What’s the Worse That Can Happen?(the birth of a worm)

Clint “spackl” LaFever

spackl42@gmail.com

2

This Talk

• Story time.– How a worm is born– Old School is New School again– This is a true story.

• Are you prepared?– Do you have procedures in place?– Are your defenders trained?

3

Who Am I?

• 19 years in programming field– 14 years writing Enterprise Database

Information Systems• 10 years War Gaming

– 5 years Information Assurance• Red Team tool development• On-site/Remote Penetration Testing• Close Access

• Wireless

4

Story Unfolds…

• Annual Exercises– Designed to Train Defenders.– Status Quo was Defenders ALWAYS Win.– Attacker’s Environment Never Same as

Attacker Would Really Use.• Hard to make all teams happy.

– Network Conditions Unrealistic.• They do their best and are getting better.

– Final Day: Scorched Earth.

5

The Spark

Cleaning and organizing files one day…

6

Wheels Turning…

Dawned on me, what if?...

7

Let’s consult with friends…

Brainstorms + alcohol always works, right?

8

Everybody agrees…

All agree, but nobody really knows what would happen…

Just know it will be bad.

9

Sling Code…

Let me see if I can make a quick prototype…

First bit of functional code…~3 hours.

10

First Test…

Where did you go?

11

Get Leadership Buy In…

Before coding more, let’s make sure I will be allowed to use it.

12

Coding Continued…

Now that it can change MAC’s, let’s make it spread.

More Code Slinging…

Worm status takes hold.

13Propagation code ~8 hours.

14

Coding Through Issues…

• Different flavors of Windows.

• Removing self after MAC change.

• Multiple attacks.

• Randomizing attack.

• Covering tracks.

• Domain vs Non-Domain.

~16 hrs more of coding

15

Name It…

• Ask my son what comes to mind with self replication.• Skynet it is.• Now how to make it more fun to defenders.• What do you know, there is an IT company named Cyberdyne.

• Let’s add to it. Change all MAC’s to 002206D1ED1E

16

Showing It Off…

Shiney.

17

Humm, what if…

Programmers are never happy with v1.0

18

Not good enough…

• Let’s reset all local passwords.– Making note to be nice to change them to all the same hard coded

password in case need to tell them how to get back in (or myself)

~1 hour of code.

19

I Want More…

• Fill all hard drives.– Actually not as clear cut as one would of thought.

~2 hours of code.

20

Let’s Get Evil…

• Kill Service Processes.– Find any process that has established or

listening connections.– KILL them, bwaa ha ha ha.

• After testing, make a list of processes not to kill to avoid BSOD.

~4 hours of code.

21

What was that? BSOD?...

• Let’s add BSOD option.– Actually FAR EASIER than expected.– Couple of lines of code.

• Adjusting logic flow to deal with system crash with other options.– This option negates ability to clean off machine and maintains persistent

infection at restart.– Doubt they will ever let me use this option.

~3 hours of code.

22

Let’s Lose Control…

• Literally.– Current version only attacked list supplied.– Add option to “migrate”.

• Attack all in the attack list AND any system that has an established connection with that system.

• No way they will let me use this option.

~3 hours of code.

23

Always room for more…

• Realized worm is nice way to just spread around network.– Instead of destruction, what if I really wanted

to get command and control?– Add Download and Execute option.

• I know not evil, but could be handy.

~1 hour of code.

Be Professional…

• Add help to “tool”

24

25

Leading Up to Judgment Day

• Testing and tweaking.– Various hours of code. – ~36 hours of coding to make a worm like this.

• Getting word out.– Demonstrating to leadership prior to exercise.– Telling all I could of its existence.

Exercise…

• Standard Exercise objectives– We attacked.– We owned.

• Obtained credentials.

• Spread the word– Getting word out of tool during exercise to fellow

attackers.

– Spoke with attacker leadership of capabilities.– Told them made for final day of “scorched earth”

26

It’s a go…

• Green Light– “Worm like DOS” added to objectives list for final day.– Happy and nervous. – Can it truly work on a “real” network.– Will defenders squash it quick?

• What what?– Moved up a day as backroom talks really got leadership

wondering.– DV’s were going to be present.– Attacker leadership wanted to show what is really possible.– Oh !@#$#. Will be über FAIL if doesn’t work now.

27

28

Judgment Day

• Saw Skynet on Objectives list for the day.

• Given go ahead to use ALL options.– Reiterated there is no kill switch.– Reiterated that “I” cannot stop it once loose.

• Given go ahead to use ALL options.– Sweeeeeet!

• From Advanced Persistent Threat (APT) foothold– Launched Skynet from Primary Domain Controller.

• Remember that “migrate” option?

29

What Have I Done?…

• Change MAC’s. Check.

• Reset Passwords. Check.• Kill Service Processes. Check.• Fill Hard Drives. Check.• Migrate to other networks. Check.

• BSOD systems….

30

Watching it spread…

• High fives and cheers all around.

• Room got filled with everybody wanting to see.

31

Eye to Eye

• Walking through defender area to work with data collectors.

• Hearing talks in hallways.• Leadership asking how would “I” stop it and

clean it up.• Smoke pit.

– Curses and handshakes

32

Mass Debrief…

• Defenders talk.

• Attackers talk.

• …Defenders talk again.33

What is learned? D+1

• Focus of defense and detection is based on hackers wanting to steal data for Intel or profit.

• Preparing for a destructive internal network attack difficult to practice and prepare for.

• TTPs for dealing with such an attack have been talked about but rarely ever tested.

34

What Did Defenders Think?

• We were lucky.– They embraced the learning objectives.

• Told “best” training they ever had from any exercise.

• Teams (both offensive and defensive) wanted to have me talk more with them.

• Repeatedly mentioned that this was “old school” that many have forgotten.

35

My Lesson?

Add a kill switch.

36

Questions

37