Popular Remote Administrative Tools Turn Out to Be Easily Hacked

The concept of “hacking back” has drawn attention—and generated controversy—lately as geopolitics focuses increasingly on the threat of cyberwar. The idea that cyberattack victims should be legally allowed to hack their alleged assailants has even motivated a bill, the Active Cyber Defense Certainty Act, that representative Tom Graves of Georgia has shared for possible introduction this fall. And though many oppose hacking back as a dangerous and morally ambiguous slippery slope, research shows that, for better or worse, in many cases it wouldn’t be all that hard.

It turns out that many popular hacking tools are themselves riddled with vulnerabilities. That doesn’t necessarily make returning fire on incoming hacks a good idea, but it does show that attackers often don’t pay all that much attention to security. As the idea of hacking back gains support it could eventually cost them.

RAT Pack

Hackers often rely on a few common “remote administration tools” to control victim systems from afar, as if they were sitting in front of them. Naturally, not all RATs work for all attacks. But hackers turn to some tools more often than others, before moving on to more niche or resource-intensive options if necessary. This ubiquity got Symantec senior threat researcher Waylon Grange thinking: RATs with security vulnerabilities of their own could give victims easy access back into a hacker’s own system.

Grange analyzed three common RATs with no known vulnerabilities—Gh0st Rat, PlugX, and XtremeRat—and quickly discovered easily exploitable flaws in all of them. He will present his findings on Saturday at the DefCon security conference in Las Vegas.

Continue reading…