UNIVERSITY of CALIFORNIA SAN DIEGO Understanding the Remote
Total Page:16
File Type:pdf, Size:1020Kb
UNIVERSITY OF CALIFORNIA SAN DIEGO Understanding the Remote Access Trojan malware ecosystem through the lens of the infamous DarkComet RAT A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science (Computer Engineering) by Brown Rhodes Farinholt Committee in charge: Professor Kirill Levchenko, Chair Professor Farinaz Koushanfar Professor Stefan Savage Professor Alex Snoeren Professor Geoff Voelker 2019 Copyright Brown Rhodes Farinholt, 2019 All rights reserved. The Dissertation of Brown Rhodes Farinholt is approved and it is acceptable in quality and form for publication on microfilm and electronically: Chair University of California San Diego 2019 iii DEDICATION To my parents, for raising me to chase my dreams. I owe this all to you. iv EPIGRAPH The first principle is that you must not fool yourself, and you are the easiest person to fool. Richard Feynman In writing, you must kill all your darlings. William Faulkner The truth may be puzzling. It may take some work to grapple with. It may be counterintuitive. It may contradict deeply held prejudices. It may not be consonant with what we desperately want to be true. But our preferences do not determine what’s true. We have a method, and that method helps us to reach not absolute truth, only asymptotic approaches to the truth never there, just closer and closer, always finding vast new oceans of undiscovered possibilities. Cleverly designed experiments are the key. Carl Sagan v TABLE OF CONTENTS Signature Page . iii Dedication . iv Epigraph . v Table of Contents . vi List of Figures . x List of Tables . xiv Acknowledgements . xvii Vita........................................................................ xx Abstract of the Dissertation . xxi Chapter 1 Introduction . 1 Chapter 2 Remote Access Trojans . 5 2.1 A Brief History . 5 2.2 DarkComet RAT: A Technical Overview . 8 2.2.1 Components . 9 2.2.2 Stub Configuration . 10 2.2.3 Infection . 11 2.2.4 Victim-Controller Handshake . 14 2.2.5 Functionality . 15 2.2.6 Related Work . 15 Chapter 3 HAMELIN: A System for Tracking Remote Access Trojan Controllers . 17 3.1 Introduction . 17 3.2 Background & Related Work . 18 3.2.1 RAT Configuration Extraction . 18 3.2.2 Internet-wide Scanning . 18 3.2.3 RAT Scanning . 19 3.3 RAT-HUNTER: Collection of RAT Binaries . 19 3.3.1 Initial DarkComet Binary Collection . 19 3.3.2 Secondary DarkComet & njRAT Binary Collection . 21 3.4 RAT-HUNTER: Collection of RAT Configurations . 22 3.5 RAT-SCAN: Active Detection & Monitoring of RAT Controllers . 24 3.5.1 RAT-SCAN Design . 24 3.5.2 Scanning Windows: Overview . 25 3.5.3 Scanning Window: Honeypot Deployment . 25 vi 3.5.4 Scanning Window: Sinkholing . 29 3.5.5 Scanning Window: Database Downloading . 31 3.6 Limitations . 35 3.6.1 ZMap Coverage . 35 3.6.2 Sample Unpacking & Configuration Extraction . 35 3.6.3 Validating Scanning Results . 36 3.6.4 Scanning Result Confidence . 36 3.7 Discussion . 36 3.7.1 Comparing RAT-SCAN to Shodan & Insikt Group (Recorded Future) . 36 3.8 Acknowledgements . 37 Chapter 4 Understanding Attacker Motivations . 39 4.1 Introduction . 39 4.2 Background & Related Work . 42 4.2.1 Sandboxed Malware Execution. 42 4.2.2 Low-Volume Malware Attacks . 42 4.3 Methodology . 42 4.3.1 Live Operator Monitoring . 43 4.3.2 Behavioral Reconstruction . 47 4.4 Analysis . 48 4.4.1 Operator Behavior Analysis: Overview . 48 4.4.2 Sample Execution Schedule . 51 4.4.3 Common Actions . 52 4.4.4 Data Collection . 53 4.4.5 Dropped Files . 54 4.4.6 Visiting URLs . 55 4.4.7 Command Line Activity . 55 4.4.8 Operator Interaction with the User . 56 4.4.9 Remote Desktop Sessions . 59 4.4.10 Dynamic Language Analysis . 61 4.4.11 Operator Time Engagement . 63 4.4.12 Operator Final Action . 65 4.4.13 Operator Motives . 68 4.5 Discussion . 69 4.5.1 Honeypot as Tarpit Defense . 70 4.5.2 Honeypot as Threat Intelligence Sensor . 70 4.5.3 High-Interaction Honeypots: Lessons Learned . 71 4.6 Ethical Considerations . 72 4.7 Limitations and Biases . 74 4.8 Conclusion . 77 4.9 Acknowledgements . ..