The Commoditization of Anti Debugging Features in RATs

Is it a Remote Administration Tool (RAT) or is it malware? That’s the rhetorical question, since RATs are not supposed to have built-in Virustotal submission for the newly generated server, antivirus software “killing” and firewall bypassing capabilities.

Taking a peek into some of commodity features aiming to make it harder to analyze the malware found in pretty much all the average DIY malware builders available at the disposal at the average script kiddies, one of the latest releases pitched as RAT while it’s malware clearly indicates the commoditization and availability of such modules :

– FWB (DLL Injection, The DLL is Never Written to Disk)
 – Decent Strong Traffic Encryption
 – Try to Unhook UserMode APIs
 – No Plugins/3rd Party Applications
 – 4 Startup Methods (Shell, Policies, ActiveX, UserInIt)
 – Set Maximum Connections
 – Built In File Binder
 – Multi Threaded Transfers
 – Anti Debugging (Anti VMware, Anti Sandboxie, Anti Norman Sandbox, Anti VirtualPC, Anti Anubis Sandbox, Anti CW Sandbox)

Malware coders or “malware modulators”? With the currently emerging malware as a web service toolkits porting common malware tools to the web, drag and drop web interfaces for malware building are definitely in the works.

Author: Dancho Danchev

Leave a Reply

Your email address will not be published. Required fields are marked *