RAT - Kill or Get Killed! by Karan Bansal
Page 1: RAT - Kill or Get Killed! by Karan Bansal

REMOTE ACCESS TROJANS

Karan Bansal

Page 2

A BRIEF HISTORY

According to legend, the ancient Greeks used a giant horse to defeat the Trojans. It was received as a gift, but inside the horse was the enemy.

Page 3

TALK OUTLINE

- What is a RAT?
- Characteristics of Trojan
- Types of Connection
- Common Tools for Remote Access
- Case Study of a RAT

Page 4

DEFINITION

- A RAT (Remote Access Trojan) is remote control software that allows an attacker to control a system remotely.
- It typically consists of a server listening on specific TCP/UDP ports on the victim's machine.
- It is hidden behind a façade of an appealing and harmless nature.

Page 5

EXAMPLE

A simple example of a Trojan horse would be a program named waterfalls.scr, claiming to be a free waterfall screensaver, which when run would instead allow remote access to the user's computer.

AIDS (Trojan Horse): Also known as Aids Info Disk or PC Cyborg Trojan, it is a Trojan horse that replaces the AUTOEXEC.BAT file, which AIDS then uses to count the number of times the computer has booted. Once this boot count reaches 90, AIDS hides directories and encrypts the names of all files on the drive, rendering the system unusable.

Page 7

CHARACTERISTICS

Once installed, RATs perform their unexpected or even unauthorized operations and use an array of techniques to hide their traces, to remain invisible and stay on victim systems for the long haul.

Monitor the victim machine using various techniques:

- Screen/Camera Capture and Control
- File Management
- Computer Control
- Registry Management
- Shell Control
- Logging Keystrokes

Page 9

TYPES OF CONNECTION

Direct Connection:

- In such RATs the client connects directly to a single server or to multiple servers.
- Stable servers are multi-threaded, allowing multiple connections with increased reliability.

Reverse Connection:

- The client opens the port that the server connects to. It is generally used to bypass firewall restrictions on open ports.
- No problems with routers blocking incoming data, because the connection is started outgoing from the server.
- Allows mass-updating of servers by broadcasting commands, because many servers can easily connect to a single client.
- Needed if the victim is behind a NAT.
- If the Internet connection is closed down and an application still tries to connect to remote hosts, it may be infected with malware, in the case of Direct Connection.
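The two connection models above leave different traces on the victim host: a direct-connection server listens for inbound control, while a reverse-connection server dials out to the client on a timer and keeps retrying when the peer is unreachable. The following is an added example, not part of the deck, that scores constructed endpoint flow records for both patterns; the record format, the process names, the peer addresses and the allow-list of expected listening ports are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed endpoint flow records (not real telemetry), one event per line.
SAMPLE_FLOWS = """\
2024-03-01T09:00:00 proc=updater.exe dir=out peer=203.0.113.5:7070 result=ok
2024-03-01T09:01:00 proc=updater.exe dir=out peer=203.0.113.5:7070 result=ok
2024-03-01T09:02:00 proc=updater.exe dir=out peer=203.0.113.5:7070 result=refused
2024-03-01T09:03:00 proc=updater.exe dir=out peer=203.0.113.5:7070 result=refused
2024-03-01T09:00:12 proc=browser.exe dir=out peer=198.51.100.7:443 result=ok
2024-03-01T09:17:45 proc=browser.exe dir=out peer=198.51.100.7:443 result=ok
2024-03-01T09:05:00 proc=helper.exe dir=in peer=0.0.0.0:5555 result=listen
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) proc=(?P<proc>\S+) dir=(?P<dir>in|out) "
                     r"peer=(?P<peer>\S+) result=(?P<result>\S+)$")
EXPECTED_LISTEN_PORTS = {22, 25, 80, 443}  # assumed allow-list for this host

def parse_flows(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)  # malformed lines are skipped
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            rows.append(rec)
    return rows

def find_rat_patterns(rows, min_hits=4, max_jitter=0.2):
    """Map (process, peer) -> finding. 'direct': inbound control accepted on an
    unexpected port. 'reverse': steady outbound beacon with retries while down."""
    findings, outbound = {}, defaultdict(list)
    for r in rows:
        if r["dir"] == "out":
            outbound[(r["proc"], r["peer"])].append(r)
        elif r["result"] == "listen":
            port = int(r["peer"].rsplit(":", 1)[1])
            if port not in EXPECTED_LISTEN_PORTS:
                findings[(r["proc"], r["peer"])] = "direct: unexpected listener"
    for key, recs in outbound.items():
        if len(recs) < min_hits:
            continue  # too few events to judge a cadence
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            retries = sum(r["result"] == "refused" for r in recs)
            findings[key] = (f"reverse: beacons every ~{mean(gaps):.0f}s "
                             f"({retries} retries while peer unreachable)")
    return findings
```

The browser traffic is ignored both because it has too few events and because its intervals are irregular; tune min_hits and max_jitter to the host's normal traffic before trusting the verdicts.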

Page 11

MEANS OF INFECTION

- For someone to get a Trojan, in most cases they must download a file. The trap may be very easy to fall into if the file looks good on the surface.
- You can be infected by visiting a rogue website.
- Emails: If you are using Microsoft Outlook, you are vulnerable to many of the problems Internet Explorer has, even if you don't use IE directly.
- Open Ports: Computers running their own servers (HTTP, SMTP, FTP etc.) may have various vulnerabilities which can be exploited. These services open a network port (TCP/UDP), giving attackers a means of interacting with these programs from anywhere on the internet.

Page 13

PAYLOADS

- Remote Access
- Email Sending
- Data Destructive
- Downloader
- Server Trojan (Proxy, FTP, HTTP etc.)
- DOS Attacks
- Security Software Disabler

Page 14

COMMON TOOLS FOR REMOTE ACCESS

BackOrifice: It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a pun on Microsoft's BackOffice Server software.

NetBus: NetBus is a software program for remotely controlling a Microsoft Windows computer system over a network. It was created in 1998 and has been very controversial for its potential to be used as a backdoor.

SubSeven: A popular Trojan mainly used by script kiddies for causing mischief, such as hiding the computer cursor, changing system settings or loading up pornographic websites. It can, however, also be used for more serious criminal applications, such as stealing credit card details with a keylogger.

Page 15

CASE STUDY

Dark Comet:

- Provides comprehensive administration capabilities over the infected machine.
- It was first identified in 2011 and still infects thousands of computers without being detected.
- Allows the user to control the system with a GUI.
- Dark Comet uses crypters to hide its existence from antivirus tools.
- It performs several malicious administrative tasks, such as disabling Task Manager, Windows Firewall, and Windows UAC.
- Uses a Reverse-Connection Architecture: when executing, the server connects to the client and allows the client to control and monitor the server.
- Most commonly distributed via drive-by attacks and social networking sites. In drive-by attacks, a malicious script embedded on a webpage executes and tries to exploit some vulnerability in the system.
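The three protections the case study names (Task Manager, Windows Firewall, UAC) are each switched off through documented registry values, so a defender can audit a collected registry snapshot for the combination. The following is an added example, not code from the deck or from the Dark Comet tooling; it works on a constructed snapshot dictionary rather than live winreg reads, and the threshold of two disabled controls is an assumption.

```python
# Well-known policy locations; a missing value means the documented default.
POLICY_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
FW_BASE = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"

# (path, value name, default when absent, data meaning 'protection off', label)
CHECKS = [
    (POLICY_HKCU, "DisableTaskMgr", 0, 1, "Task Manager disabled by policy"),
    (POLICY_HKLM, "EnableLUA", 1, 0, "UAC (LUA) disabled"),
] + [(FW_BASE + "\\" + profile, "EnableFirewall", 1, 0,
      f"Windows Firewall off ({profile})")
     for profile in ("DomainProfile", "StandardProfile", "PublicProfile")]

# Constructed snapshot (path -> {value name: data}) standing in for what an
# endpoint collector would export; the data here is made up for the example.
SNAPSHOT = {
    POLICY_HKCU: {"DisableTaskMgr": 1},
    POLICY_HKLM: {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0},
    FW_BASE + r"\DomainProfile": {"EnableFirewall": 1},
    FW_BASE + r"\StandardProfile": {"EnableFirewall": 0},
}

def audit_snapshot(snapshot):
    """Return the label of every protection the snapshot shows turned off.
    Absent values are read as their defaults, not as tampering."""
    hits = []
    for path, name, default, off_value, label in CHECKS:
        if snapshot.get(path, {}).get(name, default) == off_value:
            hits.append(label)
    return hits

def assess(snapshot, threshold=2):
    """One disabled control can be a legitimate admin policy; several of the
    controls the case study names being off together is the tamper pattern."""
    hits = audit_snapshot(snapshot)
    return {"findings": hits, "suspicious": len(hits) >= threshold}
```

On a live host the same CHECKS table can be fed from winreg reads; the scoring stays the same.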

Page 16

THANK YOU

Any Questions?