What! WINDOWS AZURE AND POWERSHELL POWERED MALWARE BY KIERAN JACOBSEN


Page 1

What! WINDOWS AZURE AND POWERSHELL POWERED MALWARE

BY KIERAN JACOBSEN

Page 2

The following story is fictional and does not depict any actual person or event. Although inspired by true events, the network, people and company described are completely fictional.

 

Whilst the source code shown today is publicly available, I hold no responsibility for any loss or damage that may arise from you using or manipulating the source code.

Everyone involved in this presentation is a trained IT professional, so please, don't try this at home!

 

Malware IS DANGEROUS

Page 3

The Bad Guy

Name: Boris

Previous Title: System Administrator @ Queensland Department of Widget Management

Technical Skills: PowerShell, Group Policy, Windows Azure, some hacking knowledge

Page 4

The Malware

Written in PowerShell

IT IS VERY OBVIOUS!

Signed with a code-signing certificate issued by a third-party root authority, so the signature chains to a root the victims already trust

A machine is considered infected when C:\Infected contains the required files, the drive-infection scheduled task is running, and the C&C scheduled task is running

Command and Control is cloud based: a Windows Azure VM Role running Windows Server 2012 with IIS and WebDAV, reached over the HTTP/HTTPS the network already allows outbound

Page 5

The Malware: Infect-WebPC.ps1

Infects a client

Clients download and execute script

Downloads the other infection files and creates the scheduled tasks that communicate with Command and Control

Page 6

The Malware: Invoke-CandC.ps1

Runs as scheduled task

Uploads a "registration" file to the Command and Control server; the file contains the host's running processes and services

Gets "Commands" from the Command and Control server, filtering out tasks it has already run and those not destined for this host

Runs each command using Invoke-Expression, so the execution policy never sees a script file

Commands can be executable or any PowerShell command
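The three slides above define the malware's footprint precisely enough to hunt for it. The following is an added example of my own, not code from the deck or from the bit.ly/pscandc project: it reports whether a host shows the stated indicators. The page does not name the scheduled tasks or the files under C:\Infected, so the check keys on the folder itself and on any scheduled task whose action starts powershell.exe with something under that folder. It uses schtasks.exe rather than Get-ScheduledTask so it also runs on the Windows 7 SOE in the story (English-locale column names are assumed).

```powershell
function Get-InfectionIndicators {
    # Assumption: the staging folder is the one named on the slide.
    param([string]$StagingPath = 'C:\Infected')

    $findings = @()

    # Indicator 1: the staging folder and whatever it holds.
    if (Test-Path -LiteralPath $StagingPath) {
        $files = @(Get-ChildItem -LiteralPath $StagingPath -Force -ErrorAction SilentlyContinue)
        $findings += New-Object PSObject -Property @{
            Indicator = 'StagingFolder'
            Detail    = "$StagingPath holds $($files.Count) file(s): " + (($files | ForEach-Object { $_.Name }) -join ', ')
        }
    }

    # Indicators 2 and 3: the drive-infection and C&C scheduled tasks.
    # schtasks /v /fo CSV repeats its header row before each task folder; drop those rows.
    $tasks = schtasks.exe /query /v /fo CSV 2>$null |
             ConvertFrom-Csv |
             Where-Object { $_.TaskName -ne 'TaskName' }

    foreach ($task in $tasks) {
        $action = [string]$task.'Task To Run'
        $launchesPowerShell = $action -match 'powershell(\.exe)?'
        $pointsAtStaging    = $action -match [regex]::Escape($StagingPath)
        if ($launchesPowerShell -and $pointsAtStaging) {
            $findings += New-Object PSObject -Property @{
                Indicator = 'ScheduledTask'
                Detail    = "$($task.TaskName) is $($task.Status); action: $action"
            }
        }
    }

    $findings
}

# Run locally; across the fleet, wrap the call in Invoke-Command against the computer names.
Get-InfectionIndicators | Format-Table Indicator, Detail -AutoSize -Wrap
```

A host that returns nothing from this check may still be infected if the operator renamed the folder, so treat it as a confirmation of the known sample, not as proof of a clean machine; any scheduled task that launches powershell.exe from a user-writable folder deserves a look regardless of the path.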

Page 7

A Quick Note: Code Signing

Authenticode/Code Signing only assures us of the authenticity and integrity of the signed file/script/executable

It does not prove good intentions

Because it rests on cryptography, technically minded users tend to trust it more than it deserves

Many sources of abuse: forgery, deception (a legitimately issued certificate in a misleading name), and theft of signing keys

See Also: http://www.f-secure.com/weblog/archives/00002437.html

http://arstechnica.com/security/2012/09/adobe-to-revoke-crypto-key-abused-to-sign-5000-malware-apps/
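The point of this slide is easy to check in practice. The block below is an added example of my own, not the deck's code: it separates "the signature verifies" from "we trust this signer". Get-AuthenticodeSignature reports Valid for the malware on slide 4 because its certificate chains to a third-party root the machine already trusts; the decision that matters is the comparison against an allowlist of signers you chose. The thumbprint allowlist is an assumed input, and nothing on the page says which certificate Boris used.

```powershell
function Test-ScriptSigner {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Assumed allowlist: thumbprints of the code-signing certificates you issued yourself.
        [string[]]$TrustedThumbprints = @()
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # 'Valid' means the hash matches and the chain builds to a trusted root.
    # It says nothing about who the signer is or what the script does.
    $signatureValid = ($sig.Status -eq 'Valid')
    $thumbprint = $null; $subject = $null; $issuer = $null
    if ($cert) {
        $thumbprint = $cert.Thumbprint
        $subject    = $cert.Subject
        $issuer     = $cert.Issuer
    }
    $signerAllowed = $signatureValid -and ($TrustedThumbprints -contains $thumbprint)

    New-Object PSObject -Property @{
        Path           = $Path
        Status         = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Subject        = $subject
        Issuer         = $issuer
        Thumbprint     = $thumbprint
        SignatureValid = $signatureValid
        SignerAllowed  = $signerAllowed
    }
}

# Placeholder allowlist for illustration; replace it with the thumbprints of your own signing certificates.
$allowed = @('<thumbprint of your code-signing certificate>')
Get-ChildItem -Path 'C:\Infected' -Filter *.ps1 -ErrorAction SilentlyContinue |
    ForEach-Object { Test-ScriptSigner -Path $_.FullName -TrustedThumbprints $allowed } |
    Format-Table Status, SignerAllowed, Subject, Issuer, Path -AutoSize
```

Under an AllSigned policy the only thing standing between a validly signed script from an unknown publisher and execution is the "Do you want to run software from this untrusted publisher?" prompt, and a user who is a local administrator can answer it; pinning signers by thumbprint (or by publisher rule in application whitelisting) removes that decision from the user.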

Page 8

The Network

Simple, flat network

Limited outbound protocols allowed: HTTP, HTTPS, DNS (exactly what the cloud-hosted C&C needs)

Single Windows Server 2012, running the DC and File and Print

Windows 7 SOE; all users are local administrators

UAC was disabled due to an application compatibility issue

VNC runs on all machines under a service account, which is a domain admin

Page 9

What Boris Knows

Usernames, computer names, IP addressing…

Security and Firewall policies

That passwords have all been changed

Group Policy restrictions, including the PowerShell execution policies

Personal details of those remaining: email addresses, pets and favourite animals, hobbies and interests

Page 10

The Plan of Attack

1. Infect previous co-workers

   1. Alice: his former boss

   2. Bob: the co-worker he didn't like

   3. Eve: the paranoid security administrator

   4. Jane: the C-level exec

2. Get a Domain Admin account username and password

3. ?

4. Profit!

Page 11

A Quick note: PowerShell Execution Policies

There are 6 states for the execution policy:

Unrestricted: all scripts can run; PowerShell warns before running scripts downloaded from the Internet

RemoteSigned: scripts downloaded from the Internet must be signed by a trusted publisher; scripts written locally run unsigned

AllSigned: every script must be signed by a trusted publisher, including scripts written locally

Restricted: no script files run at all; only interactive commands

Undefined (default): no policy is set in this scope; if it is undefined in every scope, Restricted applies (the default on Windows clients)

Bypass: nothing is blocked and there are no warnings or prompts

The execution policy is a safety feature, not a security boundary: it governs only the loading of script files, so commands typed at the prompt or script text fed to Invoke-Expression (which is how Invoke-CandC.ps1 runs what it downloads) are never checked against it.
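An added example of my own, not code from the deck (the bypass code from slide 15 is not reproduced on this page): it writes a harmless one-line script, then tries to run it as a script file, as text through Invoke-Expression, and in a child powershell.exe started with -ExecutionPolicy Bypass, and reports which attempts the effective policy actually stopped. Under Restricted only the first is refused. The file names under $env:TEMP are assumed.

```powershell
function Test-ExecutionPolicyBoundary {
    $scriptPath = Join-Path $env:TEMP 'ep-demo.ps1'
    $marker     = Join-Path $env:TEMP 'ep-demo.ran'
    # The payload only drops a marker file, which makes "did it run" easy to verify.
    Set-Content -LiteralPath $scriptPath -Value "Set-Content -LiteralPath '$marker' -Value 'ran'"

    # Runs one attempt and reports whether the payload executed.
    $attempt = {
        param([scriptblock]$Action)
        Remove-Item -LiteralPath $marker -ErrorAction SilentlyContinue
        try { & $Action } catch { }          # a policy refusal surfaces here as a PSSecurityException
        Test-Path -LiteralPath $marker
    }

    # 1. As a script file: the one thing the execution policy governs.
    $asFile = & $attempt { & $scriptPath }

    # 2. As text: Invoke-CandC.ps1 runs its downloaded commands this way, and the policy never sees it.
    $asText = & $attempt { Invoke-Expression ((Get-Content -LiteralPath $scriptPath) -join "`n") }

    # 3. In a child process that asks for Bypass: works unless a Group Policy scope pins the policy
    #    (as in the story's network), in which case PowerShell warns, keeps the GPO value, and
    #    attempt 2 still works anyway.
    $asChild = & $attempt { powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $scriptPath | Out-Null }

    Remove-Item -LiteralPath $scriptPath, $marker -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        EffectivePolicy        = [string](Get-ExecutionPolicy)
        PolicyByScope          = (Get-ExecutionPolicy -List | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join ' '
        RanAsScriptFile        = $asFile
        RanViaInvokeExpression = $asText
        RanViaBypassSwitch     = $asChild
    }
}

Test-ExecutionPolicyBoundary | Format-List
```

The PolicyByScope field shows where the effective value comes from (MachinePolicy and UserPolicy are the Group Policy scopes and take precedence over Process, CurrentUser and LocalMachine). Whatever it says, RanViaInvokeExpression comes back True, which is why the fixes on slide 22 lead with application whitelisting rather than with a stricter execution policy.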

Page 12

Demo: Boris infects Alice’s PC

Page 13

Demo: Boris infects Bob’s PC

Page 14

Demo: Boris infects Eve’s PC

Page 15

Code: Bypassing Restricted Execution Policy

Page 16

Demo: Boris gets a domain admin username and password

Page 17

Demo: Boris infects the server

Page 18

Demo: Boris cracks open AD

Page 19

Cloud Cracker Results

Page 20

Malicious HID Devices

HID: Human Interface Device; examples generally include mice, keyboards, fingerprint readers, joysticks, webcams and gamepads

Device shown today: Hak5 USB Rubber Ducky

Retails for USD 60

Contains a micro SD storage card and a 60 MHz CPU

When placed in a plastic case it looks like any other USB device

Appears to the OS as a HID keyboard, so USB storage controls never see it

Simple programming language; it can do anything you could do with a keyboard

Cross Platform
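Because the Ducky enumerates as a keyboard, a storage-device block list never sees it, but Windows does still register it as a keyboard. The following is an added example (mine, not the deck's) that lists every keyboard the OS currently knows about together with its USB vendor and product ID, and flags any that is not on an allowlist of the models your fleet actually uses, or any second keyboard on a single-keyboard SOE. The allowlist value and the hardware ID in the comment are constructed for illustration; the Ducky's own VID/PID is not stated on the page.

```powershell
function Get-UnexpectedKeyboards {
    # Assumed allowlist: 'VID:PID' pairs of the keyboard models you actually deploy.
    param([string[]]$KnownVidPid = @())

    # Win32_Keyboard lists everything the OS drives as a keyboard: USB HID keyboards,
    # PS/2 keyboards, and any other device claiming the HID keyboard usage.
    $keyboards = @(Get-WmiObject -Class Win32_Keyboard)

    foreach ($kb in $keyboards) {
        # Constructed USB HID example: HID\VID_045E&PID_00DB&MI_00\7&1A2B3C4D&0&0000
        $id = [string]$kb.DeviceID
        $vidPid = $null
        if ($id -match 'VID_([0-9A-F]{4})&PID_([0-9A-F]{4})') {
            $vidPid = "$($Matches[1]):$($Matches[2])"
        }

        $isUsb = ($null -ne $vidPid)
        # A USB keyboard you did not deploy, or more than one keyboard at all, is the signal.
        $unexpected = ($isUsb -and ($KnownVidPid -notcontains $vidPid)) -or ($keyboards.Count -gt 1)

        New-Object PSObject -Property @{
            Name       = $kb.Name
            DeviceID   = $id
            VidPid     = $vidPid
            IsUsb      = $isUsb
            Unexpected = $unexpected
        }
    }
}

# Assumed allowlist entry for illustration.
Get-UnexpectedKeyboards -KnownVidPid @('045E:00DB') | Format-Table Unexpected, IsUsb, VidPid, Name, DeviceID -AutoSize
```

A snapshot like this misses a Ducky that is unplugged again after a few seconds of typing, which is why the deck lists USB device control, rather than periodic inventory, among the fixes; the inventory is still useful for spotting a device left plugged in behind a desk.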

Page 21

Demo: Boris goes for complete domination, infects Jane’s PC

Page 22

So what do we do?

Boris never made a connection into the network; the infected machines always connected out to him

Boris could easily have done this with a significant level of anonymity

PowerShell Execution Policies

URL White Listing

Application White Listing

Email filtering

USB Device Control

Solution: User Education

Page 23

Questions? More Info…

Website: http://aperturescience.su

Twitter: @kjacobsen

Email [email protected]

GitHub Project: http://bit.ly/pscandc

Tools: PwdumpX: http://bit.ly/pwdumpx

Quarks PW Dump: http://bit.ly/quarkspwdump

Cloudcracker.com: http://bit.ly/cloudcracker

USB Rubber Ducky: http://bit.ly/TFe7EG

Hak5: http://hak5.org