

And at that point they've probably figured out that VIRTUALDUB.EXE is apparently doing something interesting with MSVFW32.dll / AVICAP32.dll / whatever, I'm not sure of the exact details on how that program works =)

-- Weyfour WWWWolf, a lupine technomancer from the cold north...


Already done, in a better way (5.00 / 1) (#27)
by JonesBoy on Tue Feb 12, 2002 at 10:41:16 AM EST

NetBus was a trojan that went around quickly at the end of 1999. You could search subnets for afflicted computers, have admin access, view the screen, and get sound bites from the microphone. Programs like Netbuster came out to find these people and send fun stuff back at them instead of your real screen and mic sound.

One big problem that you are forgetting is detectability. If this program was written, it looks like it would use a lot of processor time on the voice recognition and compression. If every machine connected to the server and started streaming audio, that would also be detected by the network admins. "why is the net so slow. Oh, every computer is connected to one server, streaming data. Who owns that server?" How about infection? How do you propose to limit the spread and detection of this?

I mean, a virus/trojan is one thing, but combining it with corporate sabotage, spying, etc. is like volunteering to be the digital-pearl-harbor poster-boy. If someone tried this, they may as well mail out a handwritten invitation for the FBI to beat some well-deserved sense into them.

Anyway, your proposal (even as a mental exercise), no offense, is pretty feeble and poorly thought out.


Speeding never killed anyone. Stopping did.
Sun Vulnerability (none / 0) (#29)
by taerom on Tue Feb 19, 2002 at 05:07:04 PM EST

This sort of vulnerability appeared in SunOS 4.1.x. The /dev/audio device node had default modes of 666, so anybody with access to the system could eavesdrop. Details can be found in this CERT advisory (item III).

Trojan (none / 0) (#30)
by oddrune on Mon Mar 18, 2002 at 05:05:51 PM EST

What is a Trojan Horse? According to the CERT Coordination Center of Carnegie Mellon University, a Trojan Horse is an "apparently useful program containing hidden functions that can exploit the privileges of the user [running the program], with a resulting security threat. A Trojan horse does things that the program user did not intend".

According to that definition, all software from Microsoft must be a trojan.
