
10/11/2012
05:19 PM

Popular RATs Found Riddled With Bugs, Weak Crypto

Research by former interns for Matasano Security exposes flaws in remote administration tools

RATs have bugs, too: New research shows that remote administration tools often used for spying and targeted attacks contain common flaws that ultimately could be exploited to help turn the tables on the attackers.

Two Matasano Security interns recently published the vulnerabilities they found while reverse-engineering four popular RATs: DarkComet, Bandook, CyberGate, and Xtreme RAT. Shawn Denbow of Rensselaer Polytechnic Institute and Jesse Hertz of Brown University, both undergraduate computer science students now in their senior year, found that the RATs contain flaws common in mainstream software, such as SQL injection, arbitrary file reading, and weak encryption.

"This shows that it is possible, and that it's not hard, to pick apart attacker tools and come up with proactive defenses against them," says John Villamil, senior security consultant with Matasano, who served as Denbow and Hertz's adviser for the project. "If nothing else, it can help forensics companies analyzing traffic from compromises ... and help build tools that analyze these Trojans, and provide signatures [to detect them]."

Vulnerability research into attacker tools is rare, but not unheard of. "It's very rare to see this type of research," Villamil says.

RATs typically provide keylogging, screen and camera capture, file management, code execution, and password sniffing, which gives the attacker a foothold on the infected machine and, through it, in the targeted organization.


Alongside their research paper (PDF), the researchers released tools for decrypting RAT traffic and proof-of-concept exploits for the bugs they found. The RATs themselves use weak, or no, encryption: Bandook, for example, uses obfuscation rather than encryption to protect the traffic between the victim's machine and the C&C server.

Such vulnerabilities in the command-and-control communications itself can be useful to incident response, says Greg Hoglund, CTO at ManTech CSI and founder of HBGary, now a division of ManTech. "That's a clear, usable piece of intelligence. You want to decrypt what they are doing in their network," Hoglund says. "If you're recording information during incident response ... you can see what directories are being queried, what files they are searching for."

Hoglund says this type of intelligence could be used to regain control over the computers infected with the RAT, as well as to intercept command-and-control traffic.
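The "obfuscation, not encryption" point above, and Hoglund's point about reading the attacker's commands out of a recorded session, can be demonstrated with a short script. This is an added example, not code from the Matasano paper or from any of the RATs it studied. The wire format it uses (a fixed 16-byte banner, then '|'-separated fields, with the whole message XORed against a 16-byte repeating key) is a hypothetical stand-in for that kind of obfuscation, not Bandook's or any other RAT's real protocol, and the captured session is constructed. The defender never needs key material from the implant: because XOR is its own inverse, one message with a known banner gives up the key, and the rest of the session decodes with it.

```python
"""Known-plaintext recovery of a repeating-key XOR obfuscation layer on RAT
command-and-control traffic, then decoding a captured session to list the
directories and files the operator asked for.

Added example; not code from the Matasano paper or from DarkComet, Bandook,
CyberGate or Xtreme RAT. The wire format (fixed 16-byte banner, then
'|'-separated fields, whole message XORed with a 16-byte repeating key) is a
hypothetical stand-in for "obfuscation, not encryption"; the capture below is
constructed for the example.
"""
from itertools import cycle
from typing import Iterable, List, Tuple

KEY_LEN = 16                         # assumption: the key repeats every 16 bytes
BANNER = b"RATPROTO/1.0|CMD"         # assumption: fixed 16-byte message header
assert len(BANNER) == KEY_LEN


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply (or remove; XOR is an involution) a repeating-key XOR."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(obfuscated: bytes, known_prefix: bytes = BANNER,
                key_len: int = KEY_LEN) -> bytes:
    """ciphertext XOR plaintext == key stream. With key_len bytes of known
    plaintext at a known offset, the whole repeating key falls out of a
    single message; nothing has to be pulled from the RAT binary."""
    if len(known_prefix) < key_len or len(obfuscated) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return xor_bytes(obfuscated[:key_len], known_prefix[:key_len])


def decode_capture(messages: Iterable[bytes], key: bytes) -> List[str]:
    """Strip the obfuscation from every message of a captured session."""
    return [xor_bytes(m, key).decode("ascii", errors="replace") for m in messages]


def is_rat_message(raw: bytes, key: bytes) -> bool:
    """Signature-style check: under the recovered key, does this message
    start with the protocol banner? Cheap enough to run on every flow."""
    return len(raw) >= KEY_LEN and xor_bytes(raw[:KEY_LEN], key) == BANNER


def queried_paths(decoded: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (verb, path) for the file-system commands in the session.
    LISTDIR and GETFILE are hypothetical verbs of the stand-in protocol."""
    found = []
    for msg in decoded:
        fields = msg.split("|")
        # layout: RATPROTO/1.0 | CMD | <verb> | <argument>
        if len(fields) >= 4 and fields[2] in ("LISTDIR", "GETFILE"):
            found.append((fields[2], fields[3]))
    return found


# --- constructed sample session: what the implant would put on the wire -----
OPERATOR_KEY = bytes.fromhex("5a1f33c8e94d027bb6e0f1c29a7d4e13")  # not known to the defender
PLAINTEXT_SESSION = [
    b"RATPROTO/1.0|CMD|LISTDIR|C:\\Users\\finance\\Documents",
    b"RATPROTO/1.0|CMD|GETFILE|C:\\Users\\finance\\Documents\\wire-q3.xlsx",
    b"RATPROTO/1.0|CMD|KEYLOG|ON",
]
CAPTURE = [xor_bytes(m, OPERATOR_KEY) for m in PLAINTEXT_SESSION]
NOISE = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"   # unrelated flow, constructed


def analyze(capture=CAPTURE):
    """Defender side: recover the key from the first message's banner, decode
    the whole session, and list what the operator went after."""
    key = recover_key(capture[0])
    decoded = decode_capture(capture, key)
    return key, decoded, queried_paths(decoded)


if __name__ == "__main__":
    key, decoded, paths = analyze()
    print("recovered key:", key.hex())
    for line in decoded:
        print("  ", line)
    print("file-system targets:", paths)
    print("unrelated HTTP flow flagged as RAT?", is_rat_message(NOISE, key))
```

Real RATs rarely make it this easy in one step, but the principle carries: any scheme whose key is fixed in the binary or derivable from traffic is obfuscation, and a recorded session can be replayed through a decoder after the fact. That is the "usable piece of intelligence" for incident response, and the banner check is the seed of a network signature.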

Matasano's Villamil says legally, organizations obviously can't hack back at the attacker. But knowing weaknesses in the attacker's RAT can give them the intelligence on what specific information or type of files the attackers are after, and allow for some disinformation defense. "They could feed him false data, or secure what he has access to," he says.

The downside is that exposing holes in these tools tips off attackers to ditch the flawed tools for other ones, he says. Even so, the tools studied by the Matasano interns are openly available ones not typically employed by more sophisticated and financed attackers, he says. "More sophisticated attackers employ custom tools ... for exfiltrating data," he says.

What do the flaws in the RATs say about their creators? "In my opinion, people who make this type of tool are not good programmers, just from looking at the way the code is laid out," Villamil says. In addition to the glaringly weak encryption, some of the tools included cut-and-pasted code from various sources, he says.

"The people using those tools either don't realize how weak they are, or they don't care," he says.

The RATs studied in the research project were all written in Delphi. "This gave the RATs some resilience against classical security mistakes (buffer/heap overflows) that are much easier to make in a language like C or C++. However, we still found serious vulnerabilities in DarkComet, which was the most widely deployed of the RATs we studied. Our analysis of the communications should provide a solid foundation for other researchers interested in further reverse engineering and vulnerability research on RATs," the researchers wrote.

"A good understanding of their protocols is critical to network and system administrators deploying tools that can notice the presence of a RAT," they said.

But even with their weaknesses, RATs are still effective tools for cyberespionage and other persistent threats, Villamil says. "Even with the holes, RATs do the job. Once an attacker is inside, they don't care if you find the tools or if you find out information about it," he says. "They have an objective."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
