An info stealer is malware that steals credentials or files from its victims.
Info stealers don’t require admin rights to perform their task, and can be designed to evade or bypass AV, HIPS, DLP and other security software.
I helped out a friend testing his environment with a PoC PDF info stealer I designed (I will not publish it).

This PDF document exploits a known vulnerability, and executes shellcode to load a DLL (embedded inside the PDF document) from memory into memory. This way, nothing gets written to disk (except the PDF file). The DLL searches the My Documents folder of the current user for a file called budget.xls, and uploads it to Pastebin.com.

My PDF info stealer was successful: file budget.xls was posted to Pastebin.com.
Preventing an info stealer from operating is not easy. The Windows operating system is designed to give user processes unrestricted access to the user’s data. It’s only starting with the Windows Vista kernel and Windows Integrity Control that a process can be assigned a lower level than user data and be restricted from accessing it. Lowering the Integrity Level of Acrobat Reader will help us in this case, but if I exploit an Excel vulnerability (or just use macros, without exploiting a vulnerability), the integrity levels will not protect us.
Neither is preventing data egress easy. OK, you can decide to block Pastebin.com. But can you block all sites that can be posted to? Like Wikipedia? And if you can, do you block ICMP packets?
To protect confidential data, don’t let it be accessed by systems with Internet access. That’s not very practical, but it’s reliable. Or use strong encryption with strong passwords (not the default RC4 Excel encryption). The info stealer then has the extra difficulty of stealing the password too.
I know this is obvious advice, but it’s not easy protecting data from carefully designed info stealers on Windows.
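
Since blocking destinations one by one does not scale (Pastebin today, any other postable site or ICMP tomorrow), a defender can key on the process instead: a document viewer or Office application sending data out is worth a look whatever the destination. The following is an added example, not part of the original post; the process list, the allowlist suffix and the log records are assumptions constructed for illustration.

```python
# Added example: flag outbound traffic from document-handling processes,
# regardless of destination. Works on process-attributed network records
# (the kind of data endpoint telemetry provides); the records below are
# constructed samples, not real logs.
from collections import defaultdict
from ntpath import basename  # parses Windows paths on any platform

# Assumption: applications that open untrusted documents in this environment.
DOCUMENT_APPS = {"acrord32.exe", "excel.exe", "winword.exe"}
# Assumption: placeholder suffix for destinations these apps may contact.
ALLOWED_SUFFIXES = (".updates.example.com",)

SAMPLE_EVENTS = [  # constructed
    {"image": r"C:\Apps\Reader\AcroRd32.exe", "proto": "tcp",
     "dest": "pastebin.com", "bytes_out": 48213},
    {"image": r"C:\Apps\Reader\AcroRd32.exe", "proto": "tcp",
     "dest": "reader.updates.example.com", "bytes_out": 512},
    {"image": r"C:\Apps\Office\EXCEL.EXE", "proto": "icmp",
     "dest": "203.0.113.7", "bytes_out": 9000},
    {"image": r"C:\Apps\Browser\firefox.exe", "proto": "tcp",
     "dest": "pastebin.com", "bytes_out": 300},
    {"image": r"C:\Apps\Reader\AcroRd32.exe", "proto": "tcp",
     "dest": "PASTEBIN.COM", "bytes_out": 1000},
]


def is_allowed(dest):
    """True if dest is an allowlisted domain or a subdomain of one."""
    dest = dest.lower().rstrip(".")
    return any(dest == s.lstrip(".") or dest.endswith(s)
               for s in ALLOWED_SUFFIXES)


def suspicious_egress(events):
    """Sum bytes sent per (process, protocol, destination) for document
    apps talking to anything outside the allowlist, ICMP included."""
    totals = defaultdict(int)
    for ev in events:
        proc = basename(ev["image"]).lower()
        if proc not in DOCUMENT_APPS or is_allowed(ev["dest"]):
            continue
        totals[(proc, ev["proto"], ev["dest"].lower())] += ev["bytes_out"]
    return dict(totals)


if __name__ == "__main__":
    for key, sent in sorted(suspicious_egress(SAMPLE_EVENTS).items()):
        print(key, sent)
```

The browser posting to Pastebin.com is deliberately ignored: the signal here is which process is talking, not where it is talking to.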

View full post on Didier Stevens
Posted on 02 May 2010. Tags: Info, Stealer
[...] is when Didier Stevens embeds a program in it to steal sensitive information. This post shows how a “simple” PDF file is able to search for and then transmit [...]
Very interesting and somewhat disturbing for those tasked with preventing data leakage. Thank you for posting this.
(It’s a shame people seem to have fixated on the mechanism you have used, PDF, rather than the more worrying concept it demonstrates).
At the moment it does seem like encryption is the only real mitigation against this – assuming it can work out unexpected file names.
@Irgendwer No, I just call SHGetFolderPath with CSIDL_PERSONAL to get the absolute path to My Documents.
Interesting technique…
Is there a string in the dll looking for “My Documents”?
No, even if I call this a PoC, the payload is still an info stealer, I’m not publishing this. And the DLL can be adapted to collect several files.
Any way of releasing the payload itself, so it loads a certain DLL into the memory to search for important files which you gave it to search for, e.g. passwords.xls, secret.txt, http://ftp.txt? Could it search for more than one file, or do you have to edit shellcode each time?
[...] people have asked me about the details of the vulnerability I exploited in my PDF Info Stealer PoC. But that’s not important. It’s not about the exploit, it’s about the payload: [...]
@Christoph Schmees It’s not about the vulnerability or the exploit, but about the payload. Like I wrote: I can do this with Office vulnerabilities too, or even without any vulnerability, just social-engineering you to open a spreadsheet and execute macros. I use an old Adobe Reader vulnerability (util.printf) to execute the info stealer payload, but like I said, that’s just because it’s easy for me to do so.
The exploit targets *Adobe* reader, right? What about other free PDF readers such as Foxit or PDF-XChange? Are they immune? If so, it should be pointed out that this is about an *Adobe* weakness, not a general PDF weakness!
@Rich Actually, I exploit an old vulnerability, util.printf. I made a PDF because that’s the easiest for me to make with my tools.
Like I wrote, this can be done by exploiting another application like Office, or even with plain macros and some SE.