Monday, 21 January 2013

RATs - Remote Access Trojans

RATs - Remote Access Trojans - are often used by cyber attackers to maintain a foothold in the infected computers and make them do things unbeknownst to their owners. But, in order to do that and not be spotted, RATs must employ a series of obfuscation techniques.

Take for example the FAKEM RAT variants recently analyzed by Trend Micro researchers: in order to blend in, some try to make their network traffic look like Windows Messenger and Yahoo! Messenger traffic, and others as HTML. Usually delivered via spear phishing emails, once executed the malware copies itself using the into the %System% folder. When contacting and sending information to remote servers, the malicious traffic begins with headers similar to actual Windows Messenger and Yahoo! Messenger traffic. But checking the traffic after it clearly shows its malicious nature.

The communication between the compromised computer and the RAT's controller is also encrypted. The RAT starts with sending out information about the compromised system, and can receive simple codes and commands that make it do things like execute code, go to sleep, execute shell commands, allows the attacker to browse directories, access saved passwords, and more. "Now that popular RATs like Gh0st and PoisonIvy have become well-known and can easily be detected, attackers are looking for methods to blend in with legitimate traffic," the researchers noted .

"While it is possible to distinguish the network traffic FAKEM RAT variants produce for the legitimate protocols they aim to spoof, doing so in the context of a large network may not be not easy. The RAT’s ability to mask the traffic it produces may be enough to provide attackers enough cover to survive longer in a compromised environment."

Security News ...(Banking Trojan spread over skype)

The banking Trojan known as Shylock has been updated with new functionality, including the ability to spread over Skype. The program was discovered in 2011 that steals online banking credentials and other financial information from infected computers. Shylock, named after a character from Shakespeare's "The Merchant of Venice".
 Shylock is one of the most advanced Trojans currently being used in attacks against home banking systems. The code is constantly being updated and new features are added regularly.

According to security researchers from CSIS Security Group, the Skype infection is based on a malicious plugin called msg.gsm and allows the malware to send messages and transfer files, clean messages and transfers from Skype history and even bypass the Skype warning for connecting to servers.

Beside the new ability to spread through Skype, Shylock can also spread through local shares and removable drives. Infection by the Trojan allows hackers to steal cookies, inject HTTP into a website, setup VNC and upload files, among other functions.

The program also bypasses the warning and confirmation request that Skype displays when a third-party program tries to connect and interact with the application.

According to a map showing the distribution of Shylock infections that was published by CSIS, there's a high concentration of victims in the UK. However, there are also many Shylock-infected computers throughout mainland Europe and the US.