Article by:. rown Farinholt, Mohammad Rezaeirad, Paul Pearce, Hitesh

Slides:



Advertisements
Similar presentations
Malware Identification and Classification
Advertisements

Cybersecurity Training in a Virtual Environment By Chinedum Irrechukwu.
Trojan Horse Program Presented by : Lori Agrawal.
Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.
1 GFI LANguard Network Security Scanner. 2 Contents Introduction Features Source & Installation Testing environment Results Conclusion.
1 The Botherd is Coming! Part II The Technical Response Justin Azoff University at Albany EDUCAUSE Live! June 21 st, 2006.
1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.
MIS Week 7 Site:
Automated Malware Analysis
Threats and ways you can protect your computer. There are a number of security risks that computer users face, some include; Trojans Conficker worms Key.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.
JavaScript, Fourth Edition
ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.
Honeypot and Intrusion Detection System
Bots Used to Facilitate Spam Matt Ziemniak. Discuss Snort lab improvements Spam as a vehicle behind cyber threats Bots and botnets What can be done.
2012 4th International Conference on Cyber Conflict C. Czosseck, R. Ottis, K. Ziolkowski (Eds.) 2012 © NATO CCD COE Publications, Tallinn 朱祐呈.
A Multifaceted Approach to Understanding the Botnet Phenomenon Authors : Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis Computer Science.
Hacker’s Strategies Revealed WEST CHESTER UNIVERSITY Computer Science Department Yuchen Zhou March 22, 2002.
Security at NCAR David Mitchell February 20th, 2007.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
CSCE 201 Web Browser Security Fall CSCE Farkas2 Web Evolution Web Evolution Past: Human usage – HTTP – Static Web pages (HTML) Current: Human.
G061 - Network Security. Learning Objective: explain methods for combating ICT crime and protecting ICT systems.
Remote Controller & Presenter Make education more efficiently
Published: Internet Measurement Conference (IMC) 2006 Presented by Wei-Cheng Xiao 2015/11/221.
The Koobface Botnet and the Rise of Social Malware Kurt Thomas David M. Nicol
1 REMOTE CONTROL SYSTEM V7 2 Introduction.
©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.
Mac OS X backdoor Trojan, now in beta? 報告人:劉旭哲. Introduction It targets users of Mac OS X As even the malware itself admits, it is not yet finished. It.
1 Botnets Group 28: Sean Caulfield and Fredrick Young ECE 4112 Internetwork Security Prof. Henry Owen.
Unveiling Zeus Automated Classification of Malware Samples Abedelaziz Mohaisen Omar Alrawi Verisign Inc, VA, USA Verisign Labs, VA, USA
Standard Demo 1 © Hacking Team All Rights Reserved.
Internet Vulnerabilities & Criminal Activity Internet Forensics 12.1 April 26, 2010 Internet Forensics 12.1 April 26, 2010.
SOFTWARE TESTING TRAINING TOOLS SUPPORT FOR SOFTWARE TESTING Chapter 6 immaculateres 1.
Understanding and breaking the cyber kill chain
Penetration Testing Reconnaissance 2
Understanding Cyber Attacks: Technical Aspects of Cyber Kill Chain
Understand Names Resolution
Botnets A collection of compromised machines
CS 492/592: Malware
A Comprehensive Security Assessment of the Westminster College Unix Lab Jacob Shodd.
Modern Honey Net An Introduction.
Malware Reverse Engineering Process
Daniel Kouril, Ivo Nutar Masaryk University
To Catch a Ratter: Monitoring the Behavior of Amateur DarkComet RAT Operators in the Wild By Jun Hao Xu Authors: Brown Farinholt, Mohammad Rezaeiradt,
Malware Reverse Engineering Process
To Catch a Ratter: Monitoring the Behavior of
Security Fundamentals
ADVANCED PERSISTENT THREATS (APTs) - Simulation
Botnets A collection of compromised machines
Welcome To : Group 1 VC Presentation
Database Driven Websites
6. Operating Systems Finger printing & Scanning
System And Application Software
Chapter 3. Basic Dynamic Analysis
11/17/2018 9:32 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
The Internet of Unsecure Things
Chapter 4: Protecting the Organization
Lecture 3: Secure Network Architecture
Acknowledgement Content from the book:
AbbottLink™ - IP Address Overview
CMSC 491/691 Malware Analysis
Crisis and Aftermath Morris worm.
Designing IIS Security (IIS – Internet Information Service)
Features Overview.
Wireless Spoofing Attacks on Mobile Devices
Talking Malware Analysis with MITRE
G061 - Network Security.
Presentation transcript:

To Catch A Ratter Monitoring the Behaviour of Amateur DarkComet RAT Operators in the Wild Article by: rown Farinholt, Mohammad Rezaeirad, Paul Pearce, Hitesh Dharmdasani, Haikuo Yin†Stevens Le Blondk, Damon McCoy, Kirill Levchenko Presented by: Jack Barker

Remote Access Trojans Allows attackers to remotely control an infected machine Operated manually by a human operator (controller) Ransomware and botnets are automated in contrast Webcam / Microphone Filesystem Remote desktop Chat client Keylogging

Remote Access Trojans A target is sent an executable (stub) When the stub is running, it connects to the controller The controller then has unrestricted access to the computer Common theme: accessing a victims computer for personal information DarkComet is a commercial rat with these features, and is the focus of this piece of research

Remote Access Trojans Low barrier of entry Widespread usage Voyeurism Sextortion and Blackmail Surveillance and Espionage Attacks can be targeted, but often a RAT is sent out to multiple victims/spread online Common theme: accessing a victims computer for personal information DarkComet is a commercial rat with these features, and is the focus of this piece of research

Motivation What do rat operators do with the machines they are attacking? Project Goal: Understand the behaviour of RAT operators in the wild What do they do with infected machines? Lots of study on other stuff related to rats This is the first related to controller behaviour What features are used the most? What do the attackers want?

01 02 03 04 Methodology Overview Find DarkComet samples Execute samples in honeypots 02 Record information about how the RATs are used 03 Assess data 04

Procuring Fresh Malware Regularly querying VirusTotal Up to date set of YARA rules Can determine where they were uploaded from (mostly Russia and Turkey) 10 new samples on average per hour 19,109 unique DarkComet samples over the course of the study

Configuration Extraction The encryption keys can be extracted from a stub Communication between controller and stub is encrypted Password Version Campaign ID List of stub controller IP addresses Automatically unpacked and information retrieved 8% malformed 18% packed with Mpress or UPX 17,516 of the samples could be unpacked

Controller Monitoring Continuously probe ever known DarkComet controller to determine if it is online DNS resolution Determine the IP address of DarkComet controllers with a domain Resolved hourly Often used because an operators IP will be changing – operator safety Targeted scanning Scans each DarkComet controller every 30 minutes Addresses taken from configuration extraction 9,877 unique DarkComet controllers

Live Operator Monitoring Two separate ~ two week experiments Purpose: To monitor the behaviour of DarkComet operators in realistic machines by executing the samples gathered Samples for operator monitoring were chosen based on a metric which included how old the sample was and whether the controller was active

Analysis 52.9 hours connected to controller (out of 2400 machine hours) Average session lasted 4 minutes (7 minutes when RDP was used) Webcam Monitoring Password Theft File Exfiltration Audio Capture Keylogging Webcam in 61% of trials Stored passwords in 43% of trials Filesystem in 40% of trials Audio capture and keylogging in just over ¼ of attacks However there was difference seen between sessions which used remote desktop, where 76% of remote desktop sessions attemted to access the webcam compared to only 16% of those who were attacking through the commandline only

Analysis Downloading files from honeypot (8%) Command Line Activity (92 in total) 60% reconnaissance 26% manipulation 10% destruction Visiting URLS, 123 URLS: 26 adult content 13 gaming 7 blogs 48 unique files dropped RAT stubs, worms, scripts Remaining URLS VPN, search, banking, social, and some 404

Analysis Direct Communication 53% harassment 2% extortion 16% misdirection 9% recognition (e.g “HACKED BY #JBAR927”) Very visible 62% of all operators visible to victim

Criticism Only used DarkComet on Windows 7 Other RAT’s could be used differently Victims with different OS may be attacked differently (e.g Linux) Honeypots were very restricted in network access Cuckoo was used to reduce impact of VM Their analysis of Russia and Turkey could be impacted by VPNs Some files dropped during sample extraction not analysed 62% of all operators visible to victim

Conclusions Method for gathering and extracting stubs devised Realistic honeypots used to launch stubs into Cuckoo sandbox used to analyse interaction Majority of attackers made use of remote desktop and attempted to access the webcam and filesystem 62% of all operators visible to victim

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.