
The Moth Trojan

Paul Craig
Security-Assessment.com

© 2008 Security-Assessment.com
• Who Am I?
  • Paul Craig, Principal Security Consultant
    Security-Assessment.com

• My Role
  • Application Penetration Tester
  • Published Security Author
  • Active Security Researcher
  • Devoted Hacker

• Feedback?
  • Email: [email protected]
  • Just buy me a beer!


• The Moth Trojan
  • Idea: I Have Always Wanted My Own Trojan.
    • Hollywood hacker style.
    • In the theme of Hackers, War-Games, Sword-Fish.
    • Something AMAZING.
  • But Somehow I never got around to it…


• “It Has To Be Done.”
  • Goal: Write a 100% Undetectable Trojan.
  • Work under both Vista and XP.
  • Contain “Ninja Magic”.
    • Something Original
    • Completely New!

• Without Further Delay, I Present To You:
  The Moth Trojan

KIWICON EXCLUSIVE RELEASE


• Screw Anti-Virus, Call A Priest!
  • “Help, my computer is suffering from demonic possession.”

• Welcome to the Moth.
  • Verbally abusive Trojan.
  • Abusive, Abrasive, Mocking.
  • Choice!

• So The Big Question
  • What is the Moth?
  • Additional learning is required to understand…
  • Delve into some lesser known Windows functionality.


• Windows Management Instrumentation (WMI)
  • Extension to the Windows Driver Model (WDM).
  • Provides an interface for components to send notifications to other components.

• WMI is Microsoft's implementation of WBEM.
  • Web Based Enterprise Management.

• WMI Has Eventing capabilities
  • WMI Events raised when ANYTHING happens in Windows.
  • WMI can notify an Event Subscriber for any raised event.
  • WMI Query Language (WQL) is used to drive event queries.


• Event Subscribers Are Written in Managed Object Format
  • Supported under XP, Vista+

• Compiled event subscribers are included into the CIM repository.
  • Common Information Model
  • %SystemRoot%\System32\WBEM\

• Event Consumers Subscribe To WMI Events.
  • Events can originate from many places
  • From an Event Provider Component.
    • Disk Quota Provider.
    • Power Management Provider.
    • Event Log Provider.

• Extrinsic Events
  (being outside a thing; outward or external; operating or coming from without)
  • Predefined events that cannot be linked directly to change.
  • Example: An event that describes a computer switching to stand-by mode.

• Intrinsic Events
  (belonging to a thing by its very nature)
  • Event that occurs in response to a change.
  • Standard WMI events raised when anything happens.
  • Creating a Win32_LogicalDisk will raise a __InstanceCreationEvent event.


• To Put It Simply:
  • When you do anything in Windows, you create a WMI event.
  • These events can be subscribed to using an event consumer.
  • WMI will forward any raised event to the associated consumer.

• Temporary Event Consumer.
  • Only functions when specifically loaded by a user.
  • Will not survive a reboot.

• Permanent Event Consumer.
  • Permanent, will survive a reboot.
  • Works as long as WMI is running.

• Windows Permits 1,000 Event Consumers Per User Account.
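As an added illustration of the temporary/permanent distinction (example code written for this page, not the talk's own Moth source): a temporary consumer registered from a PowerShell session that watches the same intrinsic event class the slides name, __InstanceCreationEvent on Win32_Process. The process name and log path are assumed sample values.

```powershell
# Added example: a TEMPORARY event consumer via Register-WmiEvent.
# It lives only in this Windows PowerShell session; nothing is compiled
# into the CIM repository, so it is gone after a reboot or Unregister-Event.

$WatchedImage = 'notepad.exe'   # assumed sample process name to watch

# WQL: poll every 2 seconds (WITHIN 2) for newly created Win32_Process
# instances whose image name matches. This is the event class the Moth
# consumes, here used purely for monitoring.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
         "WHERE TargetInstance ISA 'Win32_Process' " +
         "AND TargetInstance.Name = '$WatchedImage'"

# -Action runs in a background runspace each time the event is delivered.
Register-WmiEvent -Query $query -SourceIdentifier 'MothDemo.ProcWatch' -Action {
    $p = $Event.SourceEventArgs.NewEvent.TargetInstance
    $line = '{0:u} PID={1} Parent={2} Cmd={3}' -f (Get-Date),
            $p.ProcessId, $p.ParentProcessId, $p.CommandLine
    Write-Host $line
    # Constructed log location for the demo (assumption).
    Add-Content -Path "$env:TEMP\procwatch.log" -Value $line
}

# The subscription exists only as a session object ...
Get-EventSubscriber -SourceIdentifier 'MothDemo.ProcWatch'

# ... and leaves no trace in root\subscription, unlike a permanent consumer.
Get-WmiObject -Namespace 'root\subscription' -Class __EventFilter |
    Where-Object { $_.Name -like 'MothDemo*' }   # returns nothing

# Explicit cleanup (the session ending would also remove it):
# Unregister-Event -SourceIdentifier 'MothDemo.ProcWatch'
```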


• Default Windows Event Consumer Classes.
  • 5 predefined event consumer classes.

  ActiveScriptEventConsumer   Execute a predefined script in an arbitrary scripting language when an event is delivered.
  LogFileEventConsumer        Write customized strings to a text log file when an event is delivered.
  NTEventLogEventConsumer     Log a message to the Windows NT event log when an event is delivered.
  SMTPEventConsumer           Sends an e-mail message using SMTP each time an event is delivered.
  CommandLineEventConsumer    Launch an arbitrary process in the local system context when an event is delivered.


• So Back To My Original Point - What is The Moth Trojan?
  • Malicious Managed Object Format Code
  • Multiple, malicious, persistent, ActiveScript event consumers.
  • 100% VBScript/WQL
  • Consumes __InstanceCreationEvent.
  • Subscribes to events created when you run specific executables.

• Implements Microsoft Text To Speech ActiveX control.
  • VBScript is executed as the user SYSTEM.

• Works on Vista.
  • Executed as NETWORK_SERVICE.
  • SeImpersonate privileges available.
Example:


• Installing The Moth
  • Installing the Moth REQUIRES Administrative authority.
  • WMI is a core component of Windows.
  • The Moth Trojan becomes a CORE component of Windows.

• Install from MOF File: Mofcomp.exe mothtrojan.mof


• Writing Files To Disk.
  • The Moth can be used to drop and execute files.
  • Arbitrary executables embedded in VBScript.
  • Excellent method of re-deployment.
  • Used in conjunction with your favourite rootkit.


• Moth Trojan is a Unique Method of Hiding Malicious Code.
  • AFAIK the first malicious event subscriber, ever.
  • Using functionality unknown by most people.

• Application Level Trojan.
  • Typical Trojan technique is “Getting Low”
  • Manipulate API calls, Kernel calls, Hardware calls.

• My Approach Is the Complete Opposite!
  • Get as High as Possible!
  • Hide malicious code within native Windows functionality.
  • VBScript!


• Is It Really Undetectable?
  • You CAN detect the Moth Trojan.
  • Requires WMI Administrator tools.
    • WMI console application.
    • Enumerate all event consumers.

• You Need To Know Where To Look.
  • Uses relatively unknown functionality.
  • Forensic methodology does not focus on WMI!
  • Who knew About CIM/WBEM/WMI this morning?
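The enumeration the slide calls for, as an added example (not part of the talk or the Moth source): list every permanent subscription in root\subscription, join each binding back to its filter and consumer, and flag the two consumer classes that run script or commands. It assumes an elevated Windows PowerShell prompt and that the subscription was compiled into root\subscription.

```powershell
# Added example: enumerate permanent WMI event subscriptions and show what
# each one would run. Run elevated; mofcomp lands subscriptions in
# root\subscription (other namespaces can hold them too, check those as well).

$ns = 'root\subscription'

$filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
$consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)
$bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

# Consumer classes that execute script or a command line on each event.
$risky = @('ActiveScriptEventConsumer', 'CommandLineEventConsumer')

$report = foreach ($b in $bindings) {
    # Binding.Filter / Binding.Consumer hold relative paths such as
    # __EventFilter.Name="x"; match them against each object's __RELPATH.
    $f = $filters   | Where-Object { $_.__RELPATH -eq $b.Filter }
    $c = $consumers | Where-Object { $_.__RELPATH -eq $b.Consumer }

    # Recover the payload the consumer would actually execute.
    $payload = switch ($c.__CLASS) {
        'ActiveScriptEventConsumer' {
            if ($c.ScriptText) { "$($c.ScriptingEngine): $($c.ScriptText)" }
            else { "$($c.ScriptingEngine) file: $($c.ScriptFileName)" }
        }
        'CommandLineEventConsumer' { $c.CommandLineTemplate }
        default                    { '' }
    }

    [pscustomobject]@{
        Filter   = $f.Name
        Query    = $f.Query        # the WQL trigger, e.g. __InstanceCreationEvent ...
        Consumer = $c.Name
        Type     = $c.__CLASS
        Suspect  = ($risky -contains $c.__CLASS)
        Payload  = $payload
    }
}
$report | Format-List

# Orphaned filters/consumers with no binding are listed too: removing only
# the binding leaves the script object behind in the repository.
$bound = $bindings | ForEach-Object { $_.Filter; $_.Consumer }
$filters + $consumers | Where-Object { $bound -notcontains $_.__RELPATH } |
    Select-Object __CLASS, Name

# Removal order: binding first, then consumer, then filter, each with
# Remove-WmiObject, e.g. (placeholder name):
#   $bindings | Where-Object { $_.Consumer -like '*Name="<consumer-name>"*' } |
#       Remove-WmiObject
```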


• What Else Can You Do With MOF?
  • A Trojan which is launched when user Joe logs in.
    • Removed when the user Admin logs in.
  • Speed Trojan:
    • Activates when the CPU fan slows below 100 RPM.
  • Worst Day Trojan:
    • Lay dormant until twenty bad sectors are reported in the hard drive.
  • Infect Your Friends
    • Copy malicious files to any USB key inserted.
  • Rootkit Dropper & Executor
    • Re-deploy an existing rootkit whenever it is removed.


• Source Code:
  • Currently Unpublished Source Code:
    http://ha.cked.net/moth.zip
  • Includes MS Text To Speech API
