Friday, June 29, 2012

Paranoid android

I have been finding quite hard to trust nearly any application for many years. When you think of the underlying infrastructure that exist to enable you hit a server, download a piece of software and everything that could go wrong.

What if I'm hitting a spoofed DNS Server?
my access point was cracked?
one hacked the telco router and is deviating my traffic through another box?
or what if I already have some piece of software installed eavesdropping my browsing?

This paranoid list could go on forever. Obviously there's something you can do to avoid or monitor each of these items, but the truth is that you can never say, 100%, that every page you hit will be harmless and there is no malicious code running on your computer or that some piece of software is completely safe to be executed without some privacy concerns or whatever.

When you think about all these exploits coming out, for all kind of software, you can get quite paranoid.
Like on Windows, you click a file with extension .docx, well, you know Word will fire up and parse that file.
You know that there was already problems with Microsoft Office, Flash, and several other softwares, when parsing that would execute some shellcode stored in that file, and you would have no idea by looking at "its Word document Icon".
What about web related security issues? I suppose I'm not the only paranoid, am I?

I'm going on a trip this weekend and I decided to download a set from Astrix, from Youtube. That's legal, right? Can I write this here? Anyhow, I changed my mind and didn't! ;)

There are tons of websites dedicated for that, but they aren't happy to do videos longer than 1 hour and I had to think of another way.

For long I've known that it's always a bad idea to download these "tools", but I decided to give it a try.
Found a mainstream one, from dvdvideosoft, called Free Youtube to Mp3.

Downloaded the quite big package, 26 Mb... And the first thing that popped in my head was:

Unlike Stuxnet and Duqu which had a specific target, Flame is more generic and its size is 20 mega bytes, which is huge considering that anti-virus experts have seen codes of just 1 mb so far


Waited for the Antivirus to popup or something, calling me stupid, but nothing happened.
Since the paranoia doesn't go away, I thought: Let's check if the file is signed:


All seems good, time to get some Astrix!
Ran that stuff, read (ok, like 20% of) the privacy agreement, everything went fine and I fired up the app.

Aha! So now I got two windows, one from the App, and the other one from Symantec Antivirus!
My thoughts, throughout 3.2 milliseconds were:
  • F%$*& I knew this was crap.
  • This means that all other apps I executed, and my anti virus didn't pop up, were freaking malware?
  • False positive maybe? Try not to be too paranoid dude!
  • I suppose the reverse shell is running right now.... 

The message from the antivirus was:

SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
Event Info:  Create Process
ActionTaken:  Blocked
Actor Process:  C:\PROGRAM FILES (X86)\COMMON FILES\DVDVIDEOSOFT\BIN\DVSSERVICE.EXE (PID 11480)

And again:


SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\SavUI.exe
Event Info:  Create Process
ActionTaken:  Blocked
Actor Process:  C:\PROGRAM FILES (X86)\COMMON FILES\DVDVIDEOSOFT\BIN\DVSSERVICE.EXE (PID 9092)

This kind of situation does not help a paranoid guy. Finally I uninstalled the program and made new plans for a new VM where I can grow a colony of viruses while testing stuff out.

EDIT:

I'm currently reading CLR via C# from Jeffrey Richter and when he talks about .NET framework deployment goals and why Microsoft Windows has a reputation for being unstable and complicated. I found something I think it's worth quoting here:

"... The third reason has to do with security. When applications are installed, they come with all kinds of files, many of them written by different companies. In addition, Web applications frequently have code (like ActiveX controls) that is downloaded in such a way that users don't even realize that code is being installed on their machine. Today, this code can perform any operation, including deleting files or sending e-mail. Users are right to be terrified of installing new applications because of the potential damage they can cause. To make users comfortable, security must be built into the system so that the users can explicitly allow or disallow code developed by various companies to access their system's resources."

- Jeffrey Richter, CLR via C# third edition.

This paragraph and specially the text highlighted (by me) gives me the feeling I'm not alone in this paranoia. :)