Wednesday, 14 December 2011

When Does A "Tool" Become A "Weapon"?

As with so many tools, security vulnerability detectors can be misused to exploit rather than defend.  The Metasploit Project is an extremely valuable tool and many of us in cyber security use it to research and probe for potential problems. However, a recent development which was revealed by Security Labs in India demostrates just how easily the Metasploit Framework can be used to develop malicious payloads that avoid detection by the usual Anti-Virus and Firewall software.

By installing a few extras with BackTrack 5 (another tool-set that penetration testers know well) it is possible to run a script based upon Metasploit that generates a "reverse TCP payload".  In essence, all of your Internet data is carried using a protocol called TCP/IP, where the IP part gives the "addresses" of the sender and receiver, and the TCP part ensures that the entirety of the data is reconstructed correctly once received as it is chopped up into small "packets" for transmission across the Internet.  This "reverse payload" method means that you receive the unwanted data without realising it.  Hence, it will bypass detection by the types of traps to are usually employed to capture unwanted code.
What could you do with this?  Well, imagine you could use the technique to deliver a "backdoor" to a machine. Actually, you don't need to imagine as that is exactly what was done.  All of a sudden you have the means to take over machine remotely without the user knowing, and in such a way that most users would stand very little chance of detecting the attack: certainly not using routine Anti-Virus and Firewalls software.

It's such a shame that these tools are used in this way. Or is it? Perhaps that's the very reason they exist.  After all this has shown a vulnerability and a form of attack vector that may not have been thought about by the AV and Firewall vendors.