Whitehat rootkits to prevent theft?


NickFnord

Full Member

Posts: 117

Joined: Fri Sep 05, 2008 5:25 am

Post Thu Sep 18, 2008 9:47 am

Whitehat rootkits to prevent theft?

A while ago, my house was broken into and my laptop got stolen; there were 5 years' worth of personal projects, photos and just stuff that was worth more to me than the thief probably got from the ancient laptop itself.  As far as security goes - generally you're advised to take photos of your electronic goods, make note of the serial number and perhaps paint some identifying mark in UV paint.  On the non-physical side, it's recommended that you encrypt your hard drive to protect your information, but I've been thinking recently:

I'm not satisfied with just knowing that my data is safely encrypted and I'll get my insurance money back.  I want my damn laptop back, or at least I want to see the thief get prosecuted. 

So my thought is this:  Why should I not install a rootkit that mails me every X time-period that the computer is connected to the net with its IP address?  I'd encrypt anything valuable on my hd and I'd leave a guest account with limited privileges open so the thief would have a greater chance of logging in with it.  This way it would be comparatively trivial to track the thief physically, if not be able to identify them directly through an ISP account.

At this point in my line of reasoning though, I had this sinking feeling as I had a vision of the only conclusion of this line of thought: Security Companies that supply rootkits which dial home to their servers with identifying information.  They would sell this as a guaranteed way to ensure that either your computer hardware is recovered or the criminal prosecuted or both.  "get kitted" the slogans would scream, and it would be the latest thing to have a security rootkit addon installed.  Worse yet, what if the government encouraged this scheme and/or provided these tools to everyone for the same reason... Not that I'm anti-authoritarian, but I'm slightly paranoid about this sort of thing. 

Anyway: Thoughts?  Rootkits are not something I'm at all familiar with yet. Would a "white hat" rootkit like this be a feasible option?

Thoughts, comments?

Nick.
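The check-in scheme proposed above, as an added example that is not part of the original thread: the owner-side receiver for the periodic "phone home" reports. It assumes a per-device shared secret provisioned at install time (constructed here, not a real key) and shows why the receiver should authenticate each report, refuse replays, and record the source address it actually observed rather than whatever the agent claims, so that a forged or forwarded report cannot point at the wrong address.

```python
import hashlib
import hmac
import json

# Constructed per-device secret shared by the agent and the owner's receiver
# at install time; not a real key.
DEVICE_KEY = b"constructed-device-secret-0001"

def sign_report(key: bytes, report: dict) -> str:
    """Agent side: MAC a canonical serialisation of the check-in."""
    payload = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

class CheckInReceiver:
    """Owner side: keeps only authentic, in-order check-ins as evidence."""

    def __init__(self, key: bytes, max_skew: int = 3600):
        self.key = key
        self.max_skew = max_skew  # seconds of clock drift tolerated
        self.last_seq = -1        # highest sequence number accepted so far
        self.evidence = []        # accepted reports plus the observed source IP

    def receive(self, report: dict, tag: str, observed_ip: str, now: int) -> str:
        # Constant-time compare: a forged or altered report fails here.
        if not hmac.compare_digest(sign_report(self.key, report), tag):
            return "rejected: bad tag"
        # A resent copy of an old report carries an old sequence number.
        if report["seq"] <= self.last_seq:
            return "rejected: replay"
        if abs(now - report["ts"]) > self.max_skew:
            return "rejected: stale timestamp"
        self.last_seq = report["seq"]
        # The address the receiver actually saw is the evidence; the agent's
        # self-reported interface address is kept only for context.
        self.evidence.append({**report, "observed_ip": observed_ip})
        return "accepted"

def demo() -> list:
    """Constructed check-ins: genuine, altered in transit, replayed, genuine."""
    rx = CheckInReceiver(DEVICE_KEY)
    r1 = {"device": "laptop-01", "seq": 1, "ts": 1222000000, "iface_ip": "192.168.1.7"}
    t1 = sign_report(DEVICE_KEY, r1)
    r2 = dict(r1, seq=2, ts=1222003600, iface_ip="10.0.0.5")
    return [
        rx.receive(r1, t1, "203.0.113.9", 1222000010),               # accepted
        rx.receive(r2, t1, "203.0.113.9", 1222003610),               # rejected: bad tag
        rx.receive(r1, t1, "198.51.100.4", 1222000020),              # rejected: replay
        rx.receive(r2, sign_report(DEVICE_KEY, r2), "203.0.113.9", 1222003610),  # accepted
    ]
```

The accepted reports carry the receiver's observed address, which is the only part of the record worth handing to anyone as evidence; the agent's own interface address is just whatever network it happened to land on.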

RoleReversal

Hero Member

Posts: 929

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Sep 18, 2008 10:33 am

Re: Whitehat rootkits to prevent theft?

Nick,

Nice idea, but I'd imagine that once the thief finds he can't get access to your juicy data thanks to your encryption, I'm guessing they'll just re-install and punt it on eBay/down the pub.

Might work in a few limited cases, but I can't see it being hugely successful. If you had something in hardware, or a separate hidden partition, then it could be another matter.

Just my thoughts, but my brain is a bit drained today so I may be missing something.

venom77

Hero Member

Posts: 1911

Joined: Mon Dec 11, 2006 3:23 pm

Post Thu Sep 18, 2008 12:40 pm

Re: Whitehat rootkits to prevent theft?

Yeah, I'm going to go the same route as RR on this. I've thought about such an idea in the past as well, some sort of "phone home" thing to trace the laptop.

In most cases, as RR mentioned, they are either going to A) format your drive and reinstall the OS, B) replace the drive or C) sell it as-is so someone else can deal with it going about A or B.

If they want to look at the data (and this is what I would do), they probably won't boot the laptop. Instead, they'll just extract the drive and use something like an IDE/SATA-to-USB cable to hook it up to a separate computer.

The best approach is to simply make use of backups. Then when something like you've encountered does happen you get the insurance money, get a new laptop, and reinstall your data :)

BillV

geekyone

Full Member

Posts: 180

Joined: Fri Oct 26, 2007 12:45 pm

Location: Peoria, IL

Post Thu Sep 18, 2008 7:36 pm

Re: Whitehat rootkits to prevent theft?

http://adeona.cs.washington.edu/

Adeona is the first Open Source system for tracking the location of your lost or stolen laptop that does not rely on a proprietary, central service.
I haven't used this software but it looks good and seems to be exactly what you need.
CISSP, CEH, GPEN, GCIH, GCFA

NickFnord

Full Member

Posts: 117

Joined: Fri Sep 05, 2008 5:25 am

Post Fri Sep 19, 2008 6:35 am

Re: Whitehat rootkits to prevent theft?

Looks like there was a Slashdot article about Adeona also, with some interesting comments from people.

I also found this thread just looking through this site.

http://www.ethicalhacker.net/component/ ... 1/#msg7055

I think I'll investigate it anyway - if they steal a computer and re-image then it's no different from them not re-imaging and not having a piece of tracking software installed.

hmmm.... 

Kev

Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Sun Sep 21, 2008 1:17 pm

Re: Whitehat rootkits to prevent theft?

I have a bomb installed in my laptop and if someone turns it on and doesn't punch in the correct code within 8 seconds they are history. Screw the idea of recovering it and prosecuting.

The reality is if you lose your laptop it's gone. Even if you did have a way to trace it to some IP, what do you do next?  Get a court order for the ISP to give up the info? Run to the FBI about your $600 laptop?  I am sure the local police will be just so excited to jump on this one. I am not saying you couldn't pursue it; with enough time and money I am sure you could. There had better be some really important data on it to make it worth your while.

The reality is the best thing you can do is make sure you back up, encrypt, cover with insurance and a little prayer never hurts!

jimbob

Post Mon Sep 22, 2008 4:48 am

Re: Whitehat rootkits to prevent theft?

Not surprisingly, you're not the first person to think of this. I do remember some products that would send an email out periodically, but in reality this will have limited success.
  • If your laptop requires a password to log in, then the thief will be unable to log in in order to set it up on their network, so no mails can be sent.
  • If the laptop automatically tries to obtain a network connection using wifi, for example, there's a good chance that it will encounter a WEP/WPA secured network and be unable to connect. If it does find an open network, there's no guarantee it will belong to the thief.
  • Getting law enforcement to take seriously your claim that your stolen laptop emailed you, and then having them request contact details from the ISP, conduct a search etc., could be difficult.
For high-value systems a fully working approach would have to be self-contained and self-sufficient. A combination of a cell phone network card, GPS and a webcam could mean that a system could phone home, give its GPS location and take a picture of its surroundings if it is simply booted up. The price of this solution could be greater than buying a low-end laptop and less effective than good physical security.

There probably is a market for this in government departments, for example. Being able to trace lost or stolen laptops could be useful. If the GPRS data system was kept powered up even when the laptop was shut down, it could be possible to phone your laptop and get a status report. Think of a laptop acting as a very large cell phone.

Jimbob

elcapitan

Newbie

Posts: 28

Joined: Mon Apr 28, 2008 10:16 am

Post Fri Sep 26, 2008 10:22 pm

Re: Whitehat rootkits to prevent theft?

Interesting approach. There is http://www.lojackforlaptops.com/ which has been on the market for several years.

It is "a software product that enables law enforcement to recover stolen laptops by tracing them across the Internet."

They claim to recover 3 out of 4 stolen computers and utilize a BIOS-based agent to avoid being wiped.

I would like to see exactly how the location is tracked. A legit customer would have to assume they can always be tracked too.  :-\
CISSP, Security+, CEH, OPP, et alii

Bane

Post Sat Sep 27, 2008 10:50 am

Re: Whitehat rootkits to prevent theft?

ElCapitan wrote:Interesting approach. There is http://www.lojackforlaptops.com/ which has been on the market for several years.

It is "a software product that enables law enforcement to recover stolen laptops by tracing them across the Internet."

They claim to recover 3 out of 4 stolen computers and utilize a BIOS-based agent to avoid being wiped.

I would like to see exactly how the location is tracked. A legit customer would have to assume they can always be tracked too.  :-\

We use Computrace at work. There are two ways that it can trace the location. 1. It reports in based solely on IP address. 2. It uses a built-in 3G card, or GPS, to send a location.

The best use for this tool however is not recovery, but automated destruction of data. If a laptop is stolen, you can configure the tool to be told to wipe the drive the next time it reports in.

If you have the right model of laptop, for example Lenovo and some HP models, Computrace is integrated into the BIOS and can wipe the drive even if the thief is running off of an external boot disk such as a livecd.


RoleReversal

Hero Member

Posts: 929

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Sun Sep 28, 2008 3:34 am

Re: Whitehat rootkits to prevent theft?

Bane wrote:The best use for this tool however is not recovery, but automated destruction of data. If a laptop is stolen, you can configure the tool to be told to wipe the drive the next time it reports in.
Sounds like a good compromise, especially as it avoids having to convince the police that the machine actually belongs to you and that it is worth their time investigating.

Now if only we could build this technology into CDs we might end up with a government that can securely hold data :)

$w33p3R

Newbie

Posts: 30

Joined: Fri Aug 08, 2008 10:39 pm

Post Sun Sep 28, 2008 4:21 am

Re: Whitehat rootkits to prevent theft?

RoleReversal wrote:Now if only we could build this technology into CDs we might end up with a government that can securely hold data :)

Lol, don't hold your breath on that one; as long as data is worth money, it will never be secure.
MCP, CEH

RoleReversal

Hero Member

Posts: 929

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Oct 02, 2008 3:23 am

Re: Whitehat rootkits to prevent theft?

NickFnord,

Just came across this story on Slashdot which may be of interest:

After his computer was stolen, Jose Caceres used a remote access program to log on every day and watch it being used. The laptop was stolen on Sept. 4, when he left it on top of his car while carrying other things into his home. "It was kind of frustrating because he was mostly using it to watch porn," Caceres said. "I couldn't get any information about him." Last week the thief messed up and registered on a web site with his name and address. Jose alerted the police, who arrested a suspect a few hours later. The moral of the story: never go to a porn site where you have to register.

NickFnord

Full Member

Posts: 117

Joined: Fri Sep 05, 2008 5:25 am

Post Thu Oct 02, 2008 4:11 am

Re: Whitehat rootkits to prevent theft?

I was just about to post the same thing.

I've actually been reading Reversing by Eldad Eilam, which has a chapter on reversing malware with an example of a bot that signs into an IRC channel to accept instructions.  I knew this was how botnets worked, but I have never examined a trojan's code before.  I thought I might have a go at writing my own modified version for my laptop rather than paying for a licence for commercial software.

I wouldn't mind starting a sourceforge project (if there isn't one already) on it but it could easily be used maliciously I guess....

Kev

Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Thu Oct 02, 2008 5:17 pm

Re: Whitehat rootkits to prevent theft?

That's a cool story, but more of a fluke rather than what I would consider something you could rely on to retrieve your laptop.
