While I am not a sysadmin or know much about security, I am partially responsible for operating the smallish network of my company. As such I find Backtrack to be very educational and also somewhat frightening!
I want to ask three questions about the effectiveness of spear-phishing and the Java download attack. I have watched the video posted at IronGeek's site which suggests that these attacks are very simple. However, in "the wild" would they work so well?
First, as I understand it, with both the unencoded executable payload inside the .pdf file and the Java download of the encoded payload, the remote shell can execute properly for Windows, OSX, and Linux OSs. The video stated that the Java downloaded worked for all three and I assume the same is true for the payloads pretending to be a .pdf but can someone please confirm?
Second, I might well have thought the payloads inside the .pdf would be detected by AV software since, unlike the remote shells used in the Java download, they are not encoded. So how effective can sending the .pdf by e-mail really be if the payload is unencoded?
Third, each exploit makes a direct connection between the victim and the IP of the attacker. Does this mean that when the victim first clicks on the .pdf, the attacker has to be listening? What happens if the attacker is offline? Does the payload stay in memory (including after reboots) on the target's machine and always looks to make a connection to the attacker's static IP irrespective of whether he finds it?
Thank you - I would like to learn more about this particular attack since it seems so easy and I wonder if there are not "real world" issues with its implementation.