log in  |  register  |  feedback?  |  help  |  web accessibility
Logo
To Catch a Ratter: Monitoring the Behavior of Amateur DarkComet RAT Operators in the Wild
Mohammad Rezaeirad - George Mason University
3460 A.V. Williams Building (AVW)
Wednesday, May 10, 2017, 1:00-2:00 pm Calendar
  • You are subscribed to this talk through .
  • You are watching this talk through .
  • You are subscribed to this talk. (unsubscribe, watch)
  • You are watching this talk. (unwatch, subscribe)
  • You are not subscribed to this talk. (watch, subscribe)
Abstract
Remote Access Trojans (RATs) give remote attackers interactive control over a compromised machine. Unlike large- scale malware such as botnets, a RAT is controlled individually by a human operator interacting with the compromised machine remotely. The versatility of RATs makes them attractive to actors of all levels of sophistication: they’ve been used for espionage, information theft, voyeurism and extortion. Despite their increasing use, there are still major gaps in our understanding of RATs and their operators, including motives, intentions, procedures, and weak points where defenses might be most effective.

In this work we study the use of DarkComet, a popular commercial RAT. We collected 19,109 samples of DarkComet malware found in the wild, and in the course of two, several week-long experiments, ran as many samples as possible in our honeypot environment. By monitoring a sample’s behavior in our system, we are able to reconstruct the sequence of operator actions, giving us a unique view into operator behavior. We report on the results of 2,747 interactive sessions captured in the course of the experiment. During these sessions operators frequently attempted to interact with victims via remote desktop, to capture video, audio, and keystrokes, and to exfiltrate files and credentials. To our knowledge, we are the first large-scale systematic study of RAT use. 

link: https://people.eecs.berkeley.edu/~pearce/papers/rats_oakland_2017.pdf

Bio

Mohammad Rezaeirad is a Ph.D. student with interests in Cyber-Physical System security, measurement studies and cryptography. Mohammad works under supervision of Dr. Damon McCoy. Prior to join George Mason, he obtained his master’s degree in Computer Science from University of Louisiana and a BS in Security Technologies, from the Multimedia university.

This talk is organized by Daniel Votipka