8/9/2019 Craig Lightning the Moth Trojan
1/18
The Moth Trojan
Paul Craig
Security-Assessment.com
2008 Security-Assessment.com
Who Am I?
Paul Craig, Principal Security Consultant
Security-Assessment.com
My Role
Application Penetration Tester
Published Security Author
Active Security Researcher
Devoted Hacker
Feedback?
Email: [email protected]
Just buy me a beer!
The Moth Trojan
Idea: I Have Always Wanted My Own Trojan.
Hollywood hacker style.
In the theme of Hackers, War-Games, Sword-Fish.
Something AMAZING.
The Moth Trojan
Has To Be Done.
Goal: Write a 100% Undetectable Trojan.
Work under both Vista and XP.
Contain Ninja Magic.
Something Original. Completely New!
I Present To You:
The Moth Trojan
KIWICON EXCLUSIVE RELEASE
The Moth Trojan
Screw Anti-Virus.
"Help, my computer is suffering from demonic possession."
Welcome to the Moth.
Verbally abusive Trojan.
Abusive, Abrasive, Mocking.
Choice!
So The Big Question
What is the Moth?
Additional learning is required to understand.
The Moth Trojan
Event Subscribers Are Written In Managed Object Format
Supported under XP, Vista+.
Compiled event subscribers are included in the CIM (Common Information Model) repository:
%SystemRoot%\System32\WBEM\
Event Consumers Subscribe To WMI Events.
From an Event Provider Component.
Disk Quota Provider.
Power Management Provider.
Event Log Provider.
The Moth Trojan
Extrinsic Events (being outside a thing; outward or external; operating or coming from without)
Predefined events that cannot be linked directly to a change.
Example: An event that describes a computer switching to stand-by mode.
Intrinsic Events (belonging to a thing by its very nature)
Event that occurs in response to a change.
Creating a Win32_LogicalDisk will raise a __InstanceCreationEvent event.
The Moth Trojan
To Put It Simply: When you do anything in Windows, you create a WMI event.
These events can be subscribed to using an event consumer.
WMI will forward any raised event to the associated consumer.
Temporary Event Consumer.
Will not survive a reboot.
Permanent Event Consumer.
Permanent, will survive a reboot. Works as long as WMI is running.
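As an added example (not part of the deck), the same temporary, intrinsic-event mechanism put to the defender's use: a WQL query on __InstanceCreationEvent in the root\subscription namespace, registered as a temporary consumer from PowerShell, reports every new permanent filter-to-consumer binding as it is created. The CIM cmdlets and administrative rights on the host are assumed.

```powershell
# Added example: a temporary event consumer (dies with this PowerShell session,
# writes nothing to the CIM repository) watching the intrinsic
# __InstanceCreationEvent for new __FilterToConsumerBinding instances, i.e.
# for someone registering a permanent subscription the way the Moth does.
# Intrinsic events are polled, so the WQL needs a WITHIN <seconds> interval.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
         "WHERE TargetInstance ISA '__FilterToConsumerBinding'"

Register-CimIndicationEvent -Namespace 'root\subscription' -Query $query `
                            -SourceIdentifier 'NewWmiBinding'

Write-Host 'Watching root\subscription for new permanent subscriptions (Ctrl+C to stop).'
while ($true) {
    $evt = Wait-Event -SourceIdentifier 'NewWmiBinding'
    # TargetInstance is the binding that was just created; its Filter and
    # Consumer properties reference the __EventFilter and consumer it joins.
    $binding = $evt.SourceEventArgs.NewEvent.TargetInstance
    Write-Host ('[{0}] new binding: filter={1} consumer={2}' -f
        (Get-Date -Format 'o'), $binding.Filter, $binding.Consumer)
    Remove-Event -EventIdentifier $evt.EventIdentifier
}
```

Because the subscription itself is temporary, the watcher has to be running to see anything; for a persistent version the same query belongs in an endpoint agent rather than in another permanent WMI consumer.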
The Moth Trojan
Default Windows Event Consumer Classes. 5 predefined event consumer classes.
ActiveScriptEventConsumer: Executes a predefined script in an arbitrary scripting language when an event is delivered.
LogFileEventConsumer: Writes customized strings to a text log file when an event is delivered.
SMTPEventConsumer: Sends an e-mail message using SMTP each time an event is delivered.
CommandLineEventConsumer: Launches an arbitrary process in the local system context when an event is delivered.
The Moth Trojan
Back To My Original Point - What Is The Moth Trojan
Malicious Managed Object Format Code
Multiple, malicious, persistent, ActiveScript event consumers. 100% VBScript/WQL.
Consumes __InstanceCreationEvent.
Subscribes to events created when you run specific executables.
VBScript is executed as the user SYSTEM.
Works on Vista.
Executed as NETWORK_SERVICE.
SeImpersonate privileges available.
Example:
The Moth Trojan
Installing The Moth
Installing the Moth REQUIRES Administrative authority.
WMI is a core component of Windows.
The Moth Trojan becomes a CORE component of Windows.
Install from MOF File: Mofcomp.exe mothtrojan.mof
The Moth Trojan
Writing Files To Disk.
The Moth can be used to drop and execute files.
Arbitrary executables embedded in VBScript.
Excellent method of re-deployment. Used in conjunction with your favourite rootkit.
The Moth Trojan
The Moth Trojan is a Unique Method of Hiding Malicious Code.
AFAIK the first malicious event subscriber, ever.
Using functionality unknown by most people.
Application Level Trojan.
Typical Trojan technique is Getting Low.
My Approach Is the Complete Opposite!
Get as High as Possible!
Hide malicious code within native Windows functionality. VBScript!
The Moth Trojan
Is It Really Undetectable?
You CAN detect the Moth Trojan.
Requires WMI Administrator tools.
WMI console application. Enumerate all event consumers.
Uses relatively unknown functionality.
Who knew About CIM/WBEM/WMI this morning?
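The enumeration the slide calls for, written out as an added example (not the deck's own tooling): it joins every permanent filter, consumer and binding in root\subscription and flags the two consumer classes from the earlier slide that execute code, showing the WQL trigger and the payload side by side. PowerShell CIM cmdlets and administrative rights are assumed; the property names used (Query, ScriptText, ScriptFileName, CommandLineTemplate) are the standard ones on those classes.

```powershell
# Added example: list every permanent WMI subscription on this host and flag the
# two consumer classes that execute attacker-supplied code. Needs administrative
# rights, the same privilege the Moth needs to install itself.
$ns = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer  # all subclasses
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

$codeRunners = 'ActiveScriptEventConsumer', 'CommandLineEventConsumer'

function Get-RefName($ref) {
    # CIM cmdlets hand back reference properties as CimInstance objects; the
    # older WMI cmdlets return object-path strings like __EventFilter.Name="x".
    if ($ref -is [string]) { ($ref -split '"')[1] } else { $ref.Name }
}

foreach ($b in $bindings) {
    $f = $filters   | Where-Object Name -eq (Get-RefName $b.Filter)   | Select-Object -First 1
    $c = $consumers | Where-Object Name -eq (Get-RefName $b.Consumer) | Select-Object -First 1
    $class = $c.CimClass.CimClassName

    # What the consumer would run each time the filter's WQL query matches.
    $payload = switch ($class) {
        'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        default                     { $null }
    }

    [pscustomobject]@{
        Filter   = $f.Name
        Query    = $f.Query      # the trigger, e.g. an __InstanceCreationEvent on a process class
        Consumer = $c.Name
        Class    = $class
        Payload  = $payload
        RunsCode = $codeRunners -contains $class
    }
}
```

Compare the output against a known-good host before acting on it, since Windows itself can ship a benign binding; a confirmed malicious entry is removed by passing its binding, then the consumer, then the filter to Remove-CimInstance.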
The Moth Trojan
What Else Can You Do?
A Trojan which is launched when user Joe logs in.
Removed when the user Admin logs in.
Speed Trojan:
Activates when the CPU fan slows below 100 RPM.
Lay dormant until twenty bad sectors are reported in the hard drive.
Infect Your Friends
Copy malicious files to any USB key inserted.
Rootkit Dropper & Executor
The Moth Trojan
Source Code
Currently Unpublished Source Code:
ttp: a.c e .net mot .zip
Includes MS Text To Speech API