
Malware questions - RATs and other backdoor trojans


8 replies to this topic

#1 user3895

Posted 26 June 2015 - 05:13 AM

Hi,

I don't know if this is the right forum to ask speculative questions, but you guys at BC seem to really know what you're doing and I'd like to ask a couple of malware-related questions that I can't seem to find answers to elsewhere.

 

I'm interested in RATs and other trojans with backdoor functionality as I've only just become aware of how serious those infections can be and especially with all the stories of webcam spying going around, I'm a tad paranoid.

 

1. Backdoor functionality - Say I was infected with a backdoor trojan/RAT and managed to remove it, I know that although the infection is gone, the computer is now considered compromised and should be formatted and the OS reinstalled. What exactly do you mean by 'compromised'? Does this mean that attackers can inject more malware into your system and attack you that way? Or does it give them a window to hack you without traceable means? For example, if they put more trojans/worms/viruses in your computer, logic suggests that your AV or whatever would pick them/or at least some of them up eventually so you'd know you were infected. Or can they just hack in and do what they want without ever leaving a trace?

 

2. Crypters - my thin research on crypters and tools to make malware FUD has given me a mixed bag of results. Some places say public crypters (what most people use) are useless and usually are detected within a few days of release meaning they have a very short shelf life and ability to go untraced, whilst some talk about how they stay FUD for ages and victims never know they're infected. Which of these is more or less correct? (I'm learning that there's no exact science when it comes to malware, so of course this will be subjective but even so, insight would be appreciated).

For example, say I was infected a while ago, months or even years back, but AV and anti-malware never, and still doesn't detect anything, could it be because the malware was crypted? The crypted part maybe being updated online or something? If so, how come all malware isn't employed like this? It seems like a good idea (for malware creators and users, not us of course) as a way to keep their attacks hidden for long periods of time.

 

And one last quick one: do you know if any of these webcam hack/Ratting cases used AV products or anti-malware? When I read articles on it, the writers seem to be more interested in scaremongering (it's working on me) than talking about the more nuanced facts like how the victims' machines were secured prior to and during the attacks, which would definitely be useful information for those worried about the security of their own machines. If the victims had no security at all, then it would make sense that they had been unaware, but if they did, I don't understand how it went undetected for such long periods of time, especially with real-time and heuristic detection and such, unless the malware was seriously FUD. But seeing as script kiddies tend to carry out these attacks, I doubt they have the skills to create anything truly FUD (otherwise everyone would be doing it). I figured that would be NSA level or something. Am I wrong in assuming this?

 

I'm talking more generally about general attacks like getting malware through dodgy downloads or clicking bad links, rather than more targeted or physical attacks as naturally those would be more tailored to the victim and less prevalent and so their levels of espionage will probably be higher.

 

Oh gosh, this ended up being much longer than anticipated. I hope you will be able to answer some of these to help me better understand this crazy malware world. I'm ashamed to say I'd been so pitifully uninformed before. 

 

(Also, a big thanks to all the good work you guys do here. You really are doing a great job keeping PCs clean and users informed. I wish I'd discovered you guys much earlier. I'd be a hell of a lot less confused and paranoid right now!) :)


Edited by user3895, 26 June 2015 - 06:06 AM.



#2 Aura


Posted 26 June 2015 - 07:16 AM

Hi user3895 :)

What exactly do you mean by 'compromised'?


It means that other malware could have been downloaded remotely onto the system while the backdoor was present. So not only would you have to get rid of the backdoor trojan, but also of everything malicious it downloaded onto the system while it was on it.

Does this mean that attackers can inject more malware into your system and attack you that way?


If you removed the backdoor trojan, no, the attacker cannot inject more malware onto the system, except if he dropped another backdoor/downloader trojan.

For example, if they put more trojans/worms/viruses in your computer, logic suggests that your AV or whatever would pick them/or at least some of them up eventually so you'd know you were infected. Or can they just hack in and do what they want without ever leaving a trace?


If the malicious payloads dropped on the system aren't known to Antivirus and Antimalware vendors yet, they won't be detected by their products, no.

my thin research on crypters and tools to make malware FUD has given me a mixed bag of results. Some places say public crypters (what most people use) are useless and usually are detected within a few days of release meaning they have a very short shelf life and ability to go untraced, whilst some talk about how they stay FUD for ages and victims never know they're infected. Which of these is more or less correct?


I know where you are getting that information from. On "that" forum, public crypters lose their FUDness quickly because the users that use them upload their crypted samples to online virus scanners that redistribute the samples (like VirusTotal). When you use a private or paid crypter, you cannot do that, otherwise the crypter's seller will terminate your licence for the product.

And one last quick one: do you know if any of these webcam hack/Ratting cases used AV products or anti-malware?


You can get infected even if you have an up-to-date Antivirus, Antimalware or security setup. The perfect security doesn't exist and since the user is the weakest link in that setup, if he commits a mistake, there's nothing his software can do to prevent it.

But seeing as script kiddies tend to carry out these attacks, i doubt they have the skills to create anything truly FUD (otherwise everyone would be doing it).


Script kiddies are a real joke. They mainly rely on social engineering and poor attack vectors to infect users, hence why they are called "skids".

I figured that would be NSA level or something. Am I wrong in assuming this?


There's government-grade malware that exists in the wild, but it's mainly used against high-level targets, not casual users.

Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly | @AuraTheWhiteHat
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 quietman7


Posted 27 June 2015 - 12:38 PM

There is a lot of information in this topic...Glossary of Malware Related Terms

You also might find this topic of interest...There are no guarantees or shortcuts when it comes to malware removal - When should I reformat?
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#4 user3895


Posted 29 June 2015 - 08:07 AM

This has all been very interesting (and scary!). Thanks for your help in clarifying. A few more questions for extra clarity if you don't mind:

 

So is a trojan the .exe that is downloaded and run? In ratting, is that the same as the 'server'? (I don't quite understand what a server is). For example, if you deleted the infected .exe (the trojan) does that mean that, if they haven't downloaded more malware/backdoors, that they can no longer connect to your computer? Or is the trojan rendered irrelevant once the infection has taken hold? Meaning you can delete it and it doesn't matter because they can still access your computer and do what they like with it?

 

Also, from what you're saying, I'm guessing crypters can be FUD for years and pretty much indefinitely then, basically until the hacker/skid gets bored and stops updating it. In this case, I can't believe that more malware isn't delivered and maintained crypted. It seems that it's easy enough to do...

 

This leads me to this question: when people ask for help on these malware forums and you run all the programs like FRST etc., do they have the ability to detect FUD malware? Is malware FUD just for AV scanners, or can they hide from these scans too?

 

It seems from this that really the only way to be sure you're RAT-free is to frequently reformat your hard drive, which is really not a desirable method for anyone. And I guess in between reformats, cover your webcam, disable your microphone and save nothing of value on your computer if you plan on connecting it to the internet.

 

I know script kiddies are considered a joke but they do seem to be doing some serious damage and for all their lack of knowledge, they do seem to be doing it quite well!


Edited by user3895, 29 June 2015 - 08:10 AM.


#5 Aura


Posted 29 June 2015 - 09:33 AM

So is a trojan the .exe that is downloaded and run?


A backdoor trojan doesn't have to be an .exe file. It can be a .src, .jar, .com, .bat, etc. file as well.

In ratting, is that the same as the 'server'? (I don't quite understand what a server is). For example, if you deleted the infected .exe (the trojan) does that mean that, if they haven't downloaded more malware/backdoors, that they can no longer connect to your computer? Or is the trojan rendered irrelevant once the infection has taken hold? Meaning you can delete it and it doesn't matter because they can still access your computer and do what they like with it?


There's a confusion when it comes to the RAT world: a client is the backdoor trojan present on a system that connects to the C&C server (the server). However, some people refer to the client as a server as well, for whatever reason there is (mainly because you can remotely access the infected computer, in which case it would make the person who dropped the RAT a "client"). If you delete the backdoor trojan, assuming no other backdoors were dropped and no attempt to keep the connection alive was made, you just cut the communication with the C&C server, so the person who dropped it on your system cannot access it anymore.

Also, from what you're saying, I'm guessing crypters can be FUD for years and pretty much indefinitely then, basically until the hacker/skid gets bored and stops updating it. In this case, I can't believe that more malware isn't delivered and maintained crypted. It seems that it's easy enough to do...


It doesn't work like that. If a crypter stays FUD, it's because no security company managed to detect samples crypted with it. If they never do, the crypter's author doesn't need to update it at all. He only needs to update it if a company manages to detect samples crypted with it (in which case, the crypter would become UD and not FUD).

This leads me to this question: when people ask for help on these malware forums and you run all the programs like FRST etc., do they have the ability to detect FUD malware? Is malware FUD just for AV scanners, or can they hide from these scans too?


Yes. Mainly because OTL, FRST, ZOEK, etc. don't work at all like Antivirus scanners. They do not scan for malicious entries or files; rather, they list predefined entries and locations, including everything in them, so you can detect FUD malware using these tools.

It seems from this that really the only way to be sure you're RAT-free is to frequently reformat your hard drive, which is really not a desirable method for anyone. And I guess in between reformats, cover your webcam, disable your microphone and save nothing of value on your computer if you plan on connecting it to the internet.


Sadly, there's no other way. As soon as your system has been compromised, only a clean wipe and reinstall will make it 100% sure that you are clean. When a helper declares you clean here, it's because he didn't detect any traces of infection on your system.

I know script kiddies are considered a joke but they do seem to be doing some serious damage and for all their lack of knowledge, they do seem to be doing it quite well!


Skids are skids and will stay skids. Their attack vectors are really obvious and easy to avoid too.

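To illustrate the listing approach Aura describes (tools like FRST enumerate predefined autostart locations and show everything in them instead of matching signatures), here is an added example that is not from the thread or from any of the tools named: a PowerShell script that lists Run keys, services and scheduled tasks and annotates each binary with its Authenticode status and whether it sits in a user-writable folder. The key list and the user-writable heuristic are my own choices; the output is meant for a human to review, not to declare anything malicious.

```powershell
# Added example (not from the thread or from FRST/OTL/ZOEK): enumerate autostart
# locations and annotate them. Run from an elevated PowerShell on Windows 8 or later.
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExePath([string]$cmd) {
  # Pull the executable out of a command line such as: "C:\dir\app.exe" /arg
  if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
  if ($cmd -match '^\s*(\S+\.exe)') { return $Matches[1] }
  return $cmd.Trim()
}

function Describe-Binary([string]$path) {
  $expanded = [Environment]::ExpandEnvironmentVariables($path)
  $sig = 'missing'   # file not found on disk
  if ($expanded -and (Test-Path -LiteralPath $expanded)) {
    $sig = (Get-AuthenticodeSignature -LiteralPath $expanded).Status
  }
  # Heuristic (my choice): binaries in user-writable folders deserve a second look
  $userWritable = $expanded -match '\\(AppData|Temp|Users\\Public|ProgramData)\\'
  [pscustomobject]@{ Path = $expanded; Signature = $sig; UserWritable = $userWritable }
}

function New-Entry($source, $name, $command) {
  $bin = Describe-Binary (Get-ExePath $command)
  [pscustomobject]@{ Source = $source; Name = $name; Command = $command
                     Signature = $bin.Signature; UserWritable = $bin.UserWritable }
}

$entries = @(foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    if ($p.Name -match '^PS') { continue }   # skip PowerShell's own provider properties
    New-Entry $key $p.Name $p.Value
  }
})

# Services and scheduled tasks: same idea, list everything and let a human judge
$entries += Get-CimInstance Win32_Service | ForEach-Object { New-Entry 'Service' $_.Name $_.PathName }
$entries += Get-ScheduledTask | ForEach-Object {
  foreach ($a in $_.Actions) {
    if ($a.Execute) { New-Entry "Task $($_.TaskPath)" $_.TaskName $a.Execute }
  }
}

$entries | Sort-Object UserWritable, Signature -Descending | Format-Table -AutoSize
```

Nothing in the output is a verdict: an unsigned binary under AppData is simply an entry that a helper reading the log would look at first, which is the same reason a crypted sample still shows up in such a listing.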


#6 user3895


Posted 29 June 2015 - 09:53 AM

Awesome, thanks so much for your help. Seeing as it's so impossible to determine, I can only hope I was never ratted when I used the Windows OS and there are no webcam snaps / personal data floating round the net of me. (What a horrifying thought!) I was a pretty cautious user, but I guess really it only takes one daft mistake to mess up.

 

I'm glad I've now switched to Mac OSX and convinced my family to as well. I know OSX isn't foolproof, but it seems far less easy to compromise, there are fewer threats and it hasn't yet got its own skid RAT culture like Windows does.

 

Once again, thanks.


Edited by user3895, 29 June 2015 - 09:53 AM.


#7 Aura


Posted 29 June 2015 - 10:08 AM

there are fewer threats and it hasn't yet got its own skid RAT culture like Windows does.


There are a few RATs that exist for OS X. Java RATs are quite popular, like jRAT and njRAT. OS X needs as much protection as Windows when it comes to viruses and malware.

And no problem, you're welcome :)



#8 user3895


Posted 29 June 2015 - 11:27 AM

This is true, there are, but as far as I can glean, these RATs have lesser functionality and also rely on Java. If you don't have Java, they can't work. Also, for a lot of OSX malware, the user has to consciously install it and in most cases use their admin password to enable the malware. So clicking dodgy links or opening a bad PDF etc. won't do anything to the system. And these are the kinds of things that catch a lot of people out. Obviously, these things can change and in time they likely will, but as of yet, I feel much safer behind a Mac.

 

But yes, I agree, being cautious regardless of what OS you use is paramount at the end of the day. We never know what's lurking just around the corner.


Edited by user3895, 29 June 2015 - 11:28 AM.


#9 quietman7


Posted 29 June 2015 - 05:22 PM

The user is the first and last line of defense. Unfortunately, it has been proven ...

It has been proven time and again that the user is a more substantial factor (weakest link) in security than the architecture of the operating system or installed protection software.



