As many of you who read this blog will know i have a fondness for researching RATS. In this post im going to stay on the same topic but im going to change the perspective. To date i have concentrated on understanding how the ‘Server’ was holding the configs and how to extract them.
Now im going to look at the data that is extracted by theses tools.
DarkComet, a free ‘semi publicly’ available RAT. The client and the server for Dark Comet are well understood at this point and there are hundreds of blog posts by researchers far better then myself so im not going to dwell too much on these points except to say its easy to get hold of, its easy to use and its fairly powerful if it gets installed on your system.
If your unfortunate enough to become infected and even worse your infected machine connects to the attackers client it opens up a whole world of possibilities to the attacker.
Immediately upon connection he gets the following information:
Internal IP, External IP, ComputerName, UserName, Operating System, Language, Camera and the currently active window. He also has the choice to automatically execute commands as soon as you connect.
It only gets worse from here, as i said there are plenty of write ups like the one by malware bytes so ill just list the available functions.
So it looks nasty, but its been around for years, surely this cant work any more Antivirus should be all over this. Well this relies on you having installed AV in the first place and secondly, there is a fairly large cyber crime marker for making malware FUD or Fully UnDetectable to AV scanners.
Dark Comet stores some basic connection information and all of its keylogger content in to a SQLite Database. as part of my research i came across a large Dark Comet Database file and im going to share some of the results with you.
This particular Dark Comet install was hosted on a zapto.org Domain, this is one of the Dynamic DNS names provided by no-ip who have made it in to the news recently for its hosting of malware products. The IP address associated with this domain is located in California USA, its sat on hosted space, so its most likely a VPS or VPN endpoint.
Examining the Database file reveals a lot of information.
At the time of analysis there were 1813 individual infected machines that had connected to this client. The first connection was established on the 29th September 2013. The latest connection in the list was dated as 22nd July 2014.
As the External IP address are listed in the database i Geo Located each and plotted them on to a heatmap. As you can see this infection is spread through most of the world. Cyber Crime really doesn’t have international boundaries.
The infection across Operating Systems is equally revealing.
- Windows 7 Service Pack 1 = 989
- Windows XP Service Pack 3 = 388
- Windows 7 = 141
- Unknow = 105 - These are Windows 8
- Windows XP Service Pack 2 = 87
- Windows Vista Service Pack 2 = 76
- Windows Vista Service Pack 1 = 15
- Windows XP Service Pack 3 = 7
- Windows Server 2003 Service Pack 2 = 2
- Windows Vista = 2
The Computer name / User name also yields plenty of interesting information to the attacker. Ill highlight a few that immediately jumped out at me:
- HR-ADMIN-PC /
- ACCOUNTING /
- COMPUTERROOM /
If this information hasn’t shown you how pervasive and powerful this tool is then maybe the next section will.
The Key logger
Dark Comet comes with a fully functional Online and Offline key logger, this means that even of your not connected to the attacker, if your typing the next time a connection is established, this information is pushed up.
The Key logger records a lot of information. It records the Name and Title of the open window and then any text that is entered in to this window. As you can see from the excerpt below there is a lot of information you really don’t want the attacker to get hold of.
This is exactly how it appears to the attacker, the only thing i have changed is to to replace any usernames and passwords. This is all from one user.
:: Amazon.com Sign In - MSN Explorer (7:33:02 PM) firstname.lastname@example.org password :: CHASE Bank - Credit Cards, Mortgage, Personal & Commercial Banking - MSN Explorer (4:26:57 PM) password :: Chase Online - Transfer Money - Enter Info - MSN Explorer (4:46:29 PM) 78.00 :: Manage Credit Card Accounts | Capital One Online Banking - MSN Explorer (4:52:17 PM) username [<-] username[<-]password :: Campaign Balance - Excel (4:55:01 PM) :: Welcome - MSN Explorer (4:55:11 PM) username password :: User Authentication - MSN Explorer (4:56:01 PM) user[<-][<-][<-][<-]username :: Log In - MSN Explorer (4:56:13 PM) username password :: Security Verification - MSN Explorer (4:57:31 PM) password :: Bank of America | Online Banking | SiteKey | Confirm SiteKey - MSN Explorer (7:22:16 PM) password
This Dark Comet instance has been running for almost a year and in that time it has accumulated a lot of logs, there are over 19000 entries. I haven’t gone through all the logs, i have no doubt there is some fairly sensitive information in there. What i did do is run some searches to get a general idea of the content.
- Key Log Size - 108 Mb
- Word Count = 9,757,457
- Email Addresses = 46839 - imagine how many of these will be logon usernames with passwords
- Bank = 2625
- paypal = 57
- amazon = 138
- payment = 1778
Among all the expected background noise of typing in a current day, there are confidential emails, HR reports, private messages and a lot more in there as well.
This was just one Dark Comet instance, i have a small data-set that contains about 1500 Individual samples, and i see an average of 10 new samples uploaded to Virus Total each day. This only accounts for the samples we see and doesnt include the ones we dont. But If each of theses is only a quarter of the size of this campaign that still leaves tens of thousands if not hundreds of thousands of infected machines leaking a lot of personal and possible corporate information.
So what does the bad guy do with all this information, Well that depends on his morals. but some of the things we see a lot of are Harassment and blackmail, Identity theft or just selling access to your information or infected computer to the highest bidder.
Its not all doom and gloom, there are ways you can protect yourself. First install an Antivirus, and dont download a cracked copy or keygen, its going to have a rat inside! When you see that little pop up saying update, windows, java, adobe or your browser, dont you dare click ignore, take the 2 minutes and install the patch.
finally be cautious of the attachments you open, and the links you click. Sophos has plenty of information for you in this respect.
As always questions, queries, comments below.