1 / 23

What!

What!. Windows Azure and PowerShell powered malware By Kieran Jacobsen. The following story is fictional and does not depict any actual person or event. Although inspired by true events, the network, people and company described are completely fictional.

tamira
Télécharger la présentation

What!

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. What! Windows Azure and PowerShell powered malware By Kieran Jacobsen

  2. The following story is fictional and does not depict any actual person or event. Although inspired by true events, the network, people and company described are completely fictional. Whilst the source code shown today is publicly available, I hold no responsibility for any loss or damage that may arise from you using or manipulating the source code. Everyone involved in this presentation are trained IT Professionals, so please, don’t try this at home! Malware IS DANGEROUS

  3. The Bad Guy • Name: Boris • Previous Title: System Administrator @ Queensland Department of Widget Management • Technical Skills: • PowerShell • Group Policy • Windows Azure • some hacking knowledge

  4. The Malware • Written in PowerShell • IT IS VERY OBVIOUS! • Signed by SSL Certificate issued by 3rd Party Root Authority • A machine is considered infected when: • C:\Infected contains required files • Drive infection scheduled task is running • C&C scheduled task is running • Command and Control is cloud based, uses Windows Azure VM Role • Windows Server 2012 with IIS and WebDAV

  5. The Malware: Infect-WebPC.ps1 • Infects a client • Clients download and execute script • Downloads other files for infection, creates scheduled tasks to communicate with Command and Control

  6. The Malware: Invoke-CandC.ps1 • Runs as scheduled task • Uploads “registration” file to Command and Control server, file contains running processes and services • Gets “Commands” from Command and Control server, filters out tasks previously run, or those not destined to run on host • Runs each command using invoke-expression • Commands can be executable or any PowerShell command

  7. A Quick Note: Code Signing • Authenticode/Code Signing only ensures us of the authenticity and integrity of the signed file/script/executable • Does not prove good intentions • Due to Crypto basis, more trusted by technically minded users • Many sources of abuse: • Forgery • Deception • Theft • See Also: • http://www.f-secure.com/weblog/archives/00002437.html • http://arstechnica.com/security/2012/09/adobe-to-revoke-crypto-key-abused-to-sign-5000-malware-apps/

  8. The Network • Simple, flat network • Limited outbound protocols allowed, HTTP, HTTPS, DNS • Single Windows Server 2012, running DC and File and Print • Windows 7 SOE • All users local administrators • UAC was disabled due to an application compatibility issue • VNC runs on all machines, as a service account –which is a domain admin

  9. What Boris Knows • Usernames, computer names, IP addressing… • Security and Firewall policies • That passwords have all been changed • Group Policy restrictions – PowerShell Execution Policies • Personal details of those remaining • Email addresses • Pets and favourite animals • Hobbies and interests

  10. The Plan of Attack • Infect previous co-workers • Alice: His former Boss • Bob: The co-worker he didn’t like • Eve: The paranoid security administrator • Jane: The C-Level exec • Get a Domain Admin account username and password • ? • Profit!

  11. A Quick note: PowerShell Execution Policies There are 6 states for the execution policy • Unrestricted All scripts can run • Remote Signed No unsigned scripts from the Internet can run • All Signed No unsigned scripts can run • Restricted No scripts are allowed to run • Undefined (Default) If no policy defined, then default to restricted • Bypass Policy processor is bypassed

  12. Demo: Boris infects Alice’s PC

  13. Demo: Boris infects Bob’s PC

  14. Demo: Boris infects Eve’s PC

  15. Code: Bypassing Restricted Execution Policy

  16. Demo: Boris gets a domain admin username and password

  17. Demo: Demo infects the server

  18. Demo: Boris cracks open AD

  19. Cloud Cracker Results

  20. Malicious HID Devices • HID: Human Interface Device, examples generally include mice keyboards, fingerprint readers, joysticks, webcams, gamepads • Device shown today: Hak5 USB Rubber Duckie • Retails for: USD 60 • Contains Micro SD storage card and 60MHz CPU • When placed in plastic case, will appear like any other USB device • Appears as a HID Keyboard – Bypassing USB Storage controls • Simple programming language, can do anything you could do with a keyboard • Cross Platform

  21. Demo: Boris goes for complete domination, infects Jane’s PC

  22. So what do we do? • Boris never made a connection to the network, it always connected to his PC • Boris could have easily done this with a significant level of anonymity • PowerShell Execution Policies • URL White Listing • Application White Listing • Email filtering • USB Device Control • Solution: User Education

  23. Questions? More Info… • Website: http://aperturescience.su • Twitter: @kjacobsen • Email Kieran@thekgb.su • GitHub Project: http://bit.ly/pscandc • Tools: • PwdumpX:http://bit.ly/pwdumpx • Quarks PW Dump:http://bit.ly/quarkspwdump • Cloudcracker.com: http://bit.ly/cloudcracker • Usb rubber duckie: http://bit.ly/TFe7EG • Hak5: http://hak5.org

More Related