Hackers Counter Microsoft COFEE With Some DECAF

Posted by kdawson
from the please-mister-moto dept.
An anonymous reader writes "Two developers have created 'Detect and Eliminate Computer Assisted Forensics' (DECAF). The tool tries to stop Microsoft's Computer Online Forensic Evidence Extractor (COFEE), which helps law enforcement officials grab data from password-protected or encrypted sources. After COFEE was leaked to the Web, Microsoft issued takedown notices to sites hosting the software." The article notes that DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.
  • Less innocent people will be going to jail. Less family will be broke up.

    The time has come to rise against the machine.

    • by skine (1524819) on Tuesday December 15, 2009 @11:11PM (#30453868)

      I prefer to RAGE against the machine.

      BAH-duh BAH BAH-duh BAH DAH-duh.

      • by Anonymous Coward on Tuesday December 15, 2009 @11:52PM (#30454064)

        Coding in the name of!

        • by Anonymous Coward on Wednesday December 16, 2009 @01:27AM (#30454572)

          Fuck you, I won't code what you tell me!

          • by Per Wigren (5315) on Wednesday December 16, 2009 @03:44AM (#30455030) Homepage
            Some of those who share sources
            are the same that hate bosses
            • Rage Against The Machine - "Killing In The Name" for UK Christmas No.1! [telegraph.co.uk]

              From the Facebook group: "Fed up of Simon Cowell's latest karaoke act being Christmas No. 1? Me too ... So who's up for a mass-purchase of the track 'KILLING IN THE NAME' from December 13th ... as a protest to the X Factor monotony?"

              I've bought it from iTunes, Amazon, and re-bought the album in my local HMV. Get it done, people.
              • I've bought 3 copies and am looking forward to not having a karaoke number 1.

              • Re: (Score:3, Insightful)

                by camg188 (932324)
                Why do you care about popularity ratings? Just listen to what you like. End of problem.
                • It's not about popularity, it's about proving that the public en masse can change anything they want.

                  I'm waiting for the "National ID card is a bad idea. Let's get it abandoned" group. Also called the "Vote for anyone but Labour" group.
                  • It's not about popularity, it's about proving that the public en masse can change anything they want.

                    True, as long as it is of no consequence. Anything business or government really want will come about one way or another... keeping people occupied with mindless drivel like entertainment just makes it all easier.
                    Oh, someone is at the doo

                    • But that's the point, isn't it. Start small, work upward...

                      Rome wasn't built in a day, nor was it destroyed as such. I'm not promoting anarchy or disestablishmentarianism, but just that democracy is still possible. All it needs is for people to learn to get their news from multiple sources, check facts, read a little more, and investigate even a tiny amount into the back-hand / poison pill policies which are charged through Parliament on the back of "Think of the Children" / "Terrorism is bad!" legislation
              • by flyneye (84093)

                I'm also fed up with Rage's "Let's venerate burglars who murder old people" misguided lyrics and their "let's make socialism acceptable so we can sell lots of Che T-shirts at Hot Topic" attitude, along with the guitarist's "lack of technical expertise on a Whammy pedal, rendering it a misused, overused cliché for those of us who use it seriously."
                So maybe we should buy someone who isn't prepackaged industry approved rock and roll rebellion.
                Or better yet quit worrying about who's o

            • by log0n (18224)

              You win! By far the best!

      • Welcome, my son, welcome to the machine.

    • Re: (Score:3, Insightful)

      by Wrath0fb0b (302444)

      Less innocent people will be going to jail. Less family will be broke up. [sic]

      Any particular reason to think innocent people are more likely to use DECAF than the guilty? I fail to see why technical savvy should be correlated with innocence or guilt.

      • I fail to see why technical savvy should be correlated with innocence or guilt.

        What exactly do you correlate Microsoft with? They routinely code more backdoors than a brothel, you really think their involvement with law enforcement won't backfire? Like you suggest, criminals are tech savvy too.

  • by Anonymous Coward on Tuesday December 15, 2009 @10:46PM (#30453734)

    DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.

    Haha, that'd be the perfect trojan horse. Have people with (illicit) things to hide run a program that claims to prevent them from being caught, all the while this program is just reporting them. And even if they post code, they could just post any old source code and claim it was used to generate the executable.

    • by Cryacin (657549)
      Who says Microsoft didn't get a "contractor" to write this and release it in the wild? NT phone home!
    • by Ihmhi (1206036) <i_have_mental_health_issues@yahoo.com> on Tuesday December 15, 2009 @11:18PM (#30453908)

      And even if they post code, they could just post any old source code and claim it was used to generate the executable.

      Well yeah, until someone who has an I.Q. greater than a water buffalo compiles the source code and finds out that it doesn't match up with the finished DECAF product...

      That's the point of having source code out there in the first place. It can be inspected for everything from your everyday uh-ohs to your big time no-nos.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        And then someone with a little higher I.Q. takes the time to do something fun like disassemble the executable or, hell, use Wireshark to capture any network traffic the program might generate to see what it is actually doing.

        • by b4dc0d3r (1268512) on Wednesday December 16, 2009 @05:00PM (#30464824)

          It's .NET and they ran Dotfuscator over it, so you're going to have to graduate past bovine intelligence on this one.

          • by rdnetto (955205)

            I once tried to decompile an obfuscated .NET app. It's definitely possible to figure it out, since all the calls to the CLI, etc. are the same, but it can be pretty tricky when every function and class name looks like a GUID.
            But if you have the time, it's definitely possible to deconstruct it.

            EDIT: I just downloaded it and took a look at the code in Reflector. It seems pretty simple (only 5 classes and the settings namespace isn't obfuscated). Anyone familiar with .NET with about an hour of free time and the

    • If this is true then the NSA got a lot lazier, a lot more efficient, and a lot more effective. The Soviets pioneered denouncing your neighbors but this is one better.

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      "they could just post any old source code and claim it was used to generate the executable." ... which is why you read the code, and if you approve of the code, compile it yourself. If your C.S. skills aren't up to that level, then check with someone you trust as competent to do that code analysis/compilation.

      It's essentially the same with every program.

      But yeah, this looks like an exploit opportunity, and I won't run DECAF on any of my boxes (uh, wait... do I *have* any Windows boxes? Oh, yeah, my gaming

    • This is the beauty of Open Source - you can build your own binaries when paranoid :)

    • by b4dc0d3r (1268512)

      decaf.exe.config - no disassembly needed.

      <setting name="NotifyUser" serializeAs="String">
      <value>False</value>
      </setting>
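The point above is that a .NET application's settings ship as plain XML next to the binary, so the first triage step needs no disassembler at all. The parser below is an added example by the editor, not code from DECAF or from anyone in the thread. The only setting quoted on this page is NotifyUser; the section name DECAF.Properties.Settings (the name Visual Studio would generate) and the other two settings in the sample are constructed to make the snippet self-contained.

```python
"""Pull every <setting> out of a .NET app.config / <exe>.config file.

Added example, not code from DECAF or the original thread. Only NotifyUser
is taken from the page; the section name and the other settings are
constructed stand-ins.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape a Visual Studio-generated decaf.exe.config
# would have (assumption: settings live under DECAF.Properties.Settings).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <sectionGroup name="userSettings"
        type="System.Configuration.UserSettingsGroup, System">
      <section name="DECAF.Properties.Settings"
          type="System.Configuration.ClientSettingsSection, System"
          allowExeDefinition="MachineToLocalUser" />
    </sectionGroup>
  </configSections>
  <userSettings>
    <DECAF.Properties.Settings>
      <setting name="NotifyUser" serializeAs="String">
        <value>False</value>
      </setting>
      <setting name="PollIntervalSeconds" serializeAs="String">
        <value>30</value>
      </setting>
      <setting name="IgnoreList" serializeAs="Xml">
        <value>
          <ArrayOfString>
            <string>explorer.exe</string>
          </ArrayOfString>
        </value>
      </setting>
    </DECAF.Properties.Settings>
  </userSettings>
</configuration>
"""


def parse_settings(config_xml: str) -> dict:
    """Return {"<section>.<name>": {"serializeAs": ..., "value": ...}} for
    every <setting> element, wherever it sits in the config tree."""
    root = ET.fromstring(config_xml)
    found = {}
    for section in root.iter():
        for setting in section.findall("setting"):
            name = setting.get("name")
            serialize_as = setting.get("serializeAs", "String")
            value_el = setting.find("value")
            if value_el is None:
                value = ""
            elif serialize_as == "Xml":
                # Keep XML-serialised values as their raw inner markup.
                value = "".join(ET.tostring(c, encoding="unicode")
                                for c in value_el).strip()
            else:
                value = (value_el.text or "").strip()
            found[f"{section.tag}.{name}"] = {"serializeAs": serialize_as,
                                              "value": value}
    return found


def as_bool(value: str) -> bool:
    """Interpret a String-serialised .NET boolean ("True"/"False")."""
    if value.lower() not in ("true", "false"):
        raise ValueError(f"not a .NET boolean: {value!r}")
    return value.lower() == "true"


if __name__ == "__main__":
    for key, info in parse_settings(SAMPLE_CONFIG).items():
        print(f"{key}: {info['value']!r} ({info['serializeAs']})")
```

The config only tells you what the program is told to do, not what it does; a setting named NotifyUser=False is a hint, and the binary is still where the answer is. Note also that a user-scope settings file in %LOCALAPPDATA% can override the one next to the executable.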

    • DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.

      Haha, that'd be the perfect trojan horse. Have people with (illicit) things to hide run a program that claims to prevent them from being caught, all the while this program is just reporting them. And even if they post code, they could just post any old source code and claim it was used to generate the executable.

      Your distrust in Microsoft is totally unwarran....

      Oh, nevermind... I cant even type that with a straight face... ;-)

  • Maybe DECAF is a double agent, blocking COFEE and collecting its own things in the inventor's interest. It's a trap!
  • Microsue (Score:3, Funny)

    by GuNgA-DiN (17556) on Tuesday December 15, 2009 @10:47PM (#30453746)

    Oh Microsoft.... is there *anything* that can't be handled by a lawsuit?

  • The Site... (Score:5, Informative)

    by JBG667 (690404) on Tuesday December 15, 2009 @10:48PM (#30453750)
  • by publiclurker (952615) on Tuesday December 15, 2009 @10:48PM (#30453752)
    I have incriminating information on my computer so I'm supposed to download and run some closed-source software from people who now know I have this information, and it will make my problems go away. Right.....
    • by Bios_Hakr (68586) <xptical@@@gmail...com> on Tuesday December 15, 2009 @11:05PM (#30453842) Homepage

      So, set up a VM and then port it through Wireshark. It shouldn't be too hard to figure out if it's communicating with some central server.

      • by shird (566377)

        Communicating to some central server when you run it at least. If it stores the data and sends it on a different date you wouldn't know too easily.

        Besides, it may be doing something other than sending off your data, e.g. encrypting it and ransoming you for the key to decrypt it.

      • by Syberghost (10557)

        Yeah, because it's not possible for programs to detect they're running in a VM...

        • Re: (Score:3, Interesting)

          by GameboyRMH (1153867)
          What if someone actually wanted to secure a VM with this app?

          I assume a program could detect if it's running in a VM by checking hardware and matching it with known VM configurations?

          But anyone who's really serious about security shouldn't be running Windows anyways, even with full-disk encryption. What I'm interested in is seeing how COFEE presumably executes with admin privileges on a locked Windows PC with no user input - the technique could be used to make a "super switchblade [hak5.org]," especially if it c
      • by rdnetto (955205)

        That seems like overkill, plus you won't know if it's installing a trojan that activates later. If you're familiar with .NET just open it up in Reflector - even though it's obfuscated, any use of the .NET libraries like System.Net.Sockets will be in plain text.

  • by OverlordQ (264228) on Tuesday December 15, 2009 @10:51PM (#30453770) Journal

    AFAIK, if your computer is locked COFEE relies on autorun to work, so disabling autorun and locking your computer will pretty much thwart COFEE, since it would somehow require bypassing MS's supplied GINA DLL, which, given it's Microsoft, they might know how to do, but I would find it highly unlikely.

    • I seriously doubt a forensics tool created by the same developers that created what it tries to break into is going to rely on autorun to get things started. Even if that is the case, it's not exactly hard to obtain a password removal tool out in the wild to get rid of the "lock your computer" (i.e., Linux live CDs that run scripts to kill saved WinXP/Vista/Win7 account passwords). I've had one in particular for years that I use when someone calls me to say "how do I get into my box when I can't remember t
      • COFEE is designed to circumvent on-disk encryption. To do this it gets the keys from the running system. So it is actually perfectly reasonable that they used autorun, given that it runs stuff even when the screen is locked.

        • Re: (Score:2, Interesting)

          by MaximKat (1692650)

          So it is actually perfectly reasonable that they used autorun given that it runs stuff even when the screen is locked.

          Yeah, it does... in Windows 95.

          • +1 I posted on this further up. [slashdot.org] The "Autorun with screen locked" vulnerability is ancient history, and in Vista/7, Autorun requires user input. (and then the app would need admin privileges to do anything meaningful, spawning a UAC prompt, which again requires user input, and is designed to prevent inputs from being spoofed). There must be some secret backdoor in use.
      • by Anonymous Coward

        The point of COFEE is to grab things that would be lost when the computer is shut down (passwords stored in ram, temporary files, etc) before they pull the plug and take it back to headquarters.

        (Pull the plug, not just tell it to shut down, because it may have a shutdown process in place to wipe evidence.)

        And yes, you could use linux live CDs to remove passwords, but that involves changing what is on the disk, thereby ruining it as evidence. There are strict procedures in place to prevent the evidence from b

        • Re: (Score:1, Informative)

          by Anonymous Coward

          I'm sure more competent forensics people don't pull the plug. Instead they would keep the machine up and running and capture it in that state, using clips to keep it fed the voltage as it gets loaded onto a vehicle and until it gets to the forensics area. There, you use a PCI or IEEE 1394 card to dump the box's RAM.

          Then, the hard disk gets imaged via a hardware write blocker (very important), the decryption keys in RAM used to decrypt the image of the HDD, and the search for whatever stuff (after ACTA, an

          • You could use an accelerometer or a ball-and-cup arrangement similar to a seat belt locking mechanism (very sensitive, especially on newer cars. It locks the seat belt reel if the ball isn't exactly centered) to trigger a computer to shut down or reset if moved. If it's inside the PC and looks pretty normal I doubt the cops would notice, even if they opened the PC (which they probably wouldn't since they could trip a case intrusion switch...sawing through the case in a known safe area would be their only op
            • You could use an accelerometer or a ball-and-cup arrangement similar to a seat belt locking mechanism (very sensitive, especially on newer cars.

              Or the status of the USB cable plugged into the huge laser printer next to your desk, or whether eth0 is up, or by using the built-in GPS (if there is one) or the external GPS (labeled "TIME") to establish plausible deniability.

              Honestly, there are about a million things you could check to have a good idea that your computer isn't being moved.
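The two replies above sketch a "has my machine been moved" tripwire: poll a handful of environmental signals (link state on eth0, a USB device that lives on the desk, an accelerometer) and power off before the RAM-resident keys can be captured. The code below is an added example by the editor, not anything from the thread or from DECAF. The sysfs paths are the standard Linux ones; the check names, the quorum/debounce thresholds and the scripted sensor readings in simulate() are assumptions made to keep it self-contained.

```python
"""Environmental tripwire: shut down when the box no longer looks like it is
sitting at its desk.

Added example, not code from DECAF, COFEE or any commenter. Real checks read
Linux sysfs; simulate() feeds constructed readings instead of real state.
"""
import os
import subprocess


def link_is_up(iface="eth0"):
    """True while the interface reports operstate 'up' (cable plugged, switch alive)."""
    try:
        with open(f"/sys/class/net/{iface}/operstate") as f:
            return f.read().strip() == "up"
    except OSError:
        return False


def usb_present(vendor_id, product_id):
    """True while a USB device with this idVendor:idProduct (say, the desk printer) is enumerated."""
    root = "/sys/bus/usb/devices"
    try:
        for dev in os.listdir(root):
            try:
                with open(os.path.join(root, dev, "idVendor")) as v, \
                     open(os.path.join(root, dev, "idProduct")) as p:
                    if v.read().strip() == vendor_id and p.read().strip() == product_id:
                        return True
            except OSError:
                continue
    except OSError:
        pass
    return False


def poweroff():
    """The real action: immediate halt so RAM, and any keys in it, is gone."""
    subprocess.run(["shutdown", "-h", "now"], check=False)


class Tripwire:
    """Fire `action` once at least `quorum` checks fail for `tolerate` consecutive polls."""

    def __init__(self, checks, action=poweroff, quorum=2, tolerate=3):
        self.checks = dict(checks)   # name -> zero-arg callable returning bool
        self.action = action
        self.quorum = quorum         # simultaneous failures needed to count as "moved"
        self.tolerate = tolerate     # consecutive "moved" polls before firing (debounce)
        self.strikes = 0
        self.fired = False

    def poll(self):
        """Run every check; return the set of names that failed this poll."""
        failed = set()
        for name, check in self.checks.items():
            try:
                if not check():
                    failed.add(name)
            except Exception:        # a crashing sensor counts as a failed sensor
                failed.add(name)
        self.strikes = self.strikes + 1 if len(failed) >= self.quorum else 0
        if self.strikes >= self.tolerate and not self.fired:
            self.fired = True
            self.action()
        return failed


# Constructed sensor states for the demo (not real readings).
HOME = {"eth0": True, "printer": True, "still": True}
MOVED = {"eth0": False, "printer": False, "still": True}
PRINTER_OFF = {"eth0": True, "printer": False, "still": True}


def simulate(readings, quorum=2, tolerate=3):
    """Drive a Tripwire with scripted readings; return the 0-based poll at
    which it fired, or None if it never did."""
    log, fired_at, current = [], [], {}
    tw = Tripwire({n: (lambda n=n: current[n]) for n in readings[0]},
                  action=lambda: fired_at.append(len(log)),
                  quorum=quorum, tolerate=tolerate)
    for reading in readings:
        current.clear()
        current.update(reading)
        log.append(tw.poll())
    return fired_at[0] if fired_at else None


if __name__ == "__main__":
    print("printer unplugged only:", simulate([HOME] + [PRINTER_OFF] * 6))
    print("seized:", simulate([HOME, HOME, MOVED, MOVED, MOVED, MOVED]))
    print("bouncing switch:", simulate([HOME, MOVED, HOME, MOVED, HOME, MOVED]))
```

The quorum keeps one unplugged printer from halting the box, and the debounce keeps a bouncing link from doing the same. The flip side, which the forensics reply earlier in this thread hints at, is that an examiner who keeps power and the network cable attached never trips an eth0 check, so at least one signal should be something that has to change when the chassis physically moves.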

    • by JWSmythe (446288)

      Read the instructions. It works with autorun, but if autorun is disabled you're supposed to use the file manager to browse to the USB device and execute it.

      If you really read into the COFEE instructions, you'd see it doesn't give too much up. Well, it says a lot, but not about 3rd party software. It mostly gives standard MS stuff from the registry. Decrypted login passwords, what's set to run at boot time, etc. It would be a good forensic tool for cleaning up after a break

      • by OverlordQ (264228)

        but if autorun is disabled you're supposed to use the file manager to browse to the USB device and execute it.

        That is why I said lock the computer, then they can't get to the file manager.

    • $ apt-cache search GINA dll
      $

      Dammit, now I can't check out COFEE :(

  • >The article notes that DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.

    And most people running MS-Windows know for sure what THAT will do to their computers?

    Does seem odd, though, that DECAF would not be open so people (in the know) would trust it and could learn from it. Oh well.

  • by robot256 (1635039) on Tuesday December 15, 2009 @10:59PM (#30453816)

    ...to distribute rootkits and create botnets. Even better than those "Free Antivirus Software" downloads.

    Seriously, is anybody going to trust something like this without the source? Somebody intelligent enough not to open unsolicited email attachments, at any rate.

    (And yes, I realize there might be "legitimate" reasons for keeping the source out of law enforcement's hands, but frankly [at risk of trolling] I would rather be spied on by the government than identity thieves.)

    • When was the last time you read the source of an application to audit it?

    • And yes, I realize there might be "legitimate" reasons for keeping the source out of law enforcement's hands [...]

      WTH? Machine code IS source code! Just in another language that is a tiny bit harder to read (assisted by tools). So there really is no real point in hiding the source code. Everybody who wants to look at what it does, can still do that.
      How else would the CPU know what to do with it?

      It's sad, when even on Slashdot, people think that "closed" source would be any more than security through obscurity theater.

      • Sure, it's security through obscurity.

        And sometimes, security through obscurity works. ... for long enough. Sure, you can disassemble megabytes of machine code. But if it takes man-years to read enough to know what it is doing, you still win if the people reading it take real-years to get practical results.

        It's that you can't really know how much effort people are putting into defeating the obscurity, and how much success they are having until "too late", that makes security through obscurity so unreliabl

      • by b4dc0d3r (1268512)

        It's .NET and they ran Dotfuscator over it, so it's not that simple. At this point it's pretty damned obscure.

        • by rdnetto (955205)

          Even obfuscated, it's only 5 classes (which reference an unobfuscated settings namespace that gives you a little more info). Anyone familiar with .NET with some time on their hands could reverse engineer it.

  • I think I'll just stick to Pepsi

  • Arguments (Score:5, Insightful)

    by Demonantis (1340557) on Tuesday December 15, 2009 @11:31PM (#30453954)
    I realize a large number of people won't trust it because it's not open source. I can see the author's viewpoint, though, of not wanting Microsoft to turn around and make a patch against it. If you don't want it, don't run it, but if it is a trojan a firewall can easily defeat that. If it is a virus, word will spread and people will avoid it. It is like the Antivirus 2009 programs, which, other than being blatantly obvious viruses, don't work anymore because people know they are bad.
    • Re: (Score:3, Insightful)

      by JonJ (907502)

      I can see the author's viewpoint, though, of not wanting Microsoft to turn around and make a patch against it.

      One would think that Microsoft has little to no problems doing this without the source.

      • Not having the source will act as a speedbump, at the least...although if DECAF can totally block whatever hidden backdoor COFEE is exploiting and prevent it from executing in the first place, there would be no advantage to hiding the source. From what I've read DECAF is security by obscurity at this stage - weak security but better than nothing.
      • by rdnetto (955205)

        I can see the author's viewpoint, though, of not wanting Microsoft to turn around and make a patch against it.

        One would think that Microsoft has little to no problems doing this without the source.

        It's written in .NET, so even though it's obfuscated it's not that hard to reverse engineer it using Reflector. If I (a teenager who only dabbles in coding) could reverse engineer it in a few hours*, I have little doubt that some MS employee who is being paid to do so could figure it out in under a week.

        *I have not reverse engineered it, but I have looked at the source, so I can say that it really isn't that complex.

    • Microsoft already knows what they need to patch, seeing as they know what source code they leaked.
    • by Java Pimp (98454)

      I just did a Google search to see if anyone has reported it to be a virus and found nothing. It's probably safe.

      I'm installing it now. I'll let you know what hap

  • Could be that Microsoft is also really concerned about Cofee accessing protected encrypted files that would allow hackers to pirate legitimate copies of Windows if the device identity encoding within WGA is cracked! I am afraid someone might have just let the horse out of the barn through a Windows backdoor. The heads are about to roll in Redmond again!
    • WGA's been cracked six ways from Sunday. The issue is Microsoft's server-side validation - illegitimate copies can't get updates. This is why MS goes apeshit on unauthorized patch distribution.
  • Confused? (Score:2, Redundant)

    by BountyX (1227176)
    I'm a little confused, what exactly is the point of DECAF? Wouldn't encrypting your hard drive be more effective?
  • by Monkeedude1212 (1560403) on Wednesday December 16, 2009 @12:11AM (#30454170) Journal

    Soon I'll Release my Beta version of FRENCH VANILA

    (Forensic Reducing Emulator Named Coherently and Handsomely for Very Awesome Naughty and Illicit Activities)

  • Linux! ammite?
  • Wait, what--? (Score:4, Insightful)

    by girlintraining (1395911) on Wednesday December 16, 2009 @12:38AM (#30454304)

    ...so you aren't really going to know for sure what it will do to your computer.

    You're saying you don't know how to run a debugger in a VM session? or registry and file monitoring utilities? I get that analyzing machine code may be a bit of a lost art, but if you have the binary file you have everything you need to figure out what it does -- eventually. Someone will reverse-engineer it. In fact, I rather expect the authors knew this when they released it.

    • by rdnetto (955205)

      if you have the binary file you have everything you need to figure out what it does

      It's even better than that. .NET EXEs actually contain MSIL (a type of intermediate language) and are easily decompiled into the original source code (or something resembling it). DECAF has been obfuscated (all the variable/function/class names changed to meaningless letters), but it's simple enough that you could figure it out in under an hour, if you're familiar with .NET, especially since system libraries (e.g. System.Net.Sockets) will be referenced in plain text.
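rdnetto's observation is worth a concrete check: an obfuscator can rename the program's own classes to GUID soup, but the TypeRef entries that point into mscorlib and System.* have to keep their real names or the runtime cannot resolve them, and they sit as plain NUL-separated text in the #Strings heap. The script below is an added example by the editor, not code from DECAF or from the thread: it extracts printable strings from a file and matches them against a watchlist of namespaces. FAKE_ASSEMBLY is a constructed stand-in for a metadata region, not bytes from decaf.exe, and the watchlist is the editor's choice.

```python
"""Triage an obfuscated .NET assembly by the BCL names it cannot hide.

Added example, not code from DECAF or any commenter. Reflector/ILSpy give
the real picture; this is the thirty-second version for a first look.
FAKE_ASSEMBLY is a constructed metadata-like blob, not a real binary.
"""
import re
import sys

# Namespaces that answer "what can this thing do?" (editor's watchlist).
WATCHLIST = {
    "System.Net.Sockets": "raw TCP/UDP connections",
    "System.Net": "HTTP/DNS via WebClient, HttpWebRequest, Dns",
    "System.IO": "file and directory access",
    "Microsoft.Win32": "registry access",
    "System.Diagnostics": "process creation/enumeration",
    "System.Management": "WMI queries",
    "System.Security.Cryptography": "encryption (packing, or holding files to ransom)",
    "System.Runtime.InteropServices": "P/Invoke into native Win32 APIs",
}


def looks_like_dotnet(data: bytes) -> bool:
    """CLR metadata begins with the 'BSJB' signature and names its #Strings heap."""
    return b"BSJB" in data and b"#Strings" in data


def extract_strings(data: bytes, min_len: int = 4):
    """Printable-ASCII runs, which is how the #Strings heap stores identifiers."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def classify(s: str):
    """Longest watchlist namespace equal to s or a parent of it, else None."""
    best = None
    for ns in WATCHLIST:
        if (s == ns or s.startswith(ns + ".")) and (best is None or len(ns) > len(best)):
            best = ns
    return best


def triage(data: bytes) -> dict:
    """Map watchlist namespace -> sorted list of matching metadata strings."""
    hits = {}
    for s in extract_strings(data):
        ns = classify(s)
        if ns:
            hits.setdefault(ns, set()).add(s)
    return {ns: sorted(names) for ns, names in hits.items()}


# Constructed stand-in for the metadata region of an obfuscated assembly:
# renamed user types (a, b, c, d) next to BCL names the obfuscator must keep.
FAKE_ASSEMBLY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"BSJB" + b"\x00" * 8 + b"#~\x00#Strings\x00#US\x00#GUID\x00#Blob\x00"
    + b"\x00".join([
        b"<Module>", b"a", b"b", b"c", b"d",               # obfuscator-renamed user types
        b"System", b"Object", b"mscorlib",                 # always present, uninteresting
        b"System.Net.Sockets", b"TcpClient",               # what a "phone home" needs
        b"System.IO", b"File", b"Microsoft.Win32", b"Registry",
        b"System.Diagnostics", b"Process",
        b"System.Runtime.CompilerServices", b"CompilerGeneratedAttribute",
    ])
    + b"\x00\x01\x02\xff\xfe"
)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else FAKE_ASSEMBLY
    print("looks like .NET:", looks_like_dotnet(blob))
    for ns, names in sorted(triage(blob).items()):
        print(f"{ns:32} {WATCHLIST[ns]:48} {', '.join(names)}")
```

Run it against the real decaf.exe (`python triage.py decaf.exe`) and then open the hits in Reflector. An empty result is not a clean bill of health: heavier obfuscators resolve types by reflection from encrypted strings, at which point the only plaintext you will see is System.Reflection itself, which is its own kind of hint.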

  • There is so much more COFEE should have done. It looks like it takes a look at your current running state. It grabs network connections you have open, running processes, and user account names that are logged in. Things that get lost when you power a computer off. The autorun is just to make it simple for the user. I don't expect this is the only tool run. I expect it is a quick snapshot before you pull the plug.

    Microsoft did take care to get the correct versions of the tools for each OS. You know how yo

  • I am confused. (Score:2, Insightful)

    by TexasTroy (1701144)
    Someone please explain. How is Windows secure (no pun intended) if Microsoft can release a tool, or script, which can get information from a password or encrypted system? Surely this cannot be an exploit to a backdoor. Does the use of COFEE require a user to already be logged in for it to work? Seriously. If this is the case, what keeps an evil-doer from using the tool to get into any window system they want and do whatever they want? If the tool has been leaked, then there is plausible deniability re
  • Seriously, what does COFEE-generated data prove? If my computer ran XP and for some reason some official wanted to plug a USB stick with the label "COFEE" into it, then whatever data they claim to find I could easily deny was mine. After all, on the USB stick there could have been ANY program which plants ANY data on the computer it was plugged into!

    As far as I know, part of proper computer forensics work is to first (!) duplicate the hard drive in question, then generate a checksum for b

    • by Matey-O (518004)

      It proves you don't know much about computer forensics, that's for sure.

      • I think the GP has a point regarding the planting of evidence. Unless the COFEE app(s) that ran on the suspect machine can be verified to have been built from known good source, there is a potential for planted evidence. Faking timestamps and even self-wiping the part of the app that does the planting after the fact is quite possible. Am I missing something?
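The procedure the two posts above are circling (image the drive under a write blocker, hash the image, re-check the hash on any copy before analysis) is simple enough to show in full. The code below is an added example by the editor, not from COFEE, any forensic suite or anyone in the thread. It hashes the whole image and each fixed-size chunk in one pass, so a later mismatch can be localised rather than just detected. ORIGINAL_IMAGE is a constructed byte pattern standing in for a drive image; the 64 KiB chunk size is an assumption.

```python
"""Hash-verify a disk image: record a manifest at acquisition, re-check copies.

Added example, not code from COFEE, any forensic tool or any commenter.
ORIGINAL_IMAGE and its damaged variants are constructed test data.
"""
import hashlib
import io
import json

CHUNK_SIZE = 64 * 1024   # assumption: hash 64 KiB pieces as well as the whole


def hash_stream(stream, chunk_size=CHUNK_SIZE):
    """One pass over the image: (whole-image SHA-256, [SHA-256 per chunk])."""
    whole = hashlib.sha256()
    chunks = []
    while True:
        buf = stream.read(chunk_size)
        if not buf:
            break
        whole.update(buf)
        chunks.append(hashlib.sha256(buf).hexdigest())
    return whole.hexdigest(), chunks


def make_manifest(stream, chunk_size=CHUNK_SIZE):
    """Produce the record to keep (and sign, or write into the notes) with the image."""
    whole, chunks = hash_stream(stream, chunk_size)
    return {"algorithm": "sha256", "chunk_size": chunk_size,
            "image_sha256": whole, "chunks": chunks}


def verify_copy(manifest, stream):
    """Indices of chunks that differ from the manifest; [] means the copy verifies.

    Localising the damage matters on a failing drive: re-read a few sectors
    instead of re-imaging the whole disk.
    """
    whole, chunks = hash_stream(stream, manifest["chunk_size"])
    if whole == manifest["image_sha256"]:
        return []
    recorded = manifest["chunks"]
    n = max(len(chunks), len(recorded))
    return [i for i in range(n)
            if i >= len(chunks) or i >= len(recorded) or chunks[i] != recorded[i]]


def manifest_for_bytes(data, chunk_size=CHUNK_SIZE):
    """Convenience wrapper for in-memory data."""
    return make_manifest(io.BytesIO(data), chunk_size)


def bad_chunks(manifest, data):
    """Convenience wrapper for in-memory data."""
    return verify_copy(manifest, io.BytesIO(data))


# Constructed 300 KiB "image": four full chunks plus a 44 KiB tail.
ORIGINAL_IMAGE = bytes((i * 7 + 3) % 256 for i in range(300 * 1024))

# A copy with one byte changed inside the fourth chunk (offset 200 KiB + 5).
_t = bytearray(ORIGINAL_IMAGE)
_t[200 * 1024 + 5] ^= 0xFF
TAMPERED_IMAGE = bytes(_t)

# A copy cut short at 100 KiB, as from an aborted dd.
TRUNCATED_IMAGE = ORIGINAL_IMAGE[:100 * 1024]


if __name__ == "__main__":
    manifest = manifest_for_bytes(ORIGINAL_IMAGE)
    print(json.dumps({k: v for k, v in manifest.items() if k != "chunks"}, indent=2))
    for label, image in [("original", ORIGINAL_IMAGE),
                         ("tampered", TAMPERED_IMAGE),
                         ("truncated", TRUNCATED_IMAGE)]:
        print(f"{label:10} bad chunks: {bad_chunks(manifest, image)}")
```

The hash only proves that the copy matches whatever was read at acquisition time. It says nothing about what happened to the disk before the write blocker went on, which is exactly the gap the planted-evidence argument above is about: a tool run on the live machine changes the machine, and the imaging hash taken afterwards cannot tell you what it changed.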
  • Slashdot users proved prophets for the nth time over: http://tech.slashdot.org/comments.pl?sid=1435688&cid=30021576 [slashdot.org]
  • People, you don't understand what this means!!

    This marks the end of an era! Up until now investigators could be pretty comfortable assuming that their forensic analyses were giving accurate data about the use and activity of the computer. Tools to analyse file, network and disk access are based on the assumption that the metadata has not been tampered with.

    It is enough that you download and run this program every now and then to render every analysis of your computer pretty meaningless as eviden
