what! windows azure and powershell powered malware by kieran jacobsen

What!WINDOWS AZURE AND POWERSHELL POWERED MALWARE

BY KIERAN JACOBSEN

The following story is fictional and does not depict any actual person or event. Although inspired by true events, the network, people and company described are completely fictional.

Whilst the source code shown today is publicly available, I hold no responsibility for any loss or damage that may arise from you using or manipulating the source code.

Everyone involved in this presentation are trained IT Professionals, so please, don’t try this at home!

Malware IS DANGEROUS

The Bad Guy

Name: Boris

Previous Title: System Administrator @ Queensland Department of Widget Management

Technical Skills: PowerShell

Group Policy

Windows Azure

some hacking knowledge

The Malware

Written in PowerShell

IT IS VERY OBVIOUS!

Signed by SSL Certificate issued by 3rd Party Root Authority

A machine is considered infected when: C:\Infected contains required files

Drive infection scheduled task is running

C&C scheduled task is running

Command and Control is cloud based, uses Windows Azure VM Role Windows Server 2012 with IIS and WebDAV

The Malware: Infect-WebPC.ps1

Infects a client

Clients download and execute script

Downloads other files for infection, creates scheduled tasks to communicate with Command and Control

The Malware: Invoke-CandC.ps1

Runs as scheduled task

Uploads “registration” file to Command and Control server, file contains running processes and services

Gets “Commands” from Command and Control server, filters out tasks previously run, or those not destined to run on host

Runs each command using invoke-expression

Commands can be executable or any PowerShell command

A Quick Note: Code Signing

Authenticode/Code Signing only ensures us of the authenticity and integrity of the signed file/script/executable

Does not prove good intentions

Due to Crypto basis, more trusted by technically minded users

Many sources of abuse: Forgery

Deception

Theft

See Also: http://www.f-secure.com/weblog/archives/00002437.html

http://arstechnica.com/security/2012/09/adobe-to-revoke-crypto-key-abused-to-sign-5000-malware-apps/

The Network

Simple, flat network

Limited outbound protocols allowed, HTTP, HTTPS, DNS

Single Windows Server 2012, running DC and File and Print

Windows 7 SOE All users local administrators

UAC was disabled due to an application compatibility issue

VNC runs on all machines, as a service account –which is a domain admin

What Boris Knows

Usernames, computer names, IP addressing…

Security and Firewall policies

That passwords have all been changed

Group Policy restrictions – PowerShell Execution Policies

Personal details of those remaining Email addresses

Pets and favourite animals

Hobbies and interests

The Plan of Attack

1. Infect previous co-workers

1. Alice: His former Boss

2. Bob: The co-worker he didn’t like

3. Eve: The paranoid security administrator

4. Jane: The C-Level exec

2. Get a Domain Admin account username and password

3. ?

4. Profit!

A Quick note: PowerShell Execution Policies

There are 6 states for the execution policy

Unrestricted All scripts can run

Remote Signed No unsigned scripts from the Internet can run

All Signed No unsigned scripts can run

Restricted No scripts are allowed to run

Undefined (Default) If no policy defined, then default to restricted

Bypass Policy processor is bypassed

Demo: Boris infects Alice’s PC

Demo: Boris infects Bob’s PC

Demo: Boris infects Eve’s PC

Code: Bypassing Restricted Execution Policy

Demo: Boris gets a domain admin username and password

Demo: Demo infects the server

Demo: Boris cracks open AD

Cloud Cracker Results

Malicious HID Devices

HID: Human Interface Device, examples generally include mice keyboards, fingerprint readers, joysticks, webcams, gamepads

Device shown today: Hak5 USB Rubber Duckie

Retails for: USD 60

Contains Micro SD storage card and 60MHz CPU

When placed in plastic case, will appear like any other USB device

Appears as a HID Keyboard – Bypassing USB Storage controls

Simple programming language, can do anything you could do with a keyboard

Cross Platform

Demo: Boris goes for complete domination, infects Jane’s PC

So what do we do?

Boris never made a connection to the network, it always connected to his PC

Boris could have easily done this with a significant level of anonymity

PowerShell Execution Policies

URL White Listing

Application White Listing

Email filtering

USB Device Control

Solution: User Education

Questions? More Info…

Website: http://aperturescience.su

Twitter: @kjacobsen

Email Kieran@thekgb.su

GitHub Project: http://bit.ly/pscandc

Tools: PwdumpX: http://bit.ly/pwdumpx

Quarks PW Dump: http://bit.ly/quarkspwdump

Cloudcracker.com: http://bit.ly/cloudcracker

Usb rubber duckie: http://bit.ly/TFe7EG

Hak5: http://hak5.org