Snort mailing list archives

Context: Malware Blog Post on Dark Comet RAT with Snort Signatures


From: Context IS - Disclosure <disclosure () contextis co uk>
Date: Thu, 3 Nov 2011 14:22:19 +0000

Context Information Security has released a blog post on the Dark Comet RAT. The article covers the reverse 
engineering and analysis of its functionality, how to decrypt its traffic, and Snort signatures to detect its traffic on 
the wire.

Link: http://www.contextis.com/research/blog/darkcometrat/

Signatures:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Context Signature: DarkComet-RAT Incoming Keepalive"; flow:from_server,established; pcre:"/KeepAlive\|\d{7}/"; classtype:trojan-activity; sid:1000001; rev:2; reference:url,www.contextis.com/research/blog/darkcometrat/;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Context Signature: DarkComet-RAT Outgoing Keepalive"; flow:to_server,established; pcre:"/KEEPALIVE\d{7}/"; classtype:trojan-activity; sid:1000002; rev:1; reference:url,www.contextis.com/research/blog/darkcometrat/;)

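The two rules above differ in more than direction: the server-to-client keepalive is written "KeepAlive|" followed by seven digits, while the client-to-server reply is "KEEPALIVE" with no separator, and both PCREs are case-sensitive. The following is an added example (not code from Context or from the Snort project) that applies the same two patterns to constructed TCP payload samples, keyed by the rule's flow direction, so the matching behaviour of each signature can be checked offline. The direction labels and the sample segments are assumptions made for the demonstration.

```python
import re

# Patterns lifted from the two Snort rules: the server->client keepalive is
# mixed case with a pipe separator, the client->server reply is upper case
# with no separator. Both are followed by exactly seven digits.
INCOMING_KEEPALIVE = re.compile(rb"KeepAlive\|\d{7}")
OUTGOING_KEEPALIVE = re.compile(rb"KEEPALIVE\d{7}")

def classify_payload(direction, payload):
    """Mirror the flow:from_server / flow:to_server split of the two rules.

    direction is 'from_server' or 'to_server' (hypothetical labels standing
    in for the Snort flow option); returns the matching rule's sid, or None
    when neither rule would alert on this segment.
    """
    if direction == "from_server" and INCOMING_KEEPALIVE.search(payload):
        return 1000001
    if direction == "to_server" and OUTGOING_KEEPALIVE.search(payload):
        return 1000002
    return None

# Constructed sample segments (not real captured traffic): a keepalive pair
# that should fire one rule each, plus segments that should stay silent.
SAMPLE_SEGMENTS = [
    ("from_server", b"KeepAlive|1234567"),
    ("to_server", b"KEEPALIVE1234567"),
    ("from_server", b"KEEPALIVE1234567"),   # upper-case form in the wrong direction
    ("to_server", b"KeepAlive|123"),        # wrong form and too few digits
    ("from_server", b"GET / HTTP/1.1\r\n"),  # unrelated traffic
]

def scan(segments):
    """Return a list of (segment index, sid) for every segment that would alert."""
    hits = []
    for i, (direction, payload) in enumerate(segments):
        sid = classify_payload(direction, payload)
        if sid is not None:
            hits.append((i, sid))
    return hits

if __name__ == "__main__":
    for idx, sid in scan(SAMPLE_SEGMENTS):
        print(f"segment {idx}: sid {sid}")
```

The direction check matters because the upper-case form seen in the wrong direction (segment 2 in the samples) is exactly the kind of traffic the flow options exclude; the same payload without the direction split would produce a hit that the Snort rules themselves never raise.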

Synopsis:
"A Remote Administration Tool (otherwise known as a RAT) is a piece of software designed to provide full access to 
remote clients. Capabilities often include keystroke logging, file system access and remote control; including control 
of devices such as microphones and webcams. RATs are designed as legitimate administrative tools, yet due to their 
extensive capabilities are often seen used with malicious intent.

When a RAT is identified as the payload in a malicious infection, typical malware analysis will resolve all the 
capabilities being provided to the attacker. However, the attacker may not be using all the capabilities provided; they 
may only be using the keylogging facility, or using the backdoor to install further tools onto the infected host. To 
make a full impact assessment, this detail is necessary and may only be available through analysis of the commands sent 
to the host by the attacker. However, access to the command and control traffic is limited as most RATs implement 
encryption or obfuscation to hide data sent over the network.

In this blog post I will take a look at a RAT called Dark Comet. I will run through the capabilities provided by the 
tool, examine the associated network traffic, identify the encryption algorithm and show how the key can be identified 
with a little analysis of an infected host."

About Context Information Security
------------------------------------
 
Context Information Security is an independent security consultancy specialising in both technical security and 
information assurance services.
 
The company was founded in 1998. Its client base has grown steadily over the years, thanks in large part to personal 
recommendations from existing clients who value us as business partners. We believe our success is based on the value 
our clients place on our product-agnostic, holistic approach; the way we work closely with them to develop a tailored 
service; and to the independence, integrity and technical skills of our consultants.
 
The company’s client base now includes some of the most prestigious blue chip companies in the world, as well as 
government organisations. 
 
The best security experts need to bring a broad portfolio of skills to the job, so Context has always sought to recruit 
staff with extensive business experience as well as technical expertise. Our aim is to provide effective and practical 
solutions, advice and support: when we report back to clients we always communicate our findings and recommendations in 
plain terms at a business level as well as in the form of an in-depth technical report.
 
Web:        www.contextis.com
Email:      disclosure () contextis com
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org