[Snort-sigs] Context: Malware Blog Post on Dark Comet RAT with Snort Signatures

Bad Horse b4dh0rs3 at ...2420...
Thu Nov 3 11:24:19 EDT 2011

Thanks for this.

What you propose works but can I humbly suggest some performance
improvements?  How about adding respective 'content:"KeepAlive|"' and,
'content:"KEEPALIVE"' keywords?  That way you don't have to always
invoke the PCRE engine.

-Bad Horse
 The Thoroughbred of SYN

On 11/3/11, Context IS - Disclosure <disclosure at ...3619...> wrote:
> Context Information Security has released a blog post on the Dark Comet RAT.
>  The article covers the reverse engineering and analysis of its
> functionality, how to decrypt its traffic and snort signatures to detect its
> traffic on the wire.
> Link: http://www.contextis.com/research/blog/darkcometrat/
> Signatures:
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Context Signature:
> DarkComet-RAT Incoming Keepalive"; flow:from_server,established;
> pcre:"/KeepAlive\|\d{7}/"; classtype:trojan-activity; sid:1000001; rev:2;
> reference:url,www.contextis.com/research/blog/darkcometrat/;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Context Signature:
> DarkComet-RAT Outgoing Keepalive"; flow:to_server,established;
> pcre:"/KEEPALIVE\d{7}/"; classtype:trojan-activity; sid:1000002; rev:1;
> reference:url,www.contextis.com/research/blog/darkcometrat/;)
> Synopsis:
> "A Remote Administration Tool (otherwise known as a RAT) is a piece of
> software designed to provide full access to remote clients. Capabilities
> often include keystroke logging, file system access and remote control;
> including control of devices such as microphones and webcams. RATs are
> designed as legitimate administrative tools, yet due to their extensive
> capabilities are often seen used with malicious intent.
> When a RAT is identified as the payload in a malicious infection, typical
> malware analysis will resolve all the capabilities being provided to the
> attacker. However, the attacker may not be using all the capabilities
> provided; they may only be using the keylogging facility, or using the
> backdoor to install further tools onto the infected host. To make a full
> impact assessment, this detail is necessary and may only be available
> through analysis of the commands sent to the host by the attacker. However,
> access to the command and control traffic is limited as most RATs implement
> encryption or obfuscation to hide data sent over the network.
> In this blog post I will take a look at a RAT called Dark Comet. I will run
> through the capabilities provided by the tool, examine the associated
> network traffic, identify the encryption algorithm and show how the key can
> be identified with a little analysis of an infected host."
> About Context Information Security
> ------------------------------------
> Context Information Security is an independent security consultancy
> specialising in both technical security and information assurance services.
> The company was founded in 1998. Its client base has grown steadily over the
> years, thanks in large part to personal recommendations from existing
> clients who value us as business partners. We believe our success is based
> on the value our clients place on our product-agnostic, holistic approach;
> the way we work closely with them to develop a tailored service; and to the
> independence, integrity and technical skills of our consultants.
> The company’s client base now includes some of the most prestigious blue
> chip companies in the world, as well as government organisations.
> The best security experts need to bring a broad portfolio of skills to the
> job, so Context has always sought to recruit staff with extensive business
> experience as well as technical expertise. Our aim is to provide effective
> and practical solutions, advice and support: when we report back to clients
> we always communicate our findings and recommendations in plain terms at a
> business level as well as in the form of an in-depth technical report.
> Web:        www.contextis.com
> Email:      disclosure at ...3620...
> ------------------------------------------------------------------------------
> RSA(R) Conference 2012
> Save $700 by Nov 18
> Register now
> http://p.sf.net/sfu/rsa-sfdev2dev1
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!

More information about the Snort-sigs mailing list