TRANSCRIPT
Page 1
What! WINDOWS AZURE AND POWERSHELL POWERED MALWARE
BY KIERAN JACOBSEN
Page 2
The following story is fictional and does not depict any actual person or event. Although inspired by true events, the network, people and company described are completely fictional.
Whilst the source code shown today is publicly available, I hold no responsibility for any loss or damage that may arise from your use or manipulation of the source code.
Everyone involved in this presentation is a trained IT professional, so please, don't try this at home!
Malware IS DANGEROUS
Page 3
The Bad Guy
Name: Boris
Previous Title: System Administrator @ Queensland Department of Widget Management
Technical Skills: PowerShell, Group Policy, Windows Azure, some hacking knowledge
Page 4
The Malware
Written in PowerShell
IT IS VERY OBVIOUS!
Signed with an SSL certificate issued by a third-party root authority
A machine is considered infected when:
  C:\Infected contains the required files
  The drive-infection scheduled task is running
  The C&C scheduled task is running
Command and Control is cloud based: a Windows Azure VM role running Windows Server 2012 with IIS and WebDAV
Page 5
The Malware: Infect-WebPC.ps1
Infects a client
Clients download and execute the script
It downloads the other files needed for infection and creates the scheduled tasks that communicate with Command and Control
Page 6
The Malware: Invoke-CandC.ps1
Runs as a scheduled task
Uploads a "registration" file to the Command and Control server; the file contains the running processes and services
Gets "Commands" from the Command and Control server, filtering out tasks previously run and those not destined for this host
Runs each command using Invoke-Expression
Commands can be an executable or any PowerShell command
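The two slides above give a defender everything needed to hunt for this on a host: the marker directory, two scheduled tasks that launch PowerShell, and two script names. The following is an added example of that hunt, written by the editor and not taken from the talk or its GitHub project. It targets the Windows 7 / PowerShell 2.0 SOE described later in the deck, so it uses schtasks.exe and WMI rather than the Windows 8+ ScheduledTasks module. Only C:\Infected, the task roles and the script names come from the slides; the function names, the assumption that a task's action mentions powershell and the script path, and the English schtasks column headers (they are localized on non-English Windows) are the editor's assumptions.

```powershell
# Added example: hunt for the infection markers the slides define. Not the talk's code.
# Known from the slides: C:\Infected, two scheduled tasks (drive infection, C&C) and the
# script names Infect-WebPC.ps1 and Invoke-CandC.ps1. Everything else here is assumed.
$MarkerDir   = 'C:\Infected'
$ScriptNames = @('Infect-WebPC.ps1', 'Invoke-CandC.ps1')

function Get-MarkerFiles {
    # PowerShell 2.0 compatible: Get-ChildItem has no -File switch there.
    if (-not (Test-Path -Path $MarkerDir)) { return @() }
    Get-ChildItem -Path $MarkerDir -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, LastWriteTime
}

function Get-SuspiciousScheduledTasks {
    # schtasks /v /fo CSV repeats its header row for every task folder; drop the repeats.
    # Column names ('Task To Run', 'Run As User') are the English ones.
    $rows = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' }
    foreach ($row in $rows) {
        $cmd = $row.'Task To Run'
        if ($cmd -notmatch 'powershell') { continue }
        $hitsDir    = $cmd -match [regex]::Escape($MarkerDir)
        $hitsScript = @($ScriptNames | Where-Object { $cmd -match [regex]::Escape($_) }).Count -gt 0
        if ($hitsDir -or $hitsScript) {
            New-Object PSObject -Property @{
                TaskName  = $row.TaskName
                Status    = $row.Status
                RunAsUser = $row.'Run As User'
                Command   = $cmd
            }
        }
    }
}

function Get-PowerShellProcesses {
    # Win32_Process exposes the full command line, which Get-Process does not on PS 2.0.
    # A C&C beacon started by Task Scheduler shows taskeng.exe / svchost.exe as its parent.
    Get-WmiObject -Class Win32_Process -Filter "Name = 'powershell.exe'" |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

function Invoke-InfectionHunt {
    $files = @(Get-MarkerFiles)
    $tasks = @(Get-SuspiciousScheduledTasks)
    New-Object PSObject -Property @{
        ComputerName    = $env:COMPUTERNAME
        MarkerFileCount = $files.Count
        SuspiciousTasks = $tasks
        PowerShell      = @(Get-PowerShellProcesses)
        # The deck's own definition of "infected": marker files present and the tasks in place.
        LikelyInfected  = ($files.Count -gt 0 -and $tasks.Count -gt 0)
    }
}

Invoke-InfectionHunt | Format-List
```

Run it from an elevated prompt so schtasks can see every user's tasks; pushing the same functions out with Invoke-Command or a logon script turns it into a fleet-wide sweep. The markers are deliberately obvious in this talk, so the value of the exercise is the pattern (directory, task action, parent process), not the literal strings.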
Page 7
A Quick Note: Code Signing
Authenticode/code signing only assures us of the authenticity and integrity of the signed file/script/executable
It does not prove good intentions
Because of its cryptographic basis, it is more trusted by technically minded users
Many sources of abuse: forgery, deception, theft
See Also: http://www.f-secure.com/weblog/archives/00002437.html
http://arstechnica.com/security/2012/09/adobe-to-revoke-crypto-key-abused-to-sign-5000-malware-apps/
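The slide's point is that a "Valid" signature answers only "has this file been altered since someone with this key signed it?" The added example below, written by the editor and not part of the talk, pulls out what a practitioner should actually look at: who the signer is, which root vouched for it, whether the certificate even carries the code-signing usage, and whether that signer is one you chose to trust. The script path and the allow-list thumbprint are placeholders.

```powershell
# Added example, not from the talk: what Get-AuthenticodeSignature does and does not tell you.
# Placeholder allow-list; fill it from your own code-signing CA or approved publishers.
$TrustedSignerThumbprints = @('0000000000000000000000000000000000000000')  # assumed value

function Get-SignerReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) {
        return New-Object PSObject -Property @{ Path = $Path; Status = $sig.Status; Signed = $false }
    }

    # Build the chain so the report shows which root vouched for the signer. Revocation is checked
    # online because revocation is exactly how the Adobe incident linked on this slide was handled.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainBuilt = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    New-Object PSObject -Property @{
        Path        = $Path
        Signed      = $true
        Status      = $sig.Status        # 'Valid' = untampered and chains to a trusted root. Nothing about intent.
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Root        = $root.Subject
        Thumbprint  = $cert.Thumbprint
        ChainBuilt  = $chainBuilt
        ChainErrors = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        # 1.3.6.1.5.5.7.3.3 is the Code Signing EKU; a plain SSL/server-auth certificate does not carry it.
        CodeSigningEku = (@($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.3' }).Count -gt 0)
        NotAfter    = $cert.NotAfter
    }
}

function Test-TrustedSigner {
    # Trust is a policy decision: a valid signature from a signer you never approved is still untrusted.
    param([Parameter(Mandatory = $true)][string]$Path)
    $r = Get-SignerReport -Path $Path
    return ($r.Signed -and $r.Status -eq 'Valid' -and $r.CodeSigningEku -and
            ($TrustedSignerThumbprints -contains $r.Thumbprint))
}

# Usage (placeholder path): Get-SignerReport -Path 'C:\Infected\Invoke-CandC.ps1' | Format-List
```

Test-TrustedSigner is the check that AllSigned never does for you: the execution policy accepts any signer chaining to a trusted root, which is precisely the property a malware author with a purchased certificate is relying on.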
Page 8
The Network
Simple, flat network
Limited outbound protocols allowed: HTTP, HTTPS, DNS
A single Windows Server 2012, running the DC and File and Print
Windows 7 SOE; all users are local administrators
UAC was disabled due to an application compatibility issue
VNC runs on all machines under a service account, which is a domain admin
Page 9
What Boris Knows
Usernames, computer names, IP addressing...
Security and firewall policies
That passwords have all been changed
Group Policy restrictions: PowerShell execution policies
Personal details of those remaining: email addresses, pets and favourite animals, hobbies and interests
Page 10
The Plan of Attack
1. Infect previous co-workers
   1. Alice: his former boss
   2. Bob: the co-worker he didn't like
   3. Eve: the paranoid security administrator
   4. Jane: the C-level exec
2. Get a Domain Admin account username and password
3. ?
4. Profit!
Page 11
A Quick Note: PowerShell Execution Policies
There are six states for the execution policy:
Unrestricted: all scripts can run
RemoteSigned: unsigned scripts downloaded from the Internet cannot run; local unsigned scripts can
AllSigned: no unsigned scripts can run
Restricted: no scripts are allowed to run
Undefined (default): if no policy is defined at any scope, the effective policy is Restricted
Bypass: nothing is blocked and there are no warnings or prompts
Page 12
Demo: Boris infects Alice's PC
Page 13
Demo: Boris infects Bob's PC
Page 14
Demo: Boris infects Eve's PC
Page 15
Code: Bypassing Restricted Execution Policy
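The bypass code on this slide is not transcribed, so the following is an added example by the editor, not the talk's own code, illustrating both the execution-policy slide above and this one. The policy is consulted only when PowerShell is asked to run a .ps1 file (or load a profile or module); script text that reaches the engine any other way is never checked, which is why a GPO-enforced Restricted policy of the kind Boris knows about stops nothing. The script path is a placeholder; the registry path is the real location of the Group Policy setting.

```powershell
# Added example, not the talk's code: the execution policy is a safety catch, not a security boundary.
$ScriptPath = 'C:\Infected\Invoke-CandC.ps1'   # assumed path

# 1. See what is actually in force. A GPO-set MachinePolicy outranks every lower scope, so
#    "powershell.exe -ExecutionPolicy Bypass" (which only sets the Process scope) changes nothing.
Get-ExecutionPolicy -List

# 2. Run the file's contents without ever "running the file". The policy is never consulted
#    for a script block built from a string, the same effect as piping the text to Invoke-Expression.
function Invoke-ScriptText {
    param([Parameter(Mandatory = $true)][string]$Path)
    $text = Get-Content -Path $Path | Out-String      # PS 2.0 has no -Raw switch
    & ([scriptblock]::Create($text))
}

# 3. Same idea from a fresh process: hand the text to powershell.exe as -EncodedCommand (or via stdin
#    with "-Command -"). This is the shape a downloaded one-liner or a keystroke-injecting USB device uses.
function Get-EncodedCommandLine {
    param([Parameter(Mandatory = $true)][string]$Path)
    $text = Get-Content -Path $Path | Out-String
    $b64  = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($text))
    "powershell.exe -NoProfile -NonInteractive -EncodedCommand $b64"
}

# 4. On this network every user is a local administrator, so even the GPO value is editable locally
#    until the next policy refresh. Read-only here; the point is that it is just a registry string.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell' `
                 -Name ExecutionPolicy -ErrorAction SilentlyContinue

# Usage (placeholder path):
#   Invoke-ScriptText -Path $ScriptPath
#   Get-EncodedCommandLine -Path $ScriptPath
```

The defensive consequence is that execution policy belongs in the "prevents accidents" column. Controls that actually bind are the ones listed at the end of the deck: application whitelisting of powershell.exe and of the scripts it may load, and logging of what the engine executes, neither of which cares how the text arrived.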
Page 16
Demo: Boris gets a domain admin username and password
Page 17
Demo: Boris infects the server
Page 18
Demo: Boris cracks open AD
Page 19
Cloud Cracker Results
Page 20
Malicious HID Devices
HID: Human Interface Device; examples generally include mice, keyboards, fingerprint readers, joysticks, webcams, gamepads
Device shown today: Hak5 USB Rubber Ducky
Retails for: USD 60
Contains a micro SD storage card and a 60 MHz CPU
When placed in a plastic case, it looks like any other USB device
Appears as a HID keyboard, bypassing USB storage controls
Simple programming language; it can do anything you could do with a keyboard
Cross platform
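"Bypassing USB storage controls" deserves a concrete check. The added example below, written by the editor and not from the talk, shows why the usual lockdown (disabling the USBSTOR driver) never sees a keystroke-injection device, and gives a quick inventory of what Windows currently believes is a keyboard; it also serves the "USB Device Control" item on the closing slide. Function names are the editor's; the USBSTOR registry key and the Win32_Keyboard class are real.

```powershell
# Added example, not from the talk: USB mass-storage lockdown versus a device that is a keyboard.

function Get-UsbStorageControlState {
    # The common "USB device control" disables the mass-storage driver (USBSTOR Start = 4).
    # A Rubber Ducky never touches USBSTOR: it enumerates as a HID keyboard through hidusb/kbdhid.
    $start = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start).Start
    New-Object PSObject -Property @{ UsbStorStart = $start; MassStorageBlocked = ($start -eq 4) }
}

function Get-KeyboardInventory {
    # Win32_Keyboard lists every keyboard-class device: a laptop's own (ACPI\PNP0303) and USB HID ones.
    Get-WmiObject -Class Win32_Keyboard | ForEach-Object {
        $id = $_.PNPDeviceID
        $vendorId = $null; $productId = $null
        if ($id -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
            $vendorId = $Matches[1]; $productId = $Matches[2]
        }
        New-Object PSObject -Property @{
            Description = $_.Description
            Enumerator  = ($id -split '\\')[0]   # 'HID' for USB keyboards, 'ACPI' for a built-in one
            VendorId    = $vendorId
            ProductId   = $productId
            PNPDeviceID = $id
        }
    }
}

function Test-ExtraKeyboard {
    # One keyboard is normal; a second that appeared recently is worth a look.
    # Do not build an allow-list on VID/PID alone: an attacker-controlled device presents whatever
    # identifiers its firmware is told to, so the IDs are an indicator, not a control.
    $kb = @(Get-KeyboardInventory)
    New-Object PSObject -Property @{
        KeyboardCount = $kb.Count
        ExtraKeyboard = ($kb.Count -gt 1)
        Keyboards     = $kb
    }
}

Get-UsbStorageControlState
Test-ExtraKeyboard | Format-List
```

The honest conclusion is the one the slide implies: a device that types is defeated by the same controls as a user who types (application whitelisting, no local admin, UAC on), not by storage policy.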
Page 21
Demo: Boris goes for complete domination and infects Jane's PC
Page 22
So what do we do?
Boris never connected in to the network; the infected machines always connected out to his PC
Boris could easily have done this with a significant level of anonymity
PowerShell execution policies
URL whitelisting
Application whitelisting
Email filtering
USB device control
Solution: User Education
Page 23
Questions? More Info...
Website: http://aperturescience.su
Twitter: @kjacobsen
Email: [email protected]
GitHub Project: http://bit.ly/pscandc
Tools:
PWDumpX: http://bit.ly/pwdumpx
Quarks PW Dump: http://bit.ly/quarkspwdump
Cloudcracker.com: http://bit.ly/cloudcracker
USB Rubber Ducky: http://bit.ly/TFe7EG
Hak5: http://hak5.org