Common Remote Access Trojan (RAT) tools — which allow hackers to remotely control hijacked computers, from the cameras and mics to the hard-drive and keyboard — are very badly written and it’s easy to hijack computers running the “command and control” components that malicious hackers use to control RATted systems.
This weekend, Symantec senior threat researcher Waylon Grange will present a paper at the Blackhat conference in Las Vegas documenting his work exploring exploitable vulnerabilities in Gh0st Rat, PlugX, and XtremeRat.
The research raises thorny questions. For one, there’s the ethical issue of whether and when it’s OK to “hack back” against an adversary. Another is that these tools form the basis for many “lawful interception” tools sold by cyber-arms dealers to police and governments, and present a risk to their operators as well as their targets (recall that the Bavarian government’s illegal “Bundestrojaner” spying tool could easily be hacked by third parties).
In many of the vulnerabilities Grange uncovered, a victim looking to hack back could exploit setup flaws in the attacker’s RAT to access its command and control server (the computer the attacker uses to direct the RAT), download files from that attacker system, deposit code on it, or even create a persistent backdoor to sit on the attacker’s system long-term. Hacking back has some standard possible objectives—retaliation perhaps, but also information-gathering as part of an attempt to discover an attacker’s motives or identity. The exploits Grange developed could theoretically facilitate counterattacks that would allow victims to achieve these goals.
“If you got back on one of those machines and you sat there and listened you might be able to see who else they’re targeting or what type of groups they’re after or what type of information they’re after, which is very vital information when it comes to attribution,” Grange says.