Back in college, in my capstone course, we had to give a presentation on a topic of our choosing.
I chose botnets. Even then, I always thought that showing something was more impactful than
just explaining. Towards the end of my presentation, I had my computer hooked
up to the projector so that the entire class could see my screen.
I had the management console open for the Remote Access Trojan, RAT for short, called DarkComet that I had downloaded and set up.
I then had my friend, who was also in the room for the same class, open a Word document that I sent him.
The Word doc was actually an EXE, surprise surprise, that I had run through a crypter to obfuscate the code so that his computer's antivirus wouldn't catch it.
When he opened it, a few seconds later his computer showed up on the management console.
I then demoed to the class how I could see his keystrokes, view a live version of his desktop, and go through his files.
It was as if I was sitting in front of his keyboard.
After showing how easy it was, my professor wanted to explain to the class the ramifications of doing something like this outside of an academic setting.
The entire presentation was recorded, so here's the clip.
It is cheaper for you to commit first-degree murder than to do this in this country.
Now, for those of you who are a little confused with what murder means, Josh pisses me off.
I decided that, guess what, it's Josh's time.
I take my particular M14A.
I sit down and mention...
Josh walks by...
Clank!
Cheaper than this!
Are you...
I mean...
Stare.
Okay, this is not...
This is white-collar crime, guys.
The fines for white-collar crimes are ridiculous.
Yes, gun analogies in schools in America, a tale as old as time.
But really, I think he got his point across.
And as far as I know, no one from my class was arrested.
For computer-related crimes, that is.
The RAT I used in my presentation was DarkComet, but the one we'll be talking about today was popular in the mid-2000s and was still in use over a decade after its launch.
Poison Ivy was used to attack governments, human rights groups, and multi-billion-dollar organizations, on this episode of In the Shell.
Does this close a national security program?
Are being used without the operator's knowledge?
And if it sounds malicious, it's because it is.
40 attacks just this year on educational organizations.
And now to the massive cyber attack targeting hotels and casinos in Las Vegas.
To a possible cyber attack at one of the nation's busiest airports.
A cyber security firm, CrowdStrike, has caused this outage.
That it takes you longer to do something by putting it into a computer and calling it up again than if you just kept simple records yourself in the house.
Poison Ivy, which is also referred to as Poison, came to this scene around 2005.
You could find it at PoisonIvy-Rat.com, which is no longer up.
But the Wayback Machine has quite a few snapshots if you want to check it out.
Now, what's different about Poison is that it was a RAT.
A lot of people in this scene say that RATs are for script kiddies, or are the equivalent of training wheels for hackers, because it doesn't take much skill to use them.
They are ridiculously simple to use, and a malicious actor can basically point and click their way through the setup.
Once the attacker downloads the software, or buys it from the dark web, the next step is to build the executable that will be sent out to their targets.
When building the executable, you tell it where to phone home: in this case, the IP address or URL of the C2.
C2 stands for Command and Control, and this is where the malicious actor, or botmaster, will control their botnet from.
From the C2, they can access all the machines, and browse the user's files, record audio, or take a screenshot.
Now, getting back to the specifics of Poison: it was aimed more at stealing data and spying on users.
Unlike other RATs, which were meant for DDoSing organizations or mass exploitation, here are some of the features that it offered.
Capture and record a user's screen, audio, and webcam.
List active ports.
Log keystrokes.
Manage open windows.
Manage passwords.
Manage registry, processes, services, devices, and installed applications.
Perform multiple simultaneous transfers.
Open a remote shell.
It could function as a relay server.
Search user files.
Update, restart, and terminate itself.
It really just let you own the user's computer, which is why it was so dangerous.
So while RATs were considered toys to some, they were often paired with sophisticated attacks,
using a zero-day exploit along with clever social engineering.
The goal was to get their malicious executable onto the target's computer and
have them execute it. The Poison Ivy binary the target executed could function in a number of
ways, all depending on how the malicious actor configured it. In the default config, it was
divided into two parts: the initialization and maintenance code, and the networking code.
When executed, the initialization and maintenance code is injected into the already running
explorer.exe process. Explorer.exe is like the control center for everything you see and click
on in Windows. It's the process that runs your desktop, your taskbar, and the file explorer.
If you are using Windows, it's what makes the whole system feel familiar and easy to navigate.
Without it, you would just see a blank screen with no icons, no Start menu, and no way to find your
files, which means that this process is always running on all Windows computers. So after the
initialization and maintenance code is injected, the networking portion of the code then launches
a hidden web browser process using the system's default web browser and injects itself into that
process. And just to keep things stealthy, Poison Ivy's network traffic often used ports that are
commonly used: ports 80 and 443. These are the standard ones used for HTTP and HTTPS, which we all
use every day, and which you are currently using to listen to this episode. So while your IT team
might see the traffic on these ports as normal, Poison Ivy is just slipping through using the same
avenues as secure web browsing. It's important to note that the initial binary that the user
executed didn't contain all the code for the RAT. It was just enough to compromise the system and
get things started. Now that the networking portion of the code was running, it then downloads the
rest of the code and data it needs for all the features and functionality configured by the
malicious actor.
Poison Ivy also had a complex, custom networking protocol that operates over TCP.
Most of the communication was encrypted using the Camellia cipher, which is similar to the
more widely known AES and here uses a 256-bit key. The key for the encrypted communication is
derived from a password provided by the attacker when building the Poison Ivy server.
The password was set to admin by default, and like a majority of people and system
administrators at the time, most malicious actors didn't change it. The key is validated at the
beginning of the TCP session using a challenge-response algorithm. The Poison server sends 256
bytes of randomly generated data to the client. The client then encrypts this data using the key
and sends it back to the server for validation. The victim is now fully infected and their machine
is calling back to the Poison C2, where the malicious actor now has full control over the
target's computer.

Now, a little more about that encryption key. FireEye, which is a cybersecurity
company now known as Trellix, created a tool called Calamine, a very fitting name, that could
be used to help decipher the encrypted traffic from an infected machine. You could give it a list of
passwords to try as the key, but out of the box it would try the default of admin, which worked a
number of times. They also released a PyCommand script for Immunity Debugger which digs right into
the memory of a running Poison Ivy process and pulls out config details like passwords or the IPs
used by attackers. Essentially, it was a way for
investigators to rewind and watch what Poison Ivy was doing under the hood, even when it's trying
to hide its tracks.

Poison was so widely used that security professionals had a hard time
tracing attacks that used it to any specific group or attacker. Its most notorious use was in 2011,
in the compromise of RSA SecurID, which led to the compromise of the military contractor
Lockheed Martin. But I plan on covering that story in its own episode in the future.
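To make the key check and the Calamine-style password guessing above concrete, here is an added example. It is not code from the episode, from Poison Ivy, or from FireEye's Calamine. It plays both sides of the challenge-response locally: the implant (the "server" in Poison Ivy's naming) sends a random challenge, the controller (the "client") returns it encrypted under the password-derived key, and the implant compares. The same captured pair is then used as a known-plaintext pair to test candidate passwords offline. Two details are assumptions not stated in the episode: the key is the password right-padded with NUL bytes to 32 bytes, and the cipher runs in ECB mode. Camellia comes from the `cryptography` package when it is installed; when it is not, a clearly marked SHA-256 keystream stands in so the handshake logic still runs (that stand-in is not Camellia).

```python
# Added example, not code from the episode, Poison Ivy, or Calamine.
# Models the session key check: implant sends a challenge, controller
# encrypts it under the password-derived key, implant validates. The
# captured pair then drives an offline, Calamine-style password guess.
#
# Assumptions (not from the episode): key = password NUL-padded to 32 bytes,
# cipher in ECB mode. Camellia via `cryptography` if available; otherwise a
# labeled SHA-256 keystream stand-in keeps the example runnable (NOT Camellia).
import hashlib
import hmac
import os

try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_CAMELLIA = True
except ImportError:
    HAVE_CAMELLIA = False

CHALLENGE_LEN = 256   # 16 blocks of 16 bytes
KEY_LEN = 32          # Camellia-256
DEFAULT_PASSWORD = "admin"   # the default the episode says operators rarely changed


def derive_key(password: str) -> bytes:
    """Assumed key derivation: password bytes, NUL-padded (or truncated) to 32 bytes."""
    raw = password.encode("latin-1", errors="replace")[:KEY_LEN]
    return raw.ljust(KEY_LEN, b"\x00")


def encrypt_blocks(key: bytes, data: bytes) -> bytes:
    """Encrypt `data` (a multiple of 16 bytes) under `key`, block by block."""
    if len(data) % 16:
        raise ValueError("data must be a multiple of the 16-byte block size")
    if HAVE_CAMELLIA:
        enc = Cipher(algorithms.Camellia(key), modes.ECB(), backend=default_backend()).encryptor()
        return enc.update(data) + enc.finalize()
    # Stand-in only: per-block SHA-256 keystream XOR. Keyed, deterministic, not Camellia.
    out = bytearray()
    for off in range(0, len(data), 16):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()[:16]
        out += bytes(a ^ b for a, b in zip(data[off:off + 16], ks))
    return bytes(out)


def implant_challenge() -> bytes:
    """Implant side: first message of the session is random bytes."""
    return os.urandom(CHALLENGE_LEN)


def controller_respond(challenge: bytes, password: str) -> bytes:
    """Controller side: prove knowledge of the password by encrypting the challenge."""
    return encrypt_blocks(derive_key(password), challenge)


def implant_validate(challenge: bytes, response: bytes, password: str) -> bool:
    """Implant side: accept the session only if the response matches its own computation."""
    expected = encrypt_blocks(derive_key(password), challenge)
    return hmac.compare_digest(expected, response)


def recover_password(challenge: bytes, response: bytes, wordlist):
    """Calamine-style offline check. The captured challenge/response pair is a
    known-plaintext pair, so each candidate password is tested without ever
    talking to the C2. Returns the first password that reproduces the response."""
    for candidate in wordlist:
        if implant_validate(challenge, response, candidate):
            return candidate
    return None


if __name__ == "__main__":
    chal = implant_challenge()
    resp = controller_respond(chal, DEFAULT_PASSWORD)   # operator kept the default
    print("handshake ok:", implant_validate(chal, resp, DEFAULT_PASSWORD))
    # Constructed wordlist; "admin" is tried first, as Calamine does out of the box.
    print("recovered:", recover_password(chal, resp, [DEFAULT_PASSWORD, "password", "letmein"]))
```

The point the example makes is the one the episode makes in words: because the only secret is a short operator-chosen password, and every session starts by handing an observer a plaintext/ciphertext pair, an analyst with a capture can test passwords as fast as the cipher runs, and a default of admin falls immediately.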
Poison's ability to be controlled from a familiar Windows interface, combined with a ton of useful
features, is what made it so widely used and adopted by attackers. A state-sponsored threat
actor could easily spin up a team that could quickly learn to use the point-and-click interface.
Some other notable attack campaigns using Poison included
admin@338, which was active since 2008. This campaign mostly targeted the financial
services industry, but was also seen targeting companies in the telecom, government, and defense
sectors. th3bug, spelled with a three, which was first detected in 2009. This campaign
primarily targeted higher education and healthcare. menuPass, which also launched in 2009. This
campaign appeared to originate from China, targeting U.S. and overseas defense contractors.
And last but not least, the Nitro attacks, which occurred between 2011 and 2012, aimed at stealing
sensitive information primarily from companies in the chemical, defense, and energy industries.
It's also believed that these attacks originated from China, like the previous one I mentioned.
The power and invasiveness of RATs is unmatched.
They give full access into a user's computer, and with the ability to record audio and video,
they open up a multitude of ways for them to abuse a victim.
Poison Ivy has led to countless cybersecurity incidents that caused many sleepless nights
for systems administrators and security professionals around the world.
In the Shell is written, researched, and recorded by me, the Rat Keeper.
If you've made it this far, your computer was either compromised by Poison Ivy and you couldn't stop the episode,
or you enjoyed it.
If it's the latter, then I have a small request.
Please click the share button wherever you are listening, and send this episode to someone you think would like to hear about RATs.
I would truly appreciate it.
That's it. Take care, and I'll see you next time.