Popular RATs Found Riddled With Bugs, Weak Crypto

Research by former interns for Matasano Security exposes flaws in remote administration tools
RATs have bugs, too: New research shows that remote administration tools often used for spying and targeted attacks contain common flaws that ultimately could be exploited to help turn the tables on the attackers.

A pair of interns for Matasano Security recently published their findings of vulnerabilities they discovered while reverse-engineering popular RATs, specifically DarkComet, Bandook, CyberGate, and Xtreme RAT. Shawn Denbow of Rensselaer Polytechnic Institute and Jesse Hertz of Brown University, both undergraduate computer science students now in their senior year, found that the RATs contain flaws common in mainstream software, such as SQL injection, arbitrary file reading, and weak encryption.

"This shows that it is possible, and that it's not hard, to pick apart attacker tools and come up with proactive defenses against them," says John Villamil, senior security consultant with Matasano, who served as Denbow and Hertz's adviser for the project. "If nothing else, it can help forensics companies analyzing traffic from compromises ... and help build tools that analyze these Trojans, and provide signatures [to detect them]."

Vulnerability research into attacker tools is rare, but not unheard of. "It's very rare to see this type of research," Villamil says.

RATs, which typically conduct keylogging, screen and camera capture, file management, code execution, and password-sniffing, for example, basically give the attacker a foothold in the infected machine as well as the targeted organization.

[ Criminals are using phishing e-mails, keystroke loggers, and Remote Access Trojans to steal financial employee login credentials. See FBI Warns Of Scams Targeting Financial Industry. ]

The researchers, in conjunction with their research paper (PDF), released tools for decrypting RAT traffic and proof-of-concept exploits for the bugs they found. They found that the tools include weak, or no, encryption: Bandook, for example, uses obfuscation, not encryption, to protect its traffic between the victim's machine and the C&C server.

Such vulnerabilities in the command-and-control communications itself can be useful to incident response, says Greg Hoglund, CTO at ManTech CSI and founder of HBGary, now a division of ManTech. "That's a clear, usable piece of intelligence. You want to decrypt what they are doing in their network," Hoglund says. "If you're recording information during incident response ... you can see what directories are being queried, what files they are searching for."

Hoglund says this type of intelligence could be used to regain control over the computers infected with the RAT, as well as to intercept command-and-control traffic.

Matasano's Villamil says legally, organizations obviously can't hack back at the attacker. But knowing weaknesses in the attacker's RAT can give them the intelligence on what specific information or type of files the attackers are after, and allow for some disinformation defense. "They could feed him false data, or secure what he has access to," he says.

The downside is that exposing holes in these tools tips off attackers to ditch the flawed tools for other ones, he says. Even so, the tools studied by the Matasano interns are openly available ones not typically employed by more sophisticated and financed attackers, he says. "More sophisticated attackers employ custom tools ... for exfiltrating data," he says.

What do the flaws in the RATs say about their creators? "In my opinion, people who make this type of tools are not good programmers, just from looking at the way the code is laid out," Villamil says. In addition to the glaringly weak encryption, some of the tools included cut-and-pasted code from various sources, he says.

"The people using those tools either don't realize how weak they are, or they don't care," he says.

The RATs studied in the research project were all written in Delphi language. "This gave the RATs some resilience against classical security mistakes (buffer/heap overflows) that are much easier to make in a language like C or C++. However, we still found serious vulnerabilities in DarkComet, which was the most widely deployed of the RATs we studied. Our analysis of the communications should provide a solid foundation for other researchers interested in further reverse engineering and vulnerability research on RATs," the researchers wrote.

"A good understanding of their protocols is critical to network and system administrators deploying tools that can notice the presence of a RAT," they said.

But even with their weaknesses, RATs are still effective tools for cyberspionage and other persistent threats, Villamil says. "Even with the holes, RATs do the job. Once an attacker is inside, they don't care if you find the tools or if you find out information about it," he says. "They have an objective."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5