Risky Business #82 -- The Paul Craig Omnibus Experience

Previously on Risky Business...
10 Oct 2008 » Risky Business

This is a special weekend listening edition of Risky Business and is brought to you by our sponsor MessageLabs.

If you're a regular listener to this program you'll know I headed to New Zealand a couple of weekends ago to attend the Kiwicon security conference in Wellington... there were presentations, lots of free beer, and of course this presentation by security consultant and researcher Paul Craig.

Paul works for Security Assessment.com in New Zealand, and he delivered by far the most entertaining presentation at Kiwicon. Called the Paul Craig Omnibus Experience, the talk blended three separate talks into one, which I've edited down into one fine hour of listening. The first talk is about iKat, the interactive kiosk attack tool.

iKat was unveiled by Paul at the most recent DEFCON conference in Las Vegas -- it's basically a website that you can visit from Internet kiosks -- like you find in corporate lobbies or airports. Of course when you visit the iKat website from a kiosk you can start clicking on stuff and popping shells. Paul released iKat to get people thinking -- so many people pump all sorts of sensitive information into the average kiosk... but since the release of iKat, we now know fore SURE they're not safe. Umm... thanks mate!

That's the first part of his talk, and it's a lot of fun. As you'll hear, Paul has a healthy sense of humour and does really well in front of a crowd.

In the second part of the Omnibus Experience, Paul discusses his hobby -- stealing data from botnets. In all, Paul boosted 3.3 gigabytes of plain text logs that had been intercepted by a fairly unsophisticated keylogging Trojan... the resulting findings are hilarious.

Last up he unveils the Moth Trojan.

Listeners to our last show would have heard a bit about this. Moth uses native Windows functionality to subvert the operating system. Not only does it allow full remote access to the affected host, but it actually insults the user through Microsoft's text to speech function. It's classic stuff.

Now, you would have heard an interview I did with MacLeonard Starkey from AusCERT about this -- Macca says detecting this thing is actually pretty easy. Now, while Macca has come up with some nifty detection techniques, I think the jury's still out on how effective Paul's techniques are. Because the Trojan is so customisable and allows such an amazing level of control over the infected system, I reckon it'd be a real challenge to get rid of different variants of this thing ... anyway, have a listen to Paul's talk and make your own mind up. I've linked to Paul's Web site where you can download the source code to Moth, and I've also linked to Macca's write up on Moth.

You can find the source code to Moth here, and MacLeonard Starkey's write-up here.