Symantec & GhostNet

Symantec has put out a nice video demonstrating how gh0stRAT works. We gave the name “GhostNet” to the network of infected computers we uncovered because of the attackers’ use of the gh0stRAT tool but it is important to bear in mind how the whole operation works as gh0stRAT is just one part of it.

One of infection vectors that we can confirm that the attacker uses is sending contextually relevant emails with malware packed attachments (.doc’s and .pdf’s) to potential targets. (If you are interested check out Maarten Van Horenbeeck’s work here here and definitely here — it really is the best research on this stuff out there).

When the the attachment is opened a trojan is dropped on the system. This trojan “checks in” with a control server. In this case, it was an HTTP connection to a webserver. The infected computer retrieves various files from the control server some of which contain “commands” — one of the commands the attacker issues instructs the infected computer to download and install gh0stRAT. While gh0stRAT allows the attacker to take “real time” control of a compromised computer — the attacker is online and the victim is online at the same time. — the initial infection allows the attacker to maintain control when either party is offline.

Once infected with gh0stRAT the compromised computer connects out to a URL (a file on the control server) in order to retrieve the IP address of the attacker’s gh0stRAT client. When the attacker is offline, the IP will often be and will be replaced by another IP when the attacker is online and ready to receive connections from the compromised computers running gh0stRAT.

This Symantec video shows how gh0stRAT works.

Also, check out this post at F-Secure.

One comment.

  1. […] Popularity: 1% [?] PandaPassport uses and recommends ICDSoft Host your China Blog in Hong Kong […]

Post a comment.