Posted on Wednesday, 23rd September 2009 by Michael
Fun with Poison Ivy
Poison Ivy is a remote access Trojan (Tool) that can be found at the following URL: http://poisonivy-rat.com and a support forum can be found here http://ratforge.net/forums/ . Please note that these are Trojans and www.digitaloffensive.com nor any of its staff are responsible for any use or misuse that you do with these files.
Recently I had the opportunity to take a close look at the poison ivy rat and run it through a real world scenario in a controlled lab environment. The tool comes as a single exe that allows you to build a server executable from variables you select in the GUI configuration under the new server option. Neither the client nor the server was detected by Norton, McAfee, AVG or trend. This may have been that the version I was using was released only a day earlier. I did find it a bit weird that inside Vmware that it would not run and would constantly crash. This made me think right away that the creator did not want their code analyzed but a quick Google showed that many people had this issue which was quickly fixed by disabling DEP.
One of the biggest reasons I loved this Trojan so much was that it provided us with a shoveled shell / connection. This means that no matter what ports where open inbound on their firewall we were guaranteed access because most of them were not doing egress filtering. Poison Ivy provided an easy and repeatable server creation process using profiles to easily save and quickly load your favorite configurations. The wizard walks you through each step asking you what you would like to choose. Screen 1 we created our connections which is where we put in the phone home IP or IP’s as well as the shared password. Screen 2 walks you through the install options: IE. Run on startup, place in registry, place in active control, copy itself to folders and more. The third screen provides the advance features options. Here we can change its mutex name so we can run multiple instances of poison ivy on each machine, inject the Trojan into the browser, make it persistent, inject it into running process and my favorite hide in ADS (alternate data streams, thank you Microsoft). The 4th menu allows you to add additional build features such as an external packer to hide it from AV better. The final screen is actual generation of the Trojan server executable.
In the lab we used core impact as well as several other commercial and non commercial exploit tools to gain access to the machines and install poison ivy. Once we had poison ivy installed we were able to view the users screen in near real time by changing the screen shot capture to 5 seconds (don’t suggest doing this over a internet connection), record all the key logs they typed, spawn remote shells, control processes and services as well as countless other things. One of the other real good things it did was to show us in red every place it had hooked in so we can make sure we did not accidentally kill it while killing other processes or files. Once installed poison ivy was able to maintain our access through the day even when it was killed it would re-spawn itself and connect back to us letting us know it was alive.
The only down fall of Poison Ivy was that since it is connect back Trojan the user has the ability to find our IP and to block it in the firewall. Though there are several ways around this. The one that is built into Poison Ivy is to be able to update the code on the fly by replacing the exe with a newly compiled one allowing it to talk back to a new IP or FQDN.
In short I would like to give kudos to the Poison Ivy team for a fine crafted tool and for supplying us several hours of fun while remaining UN detected by AV.
Posted in Papers | Comments (0)