Project 11: Poison Ivy Rootkit (15 points)

What You Need for This Project

Background

Poison Ivy is a Remote Administration Tool (RAT) that is very popular among criminals and state-sponsored cyber-attackers. It was used to compromise RSA in 2011.

The developer provides a free version, which is detected by antivirus products, but at one point the Poison Ivy developer ("Jonas") was offering custom-built versions guaranteed to avoid antivirus detection.

First Machine: Your C&C Server

Start the Windows Server 2008 VM. This will be your C&C (Command and Control) Server.

Installing 7-Zip

In your Windows 2008 Server virtual machine, open Internet Explorer, go to http://7-zip.org, download 7-zip, and install it.

Displaying Filename Extensions

Click Start, Computer.

Click Organize, "Folder and Search Options".

Clear the "Hide extensions for known file types" box, as shown below.

Click OK.

Finding the IP Address of Your C&C Server

From your Windows desktop, click Start. In the search box, enter CMD and press the Enter key.

In the Command Prompt window, enter the IPCONFIG command and press the Enter key. Several IP addresses appear.

Find the adapter that goes to your LAN. In S214, it's the adapter with an IP address starting with "192.168.1". Make a note of that IP address.

Downloading Poison Ivy

In your Windows 2008 C&C Server, open Internet Explorer and go to http://www.poisonivy-rat.com/index.php

Click Downloads.

Alternative Download Location

If that page is blocked, which it is at CCSF, download it here. This is a 7-Zip encrypted archive with the password sam.

Poison Ivy 2.3.2.7z

Download the latest version.

Save the PI2.3.2.rar file on your desktop.

On your desktop, right-click the PI2.3.2.rar file.

Click 7-Zip, Extract to "PI2.3.2\".

When the file is extracted, open the PI2.3.2 folder and double-click the "Poison Ivy 2.3.2.exe" file.

Troubleshooting

If Poison Ivy refuses to launch at all, and a message says it "has stopped working", Windows Data Execution Prevention (DEP) may be blocking it.

To turn off DEP, go into Advanced System Settings as you did in project 2.

If the DEP is set as shown below, it's wrong. Set it to "Turn on DEP for essential Windows programs and services only".

Then restart your Windows server.

Creating a Trojan

In the "Poison Ivy" window, click File, "New Server".

A "Profiles" screen appears, as shown below.

Click "Create Profile". Enter your name in the box and click OK.

In the "Connection" box, change the address in the DNS/Port box from "127.0.0.1" to your real IP address, as shown below.

This is the Command & Control (C&C) server for your bots. It will be hardcoded into the Trojan.

Click Add. A "DNS/Port" box opens. Click your IP address to highlight it.

In the "DNS/Port" box, click OK.

In the lower right of the "Poison Ivy" window, click Next.

In the "Install" section, you can make the trojan more stealthy.

For now, leave the settings unchanged and click Next.

In the "Advanced" page, don't change anything. The "Key logger" is tempting, but it froze my target when I tried to use it.

Click Next.

On the "Build" page, in the lower right, click Generate.

A "Save As" box pops up.

Save the trojan as YOURNAME.exe on your desktop.

In the "Poison Ivy" window, click OK.

Starting the C&C Server

In the "Poison Ivy" window, click File, "New Client".

A page appears, showing options to change the port, or add a password.

Leave everything unchanged and click Start.

A "Poison Ivy - [Listening on Port: 3460 (Connections: 0)]" window appears, as shown below.
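The listener window above shows the default Poison Ivy C&C port, TCP 3460, and the previous section notes that the C&C address is hardcoded into the trojan. From a defender's side, that makes the simplest detection a check for hosts that repeatedly open TCP connections to that port. The script below is an added example written for this handout; it is not part of the lab and not Poison Ivy code. The firewall-style log format (timestamp, action, protocol, source, destination) and all IP addresses in it are constructed. Because the "New Client" page lets the operator change the port, the port is a parameter: matching on 3460 only catches default installs, and a production detection would also look at beacon timing rather than the port alone.

```python
"""Flag hosts that connect to the default Poison Ivy listener port.

Added defensive example; not part of the lab handout and not Poison Ivy code.
The only page-derived fact is that the default Poison Ivy client listens on
TCP port 3460. The log format (timestamp, action, protocol, src, dst) and all
addresses below are constructed sample data.
"""
from collections import defaultdict

DEFAULT_PI_PORT = 3460  # default listener port shown in the Poison Ivy window

# Constructed sample log: one record per connection attempt.
SAMPLE_LOG = """\
2014-03-22T12:30:01 ACCEPT TCP 192.168.1.50:49152 -> 192.168.1.10:3460
2014-03-22T12:30:02 ACCEPT TCP 192.168.1.50:49153 -> 203.0.113.5:80
2014-03-22T12:30:31 ACCEPT TCP 192.168.1.50:49154 -> 192.168.1.10:3460
2014-03-22T12:31:01 ACCEPT TCP 192.168.1.50:49155 -> 192.168.1.10:3460
2014-03-22T12:31:05 ACCEPT UDP 192.168.1.51:53123 -> 192.168.1.1:53
2014-03-22T12:31:07 ACCEPT TCP 192.168.1.51:49160 -> 203.0.113.5:443
2014-03-22T12:32:00 DROP TCP 192.168.1.52:49200 -> 192.168.1.10:3460
"""


def parse_line(line):
    """Parse one record into a dict; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    ts, action, proto, src, _, dst = parts
    try:
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return {"ts": ts, "action": action, "proto": proto,
                "src_ip": src_ip, "src_port": int(src_port),
                "dst_ip": dst_ip, "dst_port": int(dst_port)}
    except ValueError:
        return None


def find_rat_connections(log_text, port=DEFAULT_PI_PORT):
    """Return {(src_ip, dst_ip): [timestamps]} for TCP connections to the given port.

    Dropped attempts are kept alongside accepted ones: a DROP still shows that
    a host tried to reach the listener, which is what an analyst wants to know.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dst_port"] == port:
            hits[(rec["src_ip"], rec["dst_ip"])].append(rec["ts"])
    return dict(hits)


def suspected_bots(log_text, port=DEFAULT_PI_PORT, min_hits=2):
    """Source hosts that reached the same destination on the port at least min_hits times.

    Repeated connections to one fixed address resemble a bot checking in with
    its hardcoded C&C; a single attempt could be a scan or a mistyped port.
    """
    hits = find_rat_connections(log_text, port)
    return sorted({src for (src, _), stamps in hits.items() if len(stamps) >= min_hits})


if __name__ == "__main__":
    for (src, dst), stamps in sorted(find_rat_connections(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}:{DEFAULT_PI_PORT}  attempts={len(stamps)}")
    print("suspected bots:", suspected_bots(SAMPLE_LOG))
```

Run it as-is to see the constructed sample flagged; to apply it to your own firewall export, replace SAMPLE_LOG with the file contents and adjust parse_line to that vendor's field order.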

Infecting the Target

Start your Windows XP virtual machine.

Open a Command prompt and ping your C&C server. If you don't get responses, you must troubleshoot your networking before proceeding.

Move the YOURNAME.exe file from the C&C server to the target machine. You should be able to drag and drop the file from one desktop to another. If that fails, use email, or a USB stick, or shared folders.

On the target machine, double-click the YOURNAME.exe file.

Viewing your Bot

The target appears in the Poison Ivy window, as shown below, showing your name in the ID line.

This machine is now your bot, under your control.

Saving a Screen Image

Make sure the target appears in the Poison Ivy window, as shown above.

Click the taskbar at the bottom of your host Windows 7 desktop so that the host machine, not the virtual machine, receives the keyboard input.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

On the host machine, not the virtual machine, click Start.

Type mspaint into the Search box and press the Enter key.

Click in the untitled - Paint window, and press Ctrl+V on the keyboard. The desktop appears in the Paint window.

Save the document with the filename "YOUR NAME Proj 11a", replacing "YOUR NAME" with your real name.

Exploiting the Target

In the "Poison Ivy" window, double-click on the target machine.

A box appears showing all the things you can do to the target, as shown below.

Try out the options. Here are the ones that worked best for me.

Processes

Windows Password Hashes

Screen Capture

Turning in Your Project

Email the image to: cnit.123@gmail.com with a subject line of "Proj 11 From YOUR NAME", replacing "YOUR NAME" with your real name.

Send a Cc to yourself.

Last Modified: 12:32 pm 3-22-14

Sources

http://www.theregister.co.uk/2013/08/27/poison_ivy_rat_apt/

http://www.darkztar.com/forum/showthread.php?13696-Guide-to-Poison-Ivy-(a-RAT)

http://dwaterson.com/2013/04/14/a-rat-named-poison-ivy/

http://www.securityweek.com/poison-ivy-kit-enables-easy-malware-customization-attackers

poison-ivy RAT in vmware xp -ROOTRULERZ - YouTube