What! Windows Azure and PowerShell powered malware By Kieran Jacobsen
The following story is fictional and does not depict any actual person or event. Although inspired by true events, the network, people and company described are completely fictional. Whilst the source code shown today is publicly available, I hold no responsibility for any loss or damage that may arise from you using or manipulating the source code. Everyone involved in this presentation is a trained IT professional, so please, don't try this at home!
Malware IS DANGEROUS
The Bad Guy
• Name: Boris
• Previous Title: System Administrator @ Queensland Department of Widget Management
• Technical Skills:
  • PowerShell
  • Group Policy
  • Windows Azure
  • Some hacking knowledge
The Malware
• Written in PowerShell
• IT IS VERY OBVIOUS!
• Signed by an SSL certificate issued by a 3rd-party root authority
• A machine is considered infected when:
  • C:\Infected contains the required files
  • The drive-infection scheduled task is running
  • The C&C scheduled task is running
• Command and Control is cloud based, using a Windows Azure VM Role
  • Windows Server 2012 with IIS and WebDAV
The Malware: Infect-WebPC.ps1
• Infects a client
• Clients download and execute the script
• Downloads the other files needed for infection, then creates the scheduled tasks that communicate with Command and Control
The Malware: Invoke-CandC.ps1
• Runs as a scheduled task
• Uploads a "registration" file to the Command and Control server; the file contains the running processes and services
• Gets "commands" from the Command and Control server, filtering out tasks previously run and those not destined for this host
• Runs each command using Invoke-Expression
• Commands can be an executable or any PowerShell command
A Quick Note: Code Signing
• Authenticode/code signing only assures us of the authenticity and integrity of the signed file, script or executable
• It does not prove good intentions
• Because it is cryptographically based, technically minded users tend to trust it more
• Many sources of abuse:
  • Forgery
  • Deception
  • Theft
• See also:
  • http://www.f-secure.com/weblog/archives/00002437.html
  • http://arstechnica.com/security/2012/09/adobe-to-revoke-crypto-key-abused-to-sign-5000-malware-apps/
The Network
• Simple, flat network
• Limited outbound protocols allowed: HTTP, HTTPS, DNS
• Single Windows Server 2012, running as DC and file and print server
• Windows 7 SOE
• All users are local administrators
• UAC was disabled due to an application compatibility issue
• VNC runs on all machines, as a service account which is a domain admin
What Boris Knows
• Usernames, computer names, IP addressing…
• Security and firewall policies
• That passwords have all been changed
• Group Policy restrictions: PowerShell execution policies
• Personal details of those remaining:
  • Email addresses
  • Pets and favourite animals
  • Hobbies and interests
The Plan of Attack
• Infect previous co-workers:
  • Alice: his former boss
  • Bob: the co-worker he didn't like
  • Eve: the paranoid security administrator
  • Jane: the C-level exec
• Get a Domain Admin account username and password
• ?
• Profit!
A Quick Note: PowerShell Execution Policies
There are 6 states for the execution policy:
• Unrestricted: all scripts can run
• Remote Signed: no unsigned scripts from the Internet can run
• All Signed: no unsigned scripts can run
• Restricted: no scripts are allowed to run
• Undefined (default): if no policy is defined, then default to Restricted
• Bypass: the policy processor is bypassed
Malicious HID Devices
• HID: Human Interface Device; examples generally include mice, keyboards, fingerprint readers, joysticks, webcams and gamepads
• Device shown today: Hak5 USB Rubber Ducky
• Retails for: USD 60
• Contains a Micro SD storage card and a 60 MHz CPU
• When placed in its plastic case, it looks like any other USB device
• Appears as a HID keyboard, bypassing USB storage controls
• Simple programming language; it can do anything you could do with a keyboard
• Cross platform
So what do we do?
• Boris never made a connection to the network; the infected machines always connected out to him
• Boris could have easily done this with a significant level of anonymity
• PowerShell execution policies
• URL whitelisting
• Application whitelisting
• Email filtering
• USB device control
• Solution: user education
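As an added example (not code from the talk or its GitHub project), the following PowerShell audit checks a host for the conditions the deck uses to define an infected machine: the C:\Infected staging folder, scheduled tasks that launch PowerShell, the effective execution policy, and, for any script found, its Authenticode status together with whether the signer is one the organisation actually trusts. It assumes Windows 8 / Server 2012 or later, and the trusted-signer subject is a placeholder.

```powershell
# Added example, not code from the talk or its GitHub project.
# Assumes Windows 8 / Server 2012 or later (ScheduledTasks module, PowerShell 3+).
$TrustedSigners = @('CN=Example Corp Code Signing')  # placeholder: your trusted signer subjects

function Get-ExecutionPolicyReport {
    # Bypass or Unrestricted in any scope means unsigned scripts will run.
    Get-ExecutionPolicy -List | ForEach-Object {
        [pscustomobject]@{
            Scope  = $_.Scope
            Policy = $_.ExecutionPolicy
            Risky  = $_.ExecutionPolicy -in 'Bypass', 'Unrestricted'
        }
    }
}

function Get-PowerShellScheduledTask {
    # The deck's malware persists as scheduled tasks that launch PowerShell.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -match 'powershell') {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    State     = $task.State
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

function Test-ScriptSigner {
    param([Parameter(Mandatory)][string]$Path)
    # A Valid Authenticode status proves integrity and who signed the file,
    # nothing about intent: the extra question is whether we trust that signer.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status
        Signer        = $subject
        TrustedSigner = [bool]($subject -and $TrustedSigners -contains $subject)
    }
}

Get-ExecutionPolicyReport | Format-Table -AutoSize
Get-PowerShellScheduledTask | Format-Table -AutoSize
if (Test-Path 'C:\Infected') {
    Get-ChildItem 'C:\Infected' -Recurse -Filter *.ps1 |
        ForEach-Object { Test-ScriptSigner -Path $_.FullName } | Format-Table -AutoSize
}
```

Run it from an elevated prompt so every scheduled task is visible; a task running PowerShell from a folder like C:\Infected, or a script whose signer is valid but not on your list, is what to investigate.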
Questions? More Info…
• Website: http://aperturescience.su
• Twitter: @kjacobsen
• Email: Kieran@thekgb.su
• GitHub Project: http://bit.ly/pscandc
• Tools:
  • PwdumpX: http://bit.ly/pwdumpx
  • Quarks PW Dump: http://bit.ly/quarkspwdump
  • Cloudcracker.com: http://bit.ly/cloudcracker
  • USB Rubber Ducky: http://bit.ly/TFe7EG
  • Hak5: http://hak5.org