
Two years ago I made the following publication:
<----------------->
I conducted an interesting experiment and want to share the experience so that people can learn from the mistakes of others. It is an experiment from the field of the legendary "Social Engineering", a method called "Road Apple".
Source of quotes:
www.wiki.inattack.ru/wiki/Social_engineering

Method: Theory

All this seemed very interesting to me, and I decided to try it out. I chose an organization I know (whose name is not given for obvious reasons) and began planning. It was decided that this would be a CD on which the apple itself would be placed. The program part consisted of 2 independent programs:
1. The apple installer referenced by our CD's autorun.ini
2. The apple itself.
As I learned from preliminary research, Kaspersky AntiVirus is installed throughout the office with the Anti-Hacker module and, accordingly, with the built-in firewall. That is, getting information out over the network becomes a problematic task, and that line of work was dropped. Initially the idea was limited to sending an SMS to my phone with content like "Hello from Apple: Mission completed", but the firewall spoiled that pleasure. If we ourselves cannot send a notification, we will have to force a legitimate user to contact us. It was decided that the apple would not carry any spyware or destructive functions. The apple itself performed 2 functions: it created a text message in C:\ap.txt and changed the titles of all available windows and buttons to "See C:\ap.txt". The message was a greeting, an explanation of what had happened, and "For a CORRECT REMOVAL of this software, contact ...", thereby increasing the chances of me receiving feedback from legitimate users, under threat of destructive functions if it was not removed properly. Yes, the correct-removal function was created, but in fact it is quite possible to remove it by improvised means without fearing for the integrity of the system =). Considering that KAV was there, it was quite likely that the hidden install function (writing to the registry) would be intercepted; therefore, in addition to it, an immediate forced launch of the Apple was made, even though it is an installer.
Method: Practice

All this was recorded on a CD-R; it remained only to add an attractive label to the disc. Having consulted with colleagues (thanks to them), nothing more curiosity-provoking than the word "Apple" was invented =). Initially the plan was to penetrate the organization's territory and leave the disc on the windowsill in the toilet +), but the reliability of this plan left a big shadow of doubt. In theory, whoever among the staff finds a disc in the organization must hand it to the system administrator for further proceedings (which is what was intended). But in practice it can go quite differently... So it was decided to use a trick and arrange with the organization's security that the disc with the apple would be handed personally to the system administrator, with the explanation that the disc had been found by chance on the planned windowsill =). On the appointed day I arrived at the organization, arranged things with the guards, did all my business, and safely went home, expecting feedback from the office over the next few days.
Alas, the system administrator did not consider it necessary to contact me, but I contacted him myself and found out all the details of what happened. As it turned out, the guard successfully passed the disc to the system administrator, and he successfully inserted it into the CD-ROM of a machine running MS Windows with autorun not disabled, which led to the successful launch of the Apple installer. But then the unforeseen problems began. Their intrusion detection system (IDS) raised the alarm at the forced launch of the Apple, and infection of the system by the Apple was prevented. That is, the only mistake was in using non-secure programming techniques that an IDS considers "suspicious".
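The one control that would have stopped this disc before any IDS was needed is the Windows AutoRun policy. The following PowerShell audit is an added example, not part of the original post: it reads the standard NoDriveTypeAutoRun policy value and reports whether a CD can still auto-launch its installer; the registry paths and the 0x20 CD-ROM bit are documented Windows values, and the optional -Fix switch is my addition.

```powershell
# Added example (not from the original post): audit, and optionally harden, the Windows
# AutoRun policy that let the CD in this story launch its installer on insertion.
# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is DISABLED;
# bit 0x20 is the CD-ROM drive class, and 0xFF disables AutoRun for every drive type.
param([switch]$Fix)

$CdRomBit = 0x20
$Paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',   # machine-wide policy
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'    # per-user policy
)

foreach ($Path in $Paths) {
    $Value = (Get-ItemProperty -Path $Path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun

    if ($null -eq $Value) {
        # No policy at all: behaviour falls back to the OS default, which on XP-era
        # systems left CD-ROM AutoRun enabled (exactly the condition the post describes).
        Write-Output ("{0}: NoDriveTypeAutoRun not set, AutoRun follows the OS default" -f $Path)
        $CdRomBlocked = $false
    } else {
        $CdRomBlocked = (($Value -band $CdRomBit) -ne 0)
        $State = if ($CdRomBlocked) { 'disabled' } else { 'ENABLED' }
        Write-Output ("{0}: NoDriveTypeAutoRun = 0x{1:X2}, CD-ROM AutoRun {2}" -f $Path, $Value, $State)
    }

    if (-not $CdRomBlocked -and $Fix) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        # 0xFF: disable AutoRun for all drive types, including CD-ROM and removable media
        Set-ItemProperty -Path $Path -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
        Write-Output ("{0}: NoDriveTypeAutoRun set to 0xFF (takes effect at next logon)" -f $Path)
    }
}
```

Run it without -Fix to see the current state on both hives; the HKLM policy wins when the two disagree, so that is the one worth enforcing by GPO.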
Conclusions

The cleverly created disc reached its intended destination, the disc was inserted into the "vulnerable system", the Apple's autostart worked, but the intrusion detection system smacked it in the face...
In general, 2 results:
1. The principle of Apple worked, its launch took place.
2. The intrusion detection system caught the Apple.
Conclusion: if one approaches the programming of the Apple professionally, adapting it to the victim's environment, then the chance of success is very high. On the other hand, the experiment teaches us a lot about how not to get caught by such tricks.
<----------------->
The publication was in March 2008. Less than 2 years later, a new system administrator from this organization called me and demanded explanations and that I answer for my actions :) The catch was that I no longer had either the written idea or the source code, and I had nothing to give in response to the demand for the "correct removal instructions". Well, I told him roughly where to look.
That's how it goes: it suddenly took 2 years to fully accomplish what was planned ;)