Vulnerabilities / Threats
10/11/2012
05:19 PM

Popular RATs Found Riddled With Bugs, Weak Crypto

Research by former interns for Matasano Security exposes flaws in remote administration tools

RATs have bugs, too: New research shows that remote administration tools often used for spying and targeted attacks contain common flaws that ultimately could be exploited to help turn the tables on the attackers.

A pair of interns for Matasano Security recently published their findings of vulnerabilities they discovered while reverse-engineering popular RATs, specifically DarkComet, Bandook, CyberGate, and Xtreme RAT. Shawn Denbow of Rensselaer Polytechnic Institute and Jesse Hertz of Brown University, both undergraduate computer science students now in their senior year, found that the RATs contain flaws common in mainstream software, such as SQL injection, arbitrary file reading, and weak encryption.

"This shows that it is possible, and that it's not hard, to pick apart attacker tools and come up with proactive defenses against them," says John Villamil, senior security consultant with Matasano, who served as Denbow and Hertz's adviser for the project. "If nothing else, it can help forensics companies analyzing traffic from compromises ... and help build tools that analyze these Trojans, and provide signatures [to detect them]."

Vulnerability research into attacker tools is rare, but not unheard of. "It's very rare to see this type of research," Villamil says.

RATs typically offer keylogging, screen and webcam capture, file management, remote code execution, and password sniffing. Together these give the attacker a persistent foothold on the infected machine, and through it a foothold in the targeted organization.


The researchers, in conjunction with their research paper (PDF), released tools for decrypting RAT traffic and proof-of-concept exploits for the bugs they found. They found that the tools include weak, or no, encryption: Bandook, for example, uses obfuscation, not encryption, to protect its traffic between the victim's machine and the C&C server.

Such vulnerabilities in the command-and-control communications itself can be useful to incident response, says Greg Hoglund, CTO at ManTech CSI and founder of HBGary, now a division of ManTech. "That's a clear, usable piece of intelligence. You want to decrypt what they are doing in their network," Hoglund says. "If you're recording information during incident response ... you can see what directories are being queried, what files they are searching for."

Hoglund says this type of intelligence could be used to regain control over the computers infected with the RAT, as well as to intercept command-and-control traffic.

Matasano's Villamil says legally, organizations obviously can't hack back at the attacker. But knowing weaknesses in the attacker's RAT can give them the intelligence on what specific information or type of files the attackers are after, and allow for some disinformation defense. "They could feed him false data, or secure what he has access to," he says.

The downside is that exposing holes in these tools tips off attackers to ditch the flawed tools for other ones, he says. Even so, the tools studied by the Matasano interns are openly available ones not typically employed by more sophisticated and financed attackers, he says. "More sophisticated attackers employ custom tools ... for exfiltrating data," he says.

What do the flaws in the RATs say about their creators? "In my opinion, people who make this type of tools are not good programmers, just from looking at the way the code is laid out," Villamil says. In addition to the glaringly weak encryption, some of the tools included cut-and-pasted code from various sources, he says.

"The people using those tools either don't realize how weak they are, or they don't care," he says.

The RATs studied in the research project were all written in Delphi language. "This gave the RATs some resilience against classical security mistakes (buffer/heap overflows) that are much easier to make in a language like C or C++. However, we still found serious vulnerabilities in DarkComet, which was the most widely deployed of the RATs we studied. Our analysis of the communications should provide a solid foundation for other researchers interested in further reverse engineering and vulnerability research on RATs," the researchers wrote.

"A good understanding of their protocols is critical to network and system administrators deploying tools that can notice the presence of a RAT," they said.
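The two points above, that obfuscation is not encryption (the Bandook observation) and that a defender must understand the protocol before writing a detector, can be shown with a small worked example. The code below is added here; it is not from the Matasano paper, its released tools, or any real RAT. The wire format (a 2-byte length prefix, a fixed "CMD|" tag, a short repeating-key XOR) and the command vocabulary are assumptions invented for the illustration. The defender side recovers the key from a single captured frame with a known-plaintext attack, then decodes the whole session: exactly what a real cipher, keyed properly, would not allow.

```python
"""Hypothetical RAT C&C obfuscation and defender-side recovery.

Added example: NOT the protocol of Bandook, DarkComet, CyberGate or Xtreme RAT.
Framing, tag, verbs and the XOR scheme are assumptions for illustration only.
"""

# Assumed wire format: 2-byte big-endian length, then the command text XORed
# with a short repeating key. Every command starts with TAG and uses SEP.
TAG = b"CMD|"
SEP = b"|"
KNOWN_VERBS = {b"LIST", b"GET", b"KEYLOG", b"SHOT", b"EXEC"}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so one routine obfuscates and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def frame(command: bytes, key: bytes) -> bytes:
    """What the hypothetical RAT puts on the wire for one command."""
    body = xor_bytes(command, key)
    return len(body).to_bytes(2, "big") + body


def split_frames(stream: bytes):
    """Walk a captured byte stream and yield each length-prefixed body."""
    pos = 0
    while pos + 2 <= len(stream):
        n = int.from_bytes(stream[pos:pos + 2], "big")
        body = stream[pos + 2:pos + 2 + n]
        if len(body) < n:
            break  # truncated capture: stop rather than mis-parse
        yield body
        pos += 2 + n


def recover_key(body: bytes, crib: bytes = TAG, keylen: int = 4) -> bytes:
    """Known-plaintext recovery. Because every command begins with the same
    tag, XORing the first keylen ciphertext bytes with the tag returns the
    key. A real cipher must not leak its key from known plaintext; this
    obfuscator does, which is the whole point of the article's observation."""
    if len(crib) < keylen:
        raise ValueError("crib shorter than key length")
    return xor_bytes(body[:keylen], crib[:keylen])


def decode(body: bytes, key: bytes):
    """Return (verb, args) if body decodes to a well-formed command under key,
    else None. The same check is what a network detector needs: a frame that
    decodes to a valid command under a recovered key is a positive hit."""
    plain = xor_bytes(body, key)
    if not plain.startswith(TAG):
        return None
    fields = plain[len(TAG):].split(SEP)
    if fields[0] not in KNOWN_VERBS:
        return None
    return fields[0].decode(), [f.decode(errors="replace") for f in fields[1:]]


def analyze_capture(stream: bytes):
    """Defender workflow: try key lengths 1..len(TAG) against the first frame,
    keep the first key that yields a valid command, decode every frame with
    it. Returns (key, [(verb, args), ...]) or (None, []) on failure."""
    frames = list(split_frames(stream))
    if not frames:
        return None, []
    key = None
    for keylen in range(1, len(TAG) + 1):
        candidate = recover_key(frames[0], TAG, keylen)
        if decode(frames[0], candidate) is not None:
            key = candidate
            break
    if key is None:
        return None, []
    decoded = []
    for body in frames:
        cmd = decode(body, key)
        if cmd is not None:
            decoded.append(cmd)
    return key, decoded


# Constructed sample traffic (assumption): one operator session, obfuscated
# with a key the defender does not know in advance.
SESSION_KEY = b"\x5a\x13\xc4\x77"
CAPTURE = b"".join(frame(c, SESSION_KEY) for c in (
    b"CMD|LIST|C:\\Users\\finance\\Documents",
    b"CMD|GET|C:\\Users\\finance\\Documents\\wire_transfers.xlsx",
    b"CMD|KEYLOG|start",
))

if __name__ == "__main__":
    key, cmds = analyze_capture(CAPTURE)
    print("recovered key:", key.hex())
    for verb, args in cmds:
        print(verb, args)
```

Run against the constructed capture, the analyst recovers the session key from the first frame alone and reads which directory was listed and which file was pulled, the kind of intelligence Hoglund describes. The same `decode` check, applied to live traffic with the recovered key, is the basis of a detection rule; the point the researchers make is that writing that rule first requires reverse-engineering the framing and tag.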

But even with their weaknesses, RATs are still effective tools for cyberespionage and other persistent threats, Villamil says. "Even with the holes, RATs do the job. Once an attacker is inside, they don't care if you find the tools or if you find out information about it," he says. "They have an objective."


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
