Tuesday, October 7, 2008

The Moth Trojan Uses WMI Event Consumers for Deployment

http://ha.cked.net/projects.html

The Moth trojan is a POC trojan which implements WMI event consumers as a unique method of malicious code deployment, written in Managed Object Format (MOF) code.

The trojan itself is a party trick, and uses the Microsoft Text To Speech API to verbally abuse you as you try to find it.

The Moth was officially released at Kiwicon 08.

The trojan is based around WMI event consumers and WMI event filters. Event consumers are created to 'consume' the event of a series of local applications being executed, such as notepad.exe, avgui.exe and taskmgr.exe.

Event consumers could be constructed for any number of Windows events, such as CPU fan failure, reported hard drive errors or a user logging in.

The Moth is written as a series of persistent ActiveScript event consumers which contain embedded VBScript code.

When the event is raised by WMI, the consumer is activated and the VBScript executes. On Windows XP, WMI consumers are executed as SYSTEM; under Vista they are executed as NETWORK_SERVICE.

By using the FSO (File System Object) it is possible to embed additional executables within the consumer's VBScript, and use the event consumer to recreate the files on disk and execute them. Oh the joys of VBScript!

Typical forensic methodology focuses only on 'looking down', such as looking for Trojans/rootkits which hook or manipulate system calls. The Moth is an application-level Trojan, in the sense that you must 'look up'. I found this approach to be unique and relatively creative; you would be shocked how many people who do know about Windows and WMI are unable to find the Moth.
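'Looking up' for this kind of persistence means inspecting the root\subscription namespace, where every permanent WMI subscription lives as a filter, a consumer and a binding joining the two. The PowerShell below is an added example, not part of the Moth project or the original post; it lists each binding with its filter query and consumer class and flags ActiveScript and CommandLine consumers, whose ScriptText or CommandLineTemplate is where a Moth-style payload would sit.

```powershell
# Added example (not part of the Moth project): enumerate persistent WMI event
# subscriptions on the local host and flag script/command consumers.
# Run from an elevated prompt; reading root\subscription needs admin rights.
$ns = 'root\subscription'

function Get-InstanceName([string]$objectPath) {
    # Binding properties are object paths such as __EventFilter.Name="Moth";
    # extract the Name so the binding can be joined to its filter and consumer.
    if ($objectPath -match 'Name="([^"]+)"') { return $Matches[1] }
    return $objectPath
}

function Get-WmiSubscriptionReport {
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
    $consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)
    $bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)
    # These two consumer types run arbitrary script or commands under the WMI
    # service account (SYSTEM on XP, NETWORK SERVICE on Vista), so they get flagged.
    $scriptClasses = @('ActiveScriptEventConsumer', 'CommandLineEventConsumer')

    foreach ($b in $bindings) {
        $filterName   = Get-InstanceName $b.Filter
        $consumerName = Get-InstanceName $b.Consumer
        $filter   = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
        $consumer = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1

        $query = '<missing filter>'; $class = '<missing consumer>'; $payload = ''
        if ($filter)   { $query = $filter.Query }
        if ($consumer) {
            $class = $consumer.__CLASS
            # The embedded VBScript (ActiveScript) or command line (CommandLine) is the payload.
            if ($consumer.ScriptText)              { $payload = $consumer.ScriptText }
            elseif ($consumer.CommandLineTemplate) { $payload = $consumer.CommandLineTemplate }
        }
        if ($payload.Length -gt 120) { $payload = $payload.Substring(0, 120) + '...' }

        New-Object PSObject -Property @{
            Filter         = $filterName
            Query          = $query
            Consumer       = $consumerName
            ConsumerClass  = $class
            Suspicious     = [bool]($scriptClasses -contains $class)
            PayloadPreview = $payload
        }
    }
}

# Flagged consumers first; a binding whose filter or consumer is "<missing>" also deserves a look.
Get-WmiSubscriptionReport | Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Filter, ConsumerClass, Query, PayloadPreview -AutoSize -Wrap
```

Compare the Query column against the processes the text names (notepad.exe, avgui.exe, taskmgr.exe): a filter watching for __InstanceCreationEvent on Win32_Process for such names, bound to an ActiveScriptEventConsumer, is the pattern the Moth installs.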

The Moth is 100% open source, and available for download.

Inside the .zip file you will find the installer for the MS Text To Speech library (which powers the verbal abuse engine) and the .MOF file itself. To install the .MOF you simply type mofcomp xxxx.mof. Installing a WMI event consumer does REQUIRE administrative authority!

-----------------------------------------

Also, check out this very cool write-up on the workings of the trojan...
