Gh0st RAT Part 2: Packet Structure and Defense Measures

February 19, 2015 by

Security Ninja

We have seen in Part 1 of this series how sophisticated Gh0st RAT is and how difficult it is to identify this attack because of the variants it comes in.

In this article we will learn how communication between Gh0st components actually takes place. At the end of the article we will see some of the measures that, if adopted, can provide some good defensive measures against a Gh0st attack.

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

Start Learning

Gh0st RAT – Data Packet Structure

Below is the packet information that is exchanged between a Ghost RAT client and a compromised host.

• Packet Header: 5 byte length and it contains the Gh0st magic keywords. Magic keywords are indicated in Part 1 of this series.
• Packet Size: 4 byte integer to determine the total size of the packet.
• 4 byte integer that contains the size of packet when uncompressed.
• Variable size payload data that contain commands exchanged between client and host.

It is important to note that the Ghost header is sent in clear text and the packet payload is compressed using the open zlib compression library. The encrypted payload can be easily decrypted using the zlib module unencrypt() function. The payload contains operation codes like commands, tokens and modes, which are exchanged between the Gh0st RAT c2 client and compromised host.

Some of the important operation codes are as shown below.

Commands

Token Codes

Modes

Defensive Measures

The below section will list out some of the defensive and proactive measures that can be put in place to detect Gh0st Malware.

• Monitoring traffic with inline network devices: Security solutions which provide deep packet monitoring such as Intrusion Detection/Prevention Systems (IDS/IPS) can help a great deal in looking for Gh0st malware. But today the Gh0st Malware is so sophisticated that a simple signature in the IDS/IPS is not enough to detect Gh0st malware.
• Internal port scans: As we have learned that there is a persistent connection between the Gh0st RAT c2 client and compromised host, running an internal port scan at regular intervals will reveal out the malicious ports.
• Monitoring services on hosts: Since malware is usually installed as root kits and operates closer to the kernel layer, and mostly malware installed as services, an internal scan must be carried on all the running services on hosts at regular intervals.
• Event logs for hosts: End point host event logs must be monitored for both successful and failed logins. Specifically monitor for logon type 3 and 10, because these are most possible ways in which an intruder can connect to the internal hosts.
• Last but not least, security awareness is a must to prevent against most malwares, and Gh0st RAT is no exception. Users should be aware of these malwares to protect against attacks such as URL redirection.

References

• http://www.mcafee.com/in/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf