
Why you will still get hacked

The topic of this short article was prompted by a small discussion on Habr that I witnessed. One participant was an ardent supporter of Linux and argued that if all ordinary users were moved to Linux, everything would be fine: nobody would get hacked and no data would be stolen.

In this short essay I will try to explain in plain language how you can, in principle, be hacked. I will do without complicated terms; ordinary users will get a vivid picture of how an OS gets compromised, and more advanced users will read the technical details between the lines. I believe that the user of any OS, and all the more so anyone who works in this field, needs to understand that professional malware is not an executable renamed to look like a document that you are asked to run, and that blocking macros does not always stop an attacker from executing code on your system.

You know, the last time I took part in such a discussion was back in school, in the distant 9th or 10th grade. Back then I was an ardent Windows fan and my friend used Linux; some time later I started developing for Linux and everything changed: I became a Linux fan and publicly urged everyone to switch. My point is this: if your opponent insists on debating the subject in that spirit, just remember those two schoolboys. I use both operating systems myself and have not taken part in such holy wars for a long time; my servers run Debian, but I am typing this text on a Windows 8 PC. There will be a lot of negativity about Linux below, but it has nothing to do with any fanatical beliefs. I just want to show objectively, and convince you, that it does not matter which OS you use: you can be hacked on any of them.
How full of holes Windows is...
... how many holes Windows has can be argued about for years, but I wonder how safe Linux is? Ask a Linux lover whether he has an antivirus and you will get only laughter in reply. The argument is that Linux was created by professionals and everything is protected by default. So we sit our beloved dog down at Ubuntu and can stop worrying about its data. We can... for now.

In general there are two things that are infinite: the universe and human stupidity. Everything is clear with the universe, but what about the other one? How do you explain to various Windows users that you cannot work without antivirus protection? And how do you explain to the creators of domestic mega-SZIs (information-protection tools) that you cannot protect against hacking with an access matrix, and that hacking is not always: "Suddenly process A writes the file autorun.exe, but this flow is blocked by the access matrix, which means the system is protected"?

Your security looks good only in theory. Suppose you are that very Ubuntu user (one of my favorite distributions) and you install this OS on the PC of your favorite dog, Bob. Many people then say the following: if Bob receives the message myDocument.docx, then even if it turns out to be an executable and he launches it according to the instructions, nothing will happen, because most actions require the root password. Seriously? Are you defending against an invasion by schoolchildren? Or against attackers who belong to criminal groups that control large financial flows and simply make money off their fellow citizens?

Dear representatives of unnamed domestic SZI vendors and authors of many information-security textbooks: when you say, and I quote literally, "Word forbids macro execution and forbids its process from writing to disk and working with the registry, so the system is 100% protected", do you really think so?

Let's put things in order
Once upon a time, when Linux was just emerging, its users were mostly professionals. Over time, distributions that were convenient for the ordinary user appeared, and the number of housewife users began to grow. And what does any housewife do? That's right, she makes online payments, and where there is money, all sorts of scum who want to improve their finances for free flock there like bees to honey. 90% of housewives use Windows, so viruses are written for that OS; as soon as even 20-30% of housewives switch to Linux, large sums will immediately be poured into developing malware for it. And the reports of antivirus companies show a slow but steady growth in the number of such programs.

OK, back to Bob. The only reason he does not have to worry about his security is that developing a Trojan for his OS is unprofitable: the attackers' expected income would be less than their expenses. How long this will last is a big question.

But still, technically, how could Bob be hacked and his data lost? If Bob's security rests on the fact that nobody needs him and viruses for his OS have not been written yet, then this is a game of Russian roulette.

Alice
Alice, Bob's girlfriend, knows that Bob's account holds a tidy sum of coins, that the key lies on Bob's PC, and she and Pinocchio have decided to split it between the two of them. What they need for this: a little start-up capital, Pinocchio's skilled hands and a bit of courage.


Alice knows that Bob uses Ubuntu 14 LTS. How does the hacking of Bob proceed? Like most users, he believes that Alice will send him a message with an attachment that he will be asked to run, and since he considers himself a PC expert and will not launch the file, his data is of course safe!

Pedro's multi-step play
So Alice goes to some nameless and well-known resource and buys from Pedro a vulnerability in Bob's favorite browser for N dollars. Pedro not only gives Alice the technical details of the vulnerability but also sends a launch example for Pinocchio (Alice's accomplice).
The vulnerability Alice receives is a zero-day in the Google Chrome browser. For example, consider the recently disclosed holes CVE-2015-1233 or CVE-2014-3177, CVE-2014-3176, CVE-2013-6658; how many more have not yet been closed and are known only in limited circles is a big question.

As can be seen from the descriptions of these vulnerabilities, Alice can run code in the context of the browser process, and this works not only on Windows but also on Linux and Mac OS. The vulnerabilities were picked as examples at random.

Action
Pinocchio writes a script and puts in it the shellcode that should execute on the target system, Bob's PC. To do this he somehow needs to deliver the link. The first option, e-mail, fails immediately: Bob is a cautious user and does not open links from mail. So Alice and Pinocchio decided to improvise a little. They know that Bob is no ordinary person and does not suffer from paranoia... well, that is not the short version; for simplicity, Bob just followed the link, Alice persuaded him.

After Bob visited the link, a small piece of code written by Pinocchio ran in the context of his browser process: just a few instructions that then downloaded the body of the malware and transferred execution to it. But of course, Bob is sure that Alice is just showing him her photos: no files are saved to disk, there are no warnings, nobody asks for the root password.

Raising privileges
After Pinocchio's creation began executing its first instructions on Bob's processor, the question arose: what next? In Bob's theory, even if an infection happens, nothing will come of it: Bob set a complex root password, and he certainly will not enter it under any circumstances.

Pinocchio and Alice foresaw this question and solved it in advance. The same Pedro told them that he has a couple of zero-day vulnerabilities in the Linux kernel, in the spirit of the recently patched CVE-2014-9322 (3.17 kernel line) and CVE-2014-3153 (3.14 kernel line).

After reading the descriptions of these vulnerabilities, Pinocchio realized that they would let him execute code in the context of Bob's OS kernel. All his malicious application has to do is use these fresh holes and execute code in ring 0.

While the unsuspecting Bob looks at Alice's photographs, Pinocchio's code has already deeply invaded his system, and neither an antivirus (there simply isn't one) nor anything else can so much as display a warning about the intrusion. Since Pinocchio decided not to stop there, he went further. Having reached the lowest level of Bob's OS, where only trusted code is supposed to run, Pinocchio began looking for the file responsible for starting the OS. As soon as Pinocchio's software found this file, it modified it so that Pinocchio's code keeps running after Bob's PC restarts.

Rootkit
So Pinocchio and Alice have gained access to Bob's PC running Linux, but how can they hide their presence? Bob is no fool and checks the integrity of the OS system files every 5 minutes. For this Pinocchio decided that they would overwrite the code of the operating system itself as it sits in the memory of Bob's PC, but how? After all, if you did the same thing on Windows, one small system component (Kernel Patch Protection, better known as PatchGuard, on 64-bit Windows) would detect it and force the PC to restart.

Bob doesn't worry about his safety: even if the attacker's code runs in the kernel, recent versions of the Linux kernel map the kernel's own code and read-only data pages as write-protected. Even if Pinocchio tries to overwrite the OS code in RAM, the processor will raise a fault and the PC will reboot.

Then Pinocchio opened the documentation for the processor in Bob's PC and began to study it... He knows that Bob's processor is x86, but what does that give him? After all, the kernel pages he needs are write-protected. Then Pinocchio noticed the control register cr0, which holds the flags that govern how the processor operates. What happens if you clear its bit 16 (WP, the write-protect flag), quickly rewrite the necessary kernel functions and immediately restore the register? Pinocchio wondered. And he did it: it turned out that clearing this bit temporarily lets ring-0 code write to pages that are mapped read-only. Two caveats a practitioner would add: the bit has to be cleared and restored on the same CPU with preemption and interrupts disabled, and since Linux 5.3 the kernel pins CR0.WP, so the ordinary write_cr0() path refuses to drop it and warns; that is why the kernel's own text_poke() patches code through a separate writable mapping of the same physical page instead.
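
The pattern Pinocchio uses (drop write protection, patch, restore write protection) can be seen in user space, where a read-only page and mprotect(2) stand in for the kernel's read-only text and the CR0.WP bit, and a table of function pointers stands in for a dispatch table such as the syscall table. The following is an added example written for this page, not code from the article or from any project; the names (orig_getuid_like, hooked_getuid_like, install_hook and so on) are hypothetical. It shows the fault the author describes when writing to a protected page, the patch going through once protection is toggled, and that the page looks read-only again afterwards, which is why checking page permissions alone does not reveal the hook.

```c
/* Added example: "clear write protection, patch, restore" demonstrated in user
 * space.  CR0.WP exists only in ring 0, so mprotect(2) plays the role of the WP
 * bit and a read-only table of function pointers plays the role of the kernel's
 * protected text/rodata.  Hypothetical names; not the article's code. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef long (*handler_t)(long);

/* Two "kernel" functions and the hook that will be spliced in. */
static long orig_getuid_like(long arg) { return 1000 + arg; }    /* unprivileged */
static long hooked_getuid_like(long arg) { (void)arg; return 0; } /* always root */

static handler_t *table;   /* page-aligned, protected like rodata */
static size_t page;

/* Map one page, fill the dispatch table, then make it read-only ("WP = 1"). */
int protected_table_init(void) {
    page = (size_t)sysconf(_SC_PAGESIZE);
    table = mmap(NULL, page, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (table == MAP_FAILED) return -1;
    table[0] = orig_getuid_like;
    return mprotect(table, page, PROT_READ);
}

long call_slot0(long arg) { return table[0](arg); }

/* Prove the protection is real: a write while protected must fault.
 * Returns 1 if the write was blocked by a SIGSEGV/SIGBUS, 0 if it went through. */
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

int write_while_protected_faults(void) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some platforms report it as SIGBUS */
    int faulted = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile handler_t *slot = table;
        slot[0] = hooked_getuid_like;   /* blocked by the read-only mapping */
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* The rootkit's move: drop protection, splice the hook, restore protection.
 * In the kernel the two mprotect calls correspond to
 *   write_cr0(read_cr0() & ~X86_CR0_WP);  ...  write_cr0(cr0 | X86_CR0_WP);
 * executed on one CPU with preemption and interrupts disabled. */
int install_hook(void) {
    if (mprotect(table, page, PROT_READ | PROT_WRITE) != 0) return -1; /* WP off */
    table[0] = hooked_getuid_like;
    return mprotect(table, page, PROT_READ);                           /* WP on  */
}

/* Defender's view: the page is read-only again, only its contents changed. */
int slot0_is_hooked(void) { return table[0] == hooked_getuid_like; }

int main(void) {
    if (protected_table_init() != 0) return 1;
    long before = call_slot0(5);                  /* 1005 */
    int faulted = write_while_protected_faults(); /* 1    */
    install_hook();
    long after = call_slot0(5);                   /* 0    */
    return (before == 1005 && faulted && after == 0) ? 0 : 2;
}
```

Run it as a normal user program; no kernel module is involved. The point to take away is the third step: after install_hook() the page is as read-only as before, so a check that only looks at mapping permissions (or, in the kernel, only at the WP bit) sees nothing wrong, and only a comparison of the table's contents against a known-good copy catches the change.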

Thus Pinocchio gained full control over Bob's OS, then found the vulnerability he came in through and fixed it, but the program code that had lodged itself in Bob's OS could no longer be detected. Each run of the integrity check shows that not a single file in the system has been changed: Pinocchio's program simply substitutes the original when the file is read. There are no new processes: the malicious process is simply hidden, and while other operating systems have long had solutions that detect such techniques, there is nothing of the kind for Bob's OS.
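
The standard answer to a hidden process is a cross-view check: ask the kernel the same question through several interfaces and look for disagreement. A rootkit that hides a process usually filters what readdir(3) on /proc returns (that is what ps, top and most integrity tools rely on), but kill(pid, 0) still succeeds for the hidden PID and /proc/<pid>/status can usually still be opened by exact path. The following is an added example written for this page, not code from the article or from any project; function names such as classify_pid and scan_hidden_pids are hypothetical, and it assumes Linux with a normally mounted /proc. It also handles the classic false positive: thread IDs of multi-threaded processes answer kill() but are never listed in /proc, so a PID is only reported hidden when it is alive, is its own thread-group leader, and is missing from the listing.

```c
/* Added example: cross-view detection of a hidden process on Linux.
 * Hypothetical function names; not the article's or any project's code. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum pid_state { PID_ABSENT, PID_VISIBLE, PID_THREAD, PID_HIDDEN };

/* View 1: is the PID listed by readdir(3) on /proc?  This is the view a
 * getdents hook filters, and the one most user-space tools trust. */
static int listed_in_proc(pid_t pid) {
    DIR *d = opendir("/proc");
    if (!d) return -1;
    struct dirent *e;
    int found = 0;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long n = strtol(e->d_name, &end, 10);
        if (*end == '\0' && n == pid) { found = 1; break; }
    }
    closedir(d);
    return found;
}

/* View 2: read Tgid from /proc/<pid>/status by exact path.
 * Returns the thread-group id, or -1 if the entry cannot be read. */
static pid_t tgid_of(pid_t pid) {
    char path[64], line[256];
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    pid_t tgid = -1;
    while (fgets(line, sizeof line, f)) {
        long v;
        if (sscanf(line, "Tgid: %ld", &v) == 1) { tgid = (pid_t)v; break; }
    }
    fclose(f);
    return tgid;
}

/* View 3: does the kernel know this PID at all?  kill(pid, 0) delivers
 * nothing; success or EPERM both mean "exists", ESRCH means "no such pid". */
static int kernel_knows(pid_t pid) {
    if (kill(pid, 0) == 0) return 1;
    return errno == EPERM ? 1 : 0;
}

enum pid_state classify_pid(pid_t pid) {
    if (!kernel_knows(pid)) return PID_ABSENT;
    pid_t tgid = tgid_of(pid);
    if (tgid != -1 && tgid != pid) return PID_THREAD; /* non-leader thread: never listed */
    if (listed_in_proc(pid) == 1) return PID_VISIBLE;
    /* Alive, a group leader, and missing from the listing.  Re-check once so a
     * process that exited between the two views is not reported. */
    return kernel_knows(pid) ? PID_HIDDEN : PID_ABSENT;
}

/* Scan 1..max_pid and collect hidden PIDs; returns how many were found.
 * Note: on a /proc mounted with hidepid, other users' processes are unlisted
 * by design and would be reported here, so run the scan as root. */
int scan_hidden_pids(pid_t max_pid, pid_t *out, int cap) {
    int n = 0;
    for (pid_t p = 1; p <= max_pid; p++) {
        if (classify_pid(p) == PID_HIDDEN && n < cap) out[n++] = p;
    }
    return n;
}

int main(void) {
    pid_t hidden[64];
    int n = scan_hidden_pids(32768, hidden, 64);   /* default pid_max */
    printf("self: %s\n", classify_pid(getpid()) == PID_VISIBLE ? "visible" : "NOT visible");
    printf("hidden processes found: %d\n", n);
    for (int i = 0; i < n; i++) printf("  pid %ld\n", (long)hidden[i]);
    return 0;
}
```

A kernel rootkit that hooks all three views consistently defeats this, which is why the cross-view idea is only one layer; the same idea applies to the "substitute the file on read" trick from the paragraph above: hash a system file through read(2) and again through an mmap(2) of the same file, or from a mount made from a live CD, and compare, since a hook on the read path does not rewrite the other views.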

In conclusion: Alice and Pinocchio took pity on Bob... and deleted all his files. But seriously, never be so fanatically certain of anything. I have tried to set out the essence of the problem in a light form and without technical terms. Advice to the Pinocchios: stop writing viruses; to the Pedros: come out and release all your unpublished vulnerabilities so they can be fixed; and to Bob: trust the bearded gnomes less, don't click on dodgy links and think with your own head. And use whatever OS you like! Nothing is absolutely safe. I hope everyone has cheered up a bit)

PS If there is interest, I can write a small article with examples in C on intercepting kernel functions in the latest version of the Linux kernel.

Source: https://habr.com/ru/post/256793/

