The Poison Ivy malware kit is old. It was first seen in 2005, which makes it about 762 years old in Internet years. But that doesn’t mean it’s no longer useful, as evinced by the data collected by Microsoft in a new report on the tool, which shows that it is still in active use and is turning up on thousands of infected PCs.
Microsoft said it has removed Poison Ivy from more than 16,000 machines since adding it to the coverage of its Malicious Software Removal Tool in early October. The five most prevalent versions of the malware accounted for more than 8.5 percent of all of the malware removed by the MSRT in that time period, the company said. Microsoft’s Malware Protection Center has released a detailed report on Poison Ivy, as well, which lays out the structural details of the tool, its various components, infection methods and how attackers obtain it.
Perhaps best known as the remote access Trojan (RAT) that was used as part of the attack on RSA this spring, Poison Ivy has been around for more than six years, although it’s now out of active development. The tool is openly distributed through a public Web site and it’s also available for sale on underground forums in modified versions that are more difficult to detect. Poison Ivy also was used in the recently exposed Nitro attacks against some organizations in the chemical industry.
In essence, Poison Ivy is a server that sits on an infected machine and waits for commands from the client controlled by a remote attacker. It has a slew of capabilities, and gives even a semi-skilled attacker plenty of options once it’s installed. Using Poison Ivy, an attacker can log keystrokes, download and upload files, inject code into running processes, redirect Internet traffic and a host of other things.
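The client/server arrangement described above means an infected host has to keep a channel open (or keep re-opening one) to the operator's client in order to receive commands. The script below is an added example, not code from the article or from Microsoft's report, showing how a defender can score connection records for that pattern: one internal host talking to one external endpoint on a regular interval and holding the channel open most of the time. The record format, the sample flows and the thresholds are all constructed assumptions for the example; nothing in it is a Poison Ivy-specific indicator.

```python
"""Flag host/endpoint pairs whose outbound connections look like a RAT command channel.

Assumption: we have per-connection records (start time, internal source, external
destination, duration).  A RAT server that waits for operator commands tends to
reconnect on a fixed schedule and keep the channel busy; ordinary web traffic is
short and scattered across many endpoints.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: int        # connection start, seconds since epoch (constructed)
    src: str       # internal host
    dst: str       # external endpoint as "ip:port"
    duration: int  # seconds the connection stayed open


# Constructed sample records: 10.0.0.7 re-connects to a single external endpoint
# every 60 seconds and keeps each connection open almost the whole interval;
# the other hosts show ordinary short-lived web connections.
SAMPLE_FLOWS = [
    Flow(1000, "10.0.0.7", "203.0.113.5:8080", 58),
    Flow(1060, "10.0.0.7", "203.0.113.5:8080", 59),
    Flow(1120, "10.0.0.7", "203.0.113.5:8080", 57),
    Flow(1180, "10.0.0.7", "203.0.113.5:8080", 60),
    Flow(1240, "10.0.0.7", "203.0.113.5:8080", 58),
    Flow(1003, "10.0.0.8", "198.51.100.20:443", 2),
    Flow(1500, "10.0.0.8", "198.51.100.21:443", 1),
    Flow(1900, "10.0.0.9", "198.51.100.22:80", 3),
]


def suspicious_pairs(flows, min_flows=4, max_jitter=5, min_busy_fraction=0.8):
    """Return (src, dst) pairs that reconnect on a regular interval and keep the
    channel open for at least `min_busy_fraction` of the observed span.

    Thresholds are assumed tuning values for this example.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)

    hits = []
    for pair, fs in by_pair.items():
        if len(fs) < min_flows:          # too few connections to judge regularity
            continue
        fs.sort(key=lambda f: f.ts)
        gaps = [later.ts - earlier.ts for earlier, later in zip(fs, fs[1:])]
        jitter = max(gaps) - min(gaps)   # 0 means perfectly periodic reconnects
        span = fs[-1].ts + fs[-1].duration - fs[0].ts
        busy = sum(f.duration for f in fs) / span
        if jitter <= max_jitter and busy >= min_busy_fraction:
            hits.append(pair)
    return hits


if __name__ == "__main__":
    for src, dst in suspicious_pairs(SAMPLE_FLOWS):
        print(f"persistent channel: {src} -> {dst}")
```

The two tests in the scoring, low jitter between connection starts and a high busy fraction, are deliberately independent of any port or payload detail, since the article notes that underground variants are modified to evade detection; behavioural checks of this kind survive those changes better than signatures do. Lowering `min_flows` or raising `max_jitter` trades fewer missed channels for more false positives from legitimate keep-alive traffic.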
“Poison Ivy enables its operators to create customized remote access trojan servers, which they then distribute to unsuspecting victims through exploits, social engineering, and other attack methods. Once the trojan component is executed on a victim’s machine, full control is handed over to the malware operator through the use of a client that is built into the builder of the malware,” Microsoft said in the report on Poison Ivy.
“The kit generates different types of payloads depending on the needs of the operator. The most typical scenario involves generating a PE binary (a Windows® executable), which then must be run on a target computer. The builder component can also be instructed to output a server as shellcode, which can then be used directly in an exploit.”
The payloads that Poison Ivy can generate come in a variety of flavors, including Windows executables and various types of shellcode.
Unlike some newer attack tools and malware kits, Poison Ivy does not include any kind of infection mechanism. Each individual attacker is responsible for finding methods for infecting his own victims. It often shows up in phishing emails and also is sometimes used as the payload in attacks that exploit known or unknown vulnerabilities in Windows or applications. The last public version of Poison Ivy was released more than three years ago, but it’s possible that the author has still been creating private versions for specific customers since then.