Presentation is loading. Please wait.

Presentation is loading. Please wait.

Article by:. rown Farinholt, Mohammad Rezaeirad, Paul Pearce, Hitesh

PublishTrevor Stanley Modified over 6 years ago

Similar presentations

Presentation on theme: "Article by:. rown Farinholt, Mohammad Rezaeirad, Paul Pearce, Hitesh"— Presentation transcript:

1 To Catch A Ratter Monitoring the Behaviour of Amateur DarkComet RAT Operators in the Wild
Article by: rown Farinholt, Mohammad Rezaeirad, Paul Pearce, Hitesh Dharmdasani, Haikuo Yin†Stevens Le Blondk, Damon McCoy, Kirill Levchenko Presented by: Jack Barker

2 Remote Access Trojans Allows attackers to remotely control an infected machine Operated manually by a human operator (controller) Ransomware and botnets are automated in contrast Webcam / Microphone Filesystem Remote desktop Chat client Keylogging

3 Remote Access Trojans A target is sent an executable (stub)
When the stub is running, it connects to the controller The controller then has unrestricted access to the computer Common theme: accessing a victims computer for personal information DarkComet is a commercial rat with these features, and is the focus of this piece of research

4 Remote Access Trojans Low barrier of entry Widespread usage
Voyeurism Sextortion and Blackmail Surveillance and Espionage Attacks can be targeted, but often a RAT is sent out to multiple victims/spread online Common theme: accessing a victims computer for personal information DarkComet is a commercial rat with these features, and is the focus of this piece of research

5 Motivation What do rat operators do with the machines they are attacking? Project Goal: Understand the behaviour of RAT operators in the wild What do they do with infected machines? Lots of study on other stuff related to rats This is the first related to controller behaviour What features are used the most? What do the attackers want?

6 01 02 03 04 Methodology Overview Find DarkComet samples
Execute samples in honeypots 02 Record information about how the RATs are used 03 Assess data 04

7 Procuring Fresh Malware
Regularly querying VirusTotal Up to date set of YARA rules Can determine where they were uploaded from (mostly Russia and Turkey) 10 new samples on average per hour 19,109 unique DarkComet samples over the course of the study

8 Configuration Extraction
The encryption keys can be extracted from a stub Communication between controller and stub is encrypted Password Version Campaign ID List of stub controller IP addresses Automatically unpacked and information retrieved 8% malformed 18% packed with Mpress or UPX 17,516 of the samples could be unpacked

9 Controller Monitoring
Continuously probe ever known DarkComet controller to determine if it is online DNS resolution Determine the IP address of DarkComet controllers with a domain Resolved hourly Often used because an operators IP will be changing – operator safety Targeted scanning Scans each DarkComet controller every 30 minutes Addresses taken from configuration extraction 9,877 unique DarkComet controllers

10 Live Operator Monitoring
Two separate ~ two week experiments Purpose: To monitor the behaviour of DarkComet operators in realistic machines by executing the samples gathered Samples for operator monitoring were chosen based on a metric which included how old the sample was and whether the controller was active

11 Analysis 52.9 hours connected to controller (out of 2400 machine hours) Average session lasted 4 minutes (7 minutes when RDP was used) Webcam Monitoring Password Theft File Exfiltration Audio Capture Keylogging Webcam in 61% of trials Stored passwords in 43% of trials Filesystem in 40% of trials Audio capture and keylogging in just over ¼ of attacks However there was difference seen between sessions which used remote desktop, where 76% of remote desktop sessions attemted to access the webcam compared to only 16% of those who were attacking through the commandline only

12 Analysis Downloading files from honeypot (8%)
Command Line Activity (92 in total) 60% reconnaissance 26% manipulation 10% destruction Visiting URLS, 123 URLS: 26 adult content 13 gaming 7 blogs 48 unique files dropped RAT stubs, worms, scripts Remaining URLS VPN, search, banking, social, and some 404

13 Analysis Direct Communication 53% harassment 2% extortion
16% misdirection 9% recognition (e.g “HACKED BY #JBAR927”) Very visible 62% of all operators visible to victim

14 Criticism Only used DarkComet on Windows 7
Other RAT’s could be used differently Victims with different OS may be attacked differently (e.g Linux) Honeypots were very restricted in network access Cuckoo was used to reduce impact of VM Their analysis of Russia and Turkey could be impacted by VPNs Some files dropped during sample extraction not analysed 62% of all operators visible to victim

15 Conclusions Method for gathering and extracting stubs devised
Realistic honeypots used to launch stubs into Cuckoo sandbox used to analyse interaction Majority of attackers made use of remote desktop and attempted to access the webcam and filesystem 62% of all operators visible to victim

Download ppt "Article by:. rown Farinholt, Mohammad Rezaeirad, Paul Pearce, Hitesh"

Similar presentations

Malware Identification and Classification

Malware Identification and Classification
Cybersecurity Training in a Virtual Environment By Chinedum Irrechukwu.

Cybersecurity Training in a Virtual Environment By Chinedum Irrechukwu.
Trojan Horse Program Presented by : Lori Agrawal.

Trojan Horse Program Presented by : Lori Agrawal.
Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.

Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.
1 GFI LANguard Network Security Scanner. 2 Contents Introduction Features Source & Installation Testing environment Results Conclusion.

1 GFI LANguard Network Security Scanner. 2 Contents Introduction Features Source & Installation Testing environment Results Conclusion.
1 The Botherd is Coming! Part II The Technical Response Justin Azoff University at Albany EDUCAUSE Live! June 21 st, 2006.

1 The Botherd is Coming! Part II The Technical Response Justin Azoff University at Albany EDUCAUSE Live! June 21 st, 2006.
1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.

1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.
MIS 5211.001 Week 7 Site:

MIS Week 7 Site:
Automated Malware Analysis

Automated Malware Analysis
Threats and ways you can protect your computer. There are a number of security risks that computer users face, some include; Trojans Conficker worms Key.

Threats and ways you can protect your computer. There are a number of security risks that computer users face, some include; Trojans Conficker worms Key.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.

1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.
JavaScript, Fourth Edition

JavaScript, Fourth Edition
ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.

ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.
Honeypot and Intrusion Detection System

Honeypot and Intrusion Detection System
Bots Used to Facilitate Spam Matt Ziemniak. Discuss Snort lab improvements Spam as a vehicle behind cyber threats Bots and botnets What can be done.

Bots Used to Facilitate Spam Matt Ziemniak. Discuss Snort lab improvements Spam as a vehicle behind cyber threats Bots and botnets What can be done.
2012 4th International Conference on Cyber Conflict C. Czosseck, R. Ottis, K. Ziolkowski (Eds.) 2012 © NATO CCD COE Publications, Tallinn 朱祐呈.

2012 4th International Conference on Cyber Conflict C. Czosseck, R. Ottis, K. Ziolkowski (Eds.) 2012 © NATO CCD COE Publications, Tallinn 朱祐呈.
A Multifaceted Approach to Understanding the Botnet Phenomenon Authors : Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis Computer Science.

A Multifaceted Approach to Understanding the Botnet Phenomenon Authors : Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis Computer Science.
Hacker’s Strategies Revealed WEST CHESTER UNIVERSITY Computer Science Department Yuchen Zhou March 22, 2002.

Hacker’s Strategies Revealed WEST CHESTER UNIVERSITY Computer Science Department Yuchen Zhou March 22, 2002.

Similar presentations

Ads by Google