TY - GEN
T1 - Schrödinger's RAT
T2 - 27th USENIX Security Symposium
AU - Rezaeirad, Mohammad
AU - Farinholt, Brown
AU - Dharmdasani, Hitesh
AU - Pearce, Paul
AU - Levchenko, Kirill
AU - McCoy, Damon
N1 - Funding Information:
Using our collected data, we then report on the population of victims and controllers, their geographic relationship, and periods of activity. Our results show that the RATs we studied are used primarily by operators and victims located in the same country, with the bulk of the population in Russia, Brazil, and Turkey. We also found that victims remain vulnerable long after the controller abandons the campaign, presenting an opportunity for third-party intervention by sinkholing the domains. Acknowledgments: This work was supported by the National Science Foundation through grants CNS-1237264, CNS-1619620, and CNS-1717062, and by gifts from Comcast, Farsight Security, and Google. We would also like to thank the following: VirusTotal, for the invaluable Intelligence account from which we sourced malware; Richard Harper of DuckDNS, for generous access to a Duck Max account; Matthew Jonkman of EmergingThreats, for generous access to an unlimited Threat Intelligence account; and finally, our reviewers, for their invaluable feedback.
Publisher Copyright:
© 2018 Proceedings of the 27th USENIX Security Symposium. All rights reserved.
PY - 2018/1/1
Y1 - 2018/1/1
N2 - Remote Access Trojans (RATs) are a class of malware that give an attacker direct, interactive access to a victim's personal computer, allowing the attacker to steal private data from the computer, spy on the victim in real time using the camera and microphone, and interact directly with the victim via a dialog box. RATs are used for surveillance, information theft, and extortion of victims. In this work, we report on the attackers and victims for two popular RATs, njRAT and DarkComet. Using the malware repository VirusTotal, we find all instances of these RATs and identify the domain names of their controllers. We then register those domains that have expired and direct them to our measurement infrastructure, allowing us to determine the victims of these campaigns. We investigate several techniques for excluding network scanners and sandbox executions of malware samples in order to filter apparent infections that are not real victims of the campaign. Our results show that over 99% of the 828,137 IP addresses that connected to our sinkhole are likely not real victims. We report on the number of victims, how long RAT campaigns remain active, and the geographic relationship between victims and attackers.
AB - Remote Access Trojans (RATs) are a class of malware that give an attacker direct, interactive access to a victim's personal computer, allowing the attacker to steal private data from the computer, spy on the victim in real time using the camera and microphone, and interact directly with the victim via a dialog box. RATs are used for surveillance, information theft, and extortion of victims. In this work, we report on the attackers and victims for two popular RATs, njRAT and DarkComet. Using the malware repository VirusTotal, we find all instances of these RATs and identify the domain names of their controllers. We then register those domains that have expired and direct them to our measurement infrastructure, allowing us to determine the victims of these campaigns. We investigate several techniques for excluding network scanners and sandbox executions of malware samples in order to filter apparent infections that are not real victims of the campaign. Our results show that over 99% of the 828,137 IP addresses that connected to our sinkhole are likely not real victims. We report on the number of victims, how long RAT campaigns remain active, and the geographic relationship between victims and attackers.
UR - http://www.scopus.com/inward/record.url?scp=85076321839&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85076321839&partnerID=8YFLogxK
M3 - Conference contribution
T3 - Proceedings of the 27th USENIX Security Symposium
SP - 1043
EP - 1060
BT - Proceedings of the 27th USENIX Security Symposium
PB - USENIX Association
Y2 - 15 August 2018 through 17 August 2018
ER -