Hacking with Remote Admin Tools (RATs)
Zoltan Balazs, CTO @ MRG Effitas
Budapest IT Security Meetup, January 2014
Remote admin tools
Could be legitimate
Usually it is not
All the features for remote administration:
Upload/download files
Registry editor
Shell commands
Remote desktop
Using a RAT might be illegal, and might be considered a crime!
Don’t try this at home!
Why are these skiddie toolz important?
Only pentesters use meterpreter
Script kiddies use RATs
Not just "1337 |-|4x0r5" use RATs!
Know your enemy!
Malware incident response
Forensic investigation
Typical RAT scenario
1998
DEF CON 6 on August 1, 1998
Dictionary to skiddie language
Skiddie world -> Average world
server -> client malware on victim
client -> server code @ skiddie
FUD -> Fully UnDetectable
cryptor -> some lame packer
private/elite/gold version -> full version (not demo)
Tutorialz for script bunniez
How to fail at OPSEC?
https://www.youtube.com/results?search_query=setup+rat+tutorial
http://www.youtube.com/watch?v=NkkqPLVscC4
#opsecfail
The skiddie’s youtube list on Cyber Threat Task Force (google cache only)
But a script kitty’s life is not just about work
But FUN as well!
Fun manager - Fun menu
Extra fun
Fun feature 3
Fun feature 4 – Matrix chat
Fun feature 5
Ultimate fun …
Ultimate fun feature 6 - Piano
Hacking Internet Explorer
Scary features
Scary feature 1
DLL inject into iexplore.exe
Proxy aware
Transparent proxy authentication
Local software firewall bypass
No new process running
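Because the RAT lives inside iexplore.exe, process listings and the host firewall see nothing new; the injection itself is what leaves a trace. The following detection sketch is an added example for this talk, not code from the original slides: it runs over constructed Sysmon-style records (Event ID 8 = CreateRemoteThread, Event ID 7 = image loaded, Event ID 3 = network connection; the field names follow Sysmon, the paths and addresses are invented) and flags remote threads and unsigned user-profile DLLs landing in the browser. The list of expected injectors is an assumption for the demo and would need tuning per environment.

```python
"""Added detection example: hunting a RAT that injects into iexplore.exe.

SAMPLE_EVENTS are constructed records in the shape of Sysmon events; none of
the paths, hosts or ports are real indicators.
"""

BROWSER = "iexplore.exe"

# Processes that routinely create threads in other processes on a workstation.
# Demo assumption only: tune this allow-list to what your own telemetry shows.
EXPECTED_INJECTORS = {"csrss.exe", "services.exe", "svchost.exe"}

# Directories where a DLL mapped into the browser is unremarkable.
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files")

SAMPLE_EVENTS = [  # constructed for the demo
    {"EventID": 8, "SourceImage": r"C:\Users\bob\AppData\Roaming\update.exe",
     "TargetImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Roaming\srv.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ImageLoaded": r"C:\Windows\System32\wininet.dll", "Signed": "true"},
    {"EventID": 3, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 8080},
]


def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule_name, offending_path) tuples for injection-like activity
    targeting the browser process."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 8 and basename(ev["TargetImage"]) == BROWSER:
            # A remote thread in the browser from anything but a known
            # system component is how a DLL gets planted without a new process.
            if basename(ev["SourceImage"]) not in EXPECTED_INJECTORS:
                alerts.append(("remote_thread_into_browser", ev["SourceImage"]))
        elif eid == 7 and basename(ev["Image"]) == BROWSER:
            dll = ev["ImageLoaded"]
            unsigned = ev.get("Signed", "false").lower() != "true"
            if unsigned or not dll.lower().startswith(TRUSTED_DLL_DIRS):
                alerts.append(("unsigned_or_userland_dll_in_browser", dll))
    return alerts


def triage(events):
    """Return (alerts, browser_connections).

    On its own, iexplore.exe talking to the corporate proxy looks normal, which
    is exactly why the RAT hides there. Once an injection alert exists, the
    browser's connections become the candidate command channel and are
    returned for follow-up; with no alert they are suppressed."""
    alerts = hunt(events)
    conns = [(ev["DestinationIp"], ev["DestinationPort"]) for ev in events
             if ev["EventID"] == 3 and basename(ev["Image"]) == BROWSER]
    return alerts, (conns if alerts else [])


if __name__ == "__main__":
    found, channels = triage(SAMPLE_EVENTS)
    for rule, what in found:
        print(f"ALERT {rule}: {what}")
    for ip, port in channels:
        print(f"follow up: browser connection to {ip}:{port}")
```

The design point is the correlation in triage: a browser-to-proxy connection is never a signal by itself, so the example only surfaces it after a host-side injection indicator, which keeps the rule quiet on ordinary workstations.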
Scary feature 2 – Melt/uninstall
Melt server deletes the dropper
No wipe: forensic restoration possible
Uninstall server deletes the persistence file
No wipe: forensic restoration possible
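Why "no wipe" matters for the investigator: a plain delete only drops the directory entry, the file's blocks stay on disk until something reuses them, so a signature carve over the raw volume brings the dropper back. The following is an added illustration, not code from the talk: a tiny constructed in-memory "volume" (a byte array plus a name-to-extent directory) stands in for a real filesystem, melt() behaves like the RAT's delete, wipe() shows what it would have had to do instead, and carve() recovers anything starting with the MZ signature from the raw bytes.

```python
"""Added forensics example: delete is not wipe.

ToyVolume is a constructed stand-in for a disk: unallocated space is zero
filled and files are laid out back to back with a small zero gap. The
"dropper" is a labelled dummy blob, not a real binary.
"""

IMAGE_SIZE = 4096
# Constructed sample: an MZ signature followed by filler, no real code.
DROPPER = b"MZ" + b"constructed dropper body, not real code;" * 4


class ToyVolume:
    def __init__(self):
        self.image = bytearray(IMAGE_SIZE)  # raw bytes of the "disk"
        self.directory = {}                  # name -> (offset, size)
        self.next_free = 0

    def write(self, name, data):
        """Allocate space for a file and record it in the directory."""
        off = self.next_free
        self.image[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self.next_free = off + len(data) + 16  # zero gap between files
        return off

    def melt(self, name):
        """What the RAT's melt/uninstall does: drop the directory entry only.
        The bytes at the file's old extent are untouched."""
        del self.directory[name]

    def wipe(self, name):
        """What it would take to defeat carving: overwrite the extent with
        zeros before unlinking."""
        off, size = self.directory[name]
        self.image[off:off + size] = bytes(size)
        del self.directory[name]

    def listing(self):
        return sorted(self.directory)


def carve(image, signature=b"MZ", min_zero_run=8):
    """Signature carve over raw bytes, ignoring the directory entirely.

    Returns (offset, data) for each hit, where data runs from the signature
    up to the next run of min_zero_run zero bytes (the toy volume's gap)."""
    hits = []
    start = image.find(signature)
    while start != -1:
        end = image.find(bytes(min_zero_run), start)
        if end == -1:
            end = len(image)
        hits.append((start, bytes(image[start:end])))
        start = image.find(signature, end)
    return hits


def demo():
    """Return (recovered_after_melt, recovered_after_wipe)."""
    melted = ToyVolume()
    melted.write("dropper.exe", DROPPER)
    melted.write("notes.txt", b"innocent file")
    melted.melt("dropper.exe")           # gone from the directory...
    after_melt = [data for _, data in carve(melted.image)]  # ...not from disk

    wiped = ToyVolume()
    wiped.write("dropper.exe", DROPPER)
    wiped.wipe("dropper.exe")
    after_wipe = [data for _, data in carve(wiped.image)]
    return after_melt, after_wipe


if __name__ == "__main__":
    recovered, nothing = demo()
    print("after melt, carving recovered", len(recovered), "object(s)")
    print("after wipe, carving recovered", len(nothing), "object(s)")
```

On a real disk the carver would be something like photorec or a scalpel-style tool run against an image taken before the host is reused, and the "gap" heuristic is replaced by PE header parsing; the principle the example shows is the same.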
Scary feature - Alternate data stream
Scary feature 3 - Anti AV
Scary feature 4 – Anti VM, Anti sandbox
Private/elite version
Downloading and running binaries from people like this is a bad idea!
hxxp://www.theatregelap.com/2012/06/xtremerat-v-36-private.html
JRAT
Multiplatform
Evade some software firewalls (java.exe allowed)
Easier to obfuscate
Screenshots © Symantec
AndroRAT
© VRT Snort blog
Cryptor
High profile attacks