Friday, 31 October 2014

remote-administration-tool
RAT Uses Component Object Model To Be Undetectable

G Data Software's Security Labs has discovered a new Remote Administration Tool (RAT) that uses a technique to avoid being detected on the infected system.

COMpFun the FUD RAT:

The RAT is dubbed "COMpFun". Apart from its ability to stay undetected, its feature set is similar to that of other RATs available out there: it can perform tasks such as keylogging, taking screenshots, uploading or downloading files, popping up messages, controlling window management, and controlling the webcam.

According to the report, the RAT supports both 32-bit and 64-bit Windows, up to Windows 8. It uses HTTPS and RSA encryption to communicate with its C&C server.

COM allows developers to manipulate and control the objects of other applications. Objects are identified by unique identifiers called CLSIDs. By hijacking a Component Object Model registration, the RAT gets its library loaded into legitimate processes already running on the infected computer, so the user cannot point to any one process and say "that is the RAT".

How the RAT works:

After being installed on the victim's computer, it creates two files in the directory:
%APPDATA%\Roaming\Microsoft\Installer\{BCDE0395-E52F-467C-8E3D-C4579291692E}\  

After that it creates registry keys that point to the two previously created files:

  • HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32
  • HKCU\Software\Classes\Wow6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32
The purpose of these keys is to define COM objects with the CLSIDs {b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} and {BCDE0395-E52F-467C-8E3D-C4579291692E}. But these CLSIDs already belong to legitimate Microsoft components; because the per-user entries under HKCU are consulted before the machine-wide ones, the newly created registrations shadow the existing ones. Both CLSIDs are loaded by many Windows applications, such as web browsers.

Once the registrations are shadowed, the RAT's libraries are loaded instead of the legitimate Microsoft libraries. This makes the RAT not only persistent but also hard to find.

G Data said,

As soon as the infection was successful, Microsoft Windows then natively executes the library in the processes of the infected user. Hence, the attacking process is hard to identify. Using COM hijacking is undoubtedly silent. It is not even detected by Sysinternals' Autoruns.

AV programs generally detect RATs by looking for DLL injection. As COMpFun does not use DLL injection, AV cannot detect it; more precisely, it becomes a FUD (fully undetectable) RAT. G Data said that this type of attack is not limited to RATs: an attacker can use this method with any other malware too.
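A defender can hunt for exactly this pattern: a per-user InprocServer32 registration that shadows a machine-wide CLSID, or that points into the user's profile (such as the %APPDATA% directory named above). The PowerShell below is an added example written for this post, not code from G Data or from the RAT; the function name Get-ShadowedComServers is an assumption, and it reads only the live registry of the host it runs on.

```powershell
# Added example (not from the G Data report): list per-user COM servers that
# shadow a machine-wide CLSID. Windows consults HKCU\Software\Classes\CLSID
# before HKLM for the same CLSID, which is what COM hijacking relies on.
function Get-ShadowedComServers {
    $userRoots = @(
        'HKCU:\Software\Classes\CLSID',
        'HKCU:\Software\Classes\Wow6432Node\CLSID'
    )
    foreach ($userRoot in $userRoots) {
        if (-not (Test-Path $userRoot)) { continue }
        # Corresponding machine-wide path (HKCU: -> HKLM:)
        $machineRoot = $userRoot -replace '^HKCU:', 'HKLM:'

        foreach ($clsidKey in Get-ChildItem -Path $userRoot -ErrorAction SilentlyContinue) {
            $clsid      = $clsidKey.PSChildName
            $userServer = Join-Path $userRoot "$clsid\InprocServer32"
            if (-not (Test-Path $userServer)) { continue }
            # The default value of InprocServer32 is the DLL that COM will load
            $userDll = (Get-ItemProperty -Path $userServer -ErrorAction SilentlyContinue).'(default)'

            $machineServer = Join-Path $machineRoot "$clsid\InprocServer32"
            $machineDll = $null
            if (Test-Path $machineServer) {
                $machineDll = (Get-ItemProperty -Path $machineServer -ErrorAction SilentlyContinue).'(default)'
            }

            # A per-user server that overrides an existing HKLM server, or that lives
            # in a user-writable profile directory, matches the pattern described above.
            $expanded  = [Environment]::ExpandEnvironmentVariables([string]$userDll)
            $inProfile = ($expanded -like "$env:USERPROFILE*") -or ($userDll -like '*%APPDATA%*')

            [pscustomobject]@{
                CLSID         = $clsid
                UserDll       = $userDll
                MachineDll    = $machineDll
                OverridesHKLM = [bool]$machineDll
                InUserProfile = $inProfile
            }
        }
    }
}

# Show only the suspicious entries; review each DLL path and its signer by hand.
Get-ShadowedComServers | Where-Object { $_.OverridesHKLM -or $_.InUserProfile } |
    Format-Table -AutoSize
```

Legitimate software occasionally registers per-user COM servers, so treat a hit as a lead to verify (signature, install date, referencing process) rather than a verdict.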
