Published by: Stuparu IG on Feb 10, 2013
Copyright:Attribution Non-commercial
White Paper
By Michael G. Spohn, Principal Consultant, Incident Response & Digital Forensic Practice, McAfee Professional Services

Know Your Digital Enemy
Anatomy of a Gh0st RAT

Know Your Digital Enemy
On March 29, 2009, the Information Warfare Monitor (IWM) published a document that details the extensive investigative research surrounding the attack and compromise of computer systems owned by the Private Office of the Dalai Lama, the Tibetan Government-in-Exile, and several other Tibetan enterprises. After 10 months of exhaustive investigative work, this team of talented cyber investigators identified the tool used to compromise victim systems: a sophisticated piece of malware named Gh0st RAT (Remote Access Terminal).

On May 25, 2011, cyber investigator, forensic tool writer, and author Harlan Carvey published a blog post listing some of his favorite forensic tools. In this post, Harlan referred to an interesting, yet dated, website that described in detail the capabilities of the Gh0st RAT malware. This site, "xpl0it Analysis," even includes links to download a beta version (3.6) of the Gh0st RAT source code.

As soon as I navigated to the stale "xpl0it Analysis" website and read the details of the Gh0st RAT malware, I became very interested in learning more about it. Even though the links to the Gh0st Beta source code on the xpl0it Analysis site were removed long ago, I was able to find a copy of it somewhere on the Internet and decided to analyze it.

Examination of the Gh0st RAT source code revealed that it is a derivative of the same code used to create the RAT binaries described in the IWM research paper and the xpl0it Analysis website. Unfortunately, the code base would not compile due to numerous coding bugs and missing dependencies.

After many weeks of work, I was able to correct hundreds of bugs in the source code, which allowed me to build a working version of Gh0st RAT Beta 3.6. Although I converted the resource text labels from Chinese to English, the base source code was left intact.

This document describes what I learned during my analysis of the Gh0st RAT source code. I describe in great detail how the multiple binaries work together, the extensive capabilities of the malware, and the structure of the source code tree. I also explore how the malware compromises a host, its obfuscation and encryption methods, and how it communicates. Finally, I provide some tips on how to identify a host compromised by the RAT and how to defend against it.

Even though this Gh0st RAT contains source code dating back to 2001, the lessons we can learn from it are very relevant today. In early 2011, McAfee Foundstone and McAfee researchers identified a Gh0st RAT, very similar to the one described in this paper, that was used to attack large corporations in the oil and gas industry. This investigation, known as Night Dragon, is described in a separate white paper.

The use of RAT tools by cybercriminals continues because they are very efficient and powerful. They are lightweight and provide complete remote control access to a compromised host. The command and control (C2) component can manage thousands of compromised hosts. Understanding how these tools work is critical if we want to understand the threat and put in place countermeasures to defend against their use.
Gh0st RAT Overview
I you are not amiliar with the technical capabilities o a Gh0st RAT, in this section I show the actualoperation o a RAT using screen shots. There are two main components o a Gh0st RAT system: theclient and the server.The server is a small Microsot Windows DLL that runs on a compromised host. It runs as a Windowsservice and starts up when the system starts. Upon startup, it connects and “checks in” to a C2 clientand awaits urther instructions.