To Catch a Ratter: Monitoring the Behavior of Amateur DarkComet RAT Operators in the Wild
Authors: Brown Farinholt, Mohammad Rezaeirad, Paul Pearce, Hitesh Dharmdasani, Haikuo Yin, Stevens Le Blond, Damon McCoy, Kirill Levchenko
Presented by: Ben Mitchell
Motivation - Current problems
- Recent shift from large-scale threats like botnets to lower-volume threats designed to target specific users or systems.
- Increase in human-operated malware such as remote access trojans (RATs).
- Surprisingly, there is a lack of understanding of RATs.
- Low barrier to entry: many tutorials help people learn to use RATs.
Motivation - Goal of the paper
- To better understand the behavior of RAT operators in realistic situations.
Background - What is a RAT?
- Remote access trojan.
- Usually downloaded invisibly along with a benign program, such as a game, or sent as an email attachment.
- Controlled individually by a remote human operator.
- Gives the operator full administrative control over the target computer.
Background - What can RATs be used for?
- File access
- Webcam access
- Microphone access
- Launching attacks
- Remote desktop (RDP)
- Keylogging credentials
Background - RAT infection process
Background - DarkComet
- A popular commercial RAT.
- Allows an operator to control the infected system through a graphical user interface.
- Commonly used to spy on victims by taking screen captures, key-logging, or interacting with webcams/microphones.
Methodology - Sample collection
- VirusTotal is an online service that analyzes files and URLs, enabling the identification of viruses, worms, and trojans.
- VirusTotal was used to obtain 19,109 samples of DarkComet malware.
Methodology - Sample extraction
- DarkComet offers two runtime packing options, UPX and MPress.
- Of the 19,109 samples collected: 18% were packed with UPX or MPress, 74% were not packed, and 8% were malformed.
Methodology - Sample extraction
- In total 17,516 samples were unpacked.
- When unpacked, the following was collected from each sample: the password used to encrypt the controller network traffic; the version of DarkComet used; and a list of addresses of the stub's controller (domain names, IP addresses, and ports).
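The first triage step on the previous slide (sorting samples into packed, not packed, and malformed) can be done from the PE section table alone, because UPX and MPress name their sections distinctively. The following is an added example, not code from the paper or the presenter; the section-name markers are well-known packer conventions, and make_minimal_pe() builds a constructed header-only fixture so the parser can be exercised without real malware. Extracting the password, version and controller list is a separate per-version step that the slide does not detail, so it is not shown here.

```python
import struct

# Section names written by the UPX and MPress packers (well-known packer
# markers, assumed here; the slides only name the packers, not their markers).
PACKER_SECTION_MARKERS = {
    "UPX": (b"UPX0", b"UPX1", b"UPX2"),
    "MPress": (b".MPRESS1", b".MPRESS2"),
}


def parse_section_names(data: bytes) -> list:
    """Return the section names of a PE image; raise ValueError if the headers are malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt              # section table follows the optional header
    if num_sections == 0 or table + 40 * num_sections > len(data):
        raise ValueError("section table truncated")
    names = []
    for i in range(num_sections):             # each IMAGE_SECTION_HEADER is 40 bytes, name first
        raw = data[table + 40 * i: table + 40 * i + 8]
        names.append(raw.rstrip(b"\0"))
    return names


def classify_sample(data: bytes) -> str:
    """Bucket a sample as 'packed:<packer>', 'not packed' or 'malformed', as on the slide."""
    try:
        names = parse_section_names(data)
    except ValueError:
        return "malformed"
    for packer, markers in PACKER_SECTION_MARKERS.items():
        if any(n in markers for n in names):
            return f"packed:{packer}"
    return "not packed"


def triage_corpus(samples) -> dict:
    """Count a corpus into the three slide buckets (all packers collapsed into 'packed')."""
    counts = {"packed": 0, "not packed": 0, "malformed": 0}
    for s in samples:
        bucket = classify_sample(s)
        counts["packed" if bucket.startswith("packed:") else bucket] += 1
    return counts


def make_minimal_pe(section_names) -> bytes:
    """Constructed fixture: a header-only PE32 image with the given section names.
    Not an executable, just enough structure for parse_section_names()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header right after the DOS header
    size_opt = 0xE0                            # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    table = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(size_opt) + table


if __name__ == "__main__":
    corpus = [
        make_minimal_pe([b"UPX0", b"UPX1", b".rsrc"]),
        make_minimal_pe([b".MPRESS1", b".MPRESS2"]),
        make_minimal_pe([b".text", b".data", b".rsrc"]),
        b"not a PE file at all",
    ]
    print(triage_corpus(corpus))
```

A sample that parses but carries no packer marker lands in "not packed"; anything whose MZ/PE headers or section table do not check out is "malformed", which is the same three-way split the slide reports for the 19,109 samples.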
Methodology - Scanning
- When a host infected by DarkComet establishes contact with a controller over TCP, the controller replies with a specific message.
- To find controllers, one can open a socket to a candidate address and wait for that specific message.
- Two tools are used to carry out this scanning: ZMap and Shodan.
Methodology - Controller monitoring
- Of the 17,516 samples unpacked, 13,339 valid controller addresses (domain names, IP addresses, ports) were obtained.
- Extracted domain names were resolved hourly through DNS.
- Over the course of the project these 13,339 addresses were linked to 9,877 unique operators (unique DarkComet controllers).
Methodology - Operator monitoring
- Two separate experiments, each lasting 2 weeks.
- Goal of the experiments: to monitor the behavior of live DarkComet operators on realistic machines.
- Samples were selected and installed from the previously collected DarkComet malware.
- 1,165 samples were used in 2,747 total runs.
- Methods used to select which samples were run
Methodology - Experiment 1
- 20 identical honeypots used to host DarkComet malware.
- Each honeypot received similar responses from operators.
- Encrypted network traffic between operator and host was recorded.
Methodology - Experiment 2
- 8 honeypots used to host DarkComet malware.
- Each honeypot has a carefully designed, unique persona: College student, Male PC gamer, Male Doctor, Bitcoin miner, Bank Teller, Control (unmodified), Female political figure, Male Academic researcher.
Methodology - Behavioral Reconstruction
- Recorded network traffic was decrypted using the passwords gathered from unpacking the DarkComet samples.
- DarkComet network signatures were gathered from static analysis and exhaustive testing.
- The signature engine takes the decrypted recorded traffic and returns the source and the action carried out, e.g. "operator accessed webcam <Timestamp>".
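A minimal version of that signature engine, added here as an example and not taken from the paper or the presentation: it runs a signature table over already-decrypted messages, emits (timestamp, source, action) events, and then derives the two things the results slides are built from, the order of distinct operator actions and how long a feature such as RDP was kept open. The command tokens in SIGNATURES and SAMPLE_LOG are constructed placeholders for this example; the slide says DarkComet's real signatures came from static analysis and exhaustive testing and does not list them.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Message:
    ts: datetime
    src: str    # "operator" (controller -> stub) or "host" (stub -> controller)
    text: str   # decrypted payload


@dataclass
class Event:
    ts: datetime
    src: str
    action: str


# Constructed signature table: placeholder tokens, NOT DarkComet's real protocol strings.
SIGNATURES = [
    (re.compile(r"^CMD:WEBCAM\|START"), "webcam start"),
    (re.compile(r"^CMD:WEBCAM\|STOP"), "webcam stop"),
    (re.compile(r"^CMD:RDP\|START"), "rdp start"),
    (re.compile(r"^CMD:RDP\|STOP"), "rdp stop"),
    (re.compile(r"^CMD:FILES\|LIST\|"), "file listing"),
    (re.compile(r"^CMD:KEYLOG\|DUMP"), "keylog dump"),
    (re.compile(r"^CMD:PASSWORDS\|GET"), "credential grab"),
]


def parse_log(lines):
    """Parse constructed 'ISO-timestamp<TAB>src<TAB>payload' lines into Messages."""
    out = []
    for line in lines:
        ts, src, text = line.rstrip("\n").split("\t", 2)
        out.append(Message(datetime.fromisoformat(ts), src, text))
    return out


def reconstruct(messages):
    """Signature engine: map each decrypted message to an Event; unmatched traffic
    (responses, keepalives) is deliberately dropped. Output is time-ordered."""
    events = []
    for m in messages:
        for pattern, action in SIGNATURES:
            if pattern.search(m.text):
                events.append(Event(m.ts, m.src, action))
                break
    events.sort(key=lambda e: e.ts)
    return events


def action_order(events):
    """Distinct operator features in the order first used (first, second, ..., last action).
    'x start'/'x stop' collapse to the feature name 'x'."""
    seen = []
    for e in events:
        feature = e.action.replace(" start", "").replace(" stop", "")
        if e.src == "operator" and feature not in seen:
            seen.append(feature)
    return seen


def active_duration(events, feature, session_end):
    """Seconds the operator kept `feature` open, from start/stop pairs.
    A start with no matching stop runs until session_end; a stray stop is ignored."""
    total = timedelta()
    opened = None
    for e in events:
        if e.action == f"{feature} start" and opened is None:
            opened = e.ts
        elif e.action == f"{feature} stop" and opened is not None:
            total += e.ts - opened
            opened = None
    if opened is not None:
        total += session_end - opened
    return total.total_seconds()


# Constructed session: one operator connection to one honeypot, already decrypted.
SAMPLE_LOG = [
    "2016-01-12T14:02:10\toperator\tCMD:FILES|LIST|C:\\Users\\",
    "2016-01-12T14:02:11\thost\tRESP:FILES|Desktop;Documents;Downloads",
    "2016-01-12T14:02:40\toperator\tCMD:PASSWORDS|GET",
    "2016-01-12T14:03:05\toperator\tCMD:RDP|START",
    "2016-01-12T14:03:06\thost\tPING",
    "2016-01-12T14:09:05\toperator\tCMD:RDP|STOP",
    "2016-01-12T14:09:30\toperator\tCMD:WEBCAM|START",
    "2016-01-12T14:10:00\toperator\tCMD:RDP|STOP",   # stray stop, no open RDP session
]
SESSION_END = datetime.fromisoformat("2016-01-12T14:15:00")  # constructed disconnect time


if __name__ == "__main__":
    ev = reconstruct(parse_log(SAMPLE_LOG))
    for e in ev:
        print(f"{e.src} {e.action} <{e.ts.isoformat()}>")
    print("order:", action_order(ev))
    print("rdp seconds:", active_duration(ev, "rdp", SESSION_END))
```

Everything the engine does not recognise is dropped rather than guessed at, so an incomplete signature table shows up as missing actions, not wrong ones; the unpaired webcam start in the sample is charged up to the session end, which is the conservative choice for an interaction-duration metric.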
Results - Who is using RATs?
Image credit: http://www.pngall.com/technology-png
Figures: countries of the IP addresses of scanned DarkComet controllers; user types of the IP addresses of scanned DarkComet controllers.
- Large number of Turkish and Russian addresses.
- Casual ratters from residential areas.
Results - When are RAT operators active?
- Most active after midday.
- More active on weekends than weekdays.
Results - What actions RAT operators take
Figure: sequence of operator actions per session (first action, second action, third action, fourth action, last action).
Results - Motives
- 61% User access (webcam, mic, chat, pics, documents)
- 58% Credentials (Steam accounts, bitcoin wallets, email accounts)
- 16% Vantage point (DDoS attacks, fraud, deploying hacking tools)
Results - Operator interaction
- Operators used RDP actively for longer durations when personas were present.
- Overall similar levels of total operator connection time across honeypots.
- 5 personas produced higher average operator interaction durations than the control honeypot.
- Operators were most interested in the Bank Teller persona.
Results - Criticism
- Only DarkComet samples are analyzed, leading to potentially skewed results.
- Other RATs to consider: Sub7, BlackShades, NetBus, Back Orifice, jSpy.
Results - Criticism
- Only taking samples from VirusTotal.
- Potentially missing more skilled operators whose samples are not detected.
- Heavy emphasis on casual ratters.
Results - Criticism
Figure: persona results (Control, Male PC gamer, Male Doctor, Female political figure, Male Academic researcher, Bitcoin miner, College student, Bank Teller).
- Analysis of the persona results was not detailed enough.
- Operator actions on each persona were not discussed individually.
- Reasoning for each persona being chosen was not given.
Thank You Questions?