Popular RATs Found Riddled With Bugs, Weak Crypto

Research by former interns for Matasano Security exposes flaws in remote administration tools

RATs have bugs, too: New research shows that remote administration tools often used for spying and targeted attacks contain common flaws that ultimately could be exploited to help turn the tables on the attackers.

A pair of interns for Matasano Security recently published findings on vulnerabilities they discovered while reverse-engineering four popular RATs: DarkComet, Bandook, CyberGate, and Xtreme RAT. Shawn Denbow of Rensselaer Polytechnic Institute and Jesse Hertz of Brown University, both undergraduate computer science students now in their senior year, found that the RATs contain flaws common in mainstream software, such as SQL injection, arbitrary file reading, and weak encryption.

"This shows that it is possible, and that it's not hard, to pick apart attacker tools and come up with proactive defenses against them," says John Villamil, senior security consultant with Matasano, who served as Denbow and Hertz's adviser for the project. "If nothing else, it can help forensics companies analyzing traffic from compromises ... and help build tools that analyze these Trojans, and provide signatures [to detect them]."

Vulnerability research into attacker tools is rare, but not unheard of. "It's very rare to see this type of research," Villamil says.

RATs, which typically provide keylogging, screen and camera capture, file management, remote code execution, and password sniffing, give the attacker a foothold on the infected machine and, through it, inside the targeted organization.

[ Criminals are using phishing e-mails, keystroke loggers, and Remote Access Trojans to steal financial employee login credentials. See FBI Warns Of Scams Targeting Financial Industry. ]

Alongside their research paper (PDF), the researchers released tools for decrypting RAT traffic and proof-of-concept exploits for the bugs they found. The RATs use weak, or no, encryption: Bandook, for example, relies on obfuscation rather than encryption to protect its traffic between the victim's machine and the command-and-control (C&C) server.

Such weaknesses in the command-and-control communications themselves can be useful to incident response, says Greg Hoglund, CTO at ManTech CSI and founder of HBGary, now a division of ManTech. "That's a clear, usable piece of intelligence. You want to decrypt what they are doing in their network," Hoglund says. "If you're recording information during incident response ... you can see what directories are being queried, what files they are searching for."

Hoglund says this type of intelligence could be used to regain control over the computers infected with the RAT, as well as to intercept command-and-control traffic.

Matasano's Villamil notes that, legally, organizations can't hack back at the attacker. But knowing the weaknesses in the attacker's RAT can tell them what specific information or types of files the attackers are after, and allows for some disinformation defense. "They could feed him false data, or secure what he has access to," he says.

The downside is that exposing holes in these tools tips off attackers, who may ditch the flawed tools for others, he says. Even so, the tools studied by the Matasano interns are openly available ones not typically employed by more sophisticated and well-financed attackers, he says. "More sophisticated attackers employ custom tools ... for exfiltrating data," he says.

What do the flaws in the RATs say about their creators? "In my opinion, people who make this type of tool are not good programmers, just from looking at the way the code is laid out," Villamil says. In addition to the glaringly weak encryption, some of the tools include code cut and pasted from various sources, he says.

"The people using those tools either don't realize how weak they are, or they don't care," he says.

The RATs studied in the research project were all written in Delphi. "This gave the RATs some resilience against classical security mistakes (buffer/heap overflows) that are much easier to make in a language like C or C++. However, we still found serious vulnerabilities in DarkComet, which was the most widely deployed of the RATs we studied. Our analysis of the communications should provide a solid foundation for other researchers interested in further reverse engineering and vulnerability research on RATs," the researchers wrote.

"A good understanding of their protocols is critical to network and system administrators deploying tools that can notice the presence of a RAT," they said.
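The following is an added example written for this article; it is not code from the Matasano paper, nor the real Bandook or DarkComet protocol. It models three points made above: that C&C traffic which is merely obfuscated with a key baked into the RAT binary can be decoded from a single capture, that the decoded commands yield the kind of incident-response intelligence Hoglund describes (which directories the operator listed), and that the same protocol understanding becomes a detector. The COMMAND|ARGUMENT framing, the heartbeat text, the key length and value, and the captured session are all constructed assumptions for the example.

```python
"""
Hypothetical RAT C&C "obfuscation" and what a defender can do with it.
Nothing here is taken from a real RAT; every constant is constructed.
"""
import itertools

EMBEDDED_KEY = b"r4tk3y!!"     # hypothetical key shipped in every build of the RAT
HEARTBEAT = b"PING|ONLINE"     # hypothetical first message of every session
KEY_LEN = 8                    # assumed known from reversing the RAT binary


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call obfuscates and de-obfuscates."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def recover_key(first_message: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: keystream = ciphertext XOR plaintext.
    Because the key is fixed and the first message is predictable, one
    captured session is enough; no access to the attacker's server is needed."""
    if min(len(first_message), len(known_plaintext)) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and plaintext")
    return bytes(c ^ p for c, p in zip(first_message[:key_len], known_plaintext[:key_len]))


def parse_message(plain: bytes) -> tuple[str, str]:
    """Split a de-obfuscated COMMAND|ARGUMENT frame."""
    cmd, _, arg = plain.partition(b"|")
    return cmd.decode("latin-1"), arg.decode("latin-1")


def decode_session(session: list[bytes], key: bytes) -> list[tuple[str, str]]:
    return [parse_message(xor_obfuscate(m, key)) for m in session]


def investigate(session: list[bytes]) -> list[tuple[str, str]]:
    """What an incident responder does with a capture: recover the key from
    the heartbeat, then read every command the operator issued."""
    key = recover_key(session[0], HEARTBEAT, KEY_LEN)
    return decode_session(session, key)


def directories_queried(decoded: list[tuple[str, str]]) -> list[str]:
    """Which directories the operator listed during the session."""
    return [arg for cmd, arg in decoded if cmd == "LISTDIR"]


def looks_like_rat(payload: bytes, key: bytes) -> bool:
    """Detection rule: de-obfuscate with the fixed key and test the framing.
    This works only because every infection shares the same key; real
    encryption with a per-session key would defeat this check."""
    plain = xor_obfuscate(payload, key)
    cmd, sep, _ = plain.partition(b"|")
    return sep == b"|" and cmd.isalpha() and cmd.isupper()


# A constructed "capture" of one session, as the hypothetical RAT would put it on the wire.
CAPTURED_SESSION = [xor_obfuscate(m, EMBEDDED_KEY) for m in (
    HEARTBEAT,
    b"LISTDIR|C:\\Users\\finance\\Documents",
    b"LISTDIR|C:\\Users\\finance\\Desktop\\Q3",
    b"DOWNLOAD|C:\\Users\\finance\\Documents\\payroll.xlsx",
    b"KEYLOG|START",
)]

if __name__ == "__main__":
    decoded = investigate(CAPTURED_SESSION)
    for cmd, arg in decoded:
        print(f"{cmd:9} {arg}")
    print("directories listed:", directories_queried(decoded))
    print("flagged as RAT traffic:", [looks_like_rat(p, EMBEDDED_KEY) for p in CAPTURED_SESSION])
```

The design point is the difference between obfuscation and encryption: a fixed key recovered from one capture decodes every other victim's traffic and doubles as a network signature, whereas a properly negotiated per-session key would leave the responder with nothing to recover and nothing to match on.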

But even with their weaknesses, RATs are still effective tools for cyberespionage and other persistent threats, Villamil says. "Even with the holes, RATs do the job. Once an attacker is inside, they don't care if you find the tools or if you find out information about it," he says. "They have an objective."


Kelly Jackson Higgins is Senior Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
