1
To Catch a Ratter: Monitoring the Behavior of Amateur DarkComet RAT Operators in the Wild
Authors: Brown Farinholt, Mohammad Rezaeirad, Paul Pearce, Hitesh Dharmdasani, Haikuo Yin, Stevens Le Blond, Damon McCoy, Kirill Levchenko
Presented by: Ben Mitchell
2
Motivation - Current problems
Recent shift from large-scale threats such as botnets to lower-volume threats designed to target specific users or systems.
Increase in human-operated malware such as remote access trojans (RATs).
Surprisingly, there is a lack of understanding of RATs and the people who operate them.
Low barrier to entry: many tutorials help newcomers learn to use RATs.
3
Motivation - Goal of the paper
To better understand the behavior of RAT operators in realistic situations.
4
Background - What is a RAT?
Remote access trojan.
Usually downloaded invisibly along with a benign program, such as a game, or sent as an e-mail attachment.
Controlled individually by a remote human operator, unlike a botnet.
Gives the operator full administrative control over the target computer.
5
Background - What can RATs be used for?
File access
Webcam access
Microphone access
Launching attacks from the victim's machine
Remote desktop (DarkComet's own screen-streaming feature, not Windows RDP)
Keylogging credentials
6
Background - RAT infection process
7
Background - DarkComet
A popular, freely distributed RAT (not a commercial product).
Allows an operator to control the infected system through a graphical user interface.
Commonly used to spy on victims by taking screen captures, key-logging, or interacting with webcams and microphones.
8
Methodology - Sample collection
VirusTotal is an online service that analyzes files and URLs, enabling the identification of viruses, worms and trojans.
VirusTotal was used to obtain 19,109 samples of DarkComet malware.
9
Methodology - Sample extraction
DarkComet offers two runtime packer options, UPX and MPress.
Of the 19,109 samples collected:
74% were not packed
18% were packed with UPX or MPress
8% were malformed
10
Methodology - Sample extraction
In total, 17,516 samples were unpacked (the 92% of samples that were not malformed).
From each unpacked sample the following was collected:
The password used to encrypt the stub-to-controller network traffic
The version of DarkComet used
A list of addresses of the stub's controller: domain names, IP addresses and ports
11
Methodology - Scanning
A host infected by DarkComet establishes contact with its controller over TCP.
The controller then replies with a specific message.
To find controllers, open a socket to a candidate host and port and wait for that specific message.
Two tools were used to carry out this scanning: ZMap and Shodan.
12
Methodology - Controller monitoring
Of the 17,516 samples unpacked, 13,339 valid controller addresses were obtained.
Extracted domain names were resolved hourly via DNS to track controllers whose IP addresses change over time.
Over the course of the project these 13,339 addresses were linked to 9,877 unique DarkComet controllers (i.e., operators).
13
Methodology - Operator monitoring
Two separate experiments, each lasting two weeks.
Goal: monitor the behavior of live DarkComet operators on realistic machines.
Samples were selected and installed from the previously collected DarkComet malware.
1,165 samples were used in 2,747 total runs.
Several methods were used to select which samples were run.
14
Methodology - Experiment 1
20 identical honeypots used to host DarkComet malware.
Each honeypot received similar responses from operators.
Encrypted network traffic between operator and host was recorded.
15
Methodology - Experiment 2
8 honeypots used to host DarkComet malware.
Each honeypot had a carefully designed, unique persona:
College student
Male PC gamer
Male doctor
Bitcoin miner
Bank teller
Female political figure
Male academic researcher
Control (unmodified)
16
Methodology - Behavioral Reconstruction
Recorded network traffic was decrypted using the passwords gathered from unpacking the DarkComet samples.
DarkComet network signatures were gathered from static analysis and exhaustive testing of the RAT.
A signature engine takes the recorded, decrypted network traffic and returns the source and the action carried out, e.g. "operator accessed webcam <timestamp>".
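The reconstruction step described above, as an added example (not code from the paper or the presentation): decrypt a recorded session with the password and version recovered from the unpacked stub, then run each decrypted message through a signature engine that emits (timestamp, source, action). It assumes DarkComet's RC4 key convention as reported in public analyses of the malware (a version-specific prefix followed by the operator's password, ciphertext carried as hex text); confirm the prefix against the builds you hold. The command words in the signature table and the capture itself are constructed placeholders, not DarkComet's real protocol vocabulary or real traffic.

```python
"""Added example: decrypt a recorded DarkComet session with the password and
version recovered from the unpacked stub, then map each decrypted message to
an operator action with a signature engine. Sample traffic is constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# RC4 key = version-specific prefix + operator password, as reported in public
# DarkComet analyses (assumption: confirm the prefix for the builds you hold).
KEY_PREFIXES = {"5.0": "#KCMDDC5#-890", "5.1": "#KCMDDC51#-890"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; symmetric, so one routine both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def session_key(version: str, password: str) -> bytes:
    return (KEY_PREFIXES[version] + password).encode("latin-1")


def encrypt_message(plaintext: str, version: str, password: str) -> str:
    """Ciphertext travels as upper-case hex text (assumed wire encoding)."""
    return rc4(session_key(version, password), plaintext.encode("latin-1")).hex().upper()


def decrypt_message(hex_payload: str, version: str, password: str) -> str:
    return rc4(session_key(version, password), bytes.fromhex(hex_payload)).decode("latin-1")


def looks_like_text(s: str) -> bool:
    """A wrong password or version prefix yields byte soup, not a command."""
    return all(32 <= ord(c) < 127 or c in "\r\n\t" for c in s)


# Signature table: regex over the decrypted message -> action label.
# The command words are PLACEHOLDERS standing in for the real DarkComet
# vocabulary the paper recovered by static analysis and testing.
# A label of None marks protocol chatter that is not an operator action.
SIGNATURES: List[Tuple[re.Pattern, Optional[str]]] = [
    (re.compile(r"^KEEPALIVE\b"), None),
    (re.compile(r"^WEBCAM_START\b"), "operator accessed webcam"),
    (re.compile(r"^WEBCAM_FRAME\b"), "stub streamed webcam frame"),
    (re.compile(r"^KEYLOG_GET\b"), "operator retrieved keystroke log"),
    (re.compile(r"^RDESKTOP_START\b"), "operator opened remote desktop"),
    (re.compile(r"^FILE_DOWNLOAD\|(?P<path>.+)$"), "operator downloaded file {path}"),
]
UNRECOGNISED = "unrecognised message"
UNDECRYPTABLE = "undecryptable (wrong password or version prefix?)"


@dataclass(frozen=True)
class Event:
    timestamp: str
    source: str  # "operator" (controller -> stub) or "stub"
    action: str


def classify(plaintext: str) -> Optional[str]:
    for pattern, label in SIGNATURES:
        m = pattern.match(plaintext)
        if m:
            return None if label is None else label.format(**m.groupdict())
    return UNRECOGNISED  # surface signature gaps instead of silently dropping them


def reconstruct(records: Iterable[Tuple[str, str, str]], version: str,
                password: str) -> List[Event]:
    """records: (timestamp, direction 'ctl->stub' | 'stub->ctl', hex payload)."""
    events = []
    for timestamp, direction, hex_payload in records:
        source = "operator" if direction == "ctl->stub" else "stub"
        plaintext = decrypt_message(hex_payload, version, password)
        if not looks_like_text(plaintext):
            events.append(Event(timestamp, source, UNDECRYPTABLE))
            continue
        action = classify(plaintext)
        if action is not None:
            events.append(Event(timestamp, source, action))
    return events


def operator_action_sequence(events: List[Event]) -> List[str]:
    """Ordered operator actions: the input for first/second/.../last action tallies."""
    return [e.action for e in events if e.source == "operator"]


def demo_capture(version: str = "5.1", password: str = "letmein"):
    """Constructed capture standing in for a honeypot pcap (not real traffic)."""
    return [
        ("2016-03-02T13:05:11Z", "ctl->stub", encrypt_message("KEEPALIVE", version, password)),
        ("2016-03-02T13:05:12Z", "ctl->stub", encrypt_message("WEBCAM_START|0", version, password)),
        ("2016-03-02T13:05:13Z", "stub->ctl", encrypt_message("WEBCAM_FRAME|4096", version, password)),
        ("2016-03-02T13:06:40Z", "ctl->stub",
         encrypt_message("FILE_DOWNLOAD|C:\\Users\\victim\\wallet.dat", version, password)),
    ]


if __name__ == "__main__":
    for ev in reconstruct(demo_capture(), "5.1", "letmein"):
        print(ev.timestamp, ev.source, ev.action)
```

The version recovered from the stub matters as much as the password: decrypting a 5.1 session with the 5.0 prefix produces unreadable output, which the engine reports as "undecryptable" rather than mis-attributing an action. Unmatched but readable messages are kept and flagged so gaps in the signature table show up in the results instead of vanishing.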
17
Results - Who is using RATs?
[Chart: countries of the IP addresses of scanned DarkComet controllers]
[Chart: user types of the IP addresses of scanned DarkComet controllers]
Large number of Turkish and Russian addresses.
Casual ratters operating from residential networks.
18
Results - When are RAT operators active
Most active after midday More active on weekends than weekdays
19
Results - What actions RAT operators take
[Chart: distribution of operators' first, second, third, fourth and last actions]
20
Results - Motives
61% User access (webcam, microphone, chat, pictures, documents)
58% Credentials (Steam accounts, bitcoin wallets, other accounts)
16% Vantage point (DDoS attacks, fraud, deploying hacking tools)
Categories overlap, so the percentages sum to more than 100%.
21
Results - Operator interaction
Operators used remote desktop actively for longer when personas were present.
Overall, total operator connection times were similar across honeypots.
5 personas produced higher average operator interaction durations than the control honeypot.
Operators were most interested in the bank teller persona.
22
Results - Criticism: only analyzing DarkComet samples
Potentially skewed results, since DarkComet operators may not be representative of RAT operators in general.
Other RATs to consider: Sub7, BlackShades, NetBus, Back Orifice, JSpy.
23
Results - Criticism: only taking samples from VirusTotal
Potentially misses more skilled operators whose samples evade detection.
Heavy emphasis on casual ratters.
24
Results - Criticism: persona analysis
[Chart: persona comparison: Control, Male PC gamer, Male doctor, Female political figure, Male academic researcher, Bitcoin miner, College student, Bank teller]
Analysis of the persona results was not detailed enough.
Operator actions on each persona were not discussed individually.
Reasoning for each persona being chosen was not given.
25
Thank You Questions?