Wednesday, April 19, 2017

Skype hacked by CIA


Skype has been compromised and targeted by your friendly neighborhood CIA agent, as revealed in the latest WikiLeaks leak, code-named "Vault 7".

This is not trivial, since Skype boasts more than 300 million monthly active users as of March 2016.
The recent CIA WikiLeaks release mentions a "Skype" hack for spying on users, under the section called "Fine Dining Tool Module Lists". Below is the relevant row (tool module | application | categories | role):
DLL Hijack | Skype | User, Video-Chat | Operator uses Skype to chat or call while collection is occurring
For the uninitiated, the WikiLeaks "Vault 7" release lists a host of CIA exploits for common everyday free and paid applications. The "Fine Dining Tool Module Lists" section lists applications whose modules or libraries (the dynamic-link libraries, or DLLs, that are loaded at run time to make the program work) have been compromised and replaced. This is known as a "DLL Hijack" in the document. A hijacked DLL enables practically anything to be done by the remote collectors: it can collect keystrokes, take screenshots, record from the microphone, snoop on your mail, and, in the dreaded scenario, hand over complete control of your computer through a remote administration tool (RAT).



Tien Phan describes in detail how one possible Skype DLL hijack works, quoted from https://packetstormsecurity.com/files/138873/skype-dllhijack.txt
Hi,

There is a DLL planting vuln in the Skype installer. This vuln had been
reported to Microsoft but they decided not to fix this.

Here is the vulnerability details:
------
Skype installer in Windows is open to DLL hijacking.

Skype looks for a specific DLL by dynamically going through a set of
predefined directories. One of the directories being scanned is the
installation directory, and this is exactly what is abused in this
vulnerability.

Reproduce Notes:
1. Download this dll
https://mega.nz/#!b4ViSLJL!Pv99pN2d_WxsUHGPH0Ej3onwVeSdh41mpyKfQJfAq8E
2. Copy msi.dll to Downloads directory
3. download skype installer
4. execute the downloaded installer from your "Downloads" directory;
Observed behavior: message box ahyhya

Other DLLs can be used to hijack: dpapi.dll, cryptui.dll
------

Regards,
Tien


-- 
Tien Phan
Blog : http://tienpp.blogspot.com
twitter : @_razybo_ 
This still works for the latest version of Skype, 7.34, using dpapi.dll.
Source code is available here; I advise making your own DLL. I created my own sample mock-up, and the video below shows the result.

You can see how this would be an issue if dpapi.dll were downloaded in the background into the same "Downloads" directory and the Skype installer came days later. This would be the result.


Another favorite target seems to be the "msimg32.dll" DLL since it
The DLL exports 5 functions with the following prototypes:

  • typedef VOID(WINAPI *vSetDdrawflag)(VOID);
  • typedef BOOL(WINAPI *AlphaBlend)(HDC, int, int, int, int, HDC, int, int, int, int, BLENDFUNCTION);
  • typedef DWORD(WINAPI *DllInitialize)(DWORD, DWORD);
  • typedef BOOL(WINAPI *GradientFill)(HDC, PTRIVERTEX, ULONG, PVOID, ULONG, ULONG);
  • typedef BOOL(WINAPI *TransparentBlt)(HDC, int, int, int, int, HDC, int, int, int, int, UINT);

A proxy DLL re-routes all calls to any of these functions to the "real" functions in the system copy and returns their results, so the application keeps working while the planted code runs.

From https://www.codeproject.com/Articles/30659/Windows-Live-Messenger-Plug-in-Development-Bible


We've chosen MSIMG32.DLL as the proxy DLL that will reside in the WLM executable directory, forcing it to load our fake DLL instead of the MSIMG32.DLL which is located in the Windows system directory. Note that we can force the loading of our DLL from the WLM executable directory since this DLL is referenced on PE imports therefore loaded by the NT Loader, not by the executable itself. Keep in mind that other applications may load DLLs manually with LoadLibrary, either using the default Operating System library search order, or overriding it using absolute paths.


How to Prevent this?  

No guarantees here, especially if you are already infected and don't know it. If any DLL like this exists in any directory listed in your PATH variable, it will be picked up by default.

But best practice is to clear all files from your temp directories:

  • C:\Users\{username}\AppData\Local\Temp
  • C:\Windows\Temp
These are accessible by typing the following at Start->Run:
  1. TEMP
  2. %TEMP%
Do a deep clean using https://www.bleachbit.org/ to remove all temporary files from your browsers.

Lastly: don't install your products from the Downloads folder. Create a new folder and move the installer there. Then blow it away.
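As an added defensive check (my own example, not code from this post, from Tien Phan's advisory or from the CodeProject article): a Python script that looks in the folders the post says to clean for the DLL names discussed above and compares any hit against the System32 copy by SHA-256. The directory list, the hash comparison and the sample files that demo() constructs are my assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# DLL names this post says the Skype installer picks up from its own directory
# (msi.dll, dpapi.dll, cryptui.dll) or that serve as a proxy DLL (msimg32.dll).
HIJACKABLE_DLLS = ("msi.dll", "dpapi.dll", "cryptui.dll", "msimg32.dll")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_planted_dlls(scan_dirs, system_dir, names=HIJACKABLE_DLLS):
    """Report every DLL from `names` lying at the top level of a scan directory
    (where installers land). Any such file is out of place; one whose hash
    differs from the System32 copy is the more serious finding."""
    findings = []
    for d in scan_dirs:
        d = Path(d)
        if not d.is_dir():          # e.g. C:\Windows\Temp on a non-Windows box
            continue
        for entry in d.iterdir():
            if not entry.is_file() or entry.name.lower() not in names:
                continue
            genuine = Path(system_dir) / entry.name.lower()
            if not genuine.is_file():
                verdict = "no system copy to compare against"
            elif sha256_of(entry) == sha256_of(genuine):
                verdict = "byte-identical to system copy (still out of place)"
            else:
                verdict = "DIFFERS from system copy: likely planted"
            findings.append((str(entry), verdict))
    return findings

def demo():
    """Constructed sample layout (not real system files): a fake system32 with a
    dpapi.dll, a Downloads folder holding a different dpapi.dll next to an
    installer, and a Temp folder with a cryptui.dll that has no system twin."""
    root = Path(tempfile.mkdtemp())
    for sub in ("system32", "Downloads", "Temp"):
        (root / sub).mkdir()
    (root / "system32" / "dpapi.dll").write_bytes(b"genuine dpapi image")
    (root / "Downloads" / "dpapi.dll").write_bytes(b"attacker supplied dpapi image")
    (root / "Downloads" / "SkypeSetup.exe").write_bytes(b"installer bytes")
    (root / "Temp" / "cryptui.dll").write_bytes(b"unknown cryptui image")
    hits = find_planted_dlls([root / "Downloads", root / "Temp"], root / "system32")
    return sorted((Path(p).name, v) for p, v in hits)

if __name__ == "__main__":
    home = Path.home()
    dirs = [home / "Downloads", os.environ.get("TEMP", home / "AppData" / "Local" / "Temp"), r"C:\Windows\Temp"]
    system32 = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    for path, verdict in find_planted_dlls(dirs, system32):
        print(f"{path}: {verdict}")
```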

References: 
https://blogs.sophos.com/2017/03/10/qa-wikileaks-the-cia-fine-dining-and-dll-hijacks/ 
