Snort mailing list archives

Re: Context: Malware Blog Post on Dark Comet RAT with Snort Signatures


From: Bad Horse <b4dh0rs3 () gmail com>
Date: Thu, 3 Nov 2011 10:24:19 -0500

Thanks for this.

What you propose works but can I humbly suggest some performance
improvements?  How about adding respective 'content:"KeepAlive|"' and,
'content:"KEEPALIVE"' keywords?  That way you don't have to always
invoke the PCRE engine.

-Bad Horse
 The Thoroughbred of SYN

On 11/3/11, Context IS - Disclosure <disclosure () contextis co uk> wrote:
Context Information Security has released a blog post on the Dark Comet RAT.
The article covers the reverse engineering and analysis of its
functionality, how to decrypt its traffic, and Snort signatures to detect its
traffic on the wire.

Link: http://www.contextis.com/research/blog/darkcometrat/

Signatures:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Context Signature:
DarkComet-RAT Incoming Keepalive"; flow:from_server,established;
pcre:"/KeepAlive\|\d{7}/"; classtype:trojan-activity; sid:1000001; rev:2;
reference:url,www.contextis.com/research/blog/darkcometrat/;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Context Signature:
DarkComet-RAT Outgoing Keepalive"; flow:to_server,established;
pcre:"/KEEPALIVE\d{7}/"; classtype:trojan-activity; sid:1000002; rev:1;
reference:url,www.contextis.com/research/blog/darkcometrat/;)


Synopsis:
"A Remote Administration Tool (otherwise known as a RAT) is a piece of
software designed to provide full access to remote clients. Capabilities
often include keystroke logging, file system access and remote control;
including control of devices such as microphones and webcams. RATs are
designed as legitimate administrative tools, yet due to their extensive
capabilities are often seen used with malicious intent.

When a RAT is identified as the payload in a malicious infection, typical
malware analysis will resolve all the capabilities being provided to the
attacker. However, the attacker may not be using all the capabilities
provided; they may only be using the keylogging facility, or using the
backdoor to install further tools onto the infected host. To make a full
impact assessment, this detail is necessary and may only be available
through analysis of the commands sent to the host by the attacker. However,
access to the command and control traffic is limited as most RATs implement
encryption or obfuscation to hide data sent over the network.

In this blog post I will take a look at a RAT called Dark Comet. I will run
through the capabilities provided by the tool, examine the associated
network traffic, identify the encryption algorithm and show how the key can
be identified with a little analysis of an infected host."

About Context Information Security
------------------------------------

Context Information Security is an independent security consultancy
specialising in both technical security and information assurance services.

The company was founded in 1998. Its client base has grown steadily over the
years, thanks in large part to personal recommendations from existing
clients who value us as business partners. We believe our success is based
on the value our clients place on our product-agnostic, holistic approach;
the way we work closely with them to develop a tailored service; and to the
independence, integrity and technical skills of our consultants.

The company’s client base now includes some of the most prestigious blue
chip companies in the world, as well as government organisations.

The best security experts need to bring a broad portfolio of skills to the
job, so Context has always sought to recruit staff with extensive business
experience as well as technical expertise. Our aim is to provide effective
and practical solutions, advice and support: when we report back to clients
we always communicate our findings and recommendations in plain terms at a
business level as well as in the form of an in-depth technical report.

Web:        www.contextis.com
Email:      disclosure () contextis com
------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


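Bad Horse's suggestion, worked through as an added example that is not part of the thread or of Context's post: a literal substring check (standing in for Snort's content: fast-pattern matcher) runs first, and the regex (Python's re module here, standing in for PCRE) runs only on payloads that contain the literal. The payloads are constructed, not captured traffic, and the flow direction is modelled with a "src" tag. Both strategies raise the same alerts, but the prefiltered one evaluates the regex on three of the six segments instead of all six. One caveat for anyone pasting the suggestion into a rule: in Snort content strings a bare `|` opens a hex-byte section, so the literal pipe in the incoming keepalive has to be written as `content:"KeepAlive|7C|";` (or escaped) rather than `content:"KeepAlive|"`.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    flow: str          # "from_server" or "to_server", as in the posted rules
    content: bytes     # literal the fast matcher checks first
    pcre: re.Pattern   # regex evaluated only when the literal is present


# The two posted Context rules, each with the literal prefilter Bad Horse
# proposes. The regexes are the ones from the posted pcre: keywords.
RULES = (
    Rule(1000001, "DarkComet-RAT Incoming Keepalive", "from_server",
         b"KeepAlive|", re.compile(rb"KeepAlive\|\d{7}")),
    Rule(1000002, "DarkComet-RAT Outgoing Keepalive", "to_server",
         b"KEEPALIVE", re.compile(rb"KEEPALIVE\d{7}")),
)

# Constructed sample payloads (not captured traffic). "src" is who sent the
# segment on the established TCP flow, which is what flow:from_server and
# flow:to_server distinguish.
SAMPLE_PAYLOADS = (
    {"src": "server", "data": b"KeepAlive|1234567"},
    {"src": "client", "data": b"KEEPALIVE1234567"},
    {"src": "server", "data": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "client", "data": b"KEEPALIVE12"},        # literal present, too few digits
    {"src": "server", "data": b"keepalive|1234567"},  # wrong case: content is case-sensitive
    {"src": "client", "data": b"\x00" * 16},
)


def flow_matches(rule, payload):
    """Approximate flow:from_server / flow:to_server by who sent the segment."""
    wanted = "server" if rule.flow == "from_server" else "client"
    return payload["src"] == wanted


def inspect(payloads, prefilter=True):
    """Return (alerts, pcre_evaluations).

    alerts is a list of (sid, payload_index). pcre_evaluations counts how many
    times the regex engine ran, which is the cost the content: prefilter cuts.
    """
    alerts = []
    pcre_evaluations = 0
    for idx, payload in enumerate(payloads):
        for rule in RULES:
            if not flow_matches(rule, payload):
                continue
            # Fast path: plain substring search standing in for Snort's
            # content matcher. If the literal is absent the regex cannot
            # match either, so skipping it changes nothing but the cost.
            if prefilter and rule.content not in payload["data"]:
                continue
            pcre_evaluations += 1
            if rule.pcre.search(payload["data"]):
                alerts.append((rule.sid, idx))
    return alerts, pcre_evaluations


def compare():
    """Show both strategies raise identical alerts with fewer regex runs."""
    with_filter = inspect(SAMPLE_PAYLOADS, prefilter=True)
    without_filter = inspect(SAMPLE_PAYLOADS, prefilter=False)
    return {
        "alerts_match": with_filter[0] == without_filter[0],
        "alerts": with_filter[0],
        "pcre_with_prefilter": with_filter[1],
        "pcre_without_prefilter": without_filter[1],
    }


if __name__ == "__main__":
    print(compare())
```

The fourth payload is the one worth noticing: the literal alone would fire on `KEEPALIVE12`, so the pcre: keyword still has to stay in the rule; the content: keyword only decides which packets are worth handing to the regex engine.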