The misinformation on DECAF being shut down and a hoax is alarming and the quality of reporting on this security topic actually worse than usual. Earlier tonight we noticed this update from @slashdot on Twitter: “DECAF Was Just a Stunt, Now Over”, along with this: “Anti-COFEE tool taken down & d/l’ed copies disabled.”. Ok, fair enough, releasing DECAF was a stunt according to its two creators. We listened to this bizarre podcast where the developer was asked to take DECAF down. Finally we saw this train wreck of an article by Nick Eaton, the Microsoft Reporter over at the Seattle PI Blogs. So now we’re going to respond, because the incorrect DECAF as a big hoax story, a tool that supposedly never worked, is propagating through the Intertubes. DECAF was a working tool that can be easily re-enabled, because the shut down appears to only be a call back to decafme.org that is now disabled, but is easily spoofed, and we’ll demonstrate how.
The story is this, users visiting the http://www.decafme.org/ were treated to the screenshot shown below stating that DECAF “no longer works” because the release “was a stunt to raise awareness for…the need for better forensic tools”. The thought process isn’t terrible, DECAF is a simple, clearly quickly written, and unsophisticated Visual Basic 2005 application designed to show the simplicity of thwarting the COFEE forensics tool. You can also see where Microsoft and others have a problem with the application. The application is designed to detect the presence of the Microsoft released forensic tool (largely a wrapper around known utilities) called COFEE and be able to then execute certain actions as specific by the user.
We’ve covered both topics in full, and aside from being good security theater, both the COFEE leak and DECAF release are much ado about nothing:
Repent, and you shall be Saved
So things started out ok, a proof of concept tool to combat unreasonable hype, until crazy came to town. Users visiting the site are presented with this bizarre message about Jesus:
How to Reactivate DECAF in Two Minutes
Remember that DECAF calls home when launched via HTTP to 18.104.22.168.
If it doesn’t receive this response, it crashes.
The crash returns this error:
EventType clr20r3, P1 decaf.exe, P2 22.214.171.124, P3 4b2679b7, P4 decaf, P5 126.96.36.199, P6 4b2679b7, P7 115, P8 14d, P9 system.invalidoperationexception, P10 NIL.
So not serving this page is what appears to be “the deactivation”, the URL does not return the right response, and the application crashes. To counter this we:
Set up a virtual host in Apache:
<VirtualHost *:80> ServerName decafeme.org ServerAlias www.decafeme.org RewriteEngine On RewriteRule ^.*$ /index.php [L] DocumentRoot "/var/www/decafeme/ <Directory "/var/www/decafeme/"> Options FollowSymLinks AllowOverride All Order allow,deny Allow from all </Directory> <IfModule mpm_peruser_module> ServerEnvironment apache apache </IfModule> </VirtualHost>
Add this php file as ‘index.php’:
<?php echo("1.0.0|http://www.decafme.org/|"); ?>
Modify your hosts file by adding this entry (swapping out the IP for wherever you put the virtual host):
And we’re back to kicking off a set of processes when COFEE is detected on a system such as:
- Shutdown the system
- Kill selected processes
- Disable Network, USB, CD-ROM, ports, floppy
- Clear event viewer
- Erase Data
We verified this by performing all the steps above, re-running DECAF, and doing a system shutdown upon detection of COFEE.
Reporting that is an Epic Fail
Looking at what sites were misreporting such as CrunchGear and Slashdot the story seems to all flow back to this Seattle pi blogs article by Nick Eaton. Nick reports that DECAF “is fake”, that numerous media outlets were “duped” and that we were all manipulated. Except whatever the two developers reasons were for creating DECAF, publicity stunt or tool release followed by threat of legal action and quick pull back, DECAF was released as a working tool that still works.
Nick goes on:
There was something suspicious about the DECAF Web site before it switched to spoof mode Friday morning. The developers posted an explanatory video, highlighted DECAF’s supposed features, promised pie-in-the-sky updates (such as the ability to send DECAF a text message to trigger “Lockdown Mode”) and appealed to expert developers for help in making better forensics tools. It all seemed a little too legitimate and focused for an anti-policing tool.
Then there is this podcast, devoid of actual information about COFEE and DECAF but that fills in the blanks with nonsense about child molesters and terrorists. In their defense, we’re told this show is usually pretty good, so we’ll call this a bad night.
So never let the facts get in the way of a good story.
DECAF vs. COFEE debate from the Developer (Video)
We couldn’t get through the whole thing, but here it is:
DECAF is not the most sophisticated piece of software, but it did work, and still works. COFEE is not used by legitimate forensic investigators. “But pedophiles will use DECAF to thwart law enforcement!”. We can all only hope that they do because the time they spend trying to get DECAF to work properly will be time spent away from committing felonies and hopefully it will give them a false sense of confidence such that they do not use more effective methods to hide their crimes like encryption. That would actually benefit investigators, as in “hey, this moron thought that having DECAF installed was going to stop us from being able to find out what he was up to”. The fact is bringing up wild child molester, pedophile, and terrorist scenarios is a cheap, dramatic tactic, designed to rile people up emotionally preventing us from having a dispassionate discussion about the facts of the situation.
If you have a serious computer crime to deal with, get a serious computer forensics investigator, who uses sets of real computer forensics tools based on the situation he or she is faced with.
But Microsoft may never build another COFEE, and transparency will stop! Be serious, part of the unnecessary nonsense generated around the leak of COFEE and all that followed was the inappropriate way it was originally released and marketed as “only for law enforcement”. Forensics tools must be well known, analyzed by experts, and their effects on target systems well documented. Thus releasing a closed source tool to a small community meant that COFEE could never be used seriously to present evidence in court. That is if it did anything novel, but it doesn’t, COFEE allows the user to run existing tools, system utilities, from a USB stick.
The promise of COFEE, how it was marketed, has sold a number of people on why its so important that it was leaked and subverted. Standardization of incident response tools (as in only a couple are used) would be a nice idea, but would be an effort faced with serious challenges because heterogeneous non-complex IT environments are a thing of the distant past. Having less skilled people “run a tool” that allows them to perform data capture is a nice idea, albeit even a little more dubious. What lawyer could not get evidence from a computer thrown out that’s collected by someone who doesn’t understand a computer? The reasons why it would be a positive is clear, forensic data would not be lost even if an investigator lacks computer forensics skills, and frankly there are not that many good computer forensic investigators to go around.
But COFEE does not deliver on either of these aspirations, as much as some might wish it does. And it was easily countered, meaning any bad actor could have done it. And tools aren’t evil, the people who use them are.
Now if you have time, have a read of an article about the evolving state of real forensics tools.
12/23/2009 – SoldierX
The guys over at Soldierx.com have taken the next logical step and removed the phone home component (that now crashes) from the DECAF program and re-released it.
Note also per our original analysis that when COFEE is found, DECAF sends a request back to decafme.org as follows (our IP address is changed):
GET /decaf.php?&rip=299.297.141.45&rtime=12142009_050704PM-5&sim=false HTTP/1.1
It appears to basically be a tracking mechanism, however the SoldierX guys didn’t like that it was doing that from a privacy perspective, and removed that piece also.
DECAF developers have also posted new messages, including the newest one indicating that a version 2 is now on the way:
12/23/2009 – DECAFme.org
Well, with Christmas right around the corner we felt it was an opportunity for DECAF to bring an application back on the scene. DECAF v2 is in the kitchen cookin’ as we speak. As you know, DECAF v1 did do what it said it would do even though some people seemed to report it didn’t. Some might not use V2, some might. We really don’t care either way. If you are scared to use V2, thats ok; run it through a VM.
Now that we let the cat out the bag, be sure to keep checking back and look for V2 within the next few days. This is the start of something big…
DECAF was not a spoof, it was a “stunt”. We have got an amazing amount of positive feedback. We have had MANY requests for the source code of DECAF but do not feel its release would promote a positive move.
We have not been able to settle with our buyer for DECAF and DECAFme.org. If there is anyone seriously interested in purchasing, send an email to [email protected] Serious inquiries only.
With all the recent buzz about DECAF lately, there have been many requests for the visibility of DECAF source code. These have been from the early days of its release to the current “stunt” news. My purpose of DECAF is over. There are many out there who think we are feds cough John Young cough and some who think we are lunatic, religious nuts cough John Young cough. But then again we still have 95% of the other readers who encourage and compliment us. Oh ya.. and we finally heard that Microsoft seems to have finally broke the silence about the hype. I am not quite sure where they stand as I was expecting to hear from Richard Boscovich myself but didn’t. Anyhow, on to my point…
We have heard from both sides of the argument regarding DECAF source code being released.
We have reason to believe DECAF source code and domain will be purchased this week by an unnamed buyer. We can’t be sure of the plans or really make sense of their motive but we are considering it. If this does happen, we will not be able to release the source to the community. Feel free to stay tuned as these next 48 hours pan out.
Filed Under: Forensics