Reactivating DECAF in Two Minutes


The misinformation about DECAF being shut down and a hoax is alarming, and the quality of reporting on this security topic is actually worse than usual. Earlier tonight we noticed this update from @slashdot on Twitter: “DECAF Was Just a Stunt, Now Over”, along with this: “Anti-COFEE tool taken down & d/l’ed copies disabled.” Ok, fair enough, releasing DECAF was a stunt according to its two creators. We listened to this bizarre podcast where the developer was asked to take DECAF down. Finally we saw this train wreck of an article by Nick Eaton, the Microsoft Reporter over at the Seattle PI Blogs. So now we’re going to respond, because the incorrect story of DECAF as a big hoax, a tool that supposedly never worked, is propagating through the Intertubes. DECAF was a working tool that can easily be re-enabled, because the “shutdown” appears to be nothing more than a call back to decafme.org that is now disabled but easily spoofed, and we’ll demonstrate how.

The story is this: users visiting http://www.decafme.org/ were treated to the screenshot shown below, stating that DECAF “no longer works” because the release “was a stunt to raise awareness for…the need for better forensic tools”. The thought process isn’t terrible: DECAF is a simple, clearly quickly written, and unsophisticated Visual Basic 2005 application designed to show how simple it is to thwart the COFEE forensics tool. You can also see where Microsoft and others have a problem with the application. It is designed to detect the presence of the Microsoft-released forensic tool (largely a wrapper around known utilities) called COFEE and then execute certain actions as specified by the user.

We’ve covered both topics in full, and aside from being good security theater, both the COFEE leak and DECAF release are much ado about nothing:

Repent, and you shall be Saved

So things started out ok, a proof of concept tool to combat unreasonable hype, until crazy came to town. Users visiting the site are presented with this bizarre message about Jesus:

A message of peace.

How to Reactivate DECAF in Two Minutes

Remember that DECAF calls home over HTTP to 208.68.237.165 when launched. If it doesn’t receive this response, it crashes:

1.0.0|http://www.decafme.org/|

The crash returns this error:

EventType clr20r3, P1 decaf.exe, P2 1.0.2.0, P3 4b2679b7, P4 decaf,
P5 1.0.2.0, P6 4b2679b7, P7 115, P8 14d, P9 system.invalidoperationexception, P10 NIL.

So what appears to be “the deactivation” is simply not serving this page: the URL no longer returns the expected response, and the application crashes. To counter this we:

Set up a virtual host in Apache:

<VirtualHost *:80>
    # Must match the Host header DECAF sends; the hosts entry below points www.decafme.org here
    ServerName decafme.org
    ServerAlias www.decafme.org
    RewriteEngine On
    # Whatever path DECAF requests, answer it with index.php
    RewriteRule ^.*$ /index.php [L]
    DocumentRoot "/var/www/decafeme/"
    <Directory "/var/www/decafeme/">
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    <IfModule mpm_peruser_module>
        ServerEnvironment apache apache
    </IfModule>
</VirtualHost>

Add this PHP file as ‘index.php’:

<?php
// The exact string DECAF expects; nothing else may be output
echo "1.0.0|http://www.decafme.org/|";
?>

Modify your hosts file by adding this entry (swapping out the IP for wherever you put the virtual host):

127.0.0.1 www.decafme.org
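The hosts-file override above is exactly what a forensic examiner or administrator would look for when checking whether a call-home has been redirected. As an added illustration (not code from the original post), this Python script audits a constructed sample hosts file and flags dotted public names pinned to loopback, plus any entry touching a watched call-home domain; the watched-domain list containing decafme.org is an assumption of the example.

```python
import ipaddress

# Constructed sample hosts file: the www.decafme.org override from the
# article, plus ordinary entries that must not be reported.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver fileserver.corp.example   # internal box
127.0.0.1 www.decafme.org
10.0.0.5        www.decafme.org decafme.org
"""

# Aliases that legitimately resolve to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Call-home domains of interest (assumption: the examiner maintains this list).
WATCHED = ("decafme.org",)


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and junk lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address, ignore the line
        for name in fields[1:]:
            yield ip, name.lower()


def suspicious_overrides(text, watched=WATCHED):
    """Report (hostname, ip, reason) for entries that pin a dotted public
    name to loopback, or that mention a watched call-home domain at all:
    the trick used above to answer DECAF's version check locally."""
    hits = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES or "." not in name:
            continue
        if ip.is_loopback:
            reason = "loopback"
        elif any(name == d or name.endswith("." + d) for d in watched):
            reason = "watched domain"
        else:
            continue
        hits.append((name, str(ip), reason))
    return hits
```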

And we’re back to kicking off a set of actions when COFEE is detected on a system, such as:

  • Shutdown the system
  • Kill selected processes
  • Disable Network, USB, CD-ROM, ports, floppy
  • Clear event viewer
  • Erase Data

We verified this by performing all the steps above, re-running DECAF, and doing a system shutdown upon detection of COFEE.

Lockdown Settings

Reporting that is an Epic Fail

Looking at the sites that were misreporting, such as CrunchGear and Slashdot, the story all seems to flow back to this Seattle PI blogs article by Nick Eaton. Nick reports that DECAF “is fake”, that numerous media outlets were “duped” and that we were all manipulated. Except that whatever the two developers’ reasons were for creating DECAF, publicity stunt or tool release followed by threat of legal action and a quick pull back, DECAF was released as a working tool that still works.

Nick goes on:

There was something suspicious about the DECAF Web site before it switched to spoof mode Friday morning. The developers posted an explanatory video, highlighted DECAF’s supposed features, promised pie-in-the-sky updates (such as the ability to send DECAF a text message to trigger “Lockdown Mode”) and appealed to expert developers for help in making better forensics tools. It all seemed a little too legitimate and focused for an anti-policing tool.

Then there is this podcast, devoid of actual information about COFEE and DECAF but that fills in the blanks with nonsense about child molesters and terrorists. In their defense, we’re told this show is usually pretty good, so we’ll call this a bad night.

So never let the facts get in the way of a good story.

DECAF vs. COFEE debate from the Developer (Video)

We couldn’t get through the whole thing, but here it is:

Finally

DECAF is not the most sophisticated piece of software, but it did work, and still works. COFEE is not used by legitimate forensic investigators. “But pedophiles will use DECAF to thwart law enforcement!” We can all only hope that they do, because the time they spend trying to get DECAF to work properly will be time spent away from committing felonies, and hopefully it will give them a false sense of confidence such that they do not use more effective methods to hide their crimes, like encryption. That would actually benefit investigators, as in “hey, this moron thought that having DECAF installed was going to stop us from being able to find out what he was up to”. The fact is that bringing up wild child molester, pedophile, and terrorist scenarios is a cheap, dramatic tactic, designed to rile people up emotionally, preventing us from having a dispassionate discussion about the facts of the situation.

If you have a serious computer crime to deal with, get a serious computer forensics investigator, who uses sets of real computer forensics tools based on the situation he or she is faced with.

But Microsoft may never build another COFEE, and transparency will stop! Be serious: part of the unnecessary nonsense generated around the leak of COFEE and all that followed was the inappropriate way it was originally released and marketed as “only for law enforcement”. Forensics tools must be well known, analyzed by experts, and their effects on target systems well documented. Thus releasing a closed source tool to a small community meant that COFEE could never be used seriously to present evidence in court. That is, if it did anything novel, which it doesn’t: COFEE simply allows the user to run existing tools and system utilities from a USB stick.

The promise of COFEE, how it was marketed, has sold a number of people on why it’s so important that it was leaked and subverted. Standardization of incident response tools (as in only a couple are used) would be a nice idea, but would be an effort faced with serious challenges, because homogeneous, non-complex IT environments are a thing of the distant past. Having less skilled people “run a tool” that allows them to perform data capture is a nice idea, albeit an even more dubious one. What lawyer could not get evidence thrown out that was collected from a computer by someone who doesn’t understand computers? The reasons why it would be a positive are clear: forensic data would not be lost even if an investigator lacks computer forensics skills, and frankly there are not that many good computer forensic investigators to go around.

But COFEE does not deliver on either of these aspirations, as much as some might wish it does. And it was easily countered, meaning any bad actor could have done it. And tools aren’t evil, the people who use them are.

Now if you have time, have a read of an article about the evolving state of real forensics tools.

Update

12/23/2009 – SoldierX

The guys over at Soldierx.com have taken the next logical step and removed the phone-home component (which now crashes the program) from DECAF and re-released it.

Note also, per our original analysis, that when COFEE is found DECAF sends a request back to decafme.org as follows (our IP address has been changed):

GET /decaf.php?&rip=299.297.141.45&rtime=12142009_050704PM-5&sim=false HTTP/1.1

It appears to be basically a tracking mechanism; however, the SoldierX guys didn’t like that it was doing that from a privacy perspective, and removed that piece as well.
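To make the privacy point concrete, here is an added Python parser (not part of the original post or of DECAF) that breaks the request line above into the fields it reports back. It assumes rtime is laid out as MMDDYYYY_hhmmss followed by AM/PM and a UTC offset in whole hours; that layout is inferred from the single sample, not documented on the page.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed copy of the request line quoted in the article; the article's
# authors already replaced the real address, and 299.297.141.45 is not even
# a valid IPv4 address.
SAMPLE_REQUEST = ("GET /decaf.php?&rip=299.297.141.45"
                  "&rtime=12142009_050704PM-5&sim=false HTTP/1.1")

# Assumed layout: 8 digits of date, '_', 6 digits of time, AM/PM, UTC offset.
RTIME_RE = re.compile(r"(\d{8}_\d{6}[AP]M)([+-]\d{1,2})")


def parse_rtime(value):
    """Decode rtime such as '12142009_050704PM-5' into an aware datetime."""
    m = RTIME_RE.fullmatch(value)
    if not m:
        raise ValueError("unrecognised rtime: %r" % value)
    naive = datetime.strptime(m.group(1), "%m%d%Y_%I%M%S%p")
    return naive.replace(tzinfo=timezone(timedelta(hours=int(m.group(2)))))


def is_valid_ip(text):
    """True if text is a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_callback(request_line):
    """Split the decaf.php beacon into the values it leaks to the server."""
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    q = parse_qs(url.query)  # the stray leading '&' yields no pair
    rip = q.get("rip", [""])[0]
    local = parse_rtime(q["rtime"][0])
    return {
        "method": method,
        "path": url.path,
        "reporter_ip": rip,
        "ip_is_valid": is_valid_ip(rip),
        "local_time": local,                       # with the sender's offset
        "utc_time": local.astimezone(timezone.utc),
        "sim": q.get("sim", ["false"])[0].lower() == "true",
    }
```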

DECAF developers have also posted new messages, including the newest one indicating that a version 2 is now on the way:

12/23/2009 – DECAFme.org

Well, with Christmas right around the corner we felt it was an opportunity for DECAF to bring an application back on the scene. DECAF v2 is in the kitchen cookin’ as we speak. As you know, DECAF v1 did do what it said it would do even though some people seemed to report it didn’t. Some might not use V2, some might. We really don’t care either way. If you are scared to use V2, that’s ok; run it through a VM.

Now that we let the cat out the bag, be sure to keep checking back and look for V2 within the next few days. This is the start of something big…

12/21/2009

DECAF was not a spoof, it was a “stunt”. We have got an amazing amount of positive feedback. We have had MANY requests for the source code of DECAF but do not feel its release would promote a positive move.

We have not been able to settle with our buyer for DECAF and DECAFme.org. If there is anyone seriously interested in purchasing, send an email to [email protected] Serious inquiries only.

12/19/2009

With all the recent buzz about DECAF lately, there have been many requests for the visibility of DECAF source code. These have been from the early days of its release to the current “stunt” news. My purpose of DECAF is over. There are many out there who think we are feds cough John Young cough and some who think we are lunatic, religious nuts cough John Young cough. But then again we still have 95% of the other readers who encourage and compliment us. Oh ya.. and we finally heard that Microsoft seems to have finally broken the silence about the hype. I am not quite sure where they stand as I was expecting to hear from Richard Boscovich myself but didn’t. Anyhow, on to my point…

We have heard from both sides of the argument regarding DECAF source code being released.

We have reason to believe DECAF source code and domain will be purchased this week by an unnamed buyer. We can’t be sure of the plans or really make sense of their motive but we are considering it. If this does happen, we will not be able to release the source to the community. Feel free to stay tuned as these next 48 hours pan out.

Filed Under: Forensics

Comments (18)

  1. DECAFme.org says:

    Another great article

  2. Ovie says:

    Very well written article. loved it…even the disagreement with my admittedly over dramatic child molesting terrorist comment. ;)

  3. heh says:

    any reason you used php instead of writing a static html file? :P

  4. This is a matter of choice – if we have PHP then why not use it? If not, we would have to configure the server another way, so I don’t see any important difference ;]

  5. Joe says:

    Err, not really. If you did it with PHP, it would look like:

    –file– 1.0.0|http://www.decafme.org/| –end of file–

    instead of –file– –end of file–

    How would you have to configure it otherwise?

  6. A very sane article with a lot of truth spoken. I swear I’m going to take to the church tower with a sniper rifle if I read one more article about COFEE being the LE analyst’s favourite forensic tool ever.

  7. Nicely done. I have been following this from day one and it’s good to see one source that has it all today.

    Good job!

  8. Prefect says:

    Regardless of what technology you use (php, whatever), as long as the response to the GET is that string DECAF should run. PHP is just what we had running, and we reported on exactly what we quickly did.

    Ovie, like the show. Your strong suit is not as the Dr. Phil of information security ;)

  9. [...] Reactivating DECAF in Two Minutes – Praetorian Prefect [...]

  10. Anonymous says:

    According to the DECAFme.org site, they have re-started the decaf project and ver 2.0 will be released soon….. this might be interesting :P

  11. [...] to PREFECT for the base solution in English. Share with [...]

  12. mike says:

    v2.. no usage logging, no version checking.. monitors cdrom now.. auto-start monitor, and I’ll save the biggest feature for release. :)

    -mike

  13. [...] How to Reactivate DECAF in Two Minutes (How to reactivate DECAF in 2 minutes) [...]

  14. [...] In this first episode we will talk about: What’s New – The United States and Russia negotiate to avoid a cyber war – COFEE vs DECAF – Reactivating DECAF in 2 minutes [...]
