This is a fantastic tool that most of you have probably heard of. If not, here is a brief summary. EvilGrade exploits weaknesses in the auto-update services of multiple common software packages. It tricks the service into believing that a signed update is available for the product, which prompts the user to install the upgrade. Unfortunately, the upgrade is actually an attacker’s payload. The nefarious part about this tool is that it is very difficult for the average user to detect! Since it uses the software’s own update process, there is no suspicious-looking box or popup that would seem out of the ordinary; it looks just like any other legitimate upgrade.
Version 2 has made some even greater improvements. Not only is there more signing bypass, but the available modules (meaning the pieces of software that you can exploit) have improved greatly. Prior to this I only found the Notepad++ module to be the really exciting one, but now EvilGrade includes the following:
- Java
- mIRC
- VirtualBox
- VMware
- Windows Update
- iStat
- WinSCP
- Winamp
- And more
From that list you could target nearly anybody.
You can check out a sweet demo of it (including a bypass of Java’s signing security) here.
Install on BackTrack
Installation on BackTrack is pretty simple. Here are some of the steps:
Step 1: Download EvilGrade here
Step 2: Extract EvilGrade using:
tar -zxvf isr-evilgrade-2.0.0.tar.gz
Step 3: Install Perl Dependencies
Here is the important part. EvilGrade requires the following Perl modules:
- Data::Dump
- Digest::MD5
- Time::HiRes
For BackTrack you will need to install the first two. This is how you can locate them:
sudo apt-cache search perl [module, e.g. Data::Dump]
It will respond with a package name (like libdata-blahblah, etc.). Install it with the following:
sudo apt-get install [package, e.g. libdata-blahblah]
Step 4: Run evilgrade


