Popular RATs Found Riddled With Bugs, Weak Crypto

Published: 22/11/2024   Category: security




Research by former interns for Matasano Security exposes flaws in remote administration tools



RATs have bugs, too: New research shows that remote administration tools often used for spying and targeted attacks contain common flaws that ultimately could be exploited to help turn the tables on the attackers.
A pair of interns for Matasano Security recently published their findings of vulnerabilities they discovered while reverse-engineering popular RATs, specifically DarkComet, Bandook, CyberGate, and Xtreme RAT. Shawn Denbow of Rensselaer Polytechnic Institute and Jesse Hertz of Brown University, both undergraduate computer science students now in their senior year, found that the RATs contain flaws common in mainstream software, such as SQL injection, arbitrary file reading, and weak encryption.
"This shows that it is possible, and that it's not hard, to pick apart attacker tools and come up with proactive defenses against them," says John Villamil, senior security consultant with Matasano, who served as Denbow and Hertz's adviser for the project. "If nothing else, it can help forensics companies analyzing traffic from compromises ... and help build tools that analyze these Trojans, and provide signatures [to detect them]."
Vulnerability research into attacker tools is rare, but not unheard of. "It's very rare to see this type of research," Villamil says.
RATs, which typically provide keylogging, screen and camera capture, file management, code execution, and password sniffing, give the attacker a foothold on the infected machine and, through it, in the targeted organization.
[ Criminals are using phishing e-mails, keystroke loggers, and Remote Access Trojans to steal financial employee login credentials. See FBI Warns Of Scams Targeting Financial Industry. ]
The researchers, in conjunction with their research paper (PDF), released tools for decrypting RAT traffic and proof-of-concept exploits for the bugs they found. They found that the tools include weak, or no, encryption: Bandook, for example, uses obfuscation, not encryption, to protect its traffic between the victim's machine and the C&C server.
Such vulnerabilities in the command-and-control communications themselves can be useful to incident response, says Greg Hoglund, CTO at ManTech CSI and founder of HBGary, now a division of ManTech. "That's a clear, usable piece of intelligence. You want to decrypt what they are doing in their network," Hoglund says. "If you're recording information during incident response ... you can see what directories are being queried, what files they are searching for."
Hoglund says this type of intelligence could be used to regain control over the computers infected with the RAT, as well as to intercept command-and-control traffic.
Matasano's Villamil says that, legally, organizations obviously can't hack back at the attacker. But knowing weaknesses in the attacker's RAT can give them intelligence on what specific information or type of files the attackers are after, and allow for some disinformation defense. "They could feed him false data, or secure what he has access to," he says.
The downside is that exposing holes in these tools tips off attackers to ditch the flawed tools for other ones, he says. Even so, the tools studied by the Matasano interns are openly available ones not typically employed by more sophisticated and well-financed attackers, he says. "More sophisticated attackers employ custom tools ... for exfiltrating data," he says.
What do the flaws in the RATs say about their creators? "In my opinion, people who make this type of tool are not good programmers, just from looking at the way the code is laid out," Villamil says. In addition to the glaringly weak encryption, some of the tools included cut-and-pasted code from various sources, he says.
"The people using those tools either don't realize how weak they are, or they don't care," he says.
"The RATs studied in the research project were all written in the Delphi language. This gave the RATs some resilience against classical security mistakes (buffer/heap overflows) that are much easier to make in a language like C or C++. However, we still found serious vulnerabilities in DarkComet, which was the most widely deployed of the RATs we studied. Our analysis of the communications should provide a solid foundation for other researchers interested in further reverse engineering and vulnerability research on RATs," the researchers wrote.
A good understanding of their protocols is critical to network and system administrators deploying tools that can notice the presence of a RAT, they said.
But even with their weaknesses, RATs are still effective tools for cyberespionage and other persistent threats, Villamil says. "Even with the holes, RATs do the job. Once an attacker is inside, they don't care if you find the tools or if you find out information about it," he says. "They have an objective."
