Defensive Mechanisms
Unlike other software of its category, Gerbil is an aggressive attacker. When launched with specific arguments, it can range its attacks from brute-force password breaking to destroying critical system data. Should it detect that someone or something is attempting to impede its progress, it has multiple defensive mechanisms to delay or stop an administrative shutdown.
At the core of Gerbil is the underlying AI engine. This AI (referred to as the GE) has the ability to learn from its mistakes. It can adapt to new protocol changes and identify proprietary naming conventions used by specific organizations.
System Center is a Microsoft solution for monitoring hundreds or thousands of workstations on a network. When a workstation is infected, running slowly, or running out of disk space, it notifies a network administrator. When it is finished, the SCOM module will be able to detect when a workstation is sending an infection report (being attacked and infected by Gerbil) and inject an "all clear" message, thereby delaying or removing the threat of administrator action against Gerbil.
If Gerbil detects that an administrator is attempting to take down the Gerbil-powered attack, it will send massive amounts of packets to SCOM, creating fake issues for devices on the network. This will make it difficult to find which devices on the network are actually infected, slowing down the take-down effort.
Wake-on-LAN is a mechanism used to turn on computers on your network by sending a special packet over UDP. Should a network administrator attempt to force power-off a Gerbil-infected server, the PP module will spam the network with magic packets to turn it back on. Note that this does not work with virtual machines.
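A check a network defender could run over captured UDP datagrams to recognise well-formed magic packets and flag a source that keeps re-sending the same wake-up, which is the behaviour described above. This is an added example, not code from the project; the capture, IP addresses and MAC address are constructed.

```python
from collections import Counter

SYNC = b"\xff" * 6  # a magic packet opens with six 0xFF bytes


def parse_magic_packet(payload: bytes):
    """Return the target MAC ('aa:bb:...') if `payload` is a well-formed
    Wake-on-LAN magic packet, else None. Layout: 6 sync bytes, the 6-byte
    MAC repeated 16 times, then an optional 4- or 6-byte SecureOn password."""
    if len(payload) < 102 or not payload.startswith(SYNC):
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None            # all 16 copies of the MAC must agree
    if len(payload) - 102 not in (0, 4, 6):
        return None            # only a SecureOn password may follow the body
    return ":".join(f"{b:02x}" for b in mac)


def find_wol_repeats(datagrams, threshold=3):
    """datagrams: iterable of (src_ip, udp_payload). A legitimate wake-up is
    one packet, perhaps a retry or two; a source that re-sends the same
    target MAC more than `threshold` times is worth an alert.
    Returns {(src_ip, target_mac): count} for offenders."""
    counts = Counter()
    for src, payload in datagrams:
        mac = parse_magic_packet(payload)
        if mac is not None:
            counts[(src, mac)] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def build_magic_packet(mac: bytes, password: bytes = b"") -> bytes:
    """Test-fixture helper: assemble a standard magic packet for `mac`."""
    return SYNC + mac * 16 + password


# Constructed capture: an admin console (10.0.0.5) wakes one host once,
# while 10.0.0.66 re-sends the same wake-up eight times; the last datagram
# is noise on the WoL port with a bad trailer and must be ignored.
SERVER_MAC = bytes.fromhex("001122334455")
SAMPLE_DATAGRAMS = (
    [("10.0.0.5", build_magic_packet(SERVER_MAC))]
    + [("10.0.0.66", build_magic_packet(SERVER_MAC, b"\x00" * 6))] * 8
    + [("10.0.0.66", b"\xff" * 6 + b"\x00" * 97)]
)

if __name__ == "__main__":
    for (src, mac), n in find_wol_repeats(SAMPLE_DATAGRAMS).items():
        print(f"{src} sent {n} wake-ups for {mac}")
```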
In its normal operating mode, shutting down a Gerbil-powered attack simply involves shutting down the workstation launching the attack (or blocking its network access). Virus mode overcomes this issue. Once Gerbil gains control of a system, it will deploy a copy of itself (using a scrambled fingerprint to avoid detection by AV software). From there it will launch the copy, creating a virus that spreads until all devices on the network are infected or deemed "dumb devices".
Unlike Virus Mode, when a computer becomes infected, a batch script is launched that closely resembles a fork bomb. Not only will it attempt to bomb the computer's CPU and RAM resources, but it will also attempt to spam the network with fake TCP/UDP packets in order to exponentially increase the difficulty of tracing a Gerbil attack using a packet sniffer.
This mode is similar to Kamikaze mode, except the damage it deals is permanent. This mode will attempt to destroy anything it infects. When it gains access to a node, it will attempt to destroy critical system files. It will knock down security barriers (file permissions, UAC, etc.) and firewalls. Once the system is destroyed, it will wipe the boot partition and reboot the system. If it has the ability to do so, it will also attempt to destroy or bring offline any network hardware that it has access to.
While Gerbil is running on a computer, it will force-bind to remote control ports like RDP and WinRM to prevent an administrator from remotely shutting down the Gerbil application.
Once Gerbil gains control of a system, before it deploys a bomb or a clone, it will attempt to scramble the device's SNMP information. This will make it extremely difficult for an administrator to locate the physical device and perform a manual device destruction or shutdown.
Before Gerbil begins the first attack (no nodes are infected yet), it will scan the network to see exactly what it is up against. If it detects SCOM packets, it will launch the SCOM monitor to scan for SC alerts.
Once Gerbil takes control of a system and deems that the device is a workstation, it will disable device input, close all programs (except for alert software like SC), then blank out the screen or display a full-screen image on the device. This behaviour is based on remote-control software found in classrooms.
If Gerbil detects that a network administrator is attempting to shut down an infected node, it will order several infected nodes to redirect their attacks to the administrator's node, thereby halting or heavily delaying the take-down effort.
Once a Windows or Linux device is infected, it will intentionally lock itself out of all other user accounts on the system by trying incorrect passwords, blocking remote connections and system control. If it detects that the system uses AD/LDAP, it will not fire, since locking out user accounts on other devices could shut down other Gerbil sessions.
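A detection a defender could run over logon-failure events to spot the pattern described above (one host failing against many distinct local accounts in a short window). This is an added example and not part of the project; the event lines and their simplified format are constructed, modelled loosely on the Windows 4625 logon-failure event.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, simplified event lines (not real logs): reporting host,
# Windows event id (4625 = logon failure, 4624 = success) and target account.
SAMPLE_EVENTS = """\
2015-06-01T10:00:00 host=WS01 id=4625 user=alice
2015-06-01T10:00:01 host=WS01 id=4625 user=bob
2015-06-01T10:00:01 host=WS01 id=4625 user=carol
2015-06-01T10:00:02 host=WS01 id=4625 user=dave
2015-06-01T10:00:02 host=WS01 id=4625 user=erin
2015-06-01T10:05:00 host=WS02 id=4625 user=alice
2015-06-01T10:05:30 host=WS02 id=4624 user=alice
2015-06-01T11:00:00 host=WS03 id=4625 user=bob
2015-06-01T11:40:00 host=WS03 id=4625 user=carol
"""
LINE_RE = re.compile(r"^(\S+) host=(\S+) id=(\d+) user=(\S+)$")

def parse_events(text):
    """Parse lines into (timestamp, host, event_id, user); skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2),
                           int(m.group(3)), m.group(4)))
    return events

def find_lockout_sprays(events, window_s=300, min_accounts=5):
    """Flag hosts whose logon failures hit at least `min_accounts` distinct
    accounts inside any `window_s`-second window. One user mistyping a
    password (WS02) or slow, unrelated failures (WS03) do not trigger.
    Returns {host: sorted list of every account that failed on it}."""
    by_host = defaultdict(list)
    for ts, host, eid, user in events:
        if eid == 4625:
            by_host[host].append((ts, user))
    hits = {}
    for host, fails in by_host.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_s:
                start += 1
            if len({u for _, u in fails[start:end + 1]}) >= min_accounts:
                hits[host] = sorted({u for _, u in fails})
                break
    return hits
```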
If Gerbil detects that it has successfully infected a DHCP server, it waits until either all nodes are infected or a "code red" is sent out (an administrator is attempting to take down the Gerbil attack). Once triggered, it will reassign all network devices so that their network addresses overlap, causing network collisions and grinding network access to a halt. In addition, this will confuse routers and smart switches, clogging up the network channels.
As an absolute last resort, before an infected node is reclaimed by an administrator, Gerbil will erase itself by randomly writing over the hard drive location where the executable resided. It will surrender control of any network ports and order routers (infected or not) to drop all remaining packets whose TTL has not yet expired.
This option is not available on any node that is infected in Lethal mode or is the ringleader (computer launching the attack).
Once Gerbil gains access to an administrative account, Gerbil will "bomb" the boot partition of the hard drive. This will make the system unbootable and on some systems will make the hard drive unrecognizable by the BIOS.
If Gerbil detects a backup location, it will use the Focus Analyzer to mark the device as a high priority target. It will launch a Gerbil-powered attack in Lethal Mode, destroying the device.
If Gerbil detects that an off-site solution is used (such as Carbonite), it will attempt to use the API to destroy old backups, and if possible, upload a nuked backup from a node which was infected by Gerbil in Lethal Mode.
© 2015 NETponents