The document discusses the use of Remote Admin Tools (RATs) in cyber security, highlighting their legitimate applications as well as potential misuse in illegal activities. It emphasizes the importance of understanding these tools for penetration testing and malware response, while warning against their malicious use by various actors, including script kiddies. Additionally, it outlines various features of RATs and the associated risks, including evasion tactics against security measures.

1. Hacking with Remote Admin
Tools (RATs)
Zoltan Balazs
CTO @MRG Effitas
Budapest IT Security Meetup
January 2014

2. Remote admin tools
Could be legitimate
Usually it is not
All the features for remote administration
Upload/download files
Registry editor
Shell commands
Remote desktop
Using RAT might be illegal, and might be
considered as a crime!
Don’t try this at home!

3. Why are these skiddie toolz
important?
Only pentesters use meterpreter
Script kiddies use RATs
Not just "1337 |-|4x0r5” use RATs!
Know your enemy!
Malware incident response
Forensic investigation

4. Typical RAT scenario

5. 1998

6. DEF CON 6 on August 1, 1998

8. Dictionary to skiddie language
Skiddie world
server
client
FUD
cryptor
private/elite/gold version
Average world
client malware on victim
server code @skiddie
Fully UnDetectable
some lame packer
full version (not demo)

9. Tutorialz for script bunniez
How to fail at OPSEC?
https://www.youtube.com/results?
search_query=setup+rat+tutorial
http://www.youtube.com/watch?v
=NkkqPLVscC4

10. #opsecfail

11. #opsecfail

12. #opsecfail

13. #opsecfail

14. #opsecfail

16. The skiddie’s youtube list on Cyber Threat Task Force (google cache only)

19. But a script kitty’s life is not just about
work
But FUN as well!

20. Fun manager - Fun menu

21. Extra fun

22. Fun feature 3

23. Fun feature 4 – Matrix chat

24. Fun feature 5

25. Ultimate fun …

26. Ultimate fun feature 6 - Piano

27. Hacking Internet Explorer

28. Scary features

29. Scary feature 1
DLL inject into iexplore.exe
Proxy aware
Transparent proxy authentication
Local software firewall bypass
No new process running

30. Scary feature 2 – Melt/uninstall
Melt server deletes the
dropper
No wipe
Forensics restoration
possible
Uninstall server deletes
the persistence file
No wipe
Forensics restoration
possible

31. Scary feature - Alternate data stream

32. Scary feature 3 - Anti AV

33. Scary feature 4 – Anti VM, Anti
sandbox

34. Private/elite version
Downloading and running binaries from people
like this is a bad idea!
hxxp://www.theatregelap.com/2012/06/xtreme
rat-v-36-private.html

35. JRAT
Multiplatform
Evade some software firewalls
(java.exe allowed)
Easier to obfuscate
Screenshots ©Symantec

36. AndroRAT
© VRT Snort blog

37. Cryptor

38. High profile attacks

39. High profile
attacks