LAB 15 B - Poison Ivy Rootkit
Background
Poison Ivy is a Remote Administration Tool (RAT) that is very popular among criminals and state-sponsored cyber-attackers. It was
used to compromise RSA in 2011.
The developer provides a free version, which is detected by antivirus products, but at one point the Poison Ivy developer ("Jonas") was
offering custom-built versions guaranteed to avoid antivirus detection.
Installing 7-Zip
In your Windows 2008 Server virtual machine, open Internet Explorer, go to http://7-zip.org, download 7-zip, and install it.
Clear the "Hide extensions for known file types" box, as shown below.
Click OK.
In the Command Prompt window, enter the IPCONFIG command and press the Enter key. Several IP addresses appear.
Find the adapter that goes to your LAN. In S214, it's the adapter with an IP address starting with "192.168.1". Make a note of that IP
address.
Click Downloads and download the "Poison Ivy 2.3.2.7z" file.
When the file is extracted, open the PI2.3.2 folder and double-click the "Poison Ivy 2.3.2.exe" file.
Troubleshooting
If Poison Ivy refuses to launch at all, and a message says it "has stopped working", Windows Data Execution Prevention
(DEP) may be blocking it.
To turn off DEP, go into Advanced System Settings as you did in project 2.
If DEP is set as shown below, that's wrong. Set it to "Turn on DEP for essential Windows programs and services only".
Click "Create Profile". Enter your name in the box and click OK.
In the "Connection" box, change the address in the DNS/Port box from "127.0.0.1" to your real IP address, as shown below.
This is the Command & Control (C&C) server for your bots. It will be hardcoded into the Trojan.
Click Add. A "DNS/Port" box opens. Click your IP address to highlight it.
In the "Install" section, you can make the trojan stealthier.
In the "Advanced" page, don't change anything. The "Key logger" is tempting, but it froze my target when I tried to use it.
Click Next.
A "Poison Ivy - [Listening on Port: 3460 (Connections: 0)]" window appears, as shown below.
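Because the C&C address is hardcoded into the trojan and the server listens on a fixed port (3460 by default, as the window title above shows), the bots' repeated connections to that address and port are what a network defender looks for. The following is an added example, not part of the lab or of Poison Ivy itself: it parses constructed firewall-style log lines (an assumed "date time action proto src dst sport dport" layout, not a real capture) and flags hosts that keep connecting to the listener port.

```python
import re
from collections import Counter

# Poison Ivy's default listener port, taken from the lab text ("Listening on Port: 3460").
PI_DEFAULT_PORT = 3460

# Constructed sample lines in an assumed, simplified firewall-log layout:
# date time action proto src-ip dst-ip src-port dst-port. These are not real captures.
SAMPLE_LOG = """\
2013-08-27 10:00:01 ALLOW TCP 192.168.1.105 192.168.1.20 49152 3460
2013-08-27 10:00:02 ALLOW TCP 192.168.1.105 93.184.216.34 49153 443
2013-08-27 10:00:31 ALLOW TCP 192.168.1.105 192.168.1.20 49154 3460
2013-08-27 10:01:01 ALLOW TCP 192.168.1.105 192.168.1.20 49155 3460
2013-08-27 10:01:05 ALLOW TCP 192.168.1.110 192.168.1.20 50001 445
2013-08-27 10:01:07 DROP TCP 10.0.0.7 192.168.1.20 50002 3460
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec


def find_c2_connections(text, c2_port=PI_DEFAULT_PORT, c2_host=None):
    """Return allowed TCP flows whose destination port is the listener port
    (and, when c2_host is given, whose destination IP is that known C&C address)."""
    hits = []
    for rec in parse_log(text):
        if rec["action"] != "ALLOW" or rec["proto"] != "TCP":
            continue  # blocked or non-TCP traffic never reached the C&C
        if rec["dport"] != c2_port or (c2_host and rec["dst"] != c2_host):
            continue
        hits.append((rec["src"], rec["dst"], rec["dport"]))
    return hits


def suspected_bots(text, **kw):
    """Count matching flows per source host; repeated connects suggest a beaconing bot."""
    return Counter(src for src, _, _ in find_c2_connections(text, **kw))
```

Changing the port in the profile defeats a port-only rule, so in practice the destination address (the C&C server's IP) is the stronger indicator to pivot on.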
Infecting the Target
Start your Windows XP virtual machine.
Open a Command prompt and ping your C&C server. If you don't get responses, you must troubleshoot your networking before
proceeding.
Move the YOURNAME.exe file from the C&C server to the target machine. You should be able to drag and drop the file from one
desktop to another. If that fails, use email, or a USB stick, or shared folders.
Click the taskbar at the bottom of your host Windows 7 desktop, to make the host machine listen to the keyboard, instead of the virtual
machine.
Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.
Type mspaint into the Search box and press the Enter key.
Click in the untitled - Paint window, and press Ctrl+V on the keyboard. The desktop appears in the Paint window.
Save the document with the filename "YOUR NAME Proj 11a", replacing "YOUR NAME" with your real name.
A box appears showing all the things you can do to the target, as shown below.
Try out the options. Here are the ones that worked best for me.
Processes
Send a Cc to yourself.
Sources
http://www.theregister.co.uk/2013/08/27/poison_ivy_rat_apt/
http://www.darkztar.com/forum/showthread.php?13696-Guide-to-Poison-Ivy-(a-RAT)
http://dwaterson.com/2013/04/14/a-rat-named-poison-ivy/
http://www.securityweek.com/poison-ivy-kit-enables-easy-malware-customization-attackers