Websites, whether they are personal ones or belong to large corporations and governments, are constantly under attack.
Even when web administrators do their best to secure their properties from remote-file inclusions, malicious shell uploads, SQL injection or brute force attacks to name a few, they are still susceptible to threats that are out of their control.
Google recently stepped in to offer website protection services that mitigate Distributed Denial of Service (DDoS) attacks as well as other types of attacks aimed at knocking politically sensitive websites offline.
The program, dubbed Project Shield, is now available as an invite-only service and is free (for now).
Last week we talked about the Remote Administration Trojan DarkComet and all the wonderful and scary things it can do. In response to the Twitter post announcing that blog, the author of DarkComet tweeted an answer to my big bold question:
“Considering that this is a Remote Administration Tool, to be used for good and what not….WHY DOES IT HAVE DDOS FUNCTIONALITY!?”
His answer was that he typically uses it for “Performing tests on his personal network to make sure it can protect against those kinds of attacks.” To put it simply, it’s like building a bomb in order to see if your house is explosion-proof. He isn’t lying; it is possible to test your own defenses with such a weapon. I will leave it up to you, the reader, to decide whether that is a good enough reason to include the capability to perform Distributed Denial of Service attacks in his software.
Moving on: last week I said that DarkComet is dangerous and that, while it has a lot of illegitimate uses, it was mostly designed as a network administration tool and can therefore be used for legitimate purposes. This week I am going to tell you about the opposite of DarkComet, a very powerful and very dangerous RAT known as BlackShades NET.
There are quite a few different types of RAT malware floating around in the wild right now that are used by people ranging from amateur hackers all the way up to cyber-crime organizations. DarkComet is one of them and BlackShades NET is another, more dangerous one.
BlackShades is a very powerful RAT which sports all the functionality of DarkComet and then some. It reaches its victims through a wide range of infection methods, to name a few:
- Fake torrent downloads on peer-to-peer (P2P) sites
- Malicious links spread on social media sites (Facebook, Twitter, etc.)
- Malicious links spread in chat rooms
- Drive-by attacks
- Java exploits
- Spreading via hacked social media/chat accounts
- Phishing e-mails
This list applies to most methods of spreading RATs and malware in general.
Last week, I talked a little about the Flame Trojan and how much the average user needs to worry about being infected with it, which is not at all. State-sponsored RAT malware like Flame would likely not infect average users, and even in the off chance that it did, the operators behind the malware would probably remove the Trojan before being discovered. Its purpose is highly targeted cyber-espionage, not stealing your Facebook password.
So are you completely safe from malware like Flame? Well, not exactly. Take away the state-sponsored aspect of Flame and you’ve got a RAT, or Remote Administration Trojan, of which there are many out there that are used every single day to spy on ordinary people. Before you get too freaked out: Malwarebytes Anti-Malware detects and removes these threats all the time, so don’t worry too much about being a victim as long as you properly protect your system.
This blog post is one of many in which I am going to:
- Discuss some of the RAT malware currently seen in the wild
- Explain what they can do
- Explain how they work
- Show how to protect yourself from them
This first blog is about DarkComet, a freely available Remote Administration “Tool” developed by DarkCoderSC, an independent programmer and computer security specialist from France. He advertises DarkComet as a tool and not a Trojan because of its many useful functions, which could be used to administer a network in great detail. However, he also mentions that his tool is often used by hackers and hence is often detected by antivirus engines as malicious. While the tool is free to download and use, he offers a “VIP” service, which gives the user access to direct support, updates about the product and the ability to post new ideas or software bugs, all for 20 Euros or $25.
Flame, although not yet completely analyzed, is known to take screenshots, modify/create/delete files and run a keylogger. Most RATs take that functionality and multiply it significantly. DarkComet is no different; it supports over 60 different server-side functions, that is, things it can execute, monitor or control on the infected system.
Note: For the sake of talking about RATs, you need to turn the usual definition of “client-server” around. In this case the “server” is the RAT implant running on the infected system while the “client” is the controller application used by the attacker.
Here is a list of some of the pretty nasty things which this RAT can do:
- Find out all system information, including hardware being used and the exact version of your operating system, including security patches.
- Control all the processes currently running on your system
- View and modify your registry
- Modify your Hosts file
- Control your computer from a remote shell
- Modify your startup processes and services, including adding a few of its own
- Execute various types of scripts on your system
- Modify/View/Steal your files
- Put files of its own on your system
- Steal your stored passwords
- Listen to your microphone
- Log your keystrokes (duh)
- Scan your network
- View your network shares
- Mess with your MSN Messenger / Steal your contacts / Add new contacts!
- Steal from your clipboard (things you’ve copied)
- Control your printer
- Lock/Restart/Shutdown your computer
- Update the implant with a new address to beacon to or new functionality
That is only some of what this thing can do; I left out a few of the big ones because I want to go into more detail about them. Also, they are my favorites!
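The last item on the list, and the note above on the inverted client/server roles, come down to one observable behaviour on the defender's side: the implant calls home on a timer. The following is an added example, not code from the original post or from Malwarebytes, that flags such beaconing in a constructed firewall-style connection log; the addresses, port and timestamps are made up for illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection log (firewall style), not from a real incident.
# Host 192.0.2.10 reaches 198.51.100.5:8443 about every 60 seconds, the steady
# "beacon" an implant sends to its controller; the other lines are ordinary
# browsing from the same host. Addresses and port are invented.
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=192.0.2.10 dst=198.51.100.5 dport=8443
2024-05-01T10:00:07 src=192.0.2.10 dst=203.0.113.20 dport=443
2024-05-01T10:00:09 src=192.0.2.10 dst=203.0.113.20 dport=443
2024-05-01T10:01:01 src=192.0.2.10 dst=198.51.100.5 dport=8443
2024-05-01T10:01:59 src=192.0.2.10 dst=198.51.100.5 dport=8443
2024-05-01T10:02:30 src=192.0.2.10 dst=203.0.113.20 dport=443
2024-05-01T10:03:00 src=192.0.2.10 dst=198.51.100.5 dport=8443
2024-05-01T10:03:45 src=192.0.2.10 dst=203.0.113.20 dport=443
2024-05-01T10:03:50 src=192.0.2.10 dst=203.0.113.30 dport=80
2024-05-01T10:04:02 src=192.0.2.10 dst=198.51.100.5 dport=8443
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse_flows(log):
    """Group connection timestamps by (src, dst, dport); skip unparsable lines."""
    flows = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1)).timestamp()
            flows[(m.group(2), m.group(3), int(m.group(4)))].append(ts)
    return flows

def find_beacons(log, min_hits=4, max_jitter=0.2):
    """Flag flows whose gaps between connections are nearly constant: at least
    min_hits connections and a relative standard deviation of the gaps below
    max_jitter. Interactive browsing fails the jitter test; a timer passes."""
    beacons = []
    for key, times in parse_flows(log).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap < max_jitter:
            beacons.append((key, round(mean_gap, 1)))
    return beacons

if __name__ == "__main__":
    for (src, dst, port), gap in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst}:{port} every ~{gap}s")
```

On a real log the thresholds need tuning per environment, since software updaters and mail clients also poll on fixed timers and show up under the same test.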
The recent attack on the Serious Organized Crime Agency (SOCA), most likely in response to the 36 data-selling sites shut down a few weeks ago, led to the admission by high-ranking SOCA officials that the Ministry of Defense networks need to “beef up their security.” In response, we would like to present solutions for protecting networks and systems from external attacks such as the one on the MoD. In addition, we will provide a quick run-down of various security practices which, when not followed, can leave doors open for malicious actors attempting to gain access to internal networks, not only at the MoD but at any organization or for any personal user.
The attack launched against the MoD was a DDoS attack. DDoS stands for Distributed Denial of Service, and such an attack is launched by what is referred to as a bot network, or “botnet.” A botnet consists of a group of compromised systems which have been infected by a malware implant, or “bot.” The implant beacons back to a central controller and receives further commands from the person running the botnet, the “bot herder.” In the case of a DDoS attack, every bot sends large amounts of network traffic toward one particular server. A web server has a limit on how many simultaneous conversations it can hold with other systems. Therefore, when tens of thousands of infected systems begin a conversation with the same server, the flood of traffic blocks legitimate users from communicating with the web server. If continued, this can overload the server and potentially crash it. It’s like trying to shake hands with 100 people at once.
A high-level approach to defending against DDoS attacks is to use redundant systems which can absorb some of the connection load during an attack or heavy traffic, while still keeping the website available to legitimate users.
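The connection-limit mechanism and the redundancy mitigation described above, as an added model that is not part of the original post or of Malwarebytes' material: bots and real users each open one connection per second, a single server holds a fixed number of conversations, and a pool of identical servers shares the load round-robin. The traffic, addresses and server capacity are constructed for illustration.

```python
from collections import defaultdict

# Constructed traffic model, not captured data: each second, `bots` infected
# hosts and `legit` real users each try to open one connection to the site.
# In this sample the bots arrive first, the worst case for legitimate users.
def make_attempts(bots=30, legit=5, seconds=3):
    attempts = []
    for t in range(seconds):
        attempts += [(t, f"10.0.0.{b}", False) for b in range(1, bots + 1)]
        attempts += [(t, f"192.0.2.{u}", True) for u in range(1, legit + 1)]
    return attempts  # (second, source address, is_legit)

def overloaded_seconds(attempts, max_conn):
    """Seconds in which more conversations are requested than one server can
    hold at once: from that point some clients are turned away."""
    per_sec = defaultdict(int)
    for t, _, _ in attempts:
        per_sec[t] += 1
    return sorted(t for t, n in per_sec.items() if n > max_conn)

def legit_served_ratio(attempts, max_conn, backends=1):
    """Spread each second's attempts round-robin across `backends` identical
    servers, each holding at most `max_conn` conversations at a time (the
    redundant-systems approach). Returns the share of legitimate attempts that
    got a slot. The servers cannot tell bots from real users; the is_legit
    flag exists only to score the model."""
    by_sec = defaultdict(list)
    for a in attempts:
        by_sec[a[0]].append(a)
    legit_total = legit_ok = 0
    for t in sorted(by_sec):
        load = [0] * backends
        for i, (_, _, is_legit) in enumerate(by_sec[t]):
            legit_total += is_legit
            if load[i % backends] < max_conn:
                load[i % backends] += 1
                legit_ok += is_legit
    return legit_ok / legit_total if legit_total else 1.0

if __name__ == "__main__":
    traffic = make_attempts()
    print("overloaded seconds:", overloaded_seconds(traffic, max_conn=20))
    for n in (1, 2, 3):
        ratio = legit_served_ratio(traffic, max_conn=20, backends=n)
        print(f"{n} server(s): {ratio:.0%} of real users served")
```

The model shows the limit of the approach as well: redundancy only helps while the pool's combined capacity exceeds the flood, so it buys headroom rather than immunity.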