The following document is one of the case studies we carried out in the 1^st semester at the Advanced Cybersecurity MSc. (Polytechnic University of Bucharest). It describes how a rogue wireless access point (a.k.a. the “Evil Twin”) can be created to mimic a legitimate one, in order to trick users to connect to it.

The paper also contains a working proof-of-concept (PoC) that presents the main steps that I personally took while executing this attack (along with the needed hardware & software). This is something you should try only at home, on your own equipment .

The goal was to gracefully steal precious WiFi passwords with an Evil Twin and a little bit of Social Engineering, instead of applying brute-force to guess them (which sometimes takes a little bit too much time ).

The PPT presentation of the paper:

This CTF contest phase took place between 20^th – 22^nd of May 2022.
We competed against 70 teams (from both Romania and Republica Moldova).
We all had exactly 48 hours to find vulnerabilities & exploit them in 25 challenges (me & my team finished everything in under 33 hours).

As a result, this time, we managed to get the 1^st place ¯\_(ツ)_/¯ .

Team ‘The Few Chosen’ : Noria, D. Toma, Spurge (ç’est moi), representing the Babeș-Bolyai University.
The official national ranks: https://unr22-echipe.cyberedu.ro/#ranks.

All of our writeups can be found on Notion, or below.

Stay safe* :’)

This contest phase took place between 6^th – 8^th of May 2022 and had 165 active participants (from both Romania and Republica Moldova).

I managed to get the 14^th place, or 10^th place for my category (university). All the official ranks can be found here: https://unbreakable.ro/clasament.
Even though this was the individual phase, I have to congratulate my two teammates (and faculty colleagues), Noria and Toma, who managed to get the 1^st and 2^nd place respectively. GG.

However, even though I had a busy weekend, I still solved 80% of the given challenges. The writeups can be found below.

What is social engineering ?

Well, given the plethora of news about scammers and people being easily fooled by them, the public opinion about this subject is anything but positive. However,make no mistake, it surely isn’t just that…
Actually, social engineering is the art, or better yet, science of skillfully maneuvering a person to take an action that may or may not be in the “target’s” best interest. Thus, besides crimes, you can also notice it in: business marketing, the way children get their parents to give in to their demands, the way doctors, lawyers, or psychologists obtain information from their clients. Obviously, you can also find it in law enforcement, and in dating — it is truly used in every human interaction, from babies to politicians …

Types of social engineers

• Hackers & Penetration testers: as modern software gets more difficult to break into, hackers are turning to social engineering skills more than ever.
• Spies: simply put, it is a lifestyle for them. They mostly use it to build credibility and to “fool” victims into believing they are someone or something they are not.
• Identity thieves: they use information such as a person’s name, bank account numbers, address, birth date, and social security number without the owner’s knowledge.
• Disgruntled employees: often enter into an adversarial relationship with their employer. They typically hide their level of displeasure to not put their employment at risk, yet they resort to theft, vandalism or other crimes as revenge (moles).
• Scammers: usually driven by greed or the desire to “make a buck”. They master the ability of reading people in order to target a vulnerable victim.
• Executive recruiters: are very adept at not only reading people but also understanding what motivates people, in order to please both the job seeker and the job poster.
• Salespeople: use their skills to find out what people’s needs are and then see whether they can satisfy them.
• Governments: use it to control the messages they release as well as the people they govern (they utilize techniques like: social proof, authority and scarcity). This is not always negative, as some of their messages are for the good of the people, and using certain elements of social engineering can make the message more appealing and more widely accepted. However, when politicians want to avoid talking about something, they resort to using Wooden Language (this is a perfect example that I found while visiting The Romanian Kitsch Museum in Bucharest).
• Doctors, psychologists, and lawyers: must use elicitation and proper interview and interrogation tactics, as well as many if not all of the psychological principles of social engineering to manipulate their clients into the direction they want them to take.

Given the information above, you’ve probably realized that there’s a high probability to be a target of such trickery.
How do I stay safe? Great question.
Well, what I can say for sure, is that you are safer if you know and understand the techniques used for a successful social engineering attack. This is why, in the next section, I’m going to explain decisive skills like: information gathering, elicitation, pretexting, microexpressions, Neurolinguistic Programming, interview & interrogation, building rapport, The Human Buffer Overflow, influence tactics (reciprocation, obligation, concession, scarcity, authority, commitment, liking, social proof), framing, and, the last but not least, manipulation.

With enough time and enough effort anyone can be social engineered. Those words are true, as scary as they are. That doesn’t mean there is no hope; it means your job is to make malicious social engineering so difficult and time consuming that most hackers will give up.
(Christopher Hadnagy)

As usual, this information is for education purposes only. A lot of social engineers face prison time as well. So, have fun, but respect the legal and ethical constraints. Otherwise, make sure that you’re hiding better than everyone else can hide, in the 21^st century.

Information gathering

The most important phase of the attack. Usually takes from days to months, depending on the target. For example, this is what the Russian government had been doing for at least 8 years in Ukraine, using cyberattacks and spies, before starting an invasion on 24^th of February 2022.

Mindset: no piece of information is irrelevant; even the slightest detail can lead to a successful breach.

Example: Mati Aharoni (professional pentester) was tasked with gaining access to a company that had an almost nonexistent Web footprint. After some internet searching, he found a high-ranking company official who used his corporate email on a forum about stamp collecting and who expressed an interest in stamps from the 1950s. Mati created a website like stampcollections.com, where he put 1950s stamp photos found on Google, and embedded a malicious frame that exploited a vulnerability in the popular web browser at the time. So, accessing the link would give the attacker control over the victim’s computer. Then, he crafted an email for this company official. In the email, it’s stated that he’s another user of the same forum, who noticed the interest in old stamps, and that his grandfather, who ‘passed away’, left a stamp collection that can be seen on Mati’s stampcollections.com website. Before sending the email, for maximum impact, he called the target on the phone. This way, Mati built trust by discussing on a friendly tone about his stamp offer, while also expressing some feelings of sadness for the recent death in his family (triggering compassion). Thus, the target was very eager to see this collection. As soon as the man received the email, he clicked the link and the company’s perimeter was compromised. The tiny piece of information that led to this successful attack: a corporate email on a random website.

The problem: using social media, people can easily share every aspect of their lives with anyone they choose, making potentially damaging information (for their personal & business security) more readily available than ever before.

Example: Max Fosh infiltrated into The International Security Convention (the irony). He used a badge found on an Instagram post from the event (edited a little bit in Photoshop, then printed) -> video: https://youtu.be/qM3imMiERdU.

Also, many employees talk about their job title in their social media outlets. This can help a social engineer to profile how many people may be in a department and how the departments are structured.
Other sources & techniques: Apple/Google Maps (for an idea about the target’s buildings, ways in & out), Google Dorks, WhoIs, NMAP, Maltego, forums, overhearing conversations, flirting with the target, public reports, or simply the trash (you’d be surprised how much sensible information is literally dumped).
Attackers look for the links between the information extracted from all sources, to create a whole profile. This profile includes contact numbers, biographies, email naming conventions, special words or phrases that can help in password profiling, family members, physical locations, purchases, leases, contracts, favorite foods/teams/music, the service companies used, etc. Everything is processed in order to find vulnerabilities and come up with the best attack strategy.

Elicitation

In training materials, the National Security Agency of the United States government defines elicitation as “the subtle extraction of information during an apparently normal and innocent conversation.” Generally speaking, being able to use elicitation means you can fashion questions that draw people out and stimulate them to take a path of a behavior you want.
This method works so well because the conversation can occur anywhere the target feels comfortable (their routine places, for example). Other reasons are that:
– most people have the desire to be polite, especially to strangers
– professionals want to appear well informed and intelligent
– if you are praised, you will often talk more and divulge more
– most people would not lie for the sake of lying
– most people respond kindly to people who appear concerned about them.
Goal: obtain information then utilize that information to motivate a target to the path you want him to take (only through casual conversation). Therefore the attacker must be ‘natural‘, well informed about the subject he’s talking about, and not greedy with the questions, to avoid raising any red flag.

Preloading

Preloading can be a critical part of elicitation, and denotes just what it says—preload targets with ideas on how you want them to react to certain information. It is often used in marketing messages (e.g. movie trailers soundtrack).

A simplistic example: a friend walks up and says, “I have to tell you a really funny story.” What happens to you? You might even start smiling before the story starts and your anticipation is to hear something funny, so you look and wait for opportunities to laugh. He preloaded you and you anticipated the humor. Another one: interrogators would say “Now think carefully before you answer the next question…”. This kind of statement preloads the target’s mind with the idea that he must be truthful with his next statement.

Basically, it’s all about being able to plant ideas or thoughts in a way that is not obvious or overbearing, as a first step, before starting the actual attack. Because you ‘preloaded’ the target, when the time arises to present an absurd idea, it will most probably be accepted.

A successful elicitor:

• offers a non-judgmental ear for people to talk about their problems
• appeals to someone’s ego (e.g., when you praise someone, they’ll usually express their humbleness by talking about how the situation actually is => valuable information)
• expresses a mutual interest
• makes a deliberate false statement (we have the desire to inform others, appear knowledgeable, and be intolerant to misstatements => valuable info when you’re being corrected by the others)
• offers information in a conversation, because it almost compels the target to reply with equally useful information
• uses the effects of alcohol, if possible, as it loosens the victim’s lips. This is an unfortunate but true fact.
• uses more open-ended questions (those that cannot be answered with yes or no)
• uses assumptive questions (to determine whether or not a target possesses the information you’re after).

Pretexting: How to Become Anyone

Pretexting is defined as the background story, dress, grooming, personality, and attitude that make up the character you will be for the social engineering audit (you create a new identity). Chris Nickerson: it is not about living a lie (…). You are, in every fiber of your being, the person you are portraying. The way he walks, the way he talks, body language—you become that person.

What is a good pretext based on? First of all, the quality of the information gathered beforehand. Then, the practice of dialects/expressions, the simplicity (the simpler the pretext the better the chance of success), confidence (helps a lot in convincing the target you are who you say you are; usually achieved by involving personal interests in the pretext), and the finale: providing a logical conclusion or follow through for the target.

Example: a popular malicious pretext right now is the fake ‘fund raiser’, who takes advantage of the current Ukrainian crisis. These individuals behave like they care, presenting the atrocities of war (simple pretext that triggers people’s emotions), and demand money for helping Ukrainians (the logical conclusion). The same happened right after 9/11 , 2001.

Modes of thinking & the senses

A social engineer has to understand the modes of thinking. Why? Well, if you can first figure out the target’s dominant mode of thinking (and then use it yourself in subtle ways), you can unlock the doors of the target’s mind and help him actually feel at ease when telling you even intimate details. So, how can you figure out someone’s dominant mode of thinking?

The world is brought to our brain by our senses: sight, hearing, touch, smell, taste (traditional classification). The modes of thinking are associated with only 3 of them. Therefore, we have the:

• visual thinker (majority): usually remembers what something looked like (colors, textures, brightness / darkness). He can clearly picture a past event and even build a picture for a future event. This individual usually makes a decision based on what is visually appealing to him regardless of what is really “better” for him. Often uses words like: “that looks good to me”, “I get the picture now”. Also, visuals need to look at the person speaking to communicate properly.
• auditory thinker: remembers the sounds of an event in detail (e.g., the alarm was too loud, the woman whispered too low, the scary bark of the dog). Of course, he learns better from what he hears, as in this case the sounds themselves help recall memories. May use phrases such as: “loud and clear”, “something tells me”, “that sounds ok to me”. Whole encounters can go from great to a disaster with one wrong word spoken to an auditory thinker.
• kinesthetic thinker: remembers how an event made him feel—the warmth of the room, the beautiful breeze on his skin, how the movie made him jump out of his seat with fear. Often kinesthetic thinkers feel things with their hands to get the sense of the objects. May use phrases such as: “I can grasp the idea”, “I’ll get in touch with you”, “I just wanted to touch base”, “how does it feel?”. They don’t really react to sights and sounds, thus, social engineers have to get in touch with their feelings to communicate with them efficiently.
  This is the type of people that must touch everything in the grocery store when they shop, whether they need it or not. By touching the objects, they make a connection. This is what helps them clearly remember the things later.

Asking questions that contain some of the key dominant words, observing a target’s reactions, and listening can reveal what dominant sense he or she uses.

Let’s take the example of an excellent salesguy, Tony, who can figure out someone’s dominant sense in 60 seconds. When he first engages the target, he has a very shiny silver-and-gold pen in his hand. He gestures a lot and notices whether the person follows the pen with her eyes; if she does slightly, Tony will continually make the gestures bigger to see whether her eyes follow. If that doesn’t seem to work in the first few seconds, he will click the pen open and closed. It isn’t a loud noise, but loud enough to disrupt a thought and draw someone’s attention if she’d be an auditory. If he thinks that is working, he will click it with every important thought, causing the target to have a psychological reaction to the sound and what is being said. If that doesn’t seem to work, he will reach over the table and tap her wrist or forearm, or if he is close enough, touch her shoulder. He doesn’t touch excessively, but enough to see whether she will shy away or seems overly happy or disturbed by the touch. At this point, he’s most likely guessed the correct sense and starts to move the conversation in that direction, to make the target more comfortable.
Why exactly does Tony do all of this stuff? Think about it: if someone makes you feel “warm and fuzzy”, or seems to understand what you are saying, or where you are coming from, you easily open up to, trust, and let that person in your circle.

Microexpressions

Microexpressions are facial expressions which are not easily controllable and occur in reaction to emotions. Many times they last for as short as one-twenty-fifth of a second. Because these expressions are involuntary muscular movements due to an emotional response, they are nearly impossible to control. Social engineers use them to notice deception and figure out how the target is really feeling, in order to act accordingly. Another crucial reason is stated by Dr. Paul Ekman: If producing the facial expression can cause the emotion, that must mean that our facial movements can affect the emotions we feel, and maybe even the emotions of those around us. Basically, social engineers practice producing the facial expressions voluntarily, as it makes it easier to achieve a certain emotional state.

Let’s take a look at the microexpressions linked with some basic or biologically universal emotions:

• Anger (one of the easiest to spot): the lips become narrow and tense. The eyebrows slant downward and are pushed together, then the most noticeable characteristic comes into play: the glare.
• Disgust: often characterized by the upper lip being raised to expose the teeth, and a wrinkling of the nose. May also result in both cheeks being raised when the nose is wrinkled up, as if to try to block the passage of the bad smell or thought into one’s personal space.
• Contempt: very strong emotion that is often confused with disgust. Contempt is only experienced about people or the actions of people, but not about tastes, smells, or touches (Dr. Ekman). Contempt is distinguished by wrinkling the nose and raising the lip, but only on one side of the face, whereas disgust is the raising of the whole lip and the wrinkling of the whole nose.
• Fear: often confused with surprise because the 2 emotions cause similar muscular reactions in the face. The eyes are open wide, the eyebrows are crunched together inward. The lips are pulled together and out towards the ears. Fear can be a big motivator to do many things that you (or your target) would not normally consider doing.
• Surprise: the eyebrows are raised (eyes open wide), the jaw is unhinged and opened slightly.
• Sadness: overwhelming and strong emotion. It can also be very subtle. Mouth is open only slightly, the corners of the lips are down and the cheeks are raised a little. The eyes look down and the eyelids droop. Because we can feel it ourselves when seeing other people expressing this emotion, social engineers use sadness in their advantage a lot.
• Happiness. The true and the fake smile are an important aspect of human expressions to know how to read, and as a social engineer to know how to reproduce. When a person smiles for real, de Boulogne indicates, two muscles are triggered, the zygomaticus major and the orbicularis oculi. He determined that the orbicularis oculi (muscle around the eyes) cannot be triggered voluntarily and that is what separates a real from a fake smile. Therefore, even if recent research indicates some can train themselves to trigger that muscle, more often than not a fake smile is all about the eyes. A real smile is broad with narrow eyes, raised cheeks, and pulled-up lower eyelids (it usually involves the whole face, from the eyes to the mouth).

Showing genuine emotions is known to be a difficult task. One of the tricks actors use to be able to successfully show proper emotion is to remember and focus on a time when they truly felt the emotion they need to portray. Learning to correctly exhibit the subtle hints of microexpressions can cause the neurons in your target’s brain to mirror the emotional state they feel you are displaying, making your target more willing to comply with your request.

On the other hand, using this knowledge, there are 4 things that can help you detect lies / deceit in a target:

• contradictions: watching the person’s microexpressions while you question him about a contradiction is always helpful.
• hesitation: if you ask a question and the answer should have come quickly from the person, but he hesitates beforehand, it can be an indication that he was using the time to fabricate an answer or to decide whether he wants to reveal some facts.
• changes in behavior: during a discussion the target may change his behavior every time a certain topic is brought up. Maybe you notice an expression change or a shift in the way he sits, or a marked hesitation. All of these actions can indicate deceit.
• hand gestures: many professionals state that when someone is being untruthful he will touch or rub his face often. Some psychological connection exists between rubbing the face and generating a fabrication. Taking note of a change in the size, frequency, or duration of hand gestures during different topics in the conversation is important.

Why exactly do social engineers want to detect deceit? If their pretext is someone with authority (manager or department supervisor), and they catch someone lying, they can use that in their advantage. By “forgiving” the person, they are now owed a favor in return.

Neurolinguistic Programming (NLP)

NLP was developed in the 1970s by Richard Bandler and John Grinder with the guidance of Gregory Bateson. Without any regulating body, the field grew as everybody wanted to learn to control others, lie without getting caught, or solve all their psychological problems.

The new/modern approach of NLP states that to make a change, the unconscious mind of the target must be involved, the new behavior must satisfy their original positive intention, and the change must occur internally, at the state of mind, rather than at the behavioral level. This new code suggests how NLP can create serious and drastic changes to a person’s thinking.
Example: increasing your sales by getting someone to start talking about their dreams. Once you have them talking about certain goals or aspirations, you can position your product or service as answering one of the needs to reach those goals. By positively building on your product as fitting a need they have, you give your potential buyer’s brain a way to connect your product with positive sales.
For a social engineer, NLP comes down to using voice, language, and choice of words to guide people down the path he wants.

You can ‘inject’ commands into people’s mind without their knowledge (yes, I know how that sounds), and the way you say things is where the injection occurs; it’s a moment framed within regular conversation. Sometimes how you say something is more important than what you say. Therefore, using the tones of your voice to emphasize certain words in a sentence can cause a person’s unconscious mind to focus on those words.

For the next few paragraphs, the pink, bold font denotes the words spoken with a lower (deep) voice tone. Good social engineers jump between tones very subtly. It’s an ability that is refined with hours of practice.
“Remember how clean your room looked last Christmas?” The embedded command is “clean your room”, which includes a time shift to a happier time. This is an example of a pleasant, painless injection.
“Buy now, you can see the benefits!” This one starts with the voice low, then up to a normal tone, then back down for benefits.

If you pay close attention to the way some politicians speak or to the voices in commercials, you’ll most likely notice this technique. NLP is a powerful topic, and, much like microexpressions, this section only scratched the surface.

Interview & Interrogation

The main difference between an interview and interrogation is that an interview is in an atmosphere where the target is comfortable both physically and psychologically. In an interrogation the intention is to put some pressure on the target by creating discomfort, with the goal of gaining a confession or some knowledge the target possesses. Interrogation principles are used widely by successful social engineers. It’s a skill they’ll spend a considerable amount of time obtaining.

When starting an interview or interrogation, areas observed for changes in the subject are: body posture (upright, slumped, leaning away), skin color (pale, red, white), head position (upright, tilted, forward/back), eyes (direction, openness), hands/feet (movement, position, color), mouth/lips (position, color, turned up/down), voice (pitch, rate, changes), words (short, long, number of syllables, dysfunctions, pauses). Changes can indicate a question or line of questioning that needs more attention. Professionals don’t watch for only one sign, they watch for groups of signs.

Examples: defensive posture (the torso is pointing away and the eyes are averting from looking at you), usually appears after asking a question which the target will not answer with the truth. When you feel threatened or scared, your body’s natural reaction is to pull the elbows in towards the rib cage. An increase in movement or “fidgeting” during an interrogation can show an increase in stress levels, signifying that the interrogation is having the desired effect. Blurting out answers quickly is believed to be a sign of practicing the answer. An open palm might indicate sincerity.

Social engineers have to determine what is “natural” in a target (i.e. the baseline) very fast. Being very observant is the key to success with this skill. A method of figuring out the baseline involves asking questions that cause the suspect to access different parts of his brain. The interrogator asks first nonthreatening questions that require simple memory and questions that require creative thinking. Then looks for outward manifestation of his brain activating the memory center, such as microexpressions or body language cues. This way, he knows what to expect when asking the real questions.

Theme development in police interrogations is when the interrogator develops a story to postulate why the suspect may have committed a crime. “So he insulted you and you got so mad, you grabbed the pipe and began hitting his windshield with it.” While the officer is telling the story, he or his partner is watching the body language and microexpressions of the suspect to see if there are any clues that would constitute agreement.

The Department of Defense has different approaches that professional interrogators use, and social engineers have a lot to learn from them.

• Direct approach: The confidence, attitude and manner of the interrogator rules out that the suspect is innocent at all. Without threatening, the interrogator disarms the suspect by telling him anyone else would have done the same thing. Social engineers use this if their pretext is a person who has power over the target. They assume the target “owes” the response they seek.
• Indirect approach: The suspect is allowed to tell his side of the story in detail and the interrogator looks for omissions, discrepancies, and distortions. The interrogator’s job is to let the suspect know that the best course of action is to tell the truth.
• Sympathetic approach: The interrogator drops his voice and talks in a lower, quieter tone that gives the impression he is an understanding person. He sits close to the suspect and maybe puts his hand on the suspect’s shoulder or pats him on the arm. Physical contact at the right time is very effective.
• Emotional approach: It plays on the morals or emotions of the suspect. Questions such as, “What will your wife or kids think about this?” are used. The thoughts that are aroused emotionally upset him and make him nervous. As these emotions manifest themselves, the interrogator can capitalize on them.
• Logical approach: This non-emotional approach presents strong evidence of guilt. The interrogator should sit erectly and be business-like, displaying confidence.
• Indifferent approach: The interrogator acts as if he does not need the confession because the case is solved. At that point the interrogator may try manipulating the suspect into giving his side of the story. Social engineers use this when they’re caught in an area or situation they should not be in, by acting indifferent instead of afraid that they’ve been caught. It can cause the person who caught them to not be alarmed as much and afford them an opportunity to dispel any worries.
• Face-saving approach: The interrogator should rationalize the offense, giving the suspect a way out and an excuse to confess and save face.
• Egoistical approach: It’s all about pride. For it to work you need a suspect who is very proud of an accomplishment. Bragging on good looks, intelligence, or the way the crime was performed may stroke his ego enough that he wants to confess to show that, indeed, he was that smart.
  Playing up someone’s accomplishments gets them to spill their deepest secrets. In the case of a U.S. nuclear engineer visiting China, social engineers loaded the man with compliments, and he spilled the beans and divulged information he shouldn’t have.
• Exaggeration approach: If an interrogator overexaggerates the case facts, the suspect may admit to what was real. Social engineers use this approach by overexaggerating the task they are there to perform. By overexaggerating the reason for being there you can give the target a reason for providing you lesser access. Example: “I know Mr. Smith wanted me to fix his computer personally because he lost a lot of data, but if you don’t feel comfortable with that, I can potentially fix his problem from another computer in the office.”
• Also, a suspect rarely confesses his transgressions all at once. Getting him to make minor admissions, such as he was on the site, owned the weapon in question, or owned a similar car, can move him toward admitting more and more, eventually leading to a complete confession.

Gesturing is often used to get better answers in these situations. There are techniques like anchoring (linking statements of a type with a certain gesture, e.g. positive with right hand movement, negative with left hand movement), or mirroring where you try to match your gestures to the personality of the target. Mirroring not only involves mimicking a target’s body language but also using gestures that make it easy for a person to listen to you. Seeing gestures a target is familiar with can be comforting to him or her.

Finally, if you want to know how far some people can go for the sake of “interrogation”, take a look at C.I.A.‘s Project MK-Ultra. You won’t be disappointed .

Building Instant Rapport

Basically, it’s the ability to make friends with someone in a matter of minutes, and it is a vital skill for social engineers. Wikipedia defines rapport as being ‘in sync’ with, or being ‘on the same wavelength’ as the person with whom you are talking. So, how does a social engineer build rapport?

• he likes people and enjoys interacting with them. People can see through fake smiles and fake interest, and they need to feel you are genuinely concerned to build that trust relationship.
• he takes care with his appearance: clothing, body odor, cleanliness, movements, facial expressions. He adapts all these factors to the target (using information that was gathered about their preferences). Also, “if a person is not comfortable with himself, others will not be comfortable with him either.”
• he’s a good listener. He realizes a major difference exists between hearing and listening. It’s commonly believed that people retain much less than 50% of what they hear.
  He pays attention, does not fiddle with the phone or other gadget, does not interrupt, and tries hard not to think ahead and plan his next response. If you are planning your next response, you will not be focused, and you may miss something important, or give the target the impression you don’t really care.
  He doesn’t forget to smile and provide proof that he’s listening, by nodding (once in a while) and rephrasing some of the ideas of the target.
  He doesn’t always let his personal beliefs and experiences filter the message coming his way. If he does that, he may not truly “hear” what the speaker is saying.
• he keeps the conversation off himself. We all love to talk about ourselves – it is human nature. So, he lets the target talk about herself until she gets tired of it (you’d amazed at how much information they release); he’ll be deemed an “amazing friend”, “a “perfect husband”, or whatever title he’s seeking.
• he tries to identify and understand the underlying emotions, then uses reflection skills to make the person feel as if he’s really in tune with him. Nothing builds rapport more than when people feel like you “get them.”
• he’s curious and he has a strong general knowledge. Knowledge is power, right? It makes you interesting and gives you something to base a conversation on. Also, when you become curious about others’ lifestyles, cultures, and languages you begin to understand what makes people ‘tick’.
• he’s open minded enough to look into another’s thoughts on a topic, even if those thoughts differ from his. This keeps you from being rigid and unbending in your personal judgments. You may not personally agree with certain topics, beliefs, or actions but if you can remain nonjudgmental, then you can approach a person by trying to understand why he is, acts, or portrays a certain way.
• he finds ways to meet any of the 4 fundamental psychological needs for humans (stated by Dr. William Glasser):
  – belonging/connecting/love
  – power/significance/competence
  – freedom/responsibility
  – fun/learning
  If you can create an environment to provide those needs for people, you can create bonds that are unbreakable. You just have to look at how successful social media platforms have become, and how hard it is to let them go. It’s because they are environments that mainly satisfy needs like belonging/connecting and fun.

Using these rapport-building techniques as well as matching energy levels, facial expressions, and the like, he can build strong rapport on a subliminal level.

Let’s take a police interrogation example that proves this point about the power of rapport to make people comply with requests. The officers had arrested a man who was a peeping tom. He had a fetish where he loved to invade the privacy of women who wore pink cowboy boots. The agent, instead of judging him for the freak he is, used phrases like, “I like the red ones myself,” and “I saw this girl the other day wearing short shorts and high cowboy boots, wow!” After just a short time he began to relax. Why? He was among like-minded people. He felt connected, part of the crowd. Their comments put him at ease and he began to spill his guts about his “habits.”

The Human Buffer Overflow

Buffer overflow is a well known vulnerability in the world of software security. Simply put, a buffer is a space (usually of fixed size) given for something to happen or to hold data.
If the program does not properly check the ‘limits’ of a buffer, a hacker can overload it with data until the program crashes, or, a part of that data fills a memory zone next to that buffer. If that adjacent memory zone happens to be a place where the program looks for instructions to execute, then it can execute instructions given by the hacker. Oof.

Well, it looks like this can also be applied to the human mind. If a certain dataset does not fit the space we have for it, what happens? Unlike a computer, your brain doesn’t crash, but it does open up a momentary gap that allows for a command to be injected so the brain can be told what to do with the extra data.

The simplest example of this is having color names written using another color. We’ve all been through this: YELLOW BLUE ORANGE BLACK RED GREEN PURPLE YELLOW GREY GREEN. As fast as you can, try to read the color of the word, not what the word spells.
After a couple of fast reads and struggles (which means a lot of data to process at once) you’ll read the word and not the color. The data ‘overflow’ made the command injection possible, as our mind is not good at concentrating on 2 things at the same time.

Social engineers understand how we make decisions in life, in order to perform such buffer overflows. People make most of their decisions subconsciously, including how to drive to work, get coffee, brush their teeth, and what clothes to wear without really thinking about it. The goal is to bypass the “firewall” (the conscious mind) and gain access directly to the “root of the system” (the subconscious). This is done with Embedded Commands, which are usually short (3 or 4 words), hidden in normal sentences, and accompanied by facial/body language.
Examples: In marketing / commercials, some information is presented first (studies, reviews, functionalities etc.). This information is usually intriguing and stimulates the imagination of the target, thus, the conscious mind stops to process it. This is quickly followed by words like: “Buy now!”, “Act now!”, “Follow me!” (the commands, targeting the subconscious).

When a social engineer applies this method directly (i.e. live, during dialog), while the conscious mind is connecting the dots, so to speak, the unconscious mind has little option but to comply if an embedded command exists.

An example (from personal experience) is the scammer from big cities (I found this one in Rome, he was from Africa) who builds rapport with random tourists and gives them bracelets (apparently for free). But, when the tourist tries to leave, this “friendly guy” becomes serious, and starts telling emotional stories about how his family struggles to live, demanding some money “to help them”. Because the tourist was given the bracelet, he’ll most likely feel that he needs to give something in return (there also a fear of ‘bad vibes’). So, instead of giving the bracelet back (which, btw, the scammer refuses to take back), the tourist takes his money out (the worst mistake you can make in this context).
Up to this point, there’s no buffer overflow, but now, when this scammer sees the (not so modest) amount of cash you have, he decides to go for this dirty technique. If the tourist tries to hand him a small bill (only 5€ let’s say), he quickly takes his money out, and starts to talk a lot of words in a very broken English, from which only the word ‘change‘ can be understood. While holding his money, he continuously repeats these words, faster and faster (this is the data that overflows your conscious mind – you start thinking what the hell is he actually saying), and among them, the only word you can somehow discern is still ‘change‘ (the command to be injected). So, guess what: you’ll take out a much bigger bill and you’ll hand it to him, thinking that he only wants to change the money (changing money is a well known, familiar & legit procedure to our subconscious)… He takes it, and gives you only a much smaller bill in return (that is, if you’re lucky). And that’s it. He’ll continue with the same broken English, while getting away from there, leaving the tourist still processing the situation.
Believe it or not, they make enough money to live a decent life (for some time) with this stupid trick, in big cities (Paris, Rome, Barcelona, Lisbon a.s.o.). However, there’s people who play with these scammers, to harass them back, like this guy. Sometimes, catching them becomes fun :)) .

Influence: the power of persuasion

This is the process of getting someone else to want to do, react, think, or believe in the way you want them to. True influence is elegant and smooth, and most of the time undetectable to those being influenced. After reading this section, you’ll start to get irritated at the shoddy attempts of marketing people and, if you are like me, you will begin to rant and rave at terrible commercials and billboards (they are fuckin’ everywhere).

Let’s take a look at some influence tactics, shall we?

Reciprocation

It’s the simple principle of “you do something for me, I do something for you”. Simple example: I hold the door open for you first, and most likely you’ll hold the next door open for me. This rule is important because often the returned favor is done unconsciously, and it is seen as part of the moral codes.
Politicians are influenced in much the same way. It is no secret that many times politicians or lobbyists are more favorable to people who helped their political campaign than those who did not.

Social engineers give something away, and that thing must have value – to the recipient. The more value the gift has and the more unexpected it is, the greater the sense of indebtedness.

An example is, of course, negotiation. The seller starts with a big price, the buyer with a much smaller offer. Gradually, each of them gives up a part of the possible earning, one by one, until they reach a deal (reciprocation/concession: if the seller dropped the price this much for me, I can give him a little more).
Children can use this trick when demanding money from the parents. If they need 5€, but they start by asking for 30, then 20, it is more likely they’ll end up with 5 or even 10.

Scarcity

People often find objects and opportunities more attractive if they are rare, scarce, or hard to obtain. This is why you will see ads filled with “Last Day”, “Limited Time Only”, “Only 3-Day Sale”, “The first X users will get Y discount” and “Going Out of Business Forever” messages that entice people to get a share of the soon-to-be-never-seen-again product. In economy, the rarer the resource, the higher the perceived value the object retains (e.g., gold). Social events can often appear to be more exclusive if scarcity is introduced.
Some dating advice for men is based on this concept as well. One might act like he’s very busy on a regular basis, and free time is hard to come by. For this reason (especially if he’s built a good reputation), this man can be seen as of high value. In lots of cases, women feel much more attracted to this kind of man, also because he does not give them attention or validation, like the majority of men do (by approaching & flirting with them). So, in order to get her validation from this man as well, an attractive woman will most likely do the 1^st step in the game of seduction. From personal experience, I can tell you that this is some pretty good advice, but it requires a lot of self control, self love, and self confidence.
For a social engineer, using scarcity mixed with other principles can also make the attack even deadlier. Either way, scarcity creates a desire and that desire can lead someone to making a decision he might regret later.

Authority

People are more willing to follow the directions or recommendations of someone they view as an authority. Therefore, social engineers may impersonate persons with:
– legal authority: law enforcement, security guards, lawyers;
– organizational authority: CIO or acting as sent or authorized by the CFO;
– social authority: refers to ‘natural-born leaders’ of any social group. In Western countries, there are 3 authority symbols : titles, clothes, automobiles. Using the right combination of these and an assertive attitude when approaching the target, a social engineer can easily intimidate him/her.

Example: in the BOR Recorder investigation, an expensive car (w/ the clothing) gives the ‘respected‘ status to the undercover journalist, whose pretext is a politician who wants to do business with the church.

Commitment & Consistency

People value consistency in others, and they also want to appear consistent in their own behavior. If a social engineer can get a target to commit to something small (an act or a simple “yes”), usually escalating the commitment is not too hard. Robert Cialdini states: “(…) once we make a decision, we will experience pressure from others and ourselves to behave consistently with that decision. You can be pressured into making either good or bad decisions depending on your past actions”.

Simple example – a phone conversation often used by solicitors goes something like this:
“Hello, how are you today?” You answer, “I am doing great.” Now, the exploit: “That is good to hear, because some people who are not doing so great can use your help.”
You can’t really go back on what you said now, because you are still doing great and committed to it.

Being aware that it is okay to say “no” can save you from committing to something that could be disastrous. Yet sometimes we convince ourselves that saying “no” is some form of cardinal sin that needs many prayers to be forgiven.

Liking

Other than making themselves liked at the psychological level, social engineers take into consideration their physical attractiveness as well. Humans tend to automatically “like” those who we find attractive. As vain as that sounds, it is the truth. Some serious psychological principles back up this idea.

The “What Is Beautiful Is Good” study proved that people tend to link beauty with other successful qualities and it alters their opinions and ability to trust someone. This effect is often used in marketing. Beautiful people are given products to drink, eat, and wear, and other people will automatically assume these things are good.

A good social engineer knows the target (how does he dress, what does he consider bad and good) so he/she can successfully look the way the target would expect. The social engineer will project a confident and positive attitude, will look for things to compliment people on, and will wear clothing, hairstyles, jewelry, makeup that won’t shock, surprise, or disgust anyone.
Smart compliments tend to reinforce a target’s self image, making him feel as if you have a greater-than-normal understanding of him.

Consensus / Social Proof

Social proof is a psychological phenomenon that occurs in social situations when people are unable to determine the appropriate mode of behavior.

Dr. Robert Cialdini states in one of his books: “Social proof—people will do things that they see other people are doing. For example, in one experiment, one or more confederates would look up into the sky; bystanders would then look up into the sky to see what they were seeing. At one point this experiment is aborted, as so many people were looking up that they stopped traffic.”
“One means we use to determine what is correct is to find out what other people think is correct…We view a behavior as more correct in a given situation to the degree that we see others performing it.”

Social proof is not just influenced by large groups, but also by high-profile individuals. For instance, a single celebrity becoming associated with a product will make others want to be associated with the celebrity’s positive traits, and they will then use the same product.

A social engineer uses this principle to stimulate a person’s compliance with a request by informing him or her that many other individuals, perhaps some who are role models, took the action or behavior you are trying to get this person to do. He uses social proof under 2 conditions: uncertainty (when people are unsure and the situation is ambiguous, they are more likely to observe the behavior of others and accept that as being correct) and similarity (people are more inclined to follow the lead of others who are similar to themselves).

Altering Reality: Framing

Framing is your own personal experiences and the experiences of others that you allow into your conscious mind to alter the way you make decisions. Basically, anything that can alter people’s perceptions can be called framing.

You can see simple examples of this when inspecting grocery store products. On many of them it’s written that they contain 25% of some good stuff instead of 75% of the bad stuff.
Simply presenting the facts in a different way can make something that would normally be considered bad,seem good. Hence, framing has long been used in politics.

Our minds are designed to not like “clutter” or chaos. When presented with frames that are cluttered (e.g. images with optical illusions), our brains will try to make order out of them. Your mind will insist on finding familiar patterns in things. We do it in clouds, space, and inanimate objects. Humans also tend to see faces in these things. Example – just take a look at texts like this: O lny srmat poelpe can raed tihs. The fact that you easily read it has to do with the brain trying to make order out of chaos, by default.

Many times companies will use subtle measures of framing to plant an idea. They know that logic convinces someone an action is good to take, but emotion is what makes the action happen.

E.g. in logos: in the FedEx logo you can also see an arrow (frame between ‘E’ and ‘x’); in the Amazon logo, the arrow can be seen as a smile, which connects ‘a’ to ‘z’ (the frame is that Amazon has everything, and it makes you happy).
In an expensive clothing store—when you walk in, everything is hung neatly, pressed, and perfect. The items are evenly spaced and in little amount. The perception can be that the clothing is worth the exorbitant price.

Social engineers know that a frame is a conceptual structure that our minds use in thinking. So, their goal is either to create a new frame, align with a person’s frame, or bring the target into their frame. However, people tend to overlook frames or proposed frames if a link does not exist to a core belief or a value of their belief system.

E.g.: Vladimir Putin‘s regime frame about Ukraine. It’s strongly connected to events of WW2 when Russians fought & defeated the Nazis (in their attempt to conquer some of Russia), who were seen as the worst people on the planet (there were reasons for that ofc). Since then, this win is a crucial event for Russia (even transformed in propaganda) and is intensively thought as one of the most important history lessons in Russian schools. Now, because defeating Nazis turned into a national value/core belief there, the frame that Ukraine has to be “eliberated” and “de-nazificated” is used by Putin, and, if you pay close attention, there still are a lot of Russians who believe him.

Because our minds work by picturing things, social engineers use words which are descriptive and robust (“imagine this and that“). They deliver stories that cause the target to picture the frame they want, while involving him emotionally. After planting the idea, they may repeatedly cause the target to think about the frame, as this reinforces it tremendously.

You can learn a lot from looking at how media utilizes this skill. By using omissions, or leaving out details of a story or the whole story itself, the media can lead people to a conclusion that seems like their own, but really is the media’s. This method is effective because it bends the truth but not so much that it becomes false, so it remains believable.

Manipulation: Controlling Your Target

The aim of manipulation is to overcome the critical thinking and free will of the target. The social engineer doesn’t want to alert the target he is being manipulated.
Some of the following methods may be very controversial and downright horrible, but they are used each day by scammers, identity thieves, and the like. One of the goals can be to create anxiety, stress, and undue social pressure. When a target feels that way he is more likely to take an action that you want him to take.

Simple but innocent example: diverting the target’s attention to something other than the problem at hand can give you enough time to finish your job (until he realizes what is actually happening). For instance, if you are caught by a security guard, instead of getting nervous, you could simply look at him with confidence and say: “Do you know what I am doing here? Did you hear that some USB keys have been lost with very important data on them? It is imperative we find them before everyone comes in tomorrow. Do you want to check the bathrooms?”

Manipulation is used in 6 ways that hold true whether the topic is brainwashing or something less insidious. You shouldn’t fancy the details, but I know you want them. Here you are.

1. Increasing the suggestibility (i.e. the desire to cooperate) of the target. It can involve using NLP skills (discussed previously) or other visual cues. A social engineer can make sure the whole setup is geared towards his target – the phrases used, the word pictures painted, the clothing colors chosen to wear. Knowing his likes, dislikes, kids’ names, favorite teams, and favorite foods, and then using this to create an emotional environment will bring great results. At its most extreme, sleep or food deprivation increases suggestibility the fastest.
2. Gaining control over the target’s environment. Can involve everything from controlling the type and quantity of information to which a target has access, to much subtler things like gaining access to a target’s social media websites. Being able to use social networks to find out what triggers they have is a powerful skill.
   Good social engineers locate the target’s social circles, whether online or in the real world, and spend time planning how to get in and control that environment. How? Well, they again take time to build relationships in there, and gather information before the final blow is administered.
3. Creating doubt/ forcing the target to reevaluate. This one is very negative because it’s used to make someone doubt what he/she has been told (most probably for years) to be true. It’s basically destabilizing and undermining his/her belief system.
   A manipulator makes his victim question the rules they follow, their job, or any other belief, in order to affect her ability to make rational decisions. Cults use this tactic to prey upon those looking for guidance through life. Many times, people who feel lost or confused are convinced that their whole belief system needs to be reevaluated. When the cults have control they can be so credible that the victims can be thoroughly convinced that their family and friends do not know what is best (e.g., in recent years we’ve seen people leaving civilized countries to join ISIS).
   Social engineers usually apply this concept by presenting well-thought-out questions that can cause the target to reevaluate his stand on a topic and cause him to falter.
4. Creating a sense of powerlessness. Very dark, but effective tactic.
   To make a target feel a lack of confidence in her convictions, a social engineer presents “facts” he “received” from someone with authority, known by the victim. On the other hand, if his pretext is someone with power, he can act angry by the lack of response or the inability of the target to give quick answers. In this context, the social engineer also threatens his victim, causing her to doubt her position and feel loss of power. If the victim cannot take time to think about how to handle a problem, she must take a decision in a way she knows she shouldn’t.
5. Creating strong emotional responses in the target. That includes everything from doubt to guilt to humiliation and more. If the feelings are intense enough, they can cause the target to alter their whole belief system.
   Social engineers usually create an emotional response based on fear, loss, or punishment. In that context, a target might possibly do anything to “regain favor”.
6. Heavy intimidation. Of course, fear of physical pain or other dire circumstances can be used to make a target crack under pressure. Social engineers won’t go this route unless they are using corporate espionage as a tactic. They’ll use perceived authority to build strong fear and feelings of potential loss, by suggesting that failure to comply can lead to being laid off or other adverse consequences.
   Looking busy, upset, and on a mission can intimidate many. Talking with very authoritative expressions can also intimidate people.
   An experienced social engineer does not allow his emotions to get involved, and always assumes that the target will act the way he wants (by answering the way he wants, by granting all his requests). He knows that assuming what he wants will occur is a strong point, because it affects his mental outlook. The belief that you’ll get what you came for will create a new body language and facial expressions that will feed your pretext perfectly.

But, how about using positive manipulation? The difference is that the target doesn’t need therapy when you are done . This is useful in educating children, in convincing people to stop smoking or in making someone take up a good habit.

Concluding remarks

Let’s finish with some critical points about why all this madness usually works.

• people are designed to be trusting, to have levels of compassion, empathy, and a desire to help others
• most of us are not aware or do not realize the scale of the danger. Only when you know how the “criminal” thinks, and only when you are ready to look that evil in the eye and embrace it, can you truly protect yourself.
• you can throw money into intrusion detection systems, firewalls, antivirus programs, and other solutions to maintain perimeter security. With social engineering no software systems exist that you can attach to your employees or yourself to remain secure.
• companies tend to fear change. That’s why many of them fall behind with software updates and even mindset updates.
• when information is perceived as having no or little value, then little effort is placed on protecting it. You must realize the value of the data that you have and be aware of a tactic a social engineer might use to reduce the value of this information in your eyes.

Publications used for this article:

Social Engineering: The Art of Human Hacking – Christopher Hadnagy
www.social-engineer.com

26/02/2022: Ukraine’s president announced that anyone in the world can volunteer in the front line of defense of the country.
The problem is that most of these individuals and civilians lack military background or battlefield experience.
This article can serve as a starting guide for urban combat and for survival.
I also had hopes that nobody, especially in Europe, would ever need such information.
But here we are.

Some important notes beforehand

• I always try to remain unbiased and provide impartial &usefulinformation
• if there is anything that should be changed or added here, you can contact me (I’m open to suggestions)
• the war between Russia & Ukraine is not new, it has been going on since 2014 (I see a lot of people finding out only now)
• I have been following this conflict since 2018, when it was only a cyberwar, as it implied some of the most sophisticated hacks and vulnerabilities at the time (NSA related). Here is a list of the cyberattacks: https://en.wikipedia.org/wiki/Russian%E2%80%93Ukrainian_cyberwarfare
• if you want a pretty good explanation for why is all of this happening, you can find it here: https://youtu.be/If61baWF4GE
• always inform yourself from sources that verify (or at least discuss) the veracity of the information before posting it, like Wikipedia
• most of the tips enlisted here are from a former U.S. Marine with extensive fighting experience in Iraq, who chose to remain anonymous
• the current offensive in Ukraine is the biggest mistake I have ever witnessed. What I can say for sure, related to a possible happy ending, is that the Kremlin should be mature enough to:
  – admit its mistakes and stop the offensive immediately
  – accept help from the rest of the world to rebuild its democracy and Russia’s economy

Until then, the tips …

1. Stay out of the street! The worst place to be in an urban warfare environment is to be outside.
2. Doors are called “the fatal funnel”. It is human nature to try and enter through a door. Aim all your weapons at the door.
3. Block the door from the inside with anything you can, furniture, chairs, booby-traps, but keep a percent of mobility to it. The idea is to make the invaders think the door isn’t blocked. That way, when entering, they remain exposed for the longest amount of time possible.
4. Stairways are another crucial zone. Block the stairways with any obstacles you can to slow down invaders. This way you also make them pay attention to their feet, while you are upstairs.
5. If you throw grenades downstairs, have your magazine fully topped and ready. The invaders will most likely run up the stairs to run past the grenade blast. You’ll need all the ammo you have to gun as many down as possible.
6. When possible, cut small holes in the floor into the rooms below to fire into. People breaching rooms will look for threats directly in front of them and usually don’t look above or below until last.
7. Don’t sling your weapon around your body. If things go hand-to-hand it will hinder you.
8. Have a knife, spade, or club close by and readily available. If you have to fight hand-to-hand it’s much more handy than a rifle.
9. Never fire from the same window twice.
10. Never stick the muzzle of your rifle outside of a window. Don’t expose it.
11. Shoot from deep inside the room out the window. It will help hide the muzzle flash and reduce the noise, making it hard to tell where it came from.
12. If you wound an enemy, don’t kill him. Let his friends come to help him. Moving a wounded soldier means it will take 4 men out of the fight to carry him away. That’s 4 less rifles firing at you.
13. Shoot the men trying to evacuate the wounded soldier. It will demoralize them.
14. Keep as many carbohydrates an you and remember to eat and hydrate. Urban warfare is incredibly intensive.
15. Keep moving. Never stay in one spot very long.
16. One very accurately placed shot can hold up a lot of people for a long time. You don’t have to be a sniper. You just have to convince them there is one in the area.
17. Use the sewers in subways to move whenever possible.
18. Whenever possible, try to let other friends know where you are located, to avoid friendly fire. It’s very easy to start shooting at each other in an urban environment.
19. It may be consuming, but take the tracers out of your ammunition supply and refrain from using them.
20. Have one magazine of all tracer rounds. Use this magazine only when you need to let everyone else know where an enemy is located at. After using it, run away immediately.
21. Ammunition goes fast. Conserve what you have, especially when using automatic weapons. Take into consideration the recoil and fire only 2-3 shots at a time.
22. 10 men firing from several different buildings can appear to be a small army and stop a lot of people.
23. Rip down street signs, deface building names and do anything to strip the identity of where you are at. This will add confusion to an invading force.
24. Evacuate your wounded in a timely manner if possible.
25. If the enemy suddenly pulls back, GET OUT OF THE AREA IMMEDIATELY. It does not mean you are winning. It means they are going to call in heavy artillery or an air strike on your position.
26. If you are going to lose an area, poison common water supplies. Most likely, an enemy will try to refill their supplies at the closest source.
27. Cluster your booby traps in close proximity to create paranoia.

Also …

• in combat, you are going to experience horrible things: collapsing buildings, dead people, mutilated/burnt corpses of humans and animals, your friends disappearing a.s.o. This is the nature of war. You have to keep that in mind, as everything will happen very fast. Panic is your worst enemy, while the adrenaline rush is probably your best friend.
• You have to keep yourself calm and collected at all times. This will help you be aware of everything that is happening around you. You cannot lose yourself.

Good luck.

Team ‘The Few Chosen’: Noria, D. Toma, Spurge
Won: 3rd place
National ranks: https://unr21s2-echipe.cyberedu.ro/#ranks

These writeups can also be found here.

Writeup link here.

In this world of ever evolving malware, its behavior and the methods used to fight against it become essential knowledge for anyone involved in the IT industry. This article aims to shine a light on the aspects stated above, in order to help computer users stay safe and to stimulate the development of better security solutions.

Shall we ? . . .

I. OS processes: why are they so important?

• when a file is executed, it becomes a process among the other already existing ones
• processes have loaded modules (DLLs) and threads
• each process can write into the virtual memory of another process (code injection)
• many malicious entities use clean processes (e.g. cmd.exe, regedit.exe, explorer.exe) to execute their payloads
• they are directly used by the malware detection solutions

II. Which are the malware detection methods?

III. Which are the challenges and goals of solutions based on dynamic detection?

• a single action performed by a process is usually insufficient to distinguish between malware and legit applications
• advanced malware can avoid detection by separating malicious actions into multiple processes through process creation or code injection => necessity to monitor malicious groups of processes at once instead of individual ones.
• system remediation after detection: find which process created / handled the malicious files, check if those files were executed, if the process compromised other processes, or if any registry changes were made => in the end, everything should be reverted
• definitive goal: classify processes as clean (Negative) or infected (Positive). The result can be:
  • True Positive (TP) – the entity was correctly classified as malicious
  • True Negative (TN) – the entity was correctly classified as clean
  • False Positive (FP) – the entity was erroneously identified as malicious (false alarm)
  • False Negative (FN) – the entity was erroneously identified as clean

IV. But what do we need for dynamic detection?

• heuristics – each heuristic is an algorithm (function) that analyzes the actions intercepted through monitoring; in case of any peculiar action identified, the heuristic triggers an alert which is passed to an evaluation engine
• interception mechanisms of the OS (for file system, processes, API etc., which entail complex components – drivers, DLLs) that provide the actions to the heuristics – we’ll focus on Windows here, as this is the most targeted OS

V. Which are the interception (filtering) mechanisms of the Windows OS?

• File System Filtering – uses file system drivers, kernel-mode components that can monitor / modify / prevent file system operations. They are of 2 types:
  • Legacy – problematic, they must handle every type of I/O operation that a file system driver performs
  • Minifilter drivers – more reliable, performant and with a simplified development process. They can choose which file system operations to monitor and can register pre-operation and post-operation callback routines that are called by the OS each time the monitored operations are performed.
• Process Filtering – a minifilter driver can also be used to monitor the creation and termination of processes. It can call PsSetCreateProcessNotifyRoutineEx API to register a callback routine. Whenever a new process is created, the registered routine is called before the initial thread of the process begins running. The routine can also terminate the process.
• Registry Filtering – a minifilter driver can also be notified whenever an operation that targets the registry is performed by registering a callback routine using the CmRegisterCallbackEx API. It is called before and after the registry operation is completed and receives specific info about that operation as parameters.
  By writing in registry keys like:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run , or
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ,
  the malware ensures that it will run at log-on, gaining persistence.
• WIN API Hooking – intercept API calls by redirecting their execution to an associated routine, called hook, to analyze / extract info about the call (parameters or return value) => the process calls a hooked API. Methods:
  • Import Address Table (IAT) Hooking – the destination addresses of the functions that are statically imported by the process are altered so that they point to the hook functions
  • In-Line Hooking – alter the instructions of the functions to be intercepted, in memory, at run-time, by changing the first several bytes (to transfer the execution to the associated hook routine). When the routine completes processing, control is transferred back to the original API (change the first several bytes back or invoke a function that contains those bytes – called Trampoline).
  • Detours – the Detours library is provided by Microsoft to intercept functions similar to in-line hooking, by applying code dynamically at run-time. The detour function can be used to replace the hooked function or extend its functionality.
• Event Tracing for Windows (ETW) – allows the interception of system events generated by the Windows OS in real time. As ETW is a kernel-level feature, it is not susceptible to some type of evasion that affects WIN API Hooking, such as hook removal, or direct syscall usage. It can also avoid application crashes caused by API hooking.
  Disadvantage: code injection and other memory manipulation actions cannot be reliably identified without the Microsoft-Windows-Threat-Intelligence provider, that was included in Windows 10.
• Anti-Malware Scan Interface (AMSI) – feature included in Windows 10 that contributes to real-time malware detection. Apps can use it to invoke the security solution available on the system to analyze various objects (files, memory areas, streams, URLs, IPs, etc.). It’s especially useful in detecting malicious scripts that can be highly obfuscated / difficult to detect. The Windows 10 script hosts (PowerShell / Windows Script Host / JavaScript engine) integrate AMSI and invoke scans of the code, which must be and is de-obfuscated right before execution.

VI. Which are the common actions performed by malware?

There are 3 actions, very common in malware, that are especially encountered in installers & uninstallers ( => risk of False Positives): writing executable files in the System / Windows / Temporary folders, executing the created files and registering an executable to run at start-up => there’s a need to distinguish between ordinary executable files and installers/uninstallers. Legit installers are usually generated by common software installation packages, and can be identified by scanning the file for certain signatures.

VII. How to smartly evaluate the intercepted actions?

A generic approach is using a scoring engine, which contains heuristics able to detect samples that use various new combinations of malicious actions. A set of predefined features are extracted (from the executable file or based on the actions of the analyzed process). Each feature has an associated score, that is used to compute a general score for the sample. If that score exceeds a predefined threshold, the sample is either categorized as a certain type of malware or as clean.

When thinking of complex malware scoring mechanisms, one may believe that the solution can be implemented using artificial intelligence (AI). An AI algorithm performs well enough in face recognition, for example, because human faces do not change their definitory characteristics over time. But malware evolves at a rapid pace, to use the latest features provided by operating systems and programming languages, as well as to exploit the latest unpatched ( zero-day ) vulnerabilities. Therefore, the scoring engine must be easy to understand and maintain, precise, predictable to changes, and needs to be updated very quickly. This is NOT easily achieved with an AI algorithm, where the training is time consuming and the results cannot be anticipated, not to mention the constantly required re-training. Also, adding a new heuristic may damage the entire scoring mechanism. Furthermore, an appropriate training set for dynamic malware detection is almost impossible to find.

In practice, adapting the scoring engine to a new threat should require writing a couple of heuristics and calibrating the scores and weights only for them. More exactly, when another malware technique appears in the wild, a security researcher needs to test the security solution against samples or proof of concepts (POCs) that exhibit the new behavior. He / She may also manually capture the behavior of the processes by simply using a tool like Process Monitor. If the current detection model does not identify the new malicious technique, it’s a clear sign that the current model must be extended.

In a broader perspective, such a solution should be integrated in a modern security application, together with other components such as URL blocking, firewall, classic AV signatures, etc.

VIII. Now, which are the smart tricks used to stay under the radar?

• solutions that use dependency graphs constructed from API / system calls, may be evaded by replacing a call sequence with its semantic equivalent and/or inserting redundant calls
• instead of executing all the malicious actions in a single process, distribute the payload to multiple, distinct processes, to be executed over a long period of time. Because behavior-based detection cannot identify a process based on a single action (due to the risk of False Positives), multiple individual processes, each performing a smaller set of actions, may go unnoticed.
  Injecting the payload in multiple processes also makes cleanup difficult: if only one affected process is terminated, the malware is capable of re-instantiating itself from another injected process.
  The distinct malicious processes (that make up an attack) may communicate using traditional inter-process communication, supported by the OS, or through purposely implemented mechanisms.

• Windows OS problems that make exploitation easier:
  • it does not keep a strict relation between child processes and parent processes => managing related processes for detection is more difficult, requiring OS specific knowledge
  • it allows code to be injected in a trivial way and does not provide a synchronous notification when injections occur => detecting all code injection methods is also considerably hard

IX. How do we combat multi-process malware, though?

• represent the actions performed by each process as feature vectors, then correlate them with the actions performed by the child processes. Disadvantages: difficult to implement, does not consider code injection when correlating processes.
• divide the processes into categories: group creators (they create other processes, not necessarily related to them), group inheritors and unmonitored processes. By assigning a category / role to each process, the groups of processes are much easier to identify and manage. The category of a process can be identified based on features like: the file path, the digital signature or a hash computed for the executable file.
• as installers can be used as a spreading mechanism, when an installation starts, the solution should create a process lineage tree, in which the root is the initial installer application. When the root or a descendant creates a new process, it should be added to the lineage tree as a child of the process that created it. This way, we can observe better the deepness and the exact activity of that installation, as it happens.

X. How about the advanced cyberattacks & cyberweapons detection?…

Well, as more and more people are being affected by this NSA-level madness ( shouldn’t come as a surprise, since some of their most sophisticated tools & exploits were leaked online by The Shadow Brokers – but that’s a story for another time ), we have to talk about this too.

These attacks are usually orchestrated by Advanced Persistent Threat (APT) actors – highly skilled, motivated and well-funded hackers, with ample resources at their disposal (usually nation state sponsored, as now it is much cheaper and effective to attack and spy your enemies in the cyberspace).

• APT attacks are carefully planned and often designed for a specific victim after a significant amount of time is spent researching the target => challenging to detect
• some security researchers try to combat this by combining the capabilities of the behavioral security solution with the MITRE ATT&CK knowledge base of adversary tactics and techniques, which are classified in 14 categories:

1. Reconnaissance - gather critical information to plan future operations
2. Resource Development - create/purchase/compromise/steal resources that can be used to support operations
3. Initial Access - get into the target network
4. Execution - run malicious code
5. Persistence - maintain your access
6. Privilege Escalation - get higher-level permissions
7. Defense Evasion - avoid being detected
8. Credential Access - steal account names and passwords
9. Discovery - figure out & map the environment you're in
10. Lateral Movement - move through the environment
11. Collection - gather data of interest to your goal
12. Command and Control - communicate with & control compromised systems
13. Exfiltration - steal sensitive data
14. Impact - manipulate and/or destroy the systems and data

• these tactics also represent reasons for malware to perform certain actions. Moreover, each category is broken-down into multiple techniques and sub-techniques that indicate how a tactical goal is achieved.

Conclusion

To wrap up, there are two serious problems that always seem to haunt the defense professionals: the time gap between the moment a new malware is released, until a behavioral model is available for that malware type (as systems are exposed to attacks), and the sophisticated cyberattacks (APT‘s specialty), which are particularly difficult to detect and they are often discovered when it’s already too late. Thus, there’s still an acute need for proactive behavioral detection solutions with fast response capabilities.

Publications used for this article:
Sushil Kumar et al. An emerging threat fileless malware: a survey and research challenges, 2020
Steve Mansfield-Devine. The malware arms race. Computer Fraud & Security, 2018
Jaime Devesa, Igor Santos, Xabier Cantero, Yoseba K. Penya, and Pablo Garcia Bringas. Automatic behaviour-based analysis and classification system for malware detection, 2010
Romanch Agarwal, Prabhat Kumar Singh, Nitin Jyoti, Harinath Ramachetty Vishwanath, and Palasamudram Ramagopal Prashanth. System and method for non-signature based detection of malicious processes, 2016
Ishai Rosenberg and Ehud Gudes. Bypassing system calls based intrusion detection systems, 2017
Weiqin Ma, Pu Duan, Sanmin Liu, Guofei Gu, and Jyh-Charn Liu. Shadow attacks: automatically evading system-call-behavior based malware detection, 2012
Jithin Pavithran, Milan Patnaik, and Chester Rebeiro. D-time: distributed threadless independent malware execution for runtime obfuscation, 2019
Gheorghe Hajmasan, Alexandra Mondoc, and Octavian Cret. Dynamic behavior evaluation for malware detection. In 2017 5th International Symposium on Digital Forensic and Security (ISDFS), Tirgu Mures, 2017
Gheorghe Hajmasan, Alexandra Mondoc, Radu Portase, and Octavian Cret. Evasive Malware Detection Using Groups of Processes, 2017
Gheorghe Hajmasan, Radu Portase. Systems and methods for tracking malicious behavior across multiple software entities, 2020
Sandor Lukacs, Raul Tosa, Paul Boca, Gheorghe Hajmasan, Andrei Lutas. Complex scoring for malware detection, 2016
Sandor Lukacs, Raul Tosa, Paul Boca, Gheorghe Hajmasan, Andrei Lutas. Process evaluation for malware detection in virtual machines, 2015
Bill Blunden. The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2009

The main challenge was to find inventive and playful ways to exploit database connected applications that are vulnerable to this kind of attack.

Therefore, I used two applications: one that was entirely coded by me, and the other being a vulnerable webservice hosted on a Linux server. It was fun ( ͡° ͜ʖ ͡°) .

Below is the complete description of the exploitation process / write-up.

The Github repo for this solution can be found here.

The above PDF and video demo can be found here.