Hackers declare war on international forensics tool
Microsoft's COFEE decaffeinated
Hackers have released software they say sabotages a suite of forensics utilities Microsoft provides for free to hundreds of law enforcement agencies across the globe.
Decaf is a light-weight application that monitors Windows systems for the presence of COFEE, a bundle of some 150 point-and-click tools used by police to collect digital evidence at crime scenes. When a USB stick containing the Microsoft software is attached to a protected PC, Decaf automatically executes a variety of countermeasures.
"We want to promote a healthy unrestricted free flow of internet traffic and show why law enforcement should not solely rely on Microsoft to automate their intelligent evidence finding," one of the two hackers behind Decaf told The Register in explaining the objective of the project.
Microsoft has been pouring free COFEE to law enforcement officers since at least mid 2007. Short for Computer Online Forensic Evidence Extractor, it packages forensics tools onto an easy-to-use USB stick that allows investigators to collect browsing history, temporary files and other sensitive data from most Windows-based machines. COFEE is distributed through Interpol.
Last month, when COFEE leaked to the net, Microsoft downplayed concerns the breach would allow hackers to create countermeasures. Redmond representatives weren't immediately available for comment late Sunday night.
Decaf boasts a huge variety of user-driven countermeasures against COFEE. In addition to nuking temporary files within seconds of detecting files or processes associated with the investigative tool, Decaf can also clear all COFEE logs, disable USB drives, and contaminate or spoof a variety of MAC addresses. Future versions promise to add features that allow users to remotely lock down protected systems.
The software began seeding on private BitTorrent trackers on Sunday afternoon, and shortly thereafter, it was posted here. The Register wasn't able to immediately analyze the 181 KB executable to confirm it performed as advertised.
The release of Decaf follows the leak last month of COFEE. By the time Microsoft lawyers demanded the removal of COFEE from sites such as Cryptome, the genie was already out of the bottle. To this day, COFEE remains available on Wikileaks.
While the hackers are making available the Decaf executable, they are not releasing the source code for fear, they say, that the signatures used will be reverse engineered. The end user license agreement that accompanies the software states: "You will not disassemble, decompile, or reverse engineer it, in whole or in part, except to the extent expressly permitted by law. You will not use DECAF for illegal purposes. You will comply with all export laws. DECAF is licensed, not sold." ®
COMMENTS
***ing Amateur Hour.
It's been dotfuscated, but you can read fairly large chunks using .net Reflector.
Haven't come across anything sinister, but it's a pretty crude bit of code. Shells out to netstat.exe and devcon.exe; heh, shells out to shutdown.exe rather than using any of the shutdown APIs; hard-coded lists of log and temp file dirs and registry keys to delete; none of them securely overwritten, just unlinked - this thing is going to leave forensic traces everywhere, which is hardly a good idea, given the envisaged usage mode: I don't think the cops are going to come round, break your door down, stick their COFEE usb stick in your PC, then go away again without taking your PC along for a full sector-by-sector dump of your HD at their leisure.
Representative line:
info13 = new DirectoryInfo(string.Format(@"C:\Documents and Settings\mjfel529\Application Data\Mozilla\Firefox\Profiles", MyProject.User.Name.Split(new char[] { '\\' })[1]));
Yeah, like that's going to work on anyone except the original author's PC. And even when they fix the bug... well, do you really want it to trash all your profiles entirely, rather than just wipe the sensitive data?
Also, you're screwed if you're using an internationalized version of Windows where directory names like "Documents and Settings" are translated into the local language.
So far, it looks like they want to hide the source code out of embarrassment at their horrible VB.net coding skills rather than because there's anything malicious in it, but I am curious about the repeated code chunks that convert some arbitrary base-64 encoded string into binary and write it to a file on disk.
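The comment above describes a process chain an examiner could look for after the fact: one parent that shells out to netstat.exe, devcon.exe and shutdown.exe in quick succession. The following is an added detection example, not code from Decaf or COFEE; the event tuple layout, the 60-second window and the process name "decaf.exe" in the sample are assumptions, and the events are constructed.

```python
"""Flag a parent process that spawns several of the helper executables the
comment attributes to Decaf within a short window. Added example; the log
layout, window length and sample process names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Child executables the comment says Decaf shells out to.
SUSPECT_CHILDREN = {"netstat.exe", "devcon.exe", "shutdown.exe"}
WINDOW = timedelta(seconds=60)  # assumption: the comment says "within seconds"

# Constructed process-creation events: (timestamp, parent_pid, parent_image, child_image).
SAMPLE_EVENTS = [
    ("2009-12-14T01:02:03", 1204, "explorer.exe", "firefox.exe"),
    ("2009-12-14T01:05:10", 3320, "decaf.exe", "netstat.exe"),   # hypothetical name
    ("2009-12-14T01:05:11", 3320, "decaf.exe", "devcon.exe"),
    ("2009-12-14T01:05:12", 3320, "decaf.exe", "shutdown.exe"),
    ("2009-12-14T02:00:00", 1204, "explorer.exe", "netstat.exe"),  # benign, hours apart
    ("2009-12-14T03:00:00", 1204, "explorer.exe", "shutdown.exe"),
]


def find_chains(events, min_children=2, window=WINDOW):
    """Return (parent_pid, parent_image, sorted children) for every parent that
    launched at least min_children distinct suspect children inside one window."""
    per_parent = defaultdict(list)
    for ts, ppid, pimage, child in events:
        if child.lower() in SUSPECT_CHILDREN:
            per_parent[(ppid, pimage)].append((datetime.fromisoformat(ts), child.lower()))
    hits = []
    for (ppid, pimage), spawns in per_parent.items():
        spawns.sort()  # oldest first, so each spawn can open a window
        for i, (t0, _) in enumerate(spawns):
            seen = {c for t, c in spawns[i:] if t - t0 <= window}
            if len(seen) >= min_children:
                hits.append((ppid, pimage, sorted(seen)))
                break  # one finding per parent is enough
    return hits


if __name__ == "__main__":
    for hit in find_chains(SAMPLE_EVENTS):
        print("suspect anti-forensics chain:", hit)
```

Explorer's netstat and shutdown launches are an hour apart, so only the clustered chain is reported.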
and don't forget the heinous crimes of...
emptying your recycle bin!
Emptying your REAL bin
Flushing to toilet
Cleaning your shoes
Washing your hair/having a shower/bath, cleaning your teeth
Basically CLEANING or DISPOSAL of ANYTHING should
(surely indicative of terrorist tendencies, after all - if you have nothing to hide.......) :-)
One of these days somebody will actually explain the difference between SECRECY and PRIVACY to our sh**ty government - until then they see PRIVACY = SECRECY = TERRORIST/PEDO = ILLEGAL = JAIL
BIG FAIL
Now they have done it
So now the police can't look at pedos' computers. I know exactly what the gov will do now, it goes like this.
Customer Walks into PC world and says: Hi I'd like to buy a laptop.
Staff Member: Sure, follow me this way and we'll do the police check for you.
Customer: What police check?
Staff: now now sir, you don't want us selling a laptop to a pedo do you, so we are going to assume you are one until we do the check.
Customer: Is there any way out of this?
Staff member: Sure, will you be with this laptop for less than two hours per week?