Aperture Science

So Matt Graber posted a few weeks ago three items of significant importance for PowerShell security folks.

The first, is he has performed an extremely detailed analysis of PowerWorm, the PowerShell malware that TendMicro found about a month ago and I wrote about as well. Matt has gone one better though, and rewritten the code, make it safe, and cleaned up the abstraction and obfuscation and put all of the code up on GitHub.

I recommend everyone, both those who are interested in PowerShell and those who are interested in malware to take a look.

Matt talks about why the PowerShell execution policy doesn’t help, the code uses the –endcodedcommand parameter when calling powershell.exe. I didn’t know about this till recently, and I was shocked at its effectiveness. If you haven’t looked into this one, I so thoroughly recommend you do, it is amazing.

There is plenty of other interesting things though, considering how this malware users PowerShell and WMI to persist. As I mentioned earlier, the use of the Net.WebClient explained why Polipo was needed as well as Tor.

I also was highly interested in the use of freegeoip.com, I have already started writing some code to make use of this site. I recommend you take a look.

Please go and look at the Matt’s post, and at his GitHub code.

But wait, there is much more! PowerWorm has picked up the functionality of CryptoLocker!!!!

Matt also tweeted a link to this post at Bleeping Computer, which describes a new variant of PowerWorm, dubbed PoshCoder or PoshKoder. This variant is encrypting files and folders in a manner similar to CryptoLocker, and then demanding the victim pays a fee of a couple of bitcoin.

The posts on Bleeping Computer do reference more volatile code, so I do warn you that it isn’t safe to play with unlike Matt’s deactivated code, so be careful. If you want to play, look at Matt’s code.

One interesting thing, is amongst these posts, it appears the malware writer makes an appearance. Whilst I and those on the forum could be wrong, there are some cryptic comments by one of the posters who makes even me wonder.

What is interesting, is that what Matt, TendMicro, myself and most others thought was harmless, has been successfully weaponized, and done so entirely in PowerShell. This malware, PoshCoder, is just as dangerous as CryptoLocker, but nowhere near as detectable. Right now, the low infection rates have prevented this from becoming a massive problem.

Last thing, paying the ransom doesn’t seem to be effective. There is a glitch somewhere and decryption isn’t working correctly. So bad news for anyone infected, you probably can’t get your files back.

Good news, some people have reported that Microsoft Security Essentials is detecting the malware.

Last night Matt Graeber of @mattifestation published a tweet that quickly gained my interest:

Woot! More PowerShell (albeit lame) found in the wild. http://t.co/jQk1kL6TRD

— Matt Graeber (@mattifestation) March 28, 2014

 Matt's interesting Tweet

Matt was commenting on a TrendMicro post, Word and Excel Files Infected Using Windows PowerShell, in regards to another (in Matt’s words, “lame”,) discovery of PowerShell Malware. TrendMicro discovered two pieces of malware W97M_CRIGENT.A and X97M_CRIGENT.A, which really in the big picture are quite unremarkable pieces of malware.

There are however, some functions/features of this malware that will be interesting to anyone who saw my presentation.

Firstly, the malware enters via an infected Word or Excel document, much like the initial entry during my presentation. The malware that TrendMicro discovered is significantly more complex than mine is, making use of some interesting DNS queries and cloud storage provides for hosting things like Tor and Polipo. The use of DNS TXT records I find incredibly interesting.

One thing I thought was left out of the TrendMicro post is, why Polipo? Well the answer is extremely obvious to someone who has spent a significant amount of time developing PowerShell or even .Net code! The answer is, and I say this without seeing the code, they (the malware author) wanted to use the Net.WebClient object, which does not support SOCKS proxies. The author wanted to route the traffic via Tor, and needed Polipo to provide a HTTP proxy to route the WebClient traffic via Tor. How do I know this, well, I have deployed an extremely similar configuration for another project I was working on.

Once the malware has Tor and Polipo locally, it connects to the C&C server via the Tor network. The malware uploads a chunk of information to the C&C server, including:

• IP Address
• Country code
• Country name
• Region code
• Region name
• City
• Zipcode
• Latitude
• User account privilege
• OS version
• OS architecture
• Domain
• OS Language
• Microsoft Office applications
• Microsoft Office versions

Most of this are easily gathered with PowerShell, I pretty much included most of these in my presentation, if you remember:

An excerpt from my PowerShell Shenanigan’s code, found here.

Whilst I do not have all of the information there, it is extremely easy to extend what I had.

The malware seems to be a throw back from 90s, running off and infecting Word and Excel documents as a mechanism for propagation.

Whilst the use of PowerShell really did not seem to why TrendMicro thought it was blog worthy, they seemed to focus on the use of Tor; I think it is a wholly interesting piece of code.

I would love to look at the samples, as would Carlos Perez (@Carlos_Perez). I would love to see how well developed the PowerShell is! If anyone has seen the samples, please contact me!

Just a quick blog post this time, mainly focusing on some configuration items you “may” need to do if you are working with WinRM, in particular in workgroup environments. These are settings you may need to configure client side when trying to interact with servers. You probably saw these in the notes section of Get-WinRMPassword.

Firstly, how do you view your configuration?

winrm get winrm/config

Next, if you are connecting to systems where HTTP listeners have been configured on the server, if your running on a later Windows Client, you will need to allow for the connection to be made. By default “unencrypted” that is HTTP sessions will not be allowed.

winrm set winrm/config/service @{AllowUnencrypted="true"}

Now I recommend enabling basic auth, just incase.

winrm set winrm/config/client/auth @{Basic="true"}

Finally, the server a client connects to, actually needs to be listed in trusted hosts. This can be done like this:

winrm set winrm/config/client @{TrustedHosts="myserver"}

Note that the command above will clear any other trusted host entries you might have.

And that is pretty much all you need to do!

The easiest to understand guides are (in no particular order):

• vCenter Orchestrator Plug-Ins - Configure WinRM to Use HTTP
• vCenter Orchestrator Plug-Ins - Configure WinRM to Use HTTPS
• Installation and Configuration for Windows Remote Management
• Authentication for Remote Connections