Posted on Monday, 25th January 2010 by Michael
Poison Ivy Revisited
Over a year ago I wrote a post on the Poison Ivy Trojan (Tool) by the team over at http://poisonivy-rat.com. The original post can be found here http://digitaloffensive.genxweb.net/2009/09/fun-with-poison-ivy/. I wanted to take a few minutes to add another function I discovered at the last CCDC that made this tool that much better.
If you read my original post on this tool at the link above you will see in the third paragraph where it says “Screen 3” I mention how you can inject this into processes. Not only does it inject into the process but every time the process is called Poison Ivy is re-executed. Now this was helpful because most of the kids at the CCDC were expecting to see Poison Ivy used again as it was in the past and they had a good idea on how to find it and stop it. So we had to become craftier then them. So I decided to attach it to the cmd.exe as well as the security tools they were using to monitor our connections such as TCPview and TCPKiller. This allowed Poison Ivy to continue running every time they tried to stop us.
This brings up another good point when ever doing forensics work on a computer that may be infected either check the md5 sum of the tools that you are using on the machine or bring your own tools to run on a non writeable media. This will make sure that you are not causing any additional damage and that the results you are receiving are correct and not altered.
As I play with this more and as it is warranted I will add additional Tips about this powerful RAT. IF you have any questions or concerns please feel free to contact me.
Posted in Papers | Comments (1)
January 26th, 2010 at 5:16 pm
Reminds me of back in the day when I played with Back Orifice. Looks like I could have hours of fun with this little tool!