Craig Lightning the Moth Trojan


  • 8/9/2019 Craig Lightning the Moth Trojan

    1/18

    The Moth Trojan

    Paul Craig

    Security-Assessment.com

    2008 Security-Assessment.com


    Who Am I?

    Paul Craig, Principal Security Consultant

    Security-Assessment.com

    My Role

    Application Penetration Tester

    Published Security Author

    Active Security Researcher

    Devoted Hacker

    Feedback?

    Email: [email protected]

    Just buy me a beer!


    The Moth Trojan

    Idea: I Have Always Wanted My Own Trojan.

    Hollywood hacker style.

    In the theme of Hackers, War-Games, Sword-Fish.

    Something AMAZING.


    The Moth Trojan

    Has To Be Done. Goal: Write a 100% Undetectable Trojan.

    Work under both Vista and XP.

    Contain Ninja Magic.

    Something Original

    Completely New!

    I Present To You: The Moth Trojan

    KIWICON EXCLUSIVE RELEASE


    The Moth Trojan

    Screw Anti-Virus: Help, my computer is suffering from demonic possession.

    Welcome to the Moth.

    Verbally abusive Trojan.

    Abusive, Abrasive, Mocking.

    Choice!

    So The Big Question

    What is the Moth?

    Additional learning is required to understand


    The Moth Trojan

    Event Subscribers Are Written In Managed Object Format. Supported under XP, Vista+.

    Compiled event subscribers are included into the CIM (Common Information Model) repository:

    %SystemRoot%\System32\WBEM\

    Event Consumers Subscribe To WMI Events.

    From an Event Provider Component.

    Disk Quota Provider.

    Power Management Provider.

    Event Log Provider.


    The Moth Trojan

    Extrinsic Events (being outside a thing; outward or external; operating or coming from without):

    Predefined events that cannot be linked directly to a change.

    Example: An event that describes a computer switching to

    stand-by mode.

    Intrinsic Events (belonging to a thing by its very nature):

    Event that occurs in response to a change.

    Creating a Win32_LogicalDisk will raise a

    __InstanceCreationEvent event.


    The Moth Trojan

    To Put Simply: When you do anything in Windows, you create a WMI event.

    These events can be subscribed to using an event consumer.

    WMI will forward any raised event to the associated consumer.

    Temporary Event Consumer.

    Will not survive a reboot.

    Permanent Event Consumer.

    Permanent, will survive a reboot. Works as long as WMI is running.
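    The temporary/permanent distinction above, shown as an added PowerShell example (this is not code from the talk). It registers a temporary consumer for the intrinsic __InstanceCreationEvent on Win32_Process (the slide's own example class is Win32_LogicalDisk; swapping the ISA class gives that case) and then checks that nothing was written to the root\subscription namespace, which is where a permanent subscription would live. The SourceIdentifier name and the 30-second window are my choices; it assumes a PowerShell session with the CimCmdlets module.

```powershell
# Added example, not from the talk: a TEMPORARY consumer for the intrinsic
# __InstanceCreationEvent. WITHIN 2 is the polling interval (seconds) WMI
# needs for intrinsic events on classes without a native event provider.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
         "WHERE TargetInstance ISA 'Win32_Process'"

# Assumed name for this demo subscription
$id = 'TempProcWatch'

$null = Register-CimIndicationEvent -Query $query -SourceIdentifier $id -Action {
    # TargetInstance is the newly created Win32_Process object
    $p = $Event.SourceEventArgs.NewEvent.TargetInstance
    Write-Host ('{0:HH:mm:ss} new process: {1} (PID {2}) cmd={3}' -f
        (Get-Date), $p.Name, $p.ProcessId, $p.CommandLine)
}

# A temporary consumer exists only in this PowerShell session ...
Get-EventSubscriber -SourceIdentifier $id | Format-List SourceIdentifier, EventName

# ... and leaves nothing in the CIM repository. A permanent subscription would
# instead appear as __EventFilter / __EventConsumer / __FilterToConsumerBinding
# instances under root\subscription; this lookup returns nothing for our id.
Get-CimInstance -Namespace 'root\subscription' -ClassName __EventFilter |
    Where-Object Name -eq $id

Start-Sleep -Seconds 30            # let a few process-start events arrive
Unregister-Event -SourceIdentifier $id   # gone; closing the session or rebooting would do the same
```

    Start a few programs while the script sleeps and each one is reported by the action block; once the session ends the subscription is gone, which is exactly why a Trojan wants the permanent variety instead.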


    The Moth Trojan

    Default Windows Event Consumer Classes. 5 predefined event consumer classes.

    ActiveScriptEventConsumer: Execute a predefined script in an arbitrary scripting language when an event is delivered.

    LogFileEventConsumer: Write customized strings to a text log file when an event is delivered.

    SMTPEventConsumer: Sends an e-mail message using SMTP each time an event is delivered.

    CommandLineEventConsumer: Launch an arbitrary process in the local system context when an event is delivered.


    The Moth Trojan

    So Back To My Original Point: What Is The Moth Trojan?

    Malicious Managed Object Format Code.

    Multiple, malicious, persistent, ActiveScript event consumers. 100% VBScript/WQL.

    Consumes __InstanceCreationEvent.

    Subscribes to events created when you run specific executables.

    VBScript is executed as the user SYSTEM.

    Works on Vista.

    Executed as NETWORK_SERVICE.

    SeImpersonate privileges available.

    Example:


    The Moth Trojan

    Installing the Moth REQUIRES Administrative authority.

    WMI is a core component of Windows.

    The Moth Trojan becomes a CORE component of Windows.

    Install from MOF File: Mofcomp.exe mothtrojan.mof


    The Moth Trojan

    Writing Files To Disk. The Moth can be used to drop and execute files.

    Arbitrary executables embedded in VBScript.

    Excellent method of re-deployment. Used in conjunction with your favourite rootkit.


    The Moth Trojan

    The Moth Trojan Is A Unique Method Of Hiding Malicious Code. AFAIK the first malicious event subscriber, ever.

    Using functionality unknown by most people.

    Application Level Trojan.

    Typical Trojan technique is Getting Low.

    My Approach Is the Complete Opposite!

    Get as High as Possible!

    Hide malicious code within native Windows functionality. VBScript!


    The Moth Trojan

    Is It Really Undetectable? You CAN detect the Moth Trojan.

    Requires WMI Administrator tools.

    WMI console application. Enumerate all event consumers.

    Uses relatively unknown functionality.

    Who knew About CIM/WBEM/WMI this morning?
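    The enumeration the slide calls for, written out as an added PowerShell example (not the talk's code). It walks every __FilterToConsumerBinding in root\subscription, resolves the filter's WQL query and the consumer's class, and flags the two stock classes that execute code, ActiveScriptEventConsumer and CommandLineEventConsumer (the fifth standard class the slide list omits is NTEventLogEventConsumer, which only writes an event-log entry). The function name and the output field names are my choices; it assumes an elevated session, since reading root\subscription needs administrator rights.

```powershell
# Added example, not from the talk: list PERMANENT WMI event subscriptions and
# show what each consumer would run. Function name is assumed for this demo.
function Get-PermanentWmiSubscription {
    [CmdletBinding()]
    param([string]$ComputerName)   # optional: inspect a remote host over WinRM

    $cim = @{ Namespace = 'root\subscription' }
    if ($ComputerName) { $cim.ComputerName = $ComputerName }

    # Querying the abstract __EventConsumer returns instances of every
    # consumer subclass, with each subclass's own properties populated.
    $filters   = Get-CimInstance @cim -ClassName __EventFilter
    $consumers = Get-CimInstance @cim -ClassName __EventConsumer
    $bindings  = Get-CimInstance @cim -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Filter and Consumer are object references; Name is the key of both.
        $f = $filters   | Where-Object Name -eq $b.Filter.Name
        $c = $consumers | Where-Object Name -eq $b.Consumer.Name
        $type = $c.CimClass.CimClassName

        # The payload that fires when the filter's query matches, if any.
        $payload = switch ($type) {
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            'CommandLineEventConsumer'  { if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ExecutablePath } }
            default                     { $null }
        }

        [pscustomobject]@{
            Filter         = $f.Name
            EventNamespace = $f.EventNamespace   # e.g. root\cimv2
            Query          = $f.Query            # the WQL, e.g. ... WHERE TargetInstance ISA 'Win32_Process'
            Consumer       = $c.Name
            ConsumerType   = $type
            RunsCode       = $type -in 'ActiveScriptEventConsumer', 'CommandLineEventConsumer'
            Payload        = $payload
        }
    }
}

# A stock Windows install carries very few (usually no) bindings that run code,
# so anything this returns is worth reading in full.
Get-PermanentWmiSubscription | Where-Object RunsCode | Format-List
```

    An ActiveScriptEventConsumer whose Query subscribes to __InstanceCreationEvent on Win32_Process and whose Payload is VBScript is the shape the slides describe. Once identified, the three objects (binding, filter, consumer) can be removed with Remove-CimInstance. On Windows 10 / Server 2016 and later the Microsoft-Windows-WMI-Activity/Operational log also records the creation of a permanent binding as event ID 5861, and Sysmon event IDs 19, 20 and 21 cover the filter, consumer and binding respectively, so the same data can be alerted on at install time rather than found after the fact.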


    The Moth Trojan

    A Trojan which is launched when user Joe logs in.

    Removed when the user Admin logs in.

    Speed Trojan:

    Activates when the CPU fan slows below 100 RPM.

    Lay dormant until twenty bad sectors are reported in the hard drive.

    Infect Your Friends

    Copy malicious files to any USB key inserted.

    Rootkit Dropper & Executor


    The Moth Trojan

    Source Code:

    Currently Unpublished Source Code:

    http://ha.cked.net/moth.zip

    Includes MS Text To Speech API
