App Review Those Nasty RATS Part 2

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
For those looking for a career in Computer Security, understanding how RATs work can be very, very beneficial. Over the past few years many hacking groups have installed RATs of varying types on innocent servers, then used these infected Servers as a platform to carry out an attack on the real target. Depending on the skill of the attack Group, the layers of innocent compromised Servers may be 3 or 4 deep in order to keep anyone from following the trail back to the Group, thus exposing them. Just as a security application will look for evidence of compromise, so will the malware RAT look for evidence of detection on the initial Server. If such detection is in evidence, the other Server layers (termed Failsafers) can be cut out, thus protecting the attackers.

A whole industry is currently under development that concerns itself with things like this, the best known being iSight, Area1 and Shape Security. Catering to the Enterprise sector, annual protection contracts frequently exceed 1 million USD annually. Point being that there may be Gold in RATs for the right people.
 
A few things:

1). Fleischmann- The reason I tested Comodo in this way was to lay the foundation for something more elaborate that will be seen in part 5, which will essentially be a video demonstration of data I sent them last December.

2). Kate- this sort of malware, signed and targeted, has in all probability been extant on certain servers for years and is still not detected. And as pointed out in Part 1, the technique is much, much older than 2009; but as long as IT "Pros" remain ignorant of the threat it should work well into the future to the detriment of us all.

3). LC- The song sounds better in a warm bath with candles and a glass of wine.

4). James- Superb point. I've wanted so many times to smash some people in the head with a bat (not that I would do so, being kind and gentle) in order to wake them up to such threats. How many breaches must occur before there is a realization that traditional methods of security are antiquated?
 
Thank you, very informative series you have got going. The variety they have (cover a lot: C++, Java, Python, VB, Perl) and tricks to avoid the modern AV technologies is just scary. Sandboxing and virtualization excel here.
 
I assume you had a good reason not to publicize the vendor whose name appears on this abused certificate.
As you mentioned, some security softs use a trusted vendors list.
Would you recommend keeping the trusted vendors list as short as possible, for instance, Microsoft + Google/Mozilla + vendors of necessary hardware drivers?