
DropSmack: Using Dropbox to steal files and deliver malware

Michael P. Kassner interviews a digital forensic scientist who uses Dropbox to compromise targeted networks -- something the bad guys probably figured out as well.

I use Dropbox, and so do some 50 million other people. That's remarkable, considering Dropbox suffered through a few embarrassing speed bumps related to user file security. It seems it's going to take more than those kinds of oops for us to consider giving up the convenience afforded by Dropbox.

A digital addiction like that begs the question: what kind of "issue" would it take to convince someone (me for instance) to stop using Dropbox?

When I asked that question at a security seminar, little did I realize a digital investigator slash pen tester would provide the perfect speed bump that will have all 50 million of us asking ourselves, "Is using Dropbox worth the risk?"

What issue?

I was perusing the seminar briefing website from this year's Black Hat EU, fishing for potential article topics, when I came across a briefing note titled "DropSmack: How cloud synchronization services render your corporate firewall worthless." Feeling a nibble, I read the briefing. Right away, I knew I'd hooked a keeper:

"The contributions of this presentation are threefold. First, we show how cloud-based synchronization solutions in general, and Dropbox in particular, can be used as a vector for delivering malware to an internal network."

The other two contributions were just as eye-opening:

  • Show how the Dropbox synchronization service can be used as a Command and Control (C2) channel.
  • Demonstrate how functioning malware is able to use Dropbox to smuggle out data from exploited remote computers.

I'd like to introduce Mr. Jacob Williams (@MalwareJake). Jake is a highly skilled pen tester and digital forensic scientist employed by CSR Group. He's the guy who gave the Black Hat presentation, and he's the one who is going to cause significant angst among Dropbox users as well as corporate-security types.

The events as they unfolded

As the story goes, Jake was hired to perform a "no holds barred" penetration test on a corporate network. Nothing Jake tried worked, even social engineering the employees. Then Jake found a crack -- the company CIO. He obtained a personal email address and a way to spear-phish the CIO.

He just had to wait until the CIO used his work notebook away from the corporation's highly secure network. In less time than one would expect (scary actually), Jake owned the notebook.

While snooping around on the CIO's computer, Jake couldn't believe his luck; he found corporate documents quietly sitting in a Dropbox synchronization folder. Jake told me, "I knew I could use Dropbox as a conduit into the inner corporate sanctuary. What I didn't know was how."

That's because Dropbox databases are encrypted, and reverse engineering the Dropbox software in order to read the databases would take longer than Jake had. Not to be denied, Jake and his cohorts eventually discovered a way in. It seems massive quantities of beer played a vital role (from Jake's Black Hat presentation).

The epiphany

By design, Dropbox would allow Jake to send files to all the devices associated with the CIO's Dropbox account, but that's not enough. Jake needed a way to infiltrate further into the company network, install malware, and find specific documents as part of the pen-test requirements.

Figuring out how to accomplish all that was Jake's epiphany, and like any good pen tester wanting to get unstuck, Jake created a tool called DropSmack to perform the above steps.

The next step was getting it loaded. Jake realized all he had to do was get the CIO to open a file infected with DropSmack in his Dropbox folder, and it would install. Here are the steps:

  • Embed DropSmack in a file already synchronized by Dropbox.
  • Add some macro goodness.
  • Load file back on the compromised computer.
  • File automatically synchronizes.
  • Wait for the victim to open the file on the internal network.

I thought I had a gotcha; I asked Jake, "What about Windows 7 and needing admin rights to get by the UAC?" Jake told me something I should have known, but didn't, "Dropbox does not need admin rights to load, because it installs into the user's profile directory. So we did the same thing with DropSmack -- nice and simple." Something else I didn't understand: "Now that DropSmack is installed, how do you tell it what to do?" Jake explained:

DropSmack is designed to monitor the Dropbox synchronization folder. We create a file using a .doc extension, put a legitimate file header on the first line, and add the desired commands. Our files won't open in Word (they say the file is corrupted); but that's good, it makes the file less prone to investigation by a snoopy user.

We then place the doctored file in the owned computer's Dropbox folder. Dropbox does its magic, synchronizing all associated Dropbox folders. DropSmack detects the file meant for it, and executes the command.

I then asked Jake for a few examples of what DropSmack was capable of doing:

Once you infect a remote machine with DropSmack, it can be used to perform arbitrary actions on the machine. This includes pivoting to other machines in the remote network (such as a file server). Using the PUT command, you can upload any new tools you may need to the remote machine. The EXEC command allows you to execute those tools. The GET command allows you to retrieve the output of any command that was written to an output file.

To get remote shares mounted to a machine, you'd just upload a batch script containing the "net use" command that outputs to an output file, EXEC the script, and retrieve the output file. I demonstrated this live at the Black Hat EU conference, capturing a listing of the user's home directory, IP configurations, and the Program Files directory (to see what software was installed on the machine).

Jake beat me to the punch on my next question. I wondered if the notifications Dropbox created would seem odd to the user.

So, for now, Jake makes sure the name of the command file relates to the files already in Dropbox.
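Because the command file borrows a legitimate Word header and a name that blends in with the existing documents, neither the extension nor the file name is a reliable signal. What does stand out is structure: a real legacy .doc is an OLE2 compound file made of whole 512-byte (or 4096-byte) sectors with a binary body, while a "header on the first line, then text" file is not. The following Python check is an added, hypothetical defender-side example (not code from the article or from DropSmack) that walks a sync folder and flags .doc files whose bytes do not have the structure their header promises; the sample files it constructs are made up for the demo.

```python
import os
import struct
import tempfile

# Legacy Word (.doc) files are OLE2 compound files: an 8-byte magic, a header
# sector and then whole sectors of binary tables.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
DOC_EXTENSIONS = (".doc",)

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def classify_doc(data: bytes) -> str:
    """Classify a .doc payload as 'ole2', 'decoy' or 'unknown'."""
    if not data.startswith(OLE2_MAGIC):
        return "unknown"
    # A genuine compound file declares its sector size (2**9 or 2**12 bytes)
    # at offset 30 and is made of whole sectors; a file that only borrows the
    # header's first line and then carries text fails these checks.
    if len(data) < 32:
        return "decoy"
    shift = struct.unpack_from("<H", data, 30)[0]
    sector = 1 << shift if shift in (9, 12) else 0
    if not sector or len(data) < sector or len(data) % sector:
        return "decoy"
    # Compound-file sectors are binary; a mostly-text body stands out.
    if printable_ratio(data[len(OLE2_MAGIC):]) > 0.8:
        return "decoy"
    return "ole2"

def scan_sync_folder(root: str):
    """Return [(path, verdict)] for .doc files whose bytes do not carry the
    structure their extension promises (verdict 'decoy' or 'unknown')."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(DOC_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                verdict = classify_doc(fh.read())
            if verdict != "ole2":
                findings.append((path, verdict))
    return findings

def make_genuine_doc() -> bytes:
    """Constructed sample: a minimal, structurally valid OLE2 header plus two
    empty 512-byte sectors (stands in for a real Word file)."""
    header = bytearray(512)
    header[:8] = OLE2_MAGIC
    struct.pack_into("<H", header, 30, 9)  # sector shift 9 -> 512-byte sectors
    return bytes(header) + bytes(1024)

def make_decoy_doc() -> bytes:
    """Constructed sample: a borrowed Word magic followed by plain text, the
    shape the interview describes for a command file."""
    return OLE2_MAGIC + b"\r\nGET listing.txt\r\nEXEC run.bat\r\n"

def demo():
    """Write both samples into a temporary 'sync folder' and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, payload in (("budget.doc", make_genuine_doc()),
                              ("budget_v2.doc", make_decoy_doc())):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(payload)
        return [(os.path.basename(p), v) for p, v in scan_sync_folder(tmp)]

if __name__ == "__main__":
    print(demo())  # [('budget_v2.doc', 'decoy')]
```

The same structural check can be attached to a file-system watcher on the sync folder so that a flagged file is quarantined before a user, or a resident agent, gets to act on it.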

Countermeasures

Next, Jake and I discussed how to foil DropSmack. Jake didn't have much regard for the usual anti-malware defenses, such as IDS, firewalls, antivirus apps, or DLP software. He felt application whitelisting was the only sure way to prevent DropSmack from loading.

More importantly, Jake suggested that security managers think long and hard before allowing Dropbox or any file-synchronization application, no matter how convenient they are. Besides the more obvious reasons for disallowing file-synchronizing apps, Jake alluded to the "can of worms" companies can find themselves in regarding privacy laws. He explained:

Many general counsels are more than a little worried about the appearance of authorizing us to pen test what could end up being home machines. That's becoming a sticky issue with pen-testers these days as people open spear phishing emails delivered to the corporate email addresses on machines that may be privately owned.

Jake also pointed out:

The Computer Fraud and Abuse Act doesn't allow the corporation to authorize testing of an employee's personal assets. Usually penetration testers solve this problem (and avoid breaking the law) by only acting on malware from machines in the corporation's public IP range.

The liability issue resulting from privacy laws affects more than just pen testers; companies allowing file synchronization apps are apt to get embroiled in issues similar to the legal implications of BYOD.

Final thoughts

Jake and I felt it important to mention that Dropbox is by far the most secure of all file synchronization applications that Jake looked at. In fact, he uses Dropbox personally (at least he did before finding the issue). Jake also wanted me to make sure and mention that Dropbox was not compromised in order to accomplish his pen-testing goal. It was just a conduit.

A few more interesting tidbits from Jake:

  • More often than not, Dropbox is loaded on corporate networks whether it is approved or not -- most of the time it's not.
  • It's a good bet the bad guys know this technique, and are already using it.

The article may make it seem that DropSmack is more of a corporate concern, but that is not necessarily so. Once DropSmack or similar malware becomes mainstream in bad-guy circles, it's everyone's concern.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

108 comments
staber69

I did not see an answer to..

If you use only the Dropbox web browser to transfer files, does this open up any holes, or only when you install Dropbox and sync files? Thanks

tbyers31

This is one of the best written and thoroughly explained articles I've come across lately. The clear explanation of the process and risks was very helpful to me. I use Dropbox at home and work, but really so that I can have access to personal data anywhere. I totally get that the corporate risk is there; this article helped me understand the technical risks in comparison to the policy risk of corporate information being dispersed without authorization.

sootsnoot

Here is an issue that concerns me that I have not seen mentioned anywhere, either on the dropbox site or in numerous other articles on dropbox security:

How do we know that the Dropbox client software does not access other files on the user's computer outside the Dropbox folder? Firewall software protection is generally based on granting permission to a particular executable file to establish outgoing or permit incoming network connections on particular IP addresses and ports, but as far as I know there is no way (on PCs) to restrict what files the program can access. Is there some other mechanism that ensures that the client software does not access other files? If the client were open source, it would be easy enough to verify... Does Dropbox have any sort of certification process (or even just a statement to the effect) that the client application has access only to files stored under the Dropbox folder you specify?

ron_w_ii

Having just read this article, I found it quite interesting and informative considering that Dropbox, and possibly other similar cloud services, could be used in such a manner. However in your "Final thoughts" section, you note that both of you "felt it important to mention that Dropbox is by far the most secure of all file synchronization applications that Jake looked at." Why? Without mentioning any details or comparison data on other services, are you not just giving your article superfluous information? Also you're giving a tacit endorsement to a service without providing any pertinent details. If you have information relating to the validity of your "feelings", why not include it or provide a link to it?

mmyers

A big thanks to both Michael and Jake. This article came at a great time as I just had a request from our supposedly most tech savvy doctor to store presentation files containing ePHI in Dropbox so that he could access them while doing a presentation at a conference. Not to mention the fact that he thought that it was OK to connect his laptop to an insecure conference hall network, he thought that it was OK to send his credentials over that same insecure network. Needless to say he has been tasked with reading this article to see the error of his ways and will more than likely lose his remote access for a "Time Out" period so that he can repeat his Privacy and Security training.

mmyers

As good as many of you are as admins, I believe that you are missing the point. If a CIO can be compromised and most likely because he turned off his CIO spidey senses when he turned on his Dad helping son senses, then this can happen to lesser security minded individuals. I work in the medical field and am constantly reminded that my doctors are the smartest idiots I know. They are so smart when it comes to the medical side of things and so dumb about the network side of things, I am surprised that more of them are not killing themselves by trying to make toast in the shower. Not everyone has the technical abilities that the admins have. And with so many so called security solutions out there, how do you know that the one that you chose was the correct one? New exploits happen every hour. New vectors of attack happen just as quickly. It is not your networks that are insecure, it is your end users. Don't be smug, as good as you are, there is someone better.

ManifestedSolutions

Sadly, between hackers and the newly-passed CISPA, our privacy has steadily eroded. I recommend that everyone at least explore their options to see what's available to them. This service is definitely worth looking into! But don't count Dropbox out yet. There are several ways of getting more space now (one method http://goo.gl/JwMTL). Our team utilizes this service to back up invoices, articles and handle blog entries from about 10 different authors. The editors can then quickly review their posts, requesting any revisions. We found that 18GB met those needs, however other platforms may require additional space. Users who are concerned due to recent security issues should check out the 2.1.4 version which rolled out earlier this year. To those who do business internationally: I heard they're now supporting other languages. The bugs (crosses fingers) have been taken care of and several features have been revamped. My favorites are the push notification support and sort-by-date capabilities. Fair warning, Dropbox is not the cheapest, but certainly worth its while if you're new to cloud-based file syncing.

jhowmans

" ... He just had to wait until the CIO used his work notebook away from the corporation’s highly secure network. In less time than one would expect (scary actually), Jake owned the notebook. .." Details of how he managed to 'own' the CIO's PC from obtaining his email address would be useful.

jaimerubio

The problem is not Dropbox, the problem is the ingenuity of the CIO. There are 1000 other tools to do that if you get access to a computer inside a network. Apparently Kassner wants to attack Dropbox? Why? What's the problem? Dropbox is a very secure tool. But if you give your psw to third parties, it is not a Dropbox problem.

alexisgarcia72

In our corporate environment users have standard permissions; they are not local admins so they cannot install hardware or new software. If a standard user has the infected malware in the Dropbox folder, the user cannot even execute the malware. Is this a simple solution to this problem? Another "easy" solution is to have deployed zero-day attack protection like CSA products (http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html) - unfortunately CSA is no longer available - perhaps a replacement product? - This proved to be useful in scenarios like the one in this great article. I even saw CSA protecting servers without AV like a champion in security labs.

dmalmstedt

I agree with a lot of the earlier comments, and the scenarios described above happen more often than we'll ever read about. If your data is proprietary or confidential to you, then you should take the ownership to protect it. Why believe the responsibility is someone else's? That's like sending your sensitive information to the cloud, in its native unprotected form, to protect it - it just doesn't make sense. Automatically have it encrypted on your device, and have the decryption occur on the receiver's device only to a secure viewer. You decide the delivery rules so that you are in control, even after someone downloads it from DropBox or any other shared storage mechanism. Anything less allows a third party to "peek," or to add malicious foreign objects to it.

torps

Is there a ranking of the various cloud based services in terms of security?

rgutter

I don't object to articles that increase security awareness. But the lesson here is simply this: if you have a corporate device automatically trust content originating from an external compromised source, you've just rendered useless all perimeter defences. One would think that's a principle CIOs would be aware of.

Gisabun

.... This is social engineering. The novices out there will click on any link thrown to them if they believe it is believable. I get a couple of spam/scam messages a day. You know, the one where it says I owe some company $650,000 or maybe $1.2 million is waiting for me at Western Union. With the amateurish looks, those with half a brain would know something is fishy, but there are plenty who don't have a full set of screws holding down their head - this let alone the ridiculous amounts from no one you ever heard of. So how easy would it be to send some novice a message where they are using some HTML to hide the actual destination server.

Norby

At our organization, we use AppLocker policies to disallow execution from user profile folders, as well as portable media. If the users have rights to write a file somewhere, they're not allowed to execute anything from there. Only applications installed by someone with Admin rights into standard program locations can execute. This prevents users from installing things like alternate browsers, and should work to prevent this kind of exploit.

nscalessa

Why can't users simply only access DropBox via the website and just not use the client at all? Wouldn't that eliminate many of these problems?

scott.gatzke

The article mentioned that Dropbox installs to the user directory and therefore bypasses UAC. But what if the Dropbox sync folder isn’t in the user directory? I store mine in the root of a different drive. Will UAC then display a message when the malware tries to run?

rocket ride

So, "the cloud" is turning out to be a mushroom cloud. Can't say I'm exactly surprised.

FinancialPlanner

I used to be a big fan of Dropbox until recently. We found out that if you share a folder of an already shared folder, it gives full access of all folders to the person you shared with. We found this out when we shared a specific client folder with a client and they ended up having access to all of our clients' folders. I talked to Dropbox about this and they just blew me off. This is an issue of serious proportions, yet Dropbox did nothing about it. This is why we ultimately moved to Google Drive. I am hoping that more people will understand the security risks and decide to use another service.

phawtrey

If VIIVO is used exclusively with Dropbox, can the C2 channel still be used to penetrate a network?

keith

At least on Windows 7. The key is not installing it to your "User" directory! I make a policy of not installing software to the default location whenever it's going to be something I use frequently; in this case, my dropbox is on E:/. So the admin requirement for installing software kicks in and this whole thing isn't an issue ... provided I'm smart enough not to click ok when the executable notification pops up. Dropbox should of course change the default location away from one that's unprotected. Otherwise, this is human vulnerability rather than software.

TiagoViana

Dear Sirs, You totally lost my humble respect... Any guy that considers a 0.12 alcohol tax a "massive quantity" is either a Mormon or a Wimp! Give some respect to beer drinkers!!! Ok, ladies??? Oh, nice article, btw!

Non-techie Talk

Is this an issue only for machines that have Dropbox installed on them, or does it equally apply if I'm accessing Dropbox via browser uploading/downloading specific files? I have Dropbox on my home desktop and my Android phone, but not installed at work. I may periodically upload or download a specific file I'm working on. Or, at other times, I may go to FedEx Office (formerly Kinko's) to print a document; I would access Dropbox via browser, download the file, etc. Thanks for the clarification.

frankopolis

@msawyer: Good point and I completely agree. Nevertheless, it is a good article and a reminder of one of the many ways we can be compromised. Phishing doesn't always generate access to corporate data as it did in this case.

Reality Bites

changed and scans it and kills it. For the dummies not keeping virus definitions up to date, yes you are open. Virus protection won't even let the temp file update without quarantining it. Sounds like a storm in a tea cup to me.

Michael Kassner

Jake figured out the CIO's private email account and from Facebook determined he was helping organize an event for his son. A malware-laden email related to that event was the spear-phish.

HAL 9000

[i]Apparently Kassner wants to attack Dropbox? Why? What's the problem? Dropbox is a very secure tool. But if you give your psw to third parties, it is not a Dropbox problem.[/i] The actual Blog reads:- [i]"I knew I could use Dropbox as a conduit into the inner corporate sanctuary. What I didn't know was how."[/i] Now exactly how is that attacking Dropbox? Or [i]Jake and I felt it important to mention that Dropbox is by far the most secure of all file synchronization applications that Jake looked at. In fact, he uses Dropbox personally (at least he did before finding the issue). Jake also wanted me to make sure and mention that Dropbox was not compromised in order to accomplish his pen-testing goal. It was just a conduit.[/i] Clearly that says that the problem isn't with Dropbox as Dropbox is a conduit not the problem and it also says that [i]Jake and I felt it important to mention that Dropbox is by far the most secure of all file synchronization applications[/i] Sorry but I just can not see that as an [b]Attack on Dropbox[/b] it is nothing more than the [b]Glaringly Obvious[/b] how having Dropbox installed is a way into a so called [b]Secure[/b] system that simply never existed prior to things like Dropbox being invented and used. It shows nothing more than Security Managers needing to rethink their Security Measures and how at least 1 of the currently used File Synchronization Services can be used to break into the system and adversely impact on your Security Measures. Col

Michael Kassner

DropSmack like Dropbox does not require admin rights to load.

Michael Kassner

What do you mean by secure viewer on the receiver's device? If the decryption is automated like the encryption side, DropSmack will work.

Michael Kassner

Jake just released his findings about this. He is studying the other file-sync services in preparation for another Black Hat talk this summer. I hope to write about the others at that time.

Michael Kassner

Perimeter defenses were not in play, how could they be?

Michael Kassner

Social engineering is not the only avenue to compromise the Dropbox client computer.

Michael Kassner

An acquaintance was telling me about this yesterday. I think it would work exactly as you suggest.

Michael Kassner

I would have to say that Dropbox has no advantage then. The point of using it is the convenience of working on a file and then it being updated immediately in all of the installed clients. Then there is the issue of a bad guy owning the computer you use to upload the file via the website. All that would be needed was a keylogger and the bad guys own the website as well.

Michael Kassner

But you have to still be aware that other malware can use different attacks. For example, one may ask you for permission to load. Many people, not saying you are one, are accustomed to just clicking on UAC window to get past it.

alexisgarcia72

I share a folder with a co-worker and he only has access to the specific folder I just shared, nothing else.

Michael Kassner

Jake is looking into other systems as well and they are not free from issues.

Michael Kassner

The problem is if the files are automatically encrypted or decrypted. If that is the case, it will still be a problem if a bad guy can place a file in the required spot.

Michael Kassner

It is very easy for people to not consider what they are agreeing to as well. So, alternate locations may not be the best solution.

Michael Kassner

Your work is protected from DropSmack. Do you bring any work files home via USB key or another method? That would be the same thing, just a different conduit. So it is different, but something to consider.

Michael Kassner

And please remember phishing is just one of many methods that could be used to get malware loaded.

Michael Kassner

DropSmack, when I researched the article, was not on any anti-malware vendor's radar.

rgutter

That's my point. The focus on Dropbox obscures general security principles (most obviously defense-in-depth) violated by the CIO. He defeated the value of his enterprise network's perimeter defenses by deploying software on his work computer that is DESIGNED for ease of use to perform a TRUSTED sync with a device that is easily compromised as it resides outside that perimeter. I'm suggesting that it would be very worthwhile in your articles or comments to stress the principle rather than detailing the "faults" of what is simply one of many transport mechanisms that actualize the problem. (Bringing in a USB stick used on his home computer would be another.) You've in a sense done so by noting that no amount of encryption would help if the sync'd files are automatically decrypted at the work endpoint. Again, it's improper TRUST that is the issue.

Michael Kassner

We were side-stepping each other. After each article, I wish I would have added something else. This one is no different -- maybe next time.