Unmasked - Ars Technica [23]
So HBGary wanted to go the direct access route, characterizing it as the “low hanging fruit” with the lowest risk. General Dynamics wanted HBGary to investigate the USB route as well (the ports are more common, but an attack has to trick the operating system into doing its bidding somehow, commonly through a buffer overflow).
The team had two spy movie scenarios in which its work might be used, scenarios drafted to help the team think through its approach:
1) Man leaves laptop locked while quickly going to the bathroom. A device can then be inserted and then removed without touching the laptop itself except at the target port. (i.e. one can’t touch the mouse,keyboard, insert a CD, etc.)2) Woman shuts down her laptop and goes home. One then can insert a device into the target port and assume she will not see it when she returns the next day. One can then remove the device at a later time after she boots up the machine.
Why would the unnamed client for Task B—which a later e-mail makes clear was for a government agency—want such a tool? Imagine you want access to the computer network used in a foreign government ministry, or in a nuclear lab. Such a facility can be tough to crack over the Internet; indeed, the most secure facilities would have no such external access. And getting an agent inside the facility to work mischief is very risky—if it’s even possible at all.
But say a scientist from the facility uses a memory stick to carry data home at night, and that he plugs the memory stick into his laptop on occasion. You can now get a piece of custom spyware into the facility by putting a copy on the memory stick—if you can first get access to the laptop. So you tail the scientist and follow him from his home one day to a local coffee shop. He steps away to order another drink, to go to the bathroom, or to talk on his cell phone, and the tail walks past his table and sticks an all-but-undetectable bit of hardware in his laptop’s ExpressCard slot. Suddenly, you have a vector that points all the way from a local coffee shop to the interior of a secure government facility.
The software exploit code actually delivered onto the laptop was not HBGary’s concern; it needed only to provide a route through the computer’s front door. But it had some constraints. First, the laptop owner should still be able to use the port so as not to draw attention to the inserted hardware. This is quite obviously tricky, but one could imagine a tiny ExpressCard device that slid down into the slot but could in turn accept another ExpressCard device on its exterior-facing side. This sort of parallel plugging might well go unnoticed by a user with no reason to suspect it.
HBGary’s computer infiltration code then had to avoid the computer’s own electronic defenses. The code should “not be detectable” by virus scanners or operating system port scans, and it should clean up after itself to eliminate all traces of entry.
Greg Hoglund was confident that he could deliver at least two laptop-access techniques in less than a kilobyte of memory each. As the author of books like Exploiting Software: How to Break Code, Rootkits: Subverting the Windows Kernel, and Exploiting Online Games: Cheating Massively Distributed Systems, he knew his way around the deepest recesses of Windows in particular.
Hoglund’s special interest was in all-but-undetectable computer “rootkits,” programs that provide privileged access to a computer’s innermost workings while cloaking themselves even from standard operating system functions. A good rootkit can be almost impossible to remove from a running machine—if you could even find it in the first place.