Saturday, July 28, 2007

Shark2 - RAT or Malware?

The latest release (26 July 2007) of the Shark2 RAT (Remote Administration Tool) once again shows how thin the line between RATs and malware really is. It also illustrates how malware is routinely pitched as a RAT "for educational purposes only" while shipping features typical of malware, such as virtual machine detection and anti virus detection, that a legitimate remote administration product such as PC Anywhere has no use for. A tool built to evade analysis and detection on the host it controls is not a RAT, it is malware. More on Shark2, in its author's own words :

"sharK is an advanced remote administration tool written in VB6. With sharK you will be able to administer every PC in the world (using Windows OS) remotely. Here are some facts:
* sharK uses RC4 to encrypt the traffic with a random cipher generated every new startup.
* sharK is able to resume downloads and uploads on the next connect when the server disconnects
* sharK is completely plugin based! So you have a very small server and never need to update it (except on core changes)
* Compressed Transfers
* Thumbnail Previews of Pictures
* Screen Capture with VNC-Technology (Only the parts of the pic that are changed since the last shot will be transferred)
* Keylogger works with Keyboard hooking
* You have a real DOS-Shell instead of dos-output like in most Remote Administration Tools
* Interactive Process Blacklist
* Virtual-Machine detection"
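The first item in that list, RC4 with a fresh key every startup, is what defeats payload-matching network signatures: the same command encrypted under two session keys shares no bytes. It is also where RATs built around a raw stream cipher tend to go wrong, because RC4 keystream reused at the same offset leaks the XOR of the two plaintexts with the key dropping out entirely. The block below is an added illustration written for this post, not sharK's code; it assumes nothing about how sharK derives or exchanges its key (os.urandom stands in for "random cipher generated every new startup") and the command strings are constructed for the example. The keystream-reuse function shows a general RC4 property, not a claim about sharK's protocol.

```python
"""Added example (not sharK's code): RC4 with per-session keys, and what
keystream reuse gives away. Keys and command strings below are constructed."""
import os


def rc4_keystream(key: bytes):
    """Generator yielding RC4 keystream bytes: KSA (key scheduling) then PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: RC4 is a plain XOR against the keystream, so the
    same call does both directions."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def new_session_key(length: int = 16) -> bytes:
    """Assumed stand-in for a key 'generated every new startup'."""
    return os.urandom(length)


def session_ciphertexts(command: bytes):
    """Encrypt one C2 command under two independent session keys.  A
    content-based IDS rule written against one capture will not match the
    other, which is the evasion the feature list is advertising."""
    k1, k2 = new_session_key(), new_session_key()
    return rc4(k1, command), rc4(k2, command)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Caveat: if two messages are each encrypted from keystream offset 0
    under the same key (e.g. a restarted connection that re-keys from the
    same seed), then c1 XOR c2 == p1 XOR p2 and a defender with one known
    plaintext recovers the other without ever touching the key."""
    c1, c2 = rc4(key, p1), rc4(key, p2)
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    # Standard RC4 test vector: key "Key", plaintext "Plaintext".
    print(rc4(b"Key", b"Plaintext").hex())
    c1, c2 = session_ciphertexts(b"keylog_dump")
    print(c1.hex(), c2.hex(), c1 != c2)
    leak = keystream_reuse_leak(b"Secret", b"Attack at dawn", b"Retreat at dusk")
    print(leak == xor_bytes(b"Attack at dawn", b"Retreat at dusk"))
```

Run it twice and the two session ciphertexts for the same command differ each time, which is why detection of a tool like this belongs on the host (the builder hashes and vendor names below) rather than in a payload signature; the last line is the reason a per-session key alone does not make the traffic safe for the operator either.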

Several vendors already detect the latest builder, even though the usual crypter-based obfuscation of the generated server has yet to follow :

Vendor          Engine      Signatures   Detection name
AntiVir         7.4.0.50    2007.07.28   TR/Sniffer.VB.C.2
CAT-QuickHeal   9.00        2007.07.28   Backdoor.VB.bax
Fortinet        2.91.0.0    2007.07.28   W32/VB.BAX!tr.bdr
Ikarus          T3.1.1.8    2007.07.28   Backdoor.Win32.VB.bax
Kaspersky       4.0.2.24    2007.07.28   Backdoor.Win32.VB.bax

MD5: d5eca6c6a1956cb2f4261da1b8f25ee2
SHA1: b603d0d6e3dff0f5f01e86eb82eb80a0e0455445