New Visitor Information

Most of the files are uploaded at 4shared.com. You need a 4shared account to download them.
WARNING !!! All video tutorials and information on this website are for educational purposes only. Using them for illegal activity is a crime, so please do not attempt it. I do not take any responsibility.

Taming The RATs [Remote Administration Tools] Reverse Engineering - DarkComet, Bandook, CyberGate, Xtreme RAT


Shawn Denbow and Jesse Hertz's Summer 2012 project to reverse-engineer remote admin tools used to spy on dissidents in oppressive countries

Remote Administration Tools (RATs) allow a remote attacker to control and access a system. In this paper, we present our analysis of their protocols, explain how to decrypt their traffic, and present the vulnerabilities we found.

Basic RAT Architecture
Most RATs employ a “reverse-connecting” architecture.
The “client” program resides on the attacker’s machine and is used to control
a compromised system. It often features a full UI designed for ease of use.
In contrast, the “server” program is a much smaller stub which is installed on
the compromised computer. These servers feature no UI, and take measures
to disguise their presence... Continue -> DOWNLOAD PDF



The DarkComet RAT
DarkComet is one of the most popular RATs in use today, gaining recent
notoriety after its use by the Syrian government [13]. The encryption method
used in DarkComet has already been extensively analyzed by various
researchers [2] [3], so we will not reiterate here.
We reverse engineered the DarkComet protocol and analyzed it for
vulnerabilities.
After a quick look at its protocol, it is easy to see that it uses a “|” as its
delimiter between string parameters. There is, however, no delimiter between
the command and the first parameter.... Continue -> DOWNLOAD PDF
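The two protocol properties named above (a “|” delimiter between parameters, but none between the command and the first parameter) are enough to write a small parser for analysing captured DarkComet-style traffic. The following is an added example, not code from the paper or from the RAT: the command names in KNOWN_COMMANDS are hypothetical placeholders, since the real DarkComet command set is not given on this page. The parser resolves the missing delimiter by longest-prefix match against the known command table, then splits the remainder on “|”; it also reports messages that no known command explains, which is the case a traffic analyser most needs to surface.

```python
"""Parser for DarkComet-style messages (added example, not the paper's code)."""
from typing import List, Optional, Tuple

# Hypothetical placeholder command names; the real DarkComet commands are not on this page.
KNOWN_COMMANDS = ("EXAMPLEINFO", "EXAMPLEINFOEXT", "EXAMPLEPING")

DELIMITER = "|"  # delimiter between string parameters, as described in the paper excerpt


def split_message(raw: str, commands=KNOWN_COMMANDS) -> Optional[Tuple[str, List[str]]]:
    """Split a decrypted message into (command, parameters).

    There is no delimiter between the command and the first parameter, so the
    command can only be recognised from a table of known names.  When one name
    is a prefix of another (EXAMPLEINFO vs EXAMPLEINFOEXT in the placeholder
    table) the longest match must win, otherwise the tail of the command would
    be misread as the start of the first parameter.  Returns None when no known
    command matches, so the caller can flag unknown traffic instead of guessing.
    """
    matches = [c for c in commands if raw.startswith(c)]
    if not matches:
        return None
    cmd = max(matches, key=len)
    rest = raw[len(cmd):]
    params = rest.split(DELIMITER) if rest else []
    return cmd, params


def parse_capture(messages: List[str], commands=KNOWN_COMMANDS):
    """Parse a list of decrypted messages; returns (parsed, unknown) lists."""
    parsed, unknown = [], []
    for msg in messages:
        result = split_message(msg, commands)
        if result is None:
            unknown.append(msg)
        else:
            parsed.append(result)
    return parsed, unknown


# Constructed sample messages using the placeholder command names.
SAMPLE_MESSAGES = [
    "EXAMPLEINFOEXThost-a|user-a",
    "EXAMPLEPING",
    "EXAMPLEINFOhost-b",
    "NOTACOMMAND|x",
]

if __name__ == "__main__":
    parsed, unknown = parse_capture(SAMPLE_MESSAGES)
    for cmd, params in parsed:
        print(f"{cmd!r} -> {params}")
    print("unknown:", unknown)
```

Because the protocol has no escaping for “|”, a parameter that itself contains the delimiter is split into two, which is a limitation of the format, not of the parser; an analyst decoding real captures should expect that ambiguity.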

The Bandook RAT
Bandook is written in a mix of C++ and Delphi [5] [6]. The server is able to use
process injection, API unhooking, and kernel patching to bypass (some versions
of) the Windows firewall. The server itself is fairly limited in
functionality, but has the ability to be extended through a plugin architecture:
the client can upload plugin code to the server. The client comes with several
plugins which need to be installed on the server to enable full functionality. By
default, the server attempts to hide itself by creating a process based on the
default browser settings.
It lacks any real cryptography to protect its traffic. Instead, it obfuscates its
traffic by XORing against the constant 0xE9:... Continue -> DOWNLOAD PDF
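A single-byte XOR such as the 0xE9 constant above is trivially reversible, and that reversibility is what lets a network defender both decode captured Bandook traffic and recognise it. The following is an added example, not the paper's or the RAT's code; the message contents are constructed, since only the XOR constant, not the underlying message format, is given on this page. The block de-obfuscates a payload and applies a simple heuristic: raw bytes that look binary but become mostly printable text after XOR with 0xE9 are worth a closer look.

```python
"""XOR-0xE9 de-obfuscation and a detection heuristic (added example)."""
from typing import List, Tuple

BANDOOK_XOR_KEY = 0xE9  # constant stated in the paper excerpt


def xor_e9(data: bytes, key: int = BANDOOK_XOR_KEY) -> bytes:
    """XOR every byte against the key.  The operation is its own inverse, so the
    same function obfuscates plaintext and recovers it from captured traffic."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (or tab/newline/CR)."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def looks_like_xor_e9_text(payload: bytes, threshold: float = 0.9) -> bool:
    """Heuristic: the payload is not readable as-is, but decodes to readable text
    under XOR 0xE9.  Every printable ASCII byte XORed with 0xE9 lands in the
    0x80-0xFF range, so genuine obfuscated text scores close to 0 before decoding
    and close to 1 after it."""
    return (printable_ratio(payload) < threshold
            and printable_ratio(xor_e9(payload)) >= threshold)


def decode_capture(payloads: List[bytes]) -> List[Tuple[int, bytes]]:
    """Return (index, decoded_text) for each payload the heuristic flags."""
    hits = []
    for i, payload in enumerate(payloads):
        if looks_like_xor_e9_text(payload):
            hits.append((i, xor_e9(payload)))
    return hits


# Constructed sample traffic: plaintext invented for the example, then obfuscated.
SAMPLE_PLAINTEXT = b"CONSTRUCTED|sample|message"
SAMPLE_WIRE = xor_e9(SAMPLE_PLAINTEXT)
SAMPLE_CAPTURE = [
    b"GET / HTTP/1.1\r\n",      # ordinary cleartext, should not be flagged
    SAMPLE_WIRE,                # obfuscated sample, should be flagged
    bytes(range(0, 64)),        # arbitrary binary, should not be flagged
]

if __name__ == "__main__":
    for index, text in decode_capture(SAMPLE_CAPTURE):
        print(f"payload {index}: {text!r}")
```

The heuristic is deliberately narrow: it only answers "does XOR 0xE9 turn this into text", which is cheap enough to run over every payload in a capture and specific enough to be a useful first-pass filter before protocol-level parsing.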

The CyberGate RAT
CyberGate is another RAT written in Delphi. It’s also the only RAT we saw that
featured protection against reverse engineering. Using LordPE to obtain a
dump, you can see the following strings:

Both PEiD and Detect It Easy could not identify what packer had been used.
We worked on unpacking it, until we finally discovered a tool called
ProtectionID. This was able to identify the packer as Safengine Licensor. From
some basic research, we discovered that unpacking the Safengine Licensor is a
project in itself. Due to our time constraint, we found it would be best to
continue our efforts analyzing another RAT.... Continue -> DOWNLOAD PDF

The Xtreme RAT Server
The stub sets itself up using a classic technique found in basic malware. It first
uses CreateProcess() to create a new process (named after the default
browser).

Next, it uses WriteProcessMemory() to copy code to the newly created process
(PE header starts at 0x1610000).... Continue -> DOWNLOAD PDF

Conclusion
RATs represent an under-researched but highly active area of malware “in the
wild”. With both governments and non-state actors using RATs for
surveillance, knowledge about them carries increasing significance. A good
understanding of their protocols is critical to network and system
administrators deploying tools that can notice the presence of a RAT.
All of the RATs we analyzed were written in Delphi. This gave the RATs some
resilience against classical security mistakes (buffer/heap overflows) that are
much easier to make in a language like C or C++. However, we still found
serious vulnerabilities in DarkComet, which was the most widely deployed of
the RATs we studied. Our analysis of the communications should provide a
solid foundation for other researchers interested in further reverse engineering
and vulnerability research on RATs... Continue -> DOWNLOAD PDF

DOWNLOAD Taming The Rats eBOOK
DOWNLOAD HERE

DOWNLOAD DarkComet, Bandook, CyberGate, Xtreme RAT Script
DarkComet Arbitrary File Read / SQL Injection Script
DOWNLOAD HERE

Bandook MITM Script
DOWNLOAD HERE

CyberGate MITM Script
DOWNLOAD HERE

Xtreme RAT MITM Script
DOWNLOAD HERE

ALL Password: theatregelap.com