RAT Hides as Windows® and Yahoo!® Messenger
January 17, 2013
Attackers routinely rely on remote access Trojans (RATs), which typically come with a graphical user interface (GUI) and remote desktop features: directory browsing, file transfer, screenshot capture, and the ability to switch on the microphone and web camera of a compromised computer. Commonly seen are publicly available RATs such as Gh0st, PoisonIvy, Hupigon, and DRAT, as well as “closed-released” RATs such as MFC Hunter and PlugX. The network traffic these RATs generate is easy to detect, yet attackers continue to use them successfully.
Attackers constantly look for ways to blend their malicious traffic into legitimate traffic to evade detection. We found a family of RATs, which we call “FAKEM”, whose network traffic is crafted to resemble other protocols. Some variants disguise their traffic as Windows® Messenger or Yahoo!® Messenger traffic; another variant makes the content of its traffic look like HTML. The disguises are simple and can be told apart from genuine traffic on inspection, but they may be just good enough to avoid further scrutiny.
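One way to tell a protocol disguise from the real thing is to validate the traffic against the grammar of the protocol it claims to be, rather than stopping at a port number or a magic string. The check below does this for traffic that claims to be Yahoo!® Messenger. It is an added example, not code from the original post or from the FAKEM samples; the post does not describe FAKEM's actual encoding, so the "disguised" packets here are constructed for the demo and only illustrate the kind of mismatch a structural check catches. The wire layout used is the publicly documented YMSG format (20-byte big-endian header followed by key/value fields separated by 0xC0 0x80, with decimal keys).

```python
import struct

# Publicly documented YMSG wire layout (NOT the actual FAKEM encoding, which the post does not give):
#   bytes 0-3  magic "YMSG"     bytes 4-5   protocol version   bytes 6-7   vendor id
#   bytes 8-9  payload length   bytes 10-11 service            bytes 12-15 status
#   bytes 16-19 session id      then the payload
# The payload is key SEP value SEP ... where SEP is 0xC0 0x80 and keys are decimal strings.
YMSG_MAGIC = b"YMSG"
YMSG_HDR = ">4sHHHHII"                  # 20 bytes, big-endian
YMSG_HDR_LEN = struct.calcsize(YMSG_HDR)
YMSG_SEP = b"\xc0\x80"
YMSG_SERVICE_MESSAGE = 6                # YMSG_MESSAGE: an instant message


def build_ymsg(service, fields, version=16, status=0, session=0):
    """Build a well-formed YMSG packet; used here only to produce the legitimate sample."""
    payload = b"".join(
        str(key).encode() + YMSG_SEP + value.encode() + YMSG_SEP
        for key, value in fields.items()
    )
    header = struct.pack(YMSG_HDR, YMSG_MAGIC, version, 0, len(payload), service, status, session)
    return header + payload


def check_ymsg(packet):
    """Return the structural reasons 'packet' is not plausible YMSG; an empty list means it passes."""
    problems = []
    if len(packet) < YMSG_HDR_LEN:
        return ["shorter than the 20-byte YMSG header"]
    magic, _version, _vendor, length, _service, _status, _session = struct.unpack(
        YMSG_HDR, packet[:YMSG_HDR_LEN]
    )
    payload = packet[YMSG_HDR_LEN:]
    if magic != YMSG_MAGIC:
        problems.append("missing YMSG magic")
    if length != len(payload):
        problems.append("length field %d does not match payload length %d" % (length, len(payload)))
    if payload:
        if not payload.endswith(YMSG_SEP):
            problems.append("payload is not terminated by the 0xC0 0x80 separator")
        else:
            fields = payload[:-len(YMSG_SEP)].split(YMSG_SEP)
            if len(fields) % 2:
                problems.append("payload has an odd number of fields (keys and values must pair up)")
            if not all(key.isdigit() for key in fields[0::2]):
                problems.append("payload contains a non-numeric key")
    return problems


# Constructed samples for the demo; none of these is captured traffic.
LEGIT_PACKET = build_ymsg(YMSG_SERVICE_MESSAGE, {0: "alice", 1: "alice", 5: "bob", 14: "hello"})

# A hypothetical beacon wearing only the YMSG magic and a plausible header: the body has no
# key/value grammar at all.
_beacon = b"\x01\x00host=WIN-LAB-01;user=lab;os=6.1"
DISGUISED_PACKET = (
    struct.pack(YMSG_HDR, YMSG_MAGIC, 16, 0, len(_beacon), YMSG_SERVICE_MESSAGE, 0, 0) + _beacon
)

# The same beacon behind a header whose length field was never filled in.
STALE_LENGTH_PACKET = (
    struct.pack(YMSG_HDR, YMSG_MAGIC, 16, 0, 0, YMSG_SERVICE_MESSAGE, 0, 0) + _beacon
)

if __name__ == "__main__":
    for name, pkt in [("legitimate", LEGIT_PACKET),
                      ("disguised", DISGUISED_PACKET),
                      ("stale length", STALE_LENGTH_PACKET)]:
        print(name, "->", check_ymsg(pkt) or "plausible YMSG")
```

The legitimate packet passes every check, while both constructed impostors fail on payload grammar, and the second also fails the length consistency check. The same idea carries over to the other disguises the post mentions: traffic claiming to be Windows® Messenger should parse as MSNP commands, and traffic claiming to be HTML should at least tokenize as markup before it is allowed to pass without further scrutiny.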