Monday, August 20, 2007

RATs or Malware?

After the Shark 2 DIY Malware got the publicity it deserved as perhaps the most recent and publicly obtainable DIY malware, another DIY RAT has been gaining popularity among the script kiddie crowd for a while. Shark 2's features and capabilities for "killing" antivirus software and tricking sandboxes are far more advanced than those of this RAT, no doubt about it. However, what makes an impression in this one is the built-in capability to check the latest server build against the most popular antivirus engines.

Detection rate for the latest builder: Result: 15/32 (46.88%)
File size: 2981888 bytes
MD5: 5683024dbfd73d92c103d2ecc4f98258
SHA1: 34d341df36582906eb5d18e12139478b8772ea64

Detection rate for a previous version of the builder: Result: 9/32 (28.13%)
File size: 2426880 bytes
MD5: 4343eb64b3d4836b5ef49643b3320112
SHA1: beb6bd04d587f4253e5b26e4ba1827c8b200a214

Detection rate for another version of the builder: Result: 23/32 (71.88%)
File size: 4860416 bytes
MD5: 0fef106915b40cf1c0a411a4f5aee4bb
SHA1: a7a1c1bdd388c20964cf54db4607bf650d890562

Detection rate for the first version of the builder: Result: 24/32 (75%)
File size: 2466304 bytes
MD5: 1ee90062bebfe3dd9bbdd9d3c9fc1f6c
SHA1: 2c02b76497dd3bfa00c313e9e4a0bd0d8b2893a6

Another issue that deserves more attention is VT's opt-out feature for not distributing the sample to AV vendors: "If checked, in case the file is suspicious of being malware we will not distribute it to antivirus companies." Are there any malware authors or script kiddies out there wanting to measure the detection rates for their release without handing a sample to the AVs that don't currently detect it? Perhaps thousands of them.

The line between RATs and malware is definitely getting thinner these days.