Post on 07-Nov-2014
What! Windows Azure and PowerShell Powered Malware
BY KIERAN JACOBSEN
The following story is fictional and does not depict any actual person or event. Although inspired by true events, the network, people and company described are completely fictional.
Whilst the source code shown today is publicly available, I hold no responsibility for any loss or damage that may arise from you using or manipulating the source code.
Everyone involved in this presentation are trained IT Professionals, so please, don’t try this at home!
Malware IS DANGEROUS
The Bad Guy
Name: Boris
Previous Title: System Administrator @ Queensland Department of Widget Management
Technical Skills: PowerShell, Group Policy, Windows Azure, some hacking knowledge
The Malware
Written in PowerShell
IT IS VERY OBVIOUS!
Signed by an SSL certificate issued by a 3rd party root authority
A machine is considered infected when:
C:\Infected contains the required files
The drive infection scheduled task is running
The C&C scheduled task is running
Command and Control is cloud based: a Windows Azure VM Role running Windows Server 2012 with IIS and WebDAV
The Malware: Infect-WebPC.ps1
Infects a client
Clients download and execute the script
Downloads the other files needed for infection and creates the scheduled tasks that communicate with Command and Control
The Malware: Invoke-CandC.ps1
Runs as scheduled task
Uploads a “registration” file to the Command and Control server; the file contains the running processes and services
Gets “Commands” from the Command and Control server, filtering out tasks previously run or those not destined to run on this host
Runs each command using Invoke-Expression
Commands can be an executable or any PowerShell command
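As an added example (not code from the talk or its GitHub project), the following PowerShell audits a host against the infection indicators listed above. The talk does not name the scheduled tasks, so the script treats any task whose action references C:\Infected as suspicious, reports the signer of anything dropped there, and lists the execution policy per scope; it assumes Windows 8 / Server 2012 or later for Get-ScheduledTask.

```powershell
# Added example (not from the talk or its GitHub project): audit a host for the
# infection indicators described in the slides. Assumes Windows 8 / Server 2012
# or later so that Get-ScheduledTask and Get-ExecutionPolicy -List exist.

# The talk names no task names, so match any scheduled task whose action
# launches or references the C:\Infected directory (assumed indicator).
function Get-SuspiciousScheduledTask {
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object {
            ($_.Execute + ' ' + $_.Arguments) -match 'C:\\Infected'
        }
    } | Select-Object TaskName, TaskPath, State
}

# Code signing proves only who signed the file and that it is unchanged, not
# intent, so report the signer subject instead of treating "Valid" as "safe".
function Get-DroppedFileSignature {
    param([string]$Path = 'C:\Infected')
    if (-not (Test-Path $Path)) { return @() }
    Get-ChildItem -Path $Path -Include *.ps1, *.exe, *.dll -Recurse -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Execution policy is resolved per scope: a Group Policy setting (MachinePolicy
# or UserPolicy) overrides anything a user or a script sets for itself.
function Get-ExecutionPolicyByScope {
    Get-ExecutionPolicy -List
}

$dirPresent = Test-Path 'C:\Infected'
$tasks      = @(Get-SuspiciousScheduledTask)
$files      = @(Get-DroppedFileSignature)

if ($dirPresent -or $tasks.Count -gt 0) {
    Write-Warning "Infection indicators found: C:\Infected present=$dirPresent, suspicious tasks=$($tasks.Count)"
    $tasks | Format-Table -AutoSize
    $files | Format-Table -AutoSize
} else {
    Write-Output 'No infection indicators found.'
}
Get-ExecutionPolicyByScope | Format-Table -AutoSize
```

A policy of Bypass or Unrestricted at the MachinePolicy scope is the setting to look at first, since it is the one a local user cannot override.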
A Quick Note: Code Signing
Authenticode/Code Signing only assures us of the authenticity and integrity of the signed file/script/executable
It does not prove good intentions
Because it is cryptographically based, it is more trusted by technically minded users
Many sources of abuse: forgery, deception, theft
See Also: http://www.f-secure.com/weblog/archives/00002437.html
http://arstechnica.com/security/2012/09/adobe-to-revoke-crypto-key-abused-to-sign-5000-malware-apps/
The Network
Simple, flat network
Limited outbound protocols allowed: HTTP, HTTPS, DNS
Single Windows Server 2012, running DC and File and Print
Windows 7 SOE; all users are local administrators
UAC was disabled due to an application compatibility issue
VNC runs on all machines as a service account, which is a domain admin
What Boris Knows
Usernames, computer names, IP addressing…
Security and Firewall policies
That passwords have all been changed
Group Policy restrictions, including PowerShell Execution Policies
Personal details of those remaining: email addresses, pets and favourite animals, hobbies and interests
The Plan of Attack
1. Infect previous co-workers
   1. Alice: His former Boss
   2. Bob: The co-worker he didn’t like
   3. Eve: The paranoid security administrator
   4. Jane: The C-Level exec
2. Get a Domain Admin account username and password
3. ?
4. Profit!
A Quick note: PowerShell Execution Policies
There are 6 states for the execution policy:
Unrestricted: All scripts can run
Remote Signed: No unsigned scripts from the Internet can run
All Signed: No unsigned scripts can run
Restricted: No scripts are allowed to run
Undefined (Default): If no policy is defined, default to Restricted
Bypass: The policy processor is bypassed
Demo: Boris infects Alice’s PC
Demo: Boris infects Bob’s PC
Demo: Boris infects Eve’s PC
Code: Bypassing Restricted Execution Policy
Demo: Boris gets a domain admin username and password
Demo: Boris infects the server
Demo: Boris cracks open AD
Cloud Cracker Results
Malicious HID Devices
HID: Human Interface Device; examples generally include mice, keyboards, fingerprint readers, joysticks, webcams, gamepads
Device shown today: Hak5 USB Rubber Ducky
Retails for: USD 60
Contains a Micro SD storage card and a 60 MHz CPU
When placed in its plastic case, it looks like any other USB device
Appears as a HID keyboard, bypassing USB storage controls
Simple programming language; it can do anything you could do with a keyboard
Cross platform
Demo: Boris goes for complete domination, infects Jane’s PC
So what do we do?
Boris never made a connection into the network; the infected machines always connected out to his PC
Boris could easily have done this with a significant level of anonymity
PowerShell Execution Policies
URL White Listing
Application White Listing
Email filtering
USB Device Control
Solution: User Education
Questions? More Info…
Website: http://aperturescience.su
Twitter: @kjacobsen
Email: Kieran@thekgb.su
GitHub Project: http://bit.ly/pscandc
Tools: PwdumpX: http://bit.ly/pwdumpx
Quarks PW Dump: http://bit.ly/quarkspwdump
Cloudcracker.com: http://bit.ly/cloudcracker
USB Rubber Ducky: http://bit.ly/TFe7EG
Hak5: http://hak5.org