1 To Catch a Ratter: Monitoring the Behavior of Amateur DarkComet RAT Operators in the Wild
By Jun Hao Xu Authors: Brown Farinholt, Mohammad Rezaeiradt, Paul Pearce, Hitesh Dharmdasani, Haikuo Yin, Stevens Le Blond, Damon McCoy, Kirill Levchenko

2 RATs (Remote Access Trojans)
What are they? A RAT is a type of malware that gives a remote attacker full interactive access to a victim machine. A RAT can compromise a computer through features such as:
• Capture audio from the microphone
• Capture video from the webcam
• Log keyboard input
• Browse files on the machine
Unlike automated malware, a RAT requires a hands-on operator interacting with each compromised machine.

3 DarkComet: a common off-the-shelf RAT with a dedicated community
[Figures: DarkComet community forum; DarkComet GUI]
DarkComet is a common off-the-shelf RAT with a dedicated community and a low barrier to entry. It exhibits an architecture and communication protocol typical of most RATs.

4 Motivation Knowledge of how RATs are used is limited so this paper explores the motivation and behavior of RAT operators.

5 Methodology 1. Collection
Unique DarkComet samples were obtained by regularly querying VirusTotal Intelligence, an online virus-scanning service. The most common sample sources were Russia and Turkey.

6 Methodology 2. Extraction
Only a subset of samples could be automatically unpacked, as 8% of samples were malformed. From each unpacked sample, we extracted:
• The password used to encrypt network communication with the controller
• The version of DarkComet used
• The campaign ID assigned to the stub by the operator
• The list of addresses of the stub's controller(s), e.g. domain names, IP addresses, ports

7 Methodology 3. Scanning
An Internet-wide scan was used to find the overall number of DarkComet operators; a total of 9877 unique operators were detected throughout the experiment. It is trivial to detect whether a DarkComet controller service is running: an infected host must establish contact with the controller by opening a TCP connection, and the controller responds to the host with a specific banner.

8 Methodology 4. Controller Monitoring
From the samples, 13,339 were present with valid addressing information (a domain name or IP address). We determined which controllers were most likely to connect during the experiment and ranked them based on activeness.

9 Methodology 5. Operator Monitoring
Two experiments were conducted, each lasting two weeks. The purpose was to monitor the behavior of live DarkComet operators on realistic machines. 1165 samples were executed; the samples were chosen based on recent response times from the scanner.
Experiment 1
• 20 honeypots ran concurrently
• Identical honeypots with minimal cosmetic differences
Experiment 2
• 8 honeypots ran concurrently, each with a persona: unmodified Windows installation, PC gamer (male), medical doctor (male), U.S. political figure (female), academic researcher (male), Bitcoin miner, college student (female), bank teller
Honeypot limitations
• No webcam or microphone
• No responses to attacker-initiated chat or communication
• No keystrokes for the keylogger
• Network containment policy

10 Methodology 6. Behavior Reconstruction
Over the course of the two experiments, 1165 samples were executed, giving us 2747 total sessions to analyze. The network traffic of each session was reconstructed to analyze the operations that occurred, and for Remote Desktop (RDP) sessions the screen was captured and timestamped any time it changed.
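The session-reconstruction step above, as an added illustration in Python (not code from the paper or the presentation). The event log is constructed for the example, and the event names are stand-ins for reconstructed controller commands, not DarkComet's actual protocol messages.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed event log: (session_id, seconds since session start, event).
# CONNECT/DISCONNECT/HEARTBEAT are stub-controller housekeeping; everything
# else is taken to be an operator-initiated action (placeholder names).
EVENTS = [
    ("s1", 0, "CONNECT"), ("s1", 3, "WEBCAM"), ("s1", 40, "RDP"),
    ("s1", 300, "FILES"), ("s1", 420, "DISCONNECT"),
    ("s2", 0, "CONNECT"), ("s2", 12, "DISCONNECT"),
    ("s3", 0, "CONNECT"), ("s3", 5, "WEBCAM"), ("s3", 60, "PASSWORDS"),
    ("s3", 180, "DISCONNECT"),
    ("s4", 0, "CONNECT"), ("s4", 2, "RDP"), ("s4", 600, "DISCONNECT"),
]
PASSIVE = {"CONNECT", "DISCONNECT", "HEARTBEAT"}


@dataclass
class Session:
    sid: str
    duration: float      # seconds between first and last event
    actions: list        # ordered operator actions, housekeeping removed


def reconstruct(events):
    """Group raw events into per-session action sequences."""
    by_sid = defaultdict(list)
    for sid, t, ev in events:
        by_sid[sid].append((t, ev))
    sessions = []
    for sid, evs in by_sid.items():
        evs.sort()  # order by timestamp
        times = [t for t, _ in evs]
        actions = [ev for _, ev in evs if ev not in PASSIVE]
        sessions.append(Session(sid, times[-1] - times[0], actions))
    return sessions


def summarize(sessions):
    """Engagement rate, first-action distribution and mean RDP vs non-RDP duration."""
    engaged = [s for s in sessions if s.actions]
    rdp = [s for s in engaged if "RDP" in s.actions]
    non_rdp = [s for s in engaged if "RDP" not in s.actions]
    mean = lambda xs: sum(s.duration for s in xs) / len(xs) if xs else 0.0
    return {
        "sessions": len(sessions),
        "engaged": len(engaged),
        "first_actions": Counter(s.actions[0] for s in engaged),
        "mean_rdp_s": mean(rdp),
        "mean_non_rdp_s": mean(non_rdp),
    }
```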

11 Results Overview 1165 unique DarkComet samples were run over the course of two several-week-long experiments, resulting in 2747 sessions. Out of these sessions, 785 resulted in engagement by the operator. The average DarkComet session lasted about 4 minutes, while the average session with RDP lasted 7 minutes. IP addresses from Russia and Turkey were the most prevalent in the experiment.

12 Operator Actions
[Chart: first, second, third, fourth and final action taken per session]
Webcam access is the dominant first action taken by the majority of operators. Sessions were generally composed of webcam access, RDP, password theft, file exploration, audio capture and keylogging.

13 Operator Engagement
[Chart: engagement over time per session type; number of trials shown next to each line]
Engagement was shorter in sessions with no RDP involved (under 20 seconds). Active RDP sessions had 60% more action and engagement compared to other types. There was more engagement and action in RDP sessions in Experiment 2, which involved fake personas. The top 3 personas happened to be designed with more detailed file systems than the others, so engagement appears closely related to the depth of the file system.

14 Motives
[Chart: operator motives by category (User: with webcam and microphone, or without webcam/mic via chat, docs, pics; Reconnaissance; Credentials; Vantage Point), with values of 61%, 45%, 58% and 16% shown]

15 Criticism
Same operator in different honeypot environments: the experiment did not mention comparing the behaviour of the same operators across different honeypot environments and focused more on comparing different operators. Doing so could lead to more refined and clearer results.
DarkComet only: other RATs need to be considered. Different RATs can have more or less functionality, or better or worse functionality, which can skew the results.

16 Thank You
