Wednesday, November 7, 2012

Guide to RAT


Remote Administration Tools

RAT stands for Remote Administration Tool. A RAT is a program used to control a remote PC, hence the name. RATs can be used for white-hat, fun or personal purposes and also for black-hat or malicious purposes. The user may take complete or partial control of a remote computer with or without the owner's knowledge.

Functioning of a RAT

The RAT program itself is referred to as the client. The RAT client builds a program called the server (or virus); the server is often referred to as a Trojan horse. The RAT client needs a specific port for the program to communicate with the host (see the Port section below). When the server is run on a remote PC, the infected PC starts communicating with the client. Many RATs used for black-hat purposes hide their activity from the host. Once a connection is established, the client can take full or partial control of that computer. When a RAT server is installed without the host's knowledge, the host is often referred to as a bot, slave, install, etc.

Types of RATs and its features

Non-Malicious RATs
They are mostly used for personal or white-hat purposes. They require the host's permission, and the host can cut off the connection at any time. So they are useful for fixing a remote computer while sitting at your own PC.

Malicious RATs
As the name suggests, these are used for black-hat purposes, such as stealing the victim's information or spying on them, especially without their knowledge.

TCP RATs
They communicate directly between the host and the client. They require port forwarding. They have more features than PHP/HTTP bots, so more features = more fun. They are always the first priority; fall back to a PHP/HTTP RAT if you have serious problems with port forwarding.


Free RATs
  • Dark-comet
  • Cyber Gate
  • Poison Ivy
  • Bi-frost
  • Spy-Net
  • Xtreme RAT

Paid RATs
  • Blackshades NET
  • Paradox RAT
  • Client mesh
  • Anguish RAT

PHP/HTTP RATs
They work without the need to port forward. They are more stable than TCP RATs but have relatively fewer features.

List of common Php/Http RATs
  • Vertex NET
  • Loki RAT
  • BlackShades Fusion
  • Lynx RAT

Some general features of a RAT
  • Block mouse and keyboard
  • Change your desktop wallpaper
  • Download, upload, delete, and rename files
  • Drop viruses and worms
  • Edit Registry
  • Format drives
  • Grab passwords, credit card numbers
  • Hijack homepage
  • Hide desktop icons, taskbar and files
  • Log keystrokes, keystroke capture software
  • Open CD-ROM tray
  • Overload the RAM/ROM drive
  • Print text
  • Play sounds
  • Randomly move and click mouse
  • Record sound with a connected microphone
  • Record video with a connected webcam
  • Shutdown, restart, log-off, shutdown monitor
  • Steal passwords
  • View screen
  • View, kill, and start tasks in task manager


Port
A port is needed for any remote connection to communicate with your computer. For example, port 80 is used for web services and port 25 is used for SMTP. So every program needs its own port to communicate with a remote device. Obviously, a RAT too needs a port to communicate with the remote PC (host).

Port Forwarding
Port forwarding is the method of opening a specific port on the router so that connections can pass through to your computer. To forward a port you need access to your router. Sometimes UPnP is used when you don't have access to your router but the router supports UPnP. UPnP means Universal Plug and Play. If your router supports UPnP, the port may be opened using third-party software such as uTorrent.

VPN
VPN stands for Virtual Private Network. I need not explain it much here. It is used to hide your IP and stay anonymous: when you are on a VPN and request a web resource, the request first goes to the VPN server, which fetches the web resource for you. Some VPNs may allow you to open certain ports, so they can solve your port-forwarding issues.

DNS
DNS is the Domain Name System. If you have a dynamic IP, your IP changes often, so it is practically impossible for the bots to stay connected to you. A dynamic DNS provider gives you a domain name that redirects to whatever IP you currently have.

There are many DNS providers; the most widely used are:
  • NO-IP
  • dyndns
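As an added example, not part of the original post, here is a defender-side Python script that looks for the behaviour described in the "Functioning of a RAT", "Port" and "DNS" sections above: an infected host reconnecting to one fixed host:port at regular intervals (beaconing), with that host sitting under a free dynamic-DNS domain such as the NO-IP or DynDNS ones just listed. The log line format, the sample lines, the destination port 3131 and the suffix list are all constructed for this illustration and are not taken from any real product or incident.

```python
"""Flag beacon-like outbound connections and dynamic-DNS destinations in a
connection log. Added example; log format and sample data are constructed."""
from collections import defaultdict
from datetime import datetime
import statistics

# Illustrative suffixes of free dynamic-DNS services (the post names NO-IP and
# DynDNS); a real deployment would load a maintained, much longer list.
DYNAMIC_DNS_SUFFIXES = ("no-ip.org", "ddns.net", "dyndns.org")

# Constructed outbound-connection log, one event per line:
# "<iso-timestamp> <src_ip> <dst_host> <dst_port>"
SAMPLE_LOG = """\
2012-11-07T10:00:00 10.0.0.5 myhome.no-ip.org 3131
2012-11-07T10:00:02 10.0.0.5 www.example.com 80
2012-11-07T10:05:00 10.0.0.5 myhome.no-ip.org 3131
2012-11-07T10:10:01 10.0.0.5 myhome.no-ip.org 3131
2012-11-07T10:12:40 10.0.0.7 www.example.com 443
2012-11-07T10:15:00 10.0.0.5 myhome.no-ip.org 3131
2012-11-07T10:20:00 10.0.0.5 myhome.no-ip.org 3131
2012-11-07T10:21:13 10.0.0.7 mail.example.net 25
2012-11-07T10:34:50 10.0.0.7 www.example.com 443
"""


def parse_log(text):
    """Parse the constructed log format into (datetime, src, host, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, port = line.split()
        events.append((datetime.fromisoformat(ts), src, host.lower(), int(port)))
    return events


def is_dynamic_dns(host):
    """True if host is a dynamic-DNS apex or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def beacon_score(timestamps):
    """Return (connection count, coefficient of variation of the gaps between
    connections). A low CV means the gaps are nearly identical, i.e. a timer
    rather than a human is driving the connections."""
    if len(timestamps) < 3:
        return len(timestamps), None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return len(ts), None
    return len(ts), statistics.pstdev(gaps) / mean


def find_suspicious(events, min_count=4, max_cv=0.2):
    """Group events by (src, host, port) and flag dynamic-DNS destinations and
    regular beacons. Thresholds are tuning knobs chosen for this example."""
    groups = defaultdict(list)
    for ts, src, host, port in events:
        groups[(src, host, port)].append(ts)
    findings = []
    for (src, host, port), stamps in groups.items():
        count, cv = beacon_score(stamps)
        reasons = []
        if is_dynamic_dns(host):
            reasons.append("dynamic-dns")
        if cv is not None and count >= min_count and cv <= max_cv:
            reasons.append("beaconing")
        if reasons:
            findings.append({"src": src, "host": host, "port": port,
                             "count": count, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample log the only flagged flow is 10.0.0.5 to myhome.no-ip.org:3131, which both lives under a dynamic-DNS suffix and connects every five minutes with almost no jitter; the ordinary web and mail traffic from both hosts is left alone. Either signal on its own produces false positives (plenty of legitimate home services use NO-IP, and software updaters poll on timers), which is why the script reports the reasons separately so an analyst can weigh them.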

Cryptography
It's the method of hiding your server from anti-viruses, because most RAT servers are detected by many anti-viruses. So when your victims open your server, their anti-virus may block it. In this case a crypter is used: software that protects your server from anti-viruses. Every crypter has a stub, either built in or separate from the crypter. A stub is code which, when added to your server, makes it FUD or UD.

FUD: Fully Un-Detected
It means that the stub is undetectable by all anti-viruses.
UD: Un-detected
It means that the stub goes undetected by some anti-viruses while a few detect it.


Virus scanning sites
They are often used to check a binary for threats/viruses. These sites use multiple antivirus engines to test the uploaded binary. Most of them cooperate with antivirus companies and send the binary samples to them for analysis. So if your FUD server is uploaded to a site like this, it will get detected by antivirus companies, and your FUD server will become UD. But some sites do not give out binary samples to antivirus companies; they are often used to check the FUD or UD status of the server/stub.
Some sites that give out samples:
Some sites that don't give out samples:

Dependencies
Some crypters coded in VB.NET or C# need the .NET Framework for the stub to run, so they are often described as ".NET dependent crypters". The .NET Framework usually comes pre-installed on Windows Vista or above.
Crypters coded in C++, ASM, VB6 or any other language that does not involve .NET can run on systems even without the .NET Framework. They are pretty stable and have high execution rates, but they are relatively costlier than the .NET dependent ones.


Java Driveby
It's a Java applet uploaded to a web host, often covered by a legit-looking clone of a site. When the slave opens the website, a Java message pops up with two options, Run or Cancel. 90% of people will click Run. When Run is clicked, your server is executed on their computer without their knowledge.

Botkilling
Botkilling is also known as ruskilling. The name describes it: killing bots/servers. It means killing other bots/servers inside the slave's computer. Some crypters and RATs have this function. Though it may be useful sometimes, it will be frustrating when you buy some bots and they botkill your server.
