[Snort-sigs] Context: Malware Blog Post on Dark Comet RAT with Snort Signatures

Context IS - Disclosure disclosure at ...3619...
Thu Nov 3 10:22:19 EDT 2011

Context Information Security has released a blog post on the Dark Comet RAT. The article covers the reverse engineering and analysis of its functionality, how to decrypt its traffic, and Snort signatures to detect its traffic on the wire.

Link: http://www.contextis.com/research/blog/darkcometrat/

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Context Signature: DarkComet-RAT Incoming Keepalive"; flow:from_server,established; pcre:"/KeepAlive\|\d{7}/"; classtype:trojan-activity; sid:1000001; rev:2; reference:url,www.contextis.com/research/blog/darkcometrat/;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Context Signature: DarkComet-RAT Outgoing Keepalive"; flow:to_server,established; pcre:"/KEEPALIVE\d{7}/"; classtype:trojan-activity; sid:1000002; rev:1; reference:url,www.contextis.com/research/blog/darkcometrat/;)
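To check what the two PCREs above actually fire on, here is an added example (not code from the post or from Context) that applies the same patterns with the same direction logic to a handful of constructed sample segments; the sample payloads are made up, not real captures.

```python
import re

# The two PCREs from the signatures above; the syntax is the same in Python.
INCOMING_KEEPALIVE = re.compile(rb"KeepAlive\|\d{7}")   # server -> infected host
OUTGOING_KEEPALIVE = re.compile(rb"KEEPALIVE\d{7}")     # infected host -> server

# sid -> (pattern, direction required by the signature's flow: keyword)
SIGNATURES = {
    1000001: (INCOMING_KEEPALIVE, "from_server"),
    1000002: (OUTGOING_KEEPALIVE, "to_server"),
}

def match_keepalive(direction, payload):
    """Return the sids that fire for one TCP segment.

    direction is "from_server" or "to_server", mirroring Snort's flow:
    keyword; payload is the raw segment payload as bytes.
    """
    return [sid for sid, (pattern, flow) in SIGNATURES.items()
            if flow == direction and pattern.search(payload)]

# Constructed sample segments (not real captures): (direction, payload).
SAMPLE_SEGMENTS = [
    ("from_server", b"KeepAlive|1234567"),        # fires sid 1000001
    ("to_server",   b"KEEPALIVE1234567"),         # fires sid 1000002
    ("to_server",   b"KeepAlive|1234567"),        # wrong direction: no alert
    ("from_server", b"KeepAlive|12345"),          # too few digits: no alert
    ("from_server", b"GET / HTTP/1.1\r\n"),       # unrelated traffic
]

def scan(segments):
    """Return (segment index, sid) for every alert raised over the segments."""
    alerts = []
    for i, (direction, payload) in enumerate(segments):
        for sid in match_keepalive(direction, payload):
            alerts.append((i, sid))
    return alerts

if __name__ == "__main__":
    for idx, sid in scan(SAMPLE_SEGMENTS):
        print(f"segment {idx}: sid {sid} fired")
```

Both signatures rely on pcre alone, so Snort has no content: string to use as a fast pattern and must run the regex on every segment of every established session; a content:"KeepAlive|7C|"; (the pipe written as hex, since | delimits hex in content) ahead of the pcre would let the fast-pattern matcher discard unrelated traffic first.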

"A Remote Administration Tool (otherwise known as a RAT) is a piece of software designed to provide full access to remote clients. Capabilities often include keystroke logging, file system access and remote control, including control of devices such as microphones and webcams. RATs are designed as legitimate administrative tools, yet due to their extensive capabilities are often seen used with malicious intent.

When a RAT is identified as the payload in a malicious infection, typical malware analysis will resolve all the capabilities being provided to the attacker. However, the attacker may not be using all the capabilities provided; they may only be using the keylogging facility, or using the backdoor to install further tools onto the infected host. To make a full impact assessment, this detail is necessary and may only be available through analysis of the commands sent to the host by the attacker. However, access to the command and control traffic is limited as most RATs implement encryption or obfuscation to hide data sent over the network.

In this blog post I will take a look at a RAT called Dark Comet. I will run through the capabilities provided by the tool, examine the associated network traffic, identify the encryption algorithm and show how the key can be identified with a little analysis of an infected host."

About Context Information Security
Context Information Security is an independent security consultancy specialising in both technical security and information assurance services.
The company was founded in 1998. Its client base has grown steadily over the years, thanks in large part to personal recommendations from existing clients who value us as business partners. We believe our success is based on the value our clients place on our product-agnostic, holistic approach; the way we work closely with them to develop a tailored service; and to the independence, integrity and technical skills of our consultants.
The company’s client base now includes some of the most prestigious blue chip companies in the world, as well as government organisations. 
The best security experts need to bring a broad portfolio of skills to the job, so Context has always sought to recruit staff with extensive business experience as well as technical expertise. Our aim is to provide effective and practical solutions, advice and support: when we report back to clients we always communicate our findings and recommendations in plain terms at a business level as well as in the form of an in-depth technical report.
Web:        www.contextis.com
Email:      disclosure at ...3620...
