Introduction on Botnets and RATs Characteristics and Functionalities of RATs (Direct vs Reverse connection, tcp vs udp etc.) Case Study of 1 RAT

1. Karan Bansal

2. According to legend, the
ancient Greeks used a giant
horse to defeat the Trojans. It
was received as a gift, but
inside the horse was the enemy.

3.  What is a RAT?
 Characteristics of Trojan
 Types of Connection
 Common Tools for Remote Access
 Case Study of a RAT

4.  RAT (Remote Access Trojan) is a remote control software that allows an attacker
to remote control a system.
 Typically consists of a serve listening on specific TCP/UDP ports on victim’s
machine.
 Hidden behind a façade of an appealing and harmless nature.

5.  A simple example of a Trojan horse would be a program named waterfalls.scr
claiming to be a free waterfall screensaver which when run instead would allow
access to a user’s computer remotely.

6.  A simple example of a Trojan horse would be a program named waterfalls.scr
claiming to be a free waterfall screensaver which when run instead would allow
access to a user’s computer remotely.
 AIDS (Trojan Horse) : Also known as Aids Info Disk or PC Cyborg Trojan, is a
Trojan horse that replaces the AUTOEXEC.BAT file, which would then be used by
AIDS to count the number of times the computer has booted. Once this boot count
reaches 90, AIDS hides directories and encrypts the names of all files on the drive
rendering the system unusable.

7.  Once installed, RATs perform their unexpected or even unauthorized operations
and use an array of techniques to hide their traces to remain invisible and stay on
victim systems for the long haul.

8.  Once installed, RATs perform their unexpected or even unauthorized operations
and use an array of techniques to hide their traces to remain invisible and stay on
victim systems for the long haul.
 Monitor the victim machine using various techniques –
 Screen/Camera Capture and Control
 File Management
 Computer Control
 Registry Management
 Shell Control
 Logging Keystrokes

9.  Direct Connection: In such RATs client connects to a single or multiple servers
directly. Stable servers are multi-threaded, allowing for multiple connections with
increased reliability.

10.  Direct Connection: In such RATs client connects to a single or multiple servers
directly. Stable servers are multi-threaded, allowing for multiple connections with
increased reliability.
 Reverse Connection: The client opens the port that the server connects to. It is
generally used to bypass firewall restrictions on open ports.
 No problems with routers blocking incoming data, because the connection is started
outgoing for a server.
 Allows for mass-updating of servers by broadcasting commands, because many servers
can easily connect to a single client.
 Needed if victim is behind a NAT.
 If the Internet connection is closed down and an application still tries to connect to
remote hosts it may be infected with malware in case of Direct Connection.

11.  For someone to get a Trojan, they must download a file in most cases.
 The trap may be very easy to fall into if the file looks good into surface.
 You can be infected by visiting a rogue website.
 Emails –
 If you are using Microsoft Outlook, you are vulnerable to many problems which internet
explorer has even if you don’t use IE directly.
 Open Ports –
 Computers running their own servers (HTTP, SMTP, FTP etc.) may be having various
vulnerabilities which can be exploited.
 These services open a network port (TCP/UDP) giving attackers a means for interacting
with these programs anywhere on the internet.

13.  Remote Access
 Email Sending
 Data Destructive
 Downloader
 Server Trojan (Proxy, FTP, HTTP etc.)
 DOS Attacks
 Security Software Disabler

14.  BackOrifice : It enables a user to control a computer running the Microsoft
Windows operating system from a remote location. The name is a pun on
Microsoft BackOffice Server software.
 NetBus : Netbus is a software program for remotely controlling a Microsoft
Windows computer system over a network. It was created in 1998 and has been
very controversial for its potential of being used as a backdoor.
 SubSeven : A popular Trojan mainly used by script kiddies for causing mischief,
such as hiding the computer cursor, changing system settings or loading up
pornographic websites. Although, it can be used for more serious criminal
applications such as stealing credit card details with a keylogger.

15.  Dark Comet :
 Provides comprehensive administration capabilities over the infected machine.
 It was first identified in 2011 and still infects thousands of computers without being
detected.
 Allows the user to control the system with GUI.
 Dark Comet uses Crypters to hide it existence from antivirus tools.
 It performs several malicious administrative tasks such as: disabling Task Manager,
Windows Firewall, and Windows UAC.
 Uses Reverse-Connection Architecture.
 When executing, the server connects to the client and allows client to control and monitor the
server.
 Most commonly distributed via drive-by attacks and social networking sites.
 In Drive-by attacks a malicious script embedded on a webpage executes and tries to
exploit some vulnerability in a system.

16. Any Questions?