Detecting Remote Access Trojans (RATs hereafter) is a particular challenge, since they mimic legitimate commercial remote administration tools, open doors into networks through seemingly lawful channels, and perform small, "surgical" operations that bear no resemblance to the techniques routinely used by malicious software.
All these characteristics were an important tool for the attackers who used Carbanak (a RAT) and managed to infect banks around the world, withdraw funds and cause over $1 billion in damage, according to the Kaspersky Lab report "Carbanak APT: The Great Bank Robbery".
To deal successfully with this kind of malware, one must first understand how it works and what it is capable of, and secondly learn how to block and "mislead" it before removing it completely.
How does a system get infected?
RATs usually penetrate the corporate network via phishing attacks, using links or attachments such as PDFs. Code, macros or JavaScript can be embedded in a PDF file, so as soon as someone opens it, additional components may be downloaded and installed on the system, which together form the malware "package". It is, of course, equally possible for the malware to reach the computer through an infected website the user visits.
The well-known RATs
The most widespread RATs are considered to be: Sakula, KjW0rm, Havex, Agent.BTZ/ComRat, Dark Comet, AlienSpy, Heseber BOT, the "Animal Farm" family and Carbanak.
- Sakula, considered responsible for the recent data leak at the American Office of Personnel Management, steals the passwords of network operators using the Mimikatz tool.
- KjW0rm, which contributed to the data leak from a French television station, is written in VBS, which does not help detection.
- Havex targets industrial control systems (ICS); because it uses variants and takes advantage of HTTP and HTTPS communications, its activity can be intercepted.
- Agent.BTZ/ComRat is another ICS RAT, which experts consider to have originated from Russian government sources.
- Dark Comet in turn uses crypters that are not detected by antivirus software.
- It is worth noting that Apple products are not invulnerable to RATs, since AlienSpy attacks Apple OS X. Because Apple OS X uses only "traditional" firewalls, AlienSpy manages not to be noticed by "common" antivirus software and thus gains free access to the target systems.
- Heseber BOT uses VNC to evade the tools hunting for it.
- Animal Farm was based on several RATs, including Dino, Bunny, Casper and Babar. These RATs appear to be linked to government sources and were used to steal data from government and military organisations.
- Carbanak, finally, gave attackers the ability to watch live footage of the activities inside credit institutions, so as to learn how they trade and how money could best be "lifted" from them.
How to block and mislead RATs
To block RATs, first of all apply the patches to operating systems and software (browsers, PDF readers, Flash, Java, MS Office, etc.) that vendors make available, in order to reduce the risk of "contamination" through an existing vulnerability. Then use whitelisting to prevent any activity by suspicious .exe and .dll files. In this way users will not be able to run, uncontrolled, programs of unknown origin and, likewise, of unknown consequences.
Keep RATs under watch by deploying IDS and IPS devices on your network that detect the known network-based signatures of many RATs' activity. These include signatures for C2 protocols, RAT user agents and unencrypted communication over port 443. Using IPS devices you can block RAT traffic from leaving the enterprise network. Exploit indicators of compromise (IOCs) to determine where the RATs are located, then scan endpoints to find exactly where the problem is. In particular, check network IOCs and any traffic from the company's devices and machines to known C2 domains, IP addresses and URLs.
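As an added illustration (not part of the original article) of the network IOC checks described above, the script below triages a few constructed proxy log lines for the three indicator classes the text names: known C2 destinations, RAT-style user agents and cleartext traffic on port 443. The log format, the indicator values and the user-agent patterns are all constructed placeholders, not real IOCs.

```python
"""Triage constructed proxy log lines for RAT network indicators."""
import re
from typing import Dict, List

# Constructed placeholder C2 destinations (hypothetical; load your own feed here)
C2_INDICATORS = {"c2.example.invalid", "198.51.100.23"}

# Constructed examples of user-agent patterns a RAT signature might look for:
# an empty UA, a bare scripting-language HTTP client, or a made-up client name.
SUSPICIOUS_UA = re.compile(r"^(-|python-urllib/[\d.]+|RATClient/.*)$", re.IGNORECASE)

# Constructed log format: <ts> <src_ip> <dst_host> <dst_port> <proto> "<user_agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) (\S+) "([^"]*)"$')


def triage_line(line: str) -> List[str]:
    """Return the indicator classes matched by one log line (empty if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparsed"]  # unparsable lines are flagged, never silently dropped
    _ts, _src, dst, port, proto, ua = m.groups()
    hits = []
    if dst in C2_INDICATORS:
        hits.append("known_c2_destination")
    # Port 443 without a TLS handshake: the proxy saw plaintext HTTP where TLS
    # is expected, one of the signature classes the article mentions.
    if port == "443" and proto.upper() != "TLS":
        hits.append("cleartext_on_443")
    if SUSPICIOUS_UA.match(ua):
        hits.append("suspicious_user_agent")
    return hits


def triage(lines: List[str]) -> Dict[int, List[str]]:
    """Map the index of every flagged line to its hits; clean lines are omitted."""
    results = {}
    for idx, line in enumerate(lines):
        hits = triage_line(line)
        if hits:
            results[idx] = hits
    return results


# Constructed sample log: one clean browser session and several suspicious ones.
SAMPLE_LOG = [
    '2015-07-01T10:00:01Z 10.0.0.5 www.example.com 443 TLS "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"',
    '2015-07-01T10:00:02Z 10.0.0.7 c2.example.invalid 443 HTTP "-"',
    '2015-07-01T10:00:03Z 10.0.0.9 198.51.100.23 8080 HTTP "python-urllib/2.7"',
    '2015-07-01T10:00:04Z 10.0.0.5 updates.example.com 443 HTTP "Mozilla/5.0 (Windows NT 6.1) Firefox/38.0"',
    "corrupted log record",
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(hits)}")
```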
Experts also point out that segmenting the network generally helps. RATs are then forced to go searching for information that may only be reachable by gaining access to other on-site networks. Consequently their activity slows down, which gives you the opportunity to detect them using behaviour-based detection techniques or signatures. Block ports that are not used, and apply filters and web proxies to detect RATs that send data outside the organisation.
Finally, mislead RATs using honeypots that keep them occupied until you locate them. That way they will neither have gained access to your data nor realised they have been "fooled" until it may be too late.
Given the complexity of the most recent RATs, signature-based detection tools are unlikely to be effective; behaviour-based detection methods are preferable. And to "heal" any "wounds", you should apply remediation techniques; one solution is backup technology based on snapshots.
Watch out!
RATs are a powerful attack "weapon" in the hands of cybercriminals. Intrusion detection tools and techniques based on observing RAT behaviour are growing in both number and effectiveness, while other security technologies are evolving too. Combining them can lead to early detection of the slightest RAT movement, so you should not leave your systems "unattended" even for a moment! The slightest "relaxation" of surveillance can lead to uncontrollable situations.