Remote Administration Trojans (PowerPoint presentation transcript)

Transcript and Presenter's Notes
1
Remote Administration Trojans
  • A Packet-Ninja Research Project

2
The Situation
  • 63% of all email on the Internet is spam.
  • 1 in 12 email messages contains a virus.
  • 1.8 million consumers were defrauded by phishing
    schemes last year.
  • Source: "In Cyberspace, a Dark Alliance", Oct 9, 2004,
    www.ecommercetimes.com/story/37164.html

3
The Infection
  • Spam carries viruses that leave back doors on
    the infected computer.
  • But who would be stupid enough to click on an
    attachment?
  • Now, as Dan has shown us, merely viewing a graphic
    is enough for the hacker to plant a back door.

4
The Infection
  • It doesn't have to be an attachment.
  • Some of the most-clicked items in email are
    web links that users follow, not realizing a
    virus may be waiting for them on the other end:
  • supposed pornography links
  • supposed patches from a vendor
  • "too good to be true" links

5
Too Good to be True
6
Too Good to be True
7
Too Good to be True
8
The Infection
  • How would your non-technical mother / sister /
    friend go about finding Ad-Aware or any other
    program you've recommended to them?
  • Hackers are shifting from "SeeJanetNaked" file
    names to "Ad-Aware" or "SpyWare Search &
    Destroy".
  • How does a home user tell which is which?

9
The Infection
  • Especially confusing are the fake-error
    installs.
  • "WinZip Error"
  • "Cannot open file: it does not appear to be a
    valid archive. If you downloaded this file, try
    downloading the file from another site."
  • That's the error message one backdoor displays
    when users run the file Backdoor.IE_Patch.exe.
    The user sees a broken download; the backdoor has
    already been installed.

10
The Dropper
  • Most of the backdoors we see in common email and
    file-swapping virus distributions are really just
    droppers.
  • Their purpose is to allow a hacker an easy
    install of a more robust tool for manipulating
    his new toy (YOUR COMPUTER).

12
Remote Administration Trojans (RATS)
  • A partial list of Remote Administration Trojans
    from Pest Patrol (local copy shown in the demo):
  • C:\danger\rats\Pests Classified in the Category
    RAT.htm

13
Remote Administration Trojans (RATS)
  • Demo
  • Three common RATs:
  • 1. Sub7
  • 2. Optix
  • 3. Beast 2.07

14
RATs Sub7
  • Sub7 is one of the oldest and the most famous
    Remote Administration Trojans.
  • The version in the demo was the last distributed
    version, dated Feb 2003.
  • Made world-famous at DefCon 8.

15
RATs Sub7
16
RATs Sub7
  • A Hackguard study of infected Sub7 machines
    suggested the infection methods were:
  • 20% infected email attachment
  • 50% downloaded infected file from the Internet
  • 10% network share or infected floppy or CD
  • 10% browser bug (IE or Netscape) loaded from a website

17
RATs Sub7
  • Demo
  • connect
  • show file system (misc)
  • "Matrix" tech support (messages)
  • play WAV files (file mgr)
  • flip screen (fun)
  • IRC bot (irc bot)

18
RATs Sub7
  • Other features:
  • remote port scan
  • webcam / audio record
  • text-to-speech
  • port redirector (may allow entry into a VPN
    from the infected host)
  • Estimates of infected machines have ranged from
    250,000 to several million at the peak of CodeRed,
    which was often used as a Sub7 dropper.

19
RATs Optix
  • The server created by the version of Optix in
    this demo was NOT detected by three-week-old
    Norton Anti-Virus definitions.
  • Optix is by EvilEyeSoftware.
  • Their website claims 297,230 intentional
    downloads (more than 2,000 this week!) and
    6 million unique visitors.

20
Evil Eye Disclaimer
21
Undetectables
  • Evil Eye Software offers undetectable servers for
    a high price. Money transfer is !!!WIRE TRANSFER
    ONLY!!! (ensures legality). The details, quoted
    from their site, are as follows:
  • All you do is contact us and we will contact the
    various programmer(s) of the product(s) you want
    undetected copies of. IF they decide to take you
    up on your offer for no less than US$300 or
    US$200 then they will re-code their product
    slightly in a large majority of areas so as to
    make it undetected to all the top virus scanners
    (we test with Norton, McAfee, Kaspersky and
    F-Secure). However, in testing on these with the
    highest settings of detection enabled, it ensures
    that all other virus scanners should not pick up
    the product.
  • If you get a product that has been made
    undetected and you discover a particular virus
    scanner that your product is detected on at any
    time, then you can just let us know and we will
    quickly make it undetectable to your specific
    virus scanner if this happens (which is not
    likely). Once you receive your product it will
    also be as different as we can make it to any
    other buyers' product, so, you really do buy a
    "unique" copy.
  • The actual server you buy will be functionally no
    different than the public versions in most cases,
  • The main rule for these deals will be MONEY FIRST
    and then product will be sent in email on receipt
    of funds!

22
Undetectables
  • By comparison, an undetectable version of Nuclear
    Winter RAT costs $15. Same guarantee.
  • Almost every major RAT offers to sell an
    undetectable version.

23
RATs Optix
  • Demo
  • connect
  • (info) key logger
  • (message) message block
  • FTP server
  • registry manager

24
RATs Beast
  • Demo
  • Build Server
  • Contact methods: IRC bot armies are no longer the
    main way the server reports in to its handler.
    The builder offers notification via:
  • email
  • IRC
  • AOL AIM
  • MSN Chat
  • Yahoo Instant Messenger

25
RATs Beast
  • Demo
  • Build Server
  • New feature this release:
  • DISABLE XP FIREWALL

26
RATs Beast
  • Demo
  • Show/Kill Processes

27
The Research
  • Objectives:
  • Develop techniques for discovery in the wild
  • Document default settings of major RATs
  • Develop IDS signatures or port-scan fingerprinting to
    discover infected devices
  • Develop a strategy for informing infected-machine
    owners (law enforcement or ISP?)
  • Develop a strategy for identifying handlers
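The two objectives above, documenting default settings and developing IDS signatures or port-scan fingerprinting, are the one point in the deck where a concrete check helps. What follows is an added example written for this transcript; it is not code from the Packet-Ninja project or from the presenter. It assumes the default listening ports found in public RAT port lists (Sub7 27374 and 1243, Optix Pro 3410, Beast 6666) and the "PWD" and "[RPL]002" Sub7 greeting strings referenced by public Snort "BACKDOOR subseven" rules; no greeting pattern is included for Optix or Beast, so those are matched by port only. The loopback stand-in server and the greetings it sends are constructed for the demo. The design point is the caveat the Undetectables slides imply: a default-port hit is weak evidence, because every builder lets the operator move the port, so port-only hits are graded "possible" while a protocol-greeting match is graded "likely" even on a non-default port.

```python
from __future__ import annotations

import re
import socket
import threading
from dataclasses import dataclass

# Default listening ports as published in public RAT port lists and IDS
# rule sets. ASSUMPTION: taken from those lists, not from the slides, and
# every one of these RATs lets the operator choose a different port.
DEFAULT_PORTS = {
    "Sub7": {27374, 1243},
    "Optix Pro": {3410},
    "Beast": {6666},
}

# Server-to-client greeting patterns. ASSUMPTION: the Sub7 strings are the
# ones referenced by public Snort "BACKDOOR subseven" rules ("PWD" is the
# password prompt, "[RPL]002" a 2.2-series reply). No reliable greeting is
# included for Optix or Beast, so they can only be caught by port.
GREETINGS = {
    "Sub7": re.compile(rb"^(PWD|\r?\n\[RPL\]002)", re.M),
}


@dataclass
class Verdict:
    family: str
    confidence: str   # "possible" (default port only) or "likely" (greeting match)
    evidence: str


def classify(dst_port: int, greeting: bytes) -> list[Verdict]:
    """Combine the two weak signals: default port and protocol greeting.

    A greeting match is graded "likely" regardless of port, which is what
    catches a rebuilt server that keeps the protocol but moves the port.
    A default-port hit with no greeting is only "possible".
    """
    verdicts: list[Verdict] = []
    for family, pattern in GREETINGS.items():
        m = pattern.search(greeting)
        if m:
            verdicts.append(Verdict(
                family, "likely",
                f"greeting {m.group(0)!r} on port {dst_port}"))
    already = {v.family for v in verdicts}
    for family, ports in DEFAULT_PORTS.items():
        if dst_port in ports and family not in already:
            verdicts.append(Verdict(
                family, "possible",
                f"default port {dst_port}, no greeting match"))
    return verdicts


def grab_greeting(host: str, port: int, timeout: float = 2.0) -> bytes | None:
    """Connect and wait briefly for an unsolicited server greeting (RATs of
    this era talk first). Returns None when the port is closed, b"" when it
    is open but silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256)
            except socket.timeout:
                return b""
    except OSError:
        return None


def fingerprint(host: str, ports) -> list[Verdict]:
    """Scan the given ports on one host and classify every open one."""
    results: list[Verdict] = []
    for port in ports:
        greeting = grab_greeting(host, port)
        if greeting is None:
            continue
        results.extend(classify(port, greeting))
    return results


# Constructed loopback stand-in for an infected host (no real RAT involved):
# it listens on an ephemeral port and sends `greeting` to each connection.
def _fake_rat_server(greeting: bytes) -> int:
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(greeting)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # A Sub7-style password prompt on a non-default port is still "likely".
    port = _fake_rat_server(b"PWD")
    for verdict in fingerprint("127.0.0.1", [port]):
        print(verdict)
```

Run against a real host by replacing the loopback stand-in with the target and a port list such as `DEFAULT_PORTS` values plus a wider sweep; an open default port that says nothing is worth a follow-up, not a conclusion.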

28
The Research
  • Interested? Know of other related projects?
  • Contact Gary Warner
  • gar_at_askgar.com
  • Birmingham InfraGard
  • (home of the Packet Ninjas)