
Babadook: Connectionless, Persistent Powershell “Backdoor” - fgeorgy
http://wroot.org/posts/babadook-connection-less-powershell-persistent-and-resilient-backdoor/
======
Arainach
After a certain point, it stops being a clever prank and becomes much more of
"my coworker is a jerk". The author of the article got lucky that upper
management decided to put up with his antics rather than fire him for them.

~~~
nraynaud
I forbade my team from doing that; your teammates should have your back, not
be hostile or publicly shame each other. I want them to trust their co-worker,
to be able to leave each other on their machine to go to the bathroom even if
Facebook and mail are logged in.

Plus if you don't know who is entering your room you don't have a problem with
the keyboard but with your door lock. And if one team member is going rogue,
well, he already has the passwords.

~~~
Stefan-H
This mentality is patently wrong to me. You have to realize that maintenance,
housekeeping, and any manner of other people may enter your area (either
legitimate people, or people in disguise). Additionally, if I were to "go
rogue" you better believe I would take advantage of being able to frame
someone else and remove attribution from my shoulders. The in-office risk
aside, you are also training terrible habits. These habits could lead to your
employees leaving their computers unlocked in coffee shops, at conferences,
in their hotel rooms, etc. You have to instill in people the habit of locking
your computer whenever you leave it, and make sure they understand why that
is.

~~~
Zaephyr
The author is obviously smart and dedicated - and I’d probably be forced to
terminate him. He is a non-supervisory employee, who has not been given
administrative access to these computers. He created and deployed a program to
other computers without permission that actively thwarted attempts to be
shut down, and modified it to get around a GPO that was more than likely pushed
out because of what he was doing. This is malware - for a good purpose but
still an undesirable application being run without permission.

If the company has decided that computers need to be locked when away from
keyboard there will be a policy and procedure for reporting and dealing with
infractions. This won’t be it. While in this case the program might have been
mostly harmless, one never knows when a programming error might spin things
out of control. It’s clever, funny to some, but if it accidentally resulted in
downtime the stuff that flows downhill would come fast and be unpleasant in
some organizations. Plus, annoying your teammates isn’t the best idea long
term. I know this may seem harsh, but from my experience organizations with
the most need for this security would be the least likely to approve of this
method.

~~~
Stefan-H
My comment is not at all talking about what the OP was doing. I think that he
went beyond what he ought to have. I am specifically referring to the
mentality of "employees should trust their coworkers and can therefore leave
their computers unlocked".

~~~
nraynaud
I didn't say they have to keep their computer unlocked, some of them did lock,
but I did not enforce a locking policy because I don't think it was necessary
in the context. And if I did have to enforce screen locking in other places,
it would be out of the question to use _any_ passive-aggressive behavior or
public shaming towards a teammate; if you need trust from your employees, you
treat them well. My first reflex would be to look at technology, because
locking the computer is a stupid and consistent task and technology is for
stupid consistent things.

I think people are too focused on working for the military and paranoia; we
need a range of behaviors, from the paranoid to the welcoming. That guy
watching your screen could start an interesting discussion about your project,
and give you the contact to the right person to help you. You don't want that
in a military context; you highly desire it when you're building a vegan pet
food marketplace for hipsters.

Not everyone needs to develop like in aerospace, not everyone needs to develop
like in video games, not everyone needs to behave like an NSA agent, and not
everyone needs to behave like a farmer's market salesman; we need a range of
behaviors.

And whatever the policy, you never, ever, let co-workers be dicks to each
other: no "pranks", no public shaming, no sending a prank email from each
other's computer. If security is really a big issue, then not locking a
computer is a strike; it goes between the boss, the offender and HR, not a
matter of joke.

------
andreasley
Aren't there better ways to ensure "desktop protection" than relying on
conscious actions of employees?

For the company in question, security seems to be very important as shown by
the fact that each computer sits on its own VLAN. Maybe they should consider
using something like wireless tokens that lock the workstation if the token is
too far away (e.g. [http://www.gkchain.com](http://www.gkchain.com)).

I've also worked in companies where lots of doors require a key card, which
also unlocks the computer (by means of a card reader at the workstation). So
if you leave the room, you take the card with you anyway and the computer gets
locked automatically.

~~~
sitharus
Back in 2006ish I used Bluetooth proximity of my Mac running 10.4 and a Sony
Ericsson cellphone to auto-lock my machine. It'd kick in around 10 metres
away, which was about the size of my team's area. Quite handy, but the feature
was removed.

~~~
pbhjpbhj
Having Bluetooth enabled on your cellphone might ultimately be the method used
to crack in to your network though... so there's a tradeoff of security in
such a scenario.

~~~
thebournepopret
How can Bluetooth be used as a vector?

~~~
itsameta4
HID spoofing.

------
TeMPOraL
This is cool and it's one of my favourite types of projects - where you have
to hack your way through security to pull off a prank. However, I think it
would be better and more impressive if the author limited the collateral
damage. Spawnkilling other programs _is_ an effective way of protection, but I
think it disturbs people too much by interfering with normal (for a technical
person) computer use.

Interestingly, the author pretty much delivered half of a Malware Writer 101
here. I had to deal with methods like these when removing crap from non-tech
computer users more times than I would like.

------
ianamartin
The CTO of a company I worked for had a solution for this problem that, while
crass, was effective.

Any time he saw an unlocked and unattended workstation he would set the home
page of the browser to a hard core porn site.

Then later after the person was back at the desk he would claim to need to
check on something real quick. He'd fire up the web browser, and up comes the
porn site.

Then he'd pretend to be all pissed off and start yelling at the person for
browsing porn at work.

Eventually, he'd explain what happened and make his point.

~~~
andrelaszlo
This could, I think, be classified as sexual harassment. At least in Sweden
("sexuellt ofredande") where I live.

If my boss did that, I'd probably quit. So yeah, I guess it's "effective".

~~~
ianamartin
Most definitely.

------
RawInfoSec
If you want to get employees to lock their workstations, make it a policy and
fire the ones who repeatedly break it. If you have to get their attention via
childish pranks it's a waste of everyone's time.

Also, the IT provider has put a lot of effort into security for a reason. The
second any employee starts shell coding of any type, it becomes a risk to the
company. Management, as always, is blind to this and is probably why they
rewarded the author. What they should have done is fire the person for
breaching the company's User Access policy. (You do have one, right?)

It may be the employee's lunch hour, but it's not their right to abuse company
property.

~~~
TeMPOraL
> _the IT provider has put a lot effort into security for a reason_

It really depends. All too often the reason for various restrictions IT set up
is to limit their own workload. It sometimes goes to the point of making
everyone else's work harder. It's especially irritating in schools and
universities, where I could swear IT departments often live by the idea of "if
we make a system X completely unusable, nobody will use it, so we won't have
people breaking things".

~~~
RawInfoSec
I can safely say that it's never to limit our own workload. Considering we'd
get paid less if we had nothing to do, it would be pretty dumb to work towards
that goal. It's to save the company from going bankrupt with explosive costs
of maintaining infrastructure in a hostile environment.

Any and all restrictions are there to prevent risk, to both data security and
operational costs. There's nothing worse than allowing a user to do as they
please because as Bruce Schneier once said, "A user will choose dancing pigs
over security every time."

This is why we work with management to show them the costs of allowing users
the ability to roam free. Management makes the decisions, IT implements them.

Security is hard. It is highly invasive to usability. It's not your IT
department's fault, it's actually yours.

------
bv7867
Posting this using a throwaway as I don't want to be associated with this one.

I did a demonstrator a couple of years ago of why we should be using 2FA for
everything. We added a single binary to the post-build event in Visual Studio
and checked it and the binary into the VCS. The binary grabbed the person who
did the build's Chrome password database and used powershell to POST it to a
private address. Then we chucked it through some shareware that reads the file
and mailed the password back to the engineer we were demonstrating it to.

It's pretty easy to backdoor a machine without even having console access.

Be careful people.

------
reitanqild
At one place I worked we had a team agreement that it was ok to do _small_
pranks to people who left machines unlocked.

Often small changes can have huge benefits, the smallest effective security
hack I can remember was a one word change:

We changed "last person to leave for x activates lock" to "first person to
leave for x activates lock".

------
ilurk
Not as persistent as Babadook, but in similar pranking fashion for Linux:

[https://github.com/Snaipe/confloose](https://github.com/Snaipe/confloose)

[https://github.com/GreedLabs/Zloose](https://github.com/GreedLabs/Zloose)

------
millstone
Maybe a dumb question: who exactly is locking your desktop supposed to protect
against? Do some offices have untrusted people running around with access to
workstations?

I can see the necessity of locking when you go home, so the maintenance staff
does not have access, but presumably this happened during the day.

~~~
TeMPOraL
Rogue employees happen. Or an attacker may be posing as cleaning staff (in my
company we have cleaning during business hours, and every few days we all
leave our room while the cleaning lady vacuums).

But primarily, it's not about distrust towards your cow-orkers - it's because
not locking your workstation leaves you (and the company) vulnerable to
external attackers that made their way to the office via acting confident.
Social engineering is extremely effective and quite easy to perform, if you
can keep your cool.

~~~
MichaelGG
Cleaners seem like a huge way in. They often come at night and have
unrestricted access. What's stopping them from keylogging or worse? How tight
of security can the cleaning crew even run? It's not like you're paying a ton
extra to vet folks, and it can't be that desirable a job.

~~~
TeMPOraL
Indeed. Add to that the fact that many cleaning companies employ their crews
as "contractors", pay them almost nothing and treat them like human trash
(ditto for security personnel in relatively safe areas), and you have a perfect
attack vector - it won't be hard to find someone who will plug that little
stick behind a computer in exchange for some cash and you being nice to them.

------
chris_wot
I quite enjoyed the technical solution, but I think the author is a bit of a
dick. And I have to ask myself why group policy wasn't set up to lock
automatically after 10-15 minutes of inactivity?
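The inactivity lock chris_wot refers to is normally delivered through the screen-saver policy values under the user's Policies hive. The following audit script is an added example, not code from the thread or from the Babadook post; it reads the policy values and the user's own desktop settings and reports whether a lock within the 15-minute upper bound mentioned above is actually in force on the machine it runs on (the threshold and the two hive paths are the only assumptions):

```powershell
# Added example: audit whether an inactivity lock is enforced for the current
# user. A value under the Policies hive (pushed by GPO) overrides the user's
# own setting under HKCU:\Control Panel\Desktop.
$maxSeconds = 900   # 15 minutes, the upper end of the 10-15 minute range above

$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userKey   = 'HKCU:\Control Panel\Desktop'

function Get-LockSetting {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value does not exist instead of throwing.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-EffectiveLockSetting {
    param([string]$Name)
    $v = Get-LockSetting -Key $policyKey -Name $Name
    if ($null -eq $v) { $v = Get-LockSetting -Key $userKey -Name $Name }
    return $v
}

$active  = Get-EffectiveLockSetting 'ScreenSaveActive'     # "1" = screen saver on
$secure  = Get-EffectiveLockSetting 'ScreenSaverIsSecure'  # "1" = require password
$timeout = Get-EffectiveLockSetting 'ScreenSaveTimeOut'    # idle seconds
$setByGpo = $null -ne (Get-LockSetting -Key $policyKey -Name 'ScreenSaverIsSecure')

Write-Host "Screen saver active : $active"
Write-Host "Lock on resume      : $secure"
Write-Host "Timeout (seconds)   : $timeout"
Write-Host "Set by Group Policy : $setByGpo"

$timeoutInt = $timeout -as [int]
$ok = ($active -eq '1') -and ($secure -eq '1') -and
      ($null -ne $timeoutInt) -and ($timeoutInt -gt 0) -and ($timeoutInt -le $maxSeconds)

if ($ok) {
    Write-Host "OK: workstation locks after at most $timeoutInt seconds of inactivity."
} else {
    # Without the GPO, a user can simply turn the lock off, which is the gap
    # the prank in the article was trying to paper over.
    Write-Warning "Inactivity lock is not enforced within $maxSeconds seconds."
}
```

Run it in an ordinary user session; if "Set by Group Policy" is False, the lock depends on each user's own settings rather than on policy.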

------
djyaz1200
Am I missing something or is this pretty much like stealing a car that was
unlocked with the keys left in it?

~~~
outworlder
As far as car analogies go, this is not too far off the mark.

------
therealidiot
> Everybody would laugh about it but still wasn’t giving the needed outcome

It's scary how many people don't take their machine's (or their network)
security seriously.

I used to run reverse shells on machines that my coworkers left unlocked
(easier as our network is more relaxed) - after launching annoying things they
got the point very quickly and now nobody leaves their machines unlocked.

