Didier Stevens

Tuesday 9 March 2010

Frisky Solitaire – Another Info Stealer

Filed under: Forensics,Malware — Didier Stevens @ 0:00

Marcus Murray gave a great talk at TechEd Berlin 2009: “Hack-Proofing Your Clients Using Windows 7 Security”. In one of his demos, he showed a trojaned Excel spreadsheet. The spreadsheet was a simple text-based game, but it had a malicious component that executed surreptitiously while the game was played.

As I’ve done several hacks with Excel macros in the past, this made me realize that social engineering is a key element to get people to run macros from a spreadsheet of unknown origin.

Several people have asked me about de details of the vulnerability I exploited in my PDF Info Stealer PoC. But that’s not important. It’s not about the exploit, it’s about the payload: the info stealer. As I’ve written in my previous post, I don’t even need an exploit to get users to execute the info stealer. If I put the info stealer inside an Excel spreadsheet and social engineer the targeted users to execute the macros, I’ve achieved my goal without exploiting a software vulnerability.

I present you Frisky Solitaire:

Frisky solitaire is more compelling than text-based Excel games, because of the graphics. I took Solitaire from ReactOS, turned it into a DLL and embedded it with my memory loading shellcode into Excel macros (the same technique as I developed for cmd.dll and regedit.dll). I imagine that a simple game like Solitaire in Excel can go viral inside a company, when you know that many corporations disable standard Windows games on their desktops and Terminal Servers.

But in a crude attempt at social engineering the male population of a targeted company, I added an element of nudity to the game. The implied message of the game’s title is that winning games increases nudity. I know, I’m talking about basic instincts here, but it still does the trick…

So I imagine that this game can become popular with a large part of the male employees of a targeted company. And that they wouldn’t question the fact you have to execute Excel macros to play a game. Sounds plausible, no?

Of course, you guessed it: Frisky Solitaire is trojaned with an info stealer… No need to exploit a software vulnerability to steal info. Given that here too, everything is done in memory, detection is unlikely.

5 Comments »

  1. Auch Solitaire sucht und versendet beliebige Dateien…

    Nachdem Didier Stevens in seinem Blog einem Beitrag veröffentlicht hatte, der beschreibt, wie ein PDF-Exploit auf einem Rechner nach Daten sucht und diese danach ins Internet versendet, realisiert er das in seinem aktuellen Beitrag ganz ohne Exploit. Z…

    Trackback by Klipper on Security — Tuesday 9 March 2010 @ 9:25

  2. Search-and-send: Solitaire works fine, too…

    A few days ago, Didier Stevens demonstrated the danger that comes along with PDF files. In his blog he showed how easy it is to spread malicious PDF files in order to search-and-send confidential information to the Internet. In his new posting he does …

    Trackback by Klipper on Security — Tuesday 9 March 2010 @ 9:33

  3. [...] Frisky Solitaire – Another Info Stealer – didierstevens.com No need to exploit a software vulnerability to steal info. [...]

    Pingback by Week 10 in Review – 2010 | Infosec Events — Monday 15 March 2010 @ 8:31

  4. As Ed Skoudis once said to Josh Wright, “Dude … that’s just evil.” – John

    Comment by John McCash — Thursday 18 March 2010 @ 20:28

  5. [...] View full post on Didier Stevens [...]

    Pingback by Frisky Solitaire – Another Info Stealer | Computer Security Articles — Sunday 2 May 2010 @ 15:02


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 231 other followers

%d bloggers like this: