Malicious Codes Concealed in Digital Images: Shady RAT Attacks
Symantec researchers examined the massive cyber attack known as "Operation Shady RAT", in which the attackers concealed malicious code inside digital images and HTML files, InformationWeek reported on August 12, 2011.
Operation Shady RAT can be described as a massive advanced persistent threat (APT), a label it earned from a 5-year-long hack of 49 entities. During early August 2011, Shady RAT was disclosed by IT security provider McAfee.
Government employees and business people around the world were lured by Operation Shady RAT and, unaware of the earlier attacks, allowed the Trojan to connect to a remote IP address. Once running, the operation gave the attackers a foothold from which to breach a number of organizations.
At first the ploy escaped the researchers' notice: all they could see were URLs pointing to image and HTML files, which was enough to hide the commands.
Many firewalls do not block image and HTML files in HTTP traffic. Without deep inspection, such images and HTML files look entirely legitimate and appear to pose no risk.
The attackers used steganography, a technique for hiding malicious code or other data inside image files. While investigating Operation Shady RAT, Symantec researchers found rigged images, ranging from a pastoral waterside scene to a woman in a hat, that concealed commands instructing the infected machines to contact the command-and-control server.
In the versions of the Trojan that download HTML files, the commands are hidden in HTML comments: what looks like redundant markup is in reality a set of encrypted commands that have additionally been base64-encoded.
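As an added defensive illustration (not code from the article, Symantec or McAfee), the following Python scanner applies the two observations above: an HTML comment that consists of one long base64 blob deserves to be pulled out for inspection, and bytes that sit after a JPEG's EOI marker or a PNG's IEND chunk are not part of the picture. All sample inputs are constructed.

```python
import base64
import binascii
import re

# Constructed sample inputs for the detector; not artifacts from the real campaign.
PAYLOAD = b"constructed sample string standing in for an encrypted command"
SAMPLE_HTML = (b"<html><body>\n<!-- page footer -->\n<!-- "
               + base64.b64encode(PAYLOAD) + b" -->\n</body></html>")
TRAILER = b"constructed bytes appended after the image"
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9" + TRAILER
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82" + TRAILER

COMMENT_RE = re.compile(rb"<!--(.*?)-->", re.S)
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def suspicious_html_comments(html, min_len=24):
    """Return the decoded bodies of comments that are one long, clean base64 run.

    A legitimate comment is prose; a comment that is nothing but a base64 blob is
    worth extracting for analysis. The decoded bytes may still be ciphertext."""
    hits = []
    for m in COMMENT_RE.finditer(html):
        body = b"".join(m.group(1).split())  # tolerate line breaks inside the blob
        if len(body) < min_len or not B64_RE.match(body):
            continue
        try:
            hits.append(base64.b64decode(body, validate=True))
        except binascii.Error:  # bad padding: not a well-formed blob
            continue
    return hits


def trailing_image_data(data):
    """Return how many bytes follow the image's end marker (0 if none).

    JPEG ends at the EOI marker FF D9; PNG ends 8 bytes after the 'IEND' chunk
    type (a 4-byte length precedes it, a 4-byte CRC follows it). Anything after
    that point is not part of the picture and is a classic place to park data."""
    if data.startswith(b"\xff\xd8"):
        eoi = data.rfind(b"\xff\xd9")  # last EOI: EXIF thumbnails carry their own
        return 0 if eoi < 0 else len(data) - (eoi + 2)
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        iend = data.find(b"IEND")
        return 0 if iend < 0 else len(data) - (iend + 8)
    return 0  # unknown format: no opinion


if __name__ == "__main__":
    print(suspicious_html_comments(SAMPLE_HTML))
    print(trailing_image_data(SAMPLE_JPEG), trailing_image_data(SAMPLE_PNG))
```

The `rfind` heuristic for JPEG deliberately accepts the last EOI so that embedded thumbnails do not trigger it; a trailer that itself contains FF D9 would need a proper marker walk.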
However, Hon Lau, a researcher at Symantec, disagreed with classifying Shady RAT as an APT, citing the mistakes made in configuring the servers and the unsophisticated malware and techniques involved, as reported by GOV INFO SECURITY on August 12, 2011.
Thus, even though security experts did not confirm Shady RAT as an APT, in describing it they rightly drew attention to steganography, a technique that has often tricked unwary users into unknowingly running hidden code and harming their own systems.
SPAMfighter News - 25-08-2011