23
What! WINDOWS AZURE AND POWERSHELL POWERED MALWARE BY KIERAN JACOBSEN

Malware What!

Embed Size (px)

DESCRIPTION

Malware like Flame, Stuxnet, and Zeus have grabbed International headlines; but what do they mean to us, the average IT Professional? Are we at risk? During this presentation, we will see how an intruder gains access to our networks, escalates their access, and finally causes complete destruction. This presentation will include a botnet written in PowerShell and malicious HID devices.

Citation preview

Page 1: Malware What!

What!WINDOWS AZURE AND POWERSHELL POWERED MALWARE

BY KIERAN JACOBSEN

Page 2: Malware What!

The following story is fictional and does not depict any actual person or event. Although inspired by true events, the network, people and company described are completely fictional.

 

Whilst the source code shown today is publicly available, I hold no responsibility for any loss or damage that may arise from you using or manipulating the source code.

Everyone involved in this presentation are trained IT Professionals, so please, don’t try this at home!

 

Malware IS DANGEROUS

Page 3: Malware What!

The Bad Guy

Name: Boris

Previous Title: System Administrator @ Queensland Department of Widget Management

Technical Skills: PowerShell

Group Policy

Windows Azure

some hacking knowledge

Page 4: Malware What!

The Malware

Written in PowerShell

IT IS VERY OBVIOUS!

Signed by SSL Certificate issued by 3rd Party Root Authority

A machine is considered infected when: C:\Infected contains required files

Drive infection scheduled task is running

C&C scheduled task is running

Command and Control is cloud based, uses Windows Azure VM Role Windows Server 2012 with IIS and WebDAV

Page 5: Malware What!

The Malware: Infect-WebPC.ps1

Infects a client

Clients download and execute script

Downloads other files for infection, creates scheduled tasks to communicate with Command and Control

Page 6: Malware What!

The Malware: Invoke-CandC.ps1

Runs as scheduled task

Uploads “registration” file to Command and Control server, file contains running processes and services

Gets “Commands” from Command and Control server, filters out tasks previously run, or those not destined to run on host

Runs each command using invoke-expression

Commands can be executable or any PowerShell command

Page 7: Malware What!

A Quick Note: Code Signing

Authenticode/Code Signing only ensures us of the authenticity and integrity of the signed file/script/executable

Does not prove good intentions

Due to Crypto basis, more trusted by technically minded users

Many sources of abuse: Forgery

Deception

Theft

See Also: http://www.f-secure.com/weblog/archives/00002437.html

http://arstechnica.com/security/2012/09/adobe-to-revoke-crypto-key-abused-to-sign-5000-malware-apps/

Page 8: Malware What!

The Network

Simple, flat network

Limited outbound protocols allowed, HTTP, HTTPS, DNS

Single Windows Server 2012, running DC and File and Print

Windows 7 SOE All users local administrators

UAC was disabled due to an application compatibility issue

VNC runs on all machines, as a service account –which is a domain admin

Page 9: Malware What!

What Boris Knows

Usernames, computer names, IP addressing…

Security and Firewall policies

That passwords have all been changed

Group Policy restrictions – PowerShell Execution Policies

Personal details of those remaining Email addresses

Pets and favourite animals

Hobbies and interests

Page 10: Malware What!

The Plan of Attack

1. Infect previous co-workers

1. Alice: His former Boss

2. Bob: The co-worker he didn’t like

3. Eve: The paranoid security administrator

4. Jane: The C-Level exec

2. Get a Domain Admin account username and password

3. ?

4. Profit!

Page 11: Malware What!

A Quick note: PowerShell Execution Policies

There are 6 states for the execution policy

Unrestricted All scripts can run

Remote Signed No unsigned scripts from the Internet can run

All Signed No unsigned scripts can run

Restricted No scripts are allowed to run

Undefined (Default) If no policy defined, then default to restricted

Bypass Policy processor is bypassed

Page 12: Malware What!

Demo: Boris infects Alice’s PC

Page 13: Malware What!

Demo: Boris infects Bob’s PC

Page 14: Malware What!

Demo: Boris infects Eve’s PC

Page 15: Malware What!

Code: Bypassing Restricted Execution Policy

Page 16: Malware What!

Demo: Boris gets a domain admin username and password

Page 17: Malware What!

Demo: Demo infects the server

Page 18: Malware What!

Demo: Boris cracks open AD

Page 19: Malware What!

Cloud Cracker Results

Page 20: Malware What!

Malicious HID Devices

HID: Human Interface Device, examples generally include mice keyboards, fingerprint readers, joysticks, webcams, gamepads

Device shown today: Hak5 USB Rubber Duckie

Retails for: USD 60

Contains Micro SD storage card and 60MHz CPU

When placed in plastic case, will appear like any other USB device

Appears as a HID Keyboard – Bypassing USB Storage controls

Simple programming language, can do anything you could do with a keyboard

Cross Platform

Page 21: Malware What!

Demo: Boris goes for complete domination, infects Jane’s PC

Page 22: Malware What!

So what do we do?

Boris never made a connection to the network, it always connected to his PC

Boris could have easily done this with a significant level of anonymity

PowerShell Execution Policies

URL White Listing

Application White Listing

Email filtering

USB Device Control

Solution: User Education

Page 23: Malware What!

Questions? More Info…

Website: http://aperturescience.su

Twitter: @kjacobsen

Email [email protected]

GitHub Project: http://bit.ly/pscandc

Tools: PwdumpX: http://bit.ly/pwdumpx

Quarks PW Dump: http://bit.ly/quarkspwdump

Cloudcracker.com: http://bit.ly/cloudcracker

Usb rubber duckie: http://bit.ly/TFe7EG

Hak5: http://hak5.org