RAT - Kill or Get Killed! by Karan Bansal
Download as PPTX, PDF•1 like•445 views
The document discusses Remote Access Trojans (RATs), which are malicious software that allows attackers to remotely control a victim's computer. It details the characteristics, types of connections, common tools, and notable examples of RATs, emphasizing their deceptive appearances and methods to avoid detection. Additionally, it outlines the various techniques employed by RATs to monitor and manipulate infected systems.
RAT - Kill or Get Killed! by Karan Bansal
- 1. Karan Bansal
- 2. According to legend, the ancient Greeks used a giant horse to defeat the Trojans. It was received as a gift, but inside the horse was the enemy.
- 3. What is a RAT? Characteristics of Trojan Types of Connection Common Tools for Remote Access Case Study of a RAT
- 4. RAT (Remote Access Trojan) is a remote control software that allows an attacker to remote control a system. Typically consists of a serve listening on specific TCP/UDP ports on victim’s machine. Hidden behind a façade of an appealing and harmless nature.
- 5. A simple example of a Trojan horse would be a program named waterfalls.scr claiming to be a free waterfall screensaver which when run instead would allow access to a user’s computer remotely.
- 6. A simple example of a Trojan horse would be a program named waterfalls.scr claiming to be a free waterfall screensaver which when run instead would allow access to a user’s computer remotely. AIDS (Trojan Horse) : Also known as Aids Info Disk or PC Cyborg Trojan, is a Trojan horse that replaces the AUTOEXEC.BAT file, which would then be used by AIDS to count the number of times the computer has booted. Once this boot count reaches 90, AIDS hides directories and encrypts the names of all files on the drive rendering the system unusable.
- 7. Once installed, RATs perform their unexpected or even unauthorized operations and use an array of techniques to hide their traces to remain invisible and stay on victim systems for the long haul.
- 8. Once installed, RATs perform their unexpected or even unauthorized operations and use an array of techniques to hide their traces to remain invisible and stay on victim systems for the long haul. Monitor the victim machine using various techniques – Screen/Camera Capture and Control File Management Computer Control Registry Management Shell Control Logging Keystrokes
- 9. Direct Connection: In such RATs client connects to a single or multiple servers directly. Stable servers are multi-threaded, allowing for multiple connections with increased reliability.
- 10. Direct Connection: In such RATs client connects to a single or multiple servers directly. Stable servers are multi-threaded, allowing for multiple connections with increased reliability. Reverse Connection: The client opens the port that the server connects to. It is generally used to bypass firewall restrictions on open ports. No problems with routers blocking incoming data, because the connection is started outgoing for a server. Allows for mass-updating of servers by broadcasting commands, because many servers can easily connect to a single client. Needed if victim is behind a NAT. If the Internet connection is closed down and an application still tries to connect to remote hosts it may be infected with malware in case of Direct Connection.
- 11. For someone to get a Trojan, they must download a file in most cases. The trap may be very easy to fall into if the file looks good into surface. You can be infected by visiting a rogue website. Emails – If you are using Microsoft Outlook, you are vulnerable to many problems which internet explorer has even if you don’t use IE directly. Open Ports – Computers running their own servers (HTTP, SMTP, FTP etc.) may be having various vulnerabilities which can be exploited. These services open a network port (TCP/UDP) giving attackers a means for interacting with these programs anywhere on the internet.
- 13. Remote Access Email Sending Data Destructive Downloader Server Trojan (Proxy, FTP, HTTP etc.) DOS Attacks Security Software Disabler
- 14. BackOrifice : It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a pun on Microsoft BackOffice Server software. NetBus : Netbus is a software program for remotely controlling a Microsoft Windows computer system over a network. It was created in 1998 and has been very controversial for its potential of being used as a backdoor. SubSeven : A popular Trojan mainly used by script kiddies for causing mischief, such as hiding the computer cursor, changing system settings or loading up pornographic websites. Although, it can be used for more serious criminal applications such as stealing credit card details with a keylogger.
- 15. Dark Comet : Provides comprehensive administration capabilities over the infected machine. It was first identified in 2011 and still infects thousands of computers without being detected. Allows the user to control the system with GUI. Dark Comet uses Crypters to hide it existence from antivirus tools. It performs several malicious administrative tasks such as: disabling Task Manager, Windows Firewall, and Windows UAC. Uses Reverse-Connection Architecture. When executing, the server connects to the client and allows client to control and monitor the server. Most commonly distributed via drive-by attacks and social networking sites. In Drive-by attacks a malicious script embedded on a webpage executes and tries to exploit some vulnerability in a system.
- 16. Any Questions?