Researchers Investigate Skeleton Key Attacks on User Passwords




Researchers at Edinburgh Napier University have been investigating the Skeleton Key malware within their virtualised security infrastructure.


The core of the attack is the compromise of a Windows domain. In order to centralise the control of usernames, roles, passwords and rights, a domain controller is used to store the common database for the whole of the domain. This is such a critical task that there is often a secondary controller, which holds an up-to-date copy of the domain data. When users log into a host (\\HOST, where \\ denotes the top level of the domain), they are authenticated against the domain controller and gain their access from there. Any compromise or failure of the domain infrastructure can cause major problems within an organisation.

Technical details

On a Windows server, the ole32.dll file is used to link objects within Microsoft documents, and is non-malicious. The CTU team, when investigating the 64-bit version, found that an attacker could use a related DLL (msuta64.dll) to compromise the system. This DLL contains debug information that allows the attacker to examine the contents of memory used when patching a system. The malware was then named ole64.dll, ole.dll or msuta64.dll (see Figure 2). Debug information is used within a program while it is being tested, and allows the developer to examine debug messages and variables. On release of the compiled version of the code, the developer would normally switch off the debug options, but in this case they have been left on.

The process involves the attacker compromising a host within the domain and then sustaining a remote connection. Next the attacker gains administrator credentials and searches for administrative shares within the domain. Once these are found, the attacker moves the compromised DLLs into c:\windows\system32 on the domain controller and then runs them with:

psexec -accepteula \\%DCNAME% rundll32 [DLL filename] ii [NTLM password hash]

where [NTLM password hash] is the hashed password that the attacker wants to use for a user, and [DLL filename] is the name of one of the compromised DLLs.

PsExec is a useful tool for many domain managers, as it allows commands to be executed on remote systems. It can, though, be used for malicious purposes by an attacker, who can run remote commands with administrative rights, including transferring the output of the execution from one system to another (using administrative shares and the SMB (Server Message Block) protocol). This operation is typically known as creating a pipe for data.
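Detection logic for the invocation described above, written as an added example that is not from the article or the CTU report. It scans constructed process-creation records (Sysmon-style field names are assumed) for rundll32 started with a DLL, the ii entry point and a 32-hex-character hash, for the DLL names listed above, and for a parent of PSEXESVC.exe (the service PsExec installs on the target, assumed here) on a domain controller.

```python
import json
import re
from typing import Dict, List

# DLL names the article reports for the patched file dropped into system32 on the DC.
SKELETON_KEY_DLLS = {"ole64.dll", "ole.dll", "msuta64.dll"}

# Shape of the invocation from the article: rundll32 <dll> ii <NTLM hash (32 hex chars)>.
RUNDLL32_II_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>\S+)\s+ii\s+(?P<hash>[0-9a-fA-F]{32})\b",
    re.IGNORECASE,
)


def classify_event(event: Dict) -> List[str]:
    """Return the indicators matched by one process-creation record (empty if benign)."""
    hits: List[str] = []
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    is_rundll32 = image.endswith("rundll32.exe")
    m = RUNDLL32_II_RE.search(cmd)
    if is_rundll32 and m:
        hits.append("rundll32_ii_with_ntlm_hash")
        # A renamed DLL still trips the rule above; a known name adds confidence.
        dll_name = m.group("dll").rsplit("\\", 1)[-1].lower()
        if dll_name in SKELETON_KEY_DLLS:
            hits.append("known_skeleton_key_dll_name")
    # PsExec runs its remote payload under the PSEXESVC service it installs (assumed parent name).
    if is_rundll32 and parent.endswith("psexesvc.exe"):
        hits.append("rundll32_spawned_by_psexec_service")
    if hits and event.get("IsDomainController"):
        hits.append("on_domain_controller")
    return hits


def scan(log_lines: List[str]) -> Dict[int, List[str]]:
    """Map EventId -> matched indicators for every record that raised at least one."""
    alerts: Dict[int, List[str]] = {}
    for line in log_lines:
        ev = json.loads(line)
        hits = classify_event(ev)
        if hits:
            alerts[ev["EventId"]] = hits
    return alerts


# Constructed sample records: a benign Control Panel launch, the pattern from the article
# on a DC, and a renamed DLL launched from a local shell. The hash value is a placeholder.
SAMPLE_LOG = [
    r'{"EventId": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"}',
    r'{"EventId": 2, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\PSEXESVC.exe", "CommandLine": "rundll32 C:\\Windows\\System32\\msuta64.dll ii 0123456789abcdef0123456789abcdef", "IsDomainController": true}',
    r'{"EventId": 3, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "rundll32 C:\\Windows\\System32\\updater.dll ii 0123456789abcdef0123456789abcdef"}',
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_LOG).items():
        print(event_id, hits)
```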


Associated people

William Buchanan
Director of CDCS