Tool Talk: Cracking the Code on XtremeRAT

Late last week, reports began to surface that the Israeli police (along with other regional law enforcement) were targeted by a malware attack.  The entry vector was described as a phishing campaign sent from Benny Gantz (head of the Israeli Defense Forces).  Initially, details and indicators around the malware were beyond sparse. Aside from the FROM: address, little was known that could assist in any sort of investigation. After nearly 24 hours from the first reports, both details and samples of the malware started to flow. As soon as we could confirm details of the phish email and the malicious attachments, we were able to cross-reference sample data already in our malware database and connect the dots.

Generic Dropper.p (Xtrat)

Generic Dropper.p (XtremeRAT)
























This is where, from the research side, things begin to get fun.

Automated malware analysis is nothing new to our industry. Most vendors (ourselves included) have tools to handle this internally, and assist our skilled human analysts with proper classification, documentation, and other recurring tasks that must occur with the daily barrage of new and unique malicious binaries. The bar for this threat, however, has been raised. With ValidEdge, we were able to generate enormous amounts of usable and actionable data from the execution of malware samples. We get feedback from basic static analysis, as well as from runtime data. We get all the usual system modification data, and full and complete network/communication data, and samples and memory dumps from second-level threats (dropped, created, downloaded entities). And it’s all done in a safe environment, with extremely robust reporting.

To fully illustrate, let’s focus on the Trojan that affected the Israeli police. In the McAfee universe, we detect this threat as Generic Dropper.p.

To start with, you simply submit your sample(s) to the ValidEdge appliance/host. The ways to do that vary depending on implementation. In my setup, it’s as simple as dropping the file, via FTP, on the appliance, then picking up the results set the same way (different directory on the FTP server). Easy and fast. I immediately had a set of results from my submission of the following sample:

Sample Data





The result sets are organized as a specific directory structure.

Analysis Report sample

Analysis report sample

This is where we typically end with most tools. The exception here, from my experience, is that there is much more data generated by the appliance to start taking action on.  The way in which the information is organized is also very friendly and workable. Some basic examples follow:

Sample Data

Sample Data

Sample Data 2

Sample Data 2

Sample Data 3

Sample Data 3

Sample Data 4

Sample Data 4

From here we can get enough static data to build a picture of the malware and its behavior. We also have network data and full memory dumps and screenshots at our disposal should we need to dig further.


Memory dumps



All the secondary/dropped files are presented as well. As such, these can be easily analyzed in context.

Dropped Files

Dropped files

Dropped files, specific to this threat, are detected via McAfee Global Threat Intelligence along with the current DATs.


Name: word.exe
MD5: 2BFE41D7FDB6F4C1E38DB4A5C3EB1211
Detection: Artemis!2BFE41D7FDB6

At this point you have plenty of information to understand what this threat is doing, how it communicates, and much more. Some would argue that deep malware analysis is an art form. But to embark on that sort of journey you need enough data to make constructive, creative, and accurate decisions. Tools like ValidEdge do exactly that.

If you would like to learn more, you can read the following sources:


























Latest Yahoo Data Breach Restates Need for Basic Security

News broke today of a large data breach against Yahoo Voices, resulting in more than 400,000 username/password combinations being posted in clear text. The compromise involved a basic SQL-injection attack against an exposed Yahoo server (  Similar to other recent events, the account data was reportedly stored in an unencrypted state.

We see this type of attack over and over. Most recently LinkedIn and eHarmony were in the news with similar issues. This Yahoo breach is just the latest in a series of similar attacks that occur in multiples every day.

The attack was launched by the D33DS Co., whose release included this:

“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure.”

D33DS is probably correct in that latter sentence. But are their methods and motivation ethical or legal? That’s a different story. Regardless, Yahoo’s overlooking basic countermeasures against basic attacks (such as SQL injection) cannot be excused.

This is not the first time that Yahoo has been compromised in this way. During the last five years, Yahoo Local Neighbors, Yahoo Kids, Yahoo Classifieds, and others have been successfully targeted.
Ironically, there is a blog on SQL-injection prevention on Yahoo Voices. It was posted in 2009.

What else is interesting about the latest breach?

More than just usernames and accounts were exposed. If there was ever a time to heed warnings about password reuse, especially across public and high-traffic social systems, this is it. Yahoo may have been the focus of this attack, but data in the dump could be used to target specific users from AOL, Microsoft, Google, Comcast, SBC Global, and others.

Here is a breakdown of associated domains that appear in the D33Ds release:


Yahoo! Breech top 20 domains

Yahoo breach Top 20 domains

I’ll leave you with several McAfee resources for understanding SQL injection:


RDP+RCE=Bad News (MS12-020)

See March 15 and 16 updates at the end of this blog.



The March Security Bulletin release from Microsoft was relatively light in volume. Out of the six bulletins released, only one was rated as Critical.

And for good reason. MS12-020 includes CVE-2012-0002. This flaw is specific to the Remote Desktop Protocol (RDP) present on most current versions of Microsoft Windows. The RDP service, by default, listens on TCP port 3389. And because it’s so darn convenient, lots of people like to open their firewalls/ingress points to the traffic.

This is a bad/dangerous/insecure thing. (Choose your own favorite term.) I hope this issue (and many others before it) will influence anyone’s decision-making process when it comes to network hardening, external access, etc.

This is certainly not the first flaw in RDP. It is quite significant in that it does not require authentication to exploit the flaw–just a firing of some specially crafted packets. From that point the world (or the world that the compromised host lives in) is the attacker’s oyster. This is especially bad because the RDP service runs in kernel mode, under the System account (in most cases).

Keep in mind that it is very easy and takes little time to find targets. You see this type of situation all too often:

port scan

It's Open!














This situation very quick leads to an intruder’s trying to login via brute force, or trying something new (like the flaw described in MS12-020) !

It's Alive!  RDP test

It Actually Works!!!!!












So, what can you do to protect your environment?

McAfee, Microsoft, and others firmly recommend that you prioritize the deployment of the MS12-020 update.

Other steps:

  • RDP is typically disabled by default. If there is any doubt, investigate and confirm in your environment whether and where it running.
  • In Windows Vista or later, enable Network Level Authentication (NLM)
  • Even if you have NLM enabled, the flaw can be exploited if the attacker can gain authentication. This means you should verify strong (nondefault, sufficiently complex) user/password combinations.


McAfee Coverage Data

Coverage exists in:

  • McAfee Vulnerability Manager (FSL release): 3/13
  • McAfee Network Security Platform (Sig release): 3/13
  • McAfee Remediation Manager (V-Flash): 3/13
  • McAfee DATs (partial coverage, for known PoC code, is provided as “Exploit-CVE2012-0002″ in the 6652 DATs): 3/17



——————- UPDATES ———————————


March 15: McAfee Labs has observed in-the-wild proof-of-concept code targeting this vulnerability. There are a few varied samples that we are both monitoring and analyzing. At this time the coverage/mitigation data already in this post is still valid.

We are continuing to monitor this situation and will provide updates as needed. An updated MTIS Security Advisory has been sent to subscribers.

To stay up to date on these and other critical security events, please subscribe to our McAfee Threat Intelligence Alerts.


March 16: The last 24 hours have been a virtual flood of proof of concept (PoC) and exploit details. Some of these are reliable; some are not.

  • This flaw was actually discovered by Luigi Auriemma in May 2011
  • There are numerous fake code examples and scripts on Pastebin and similar sites. As is typical, links to these fakes are advertised all over Twitter, etc.
  • The code examples/PoCs that are valid can successfully crash the RDP service, but do not move beyond that (to code execution or to allow for the possibility of code execution)


Blue-Light Special on Zeus

With much fanfare and much to the chagrin of ne’er-do-wells far and wide, the Zeus Toolkit source code has been released to the public.

This is notable because normally it would cost quite a bit to purchase the kit and associated services (in excess of of US$10,000). With a release of this sort, the most immediate concern is what will be done with this code, in the wrong hands. Also, how quickly will we start to see examples of those efforts in botnets.

From a vendor point of view, when this sort of thing occurs, we must be ready to respond to customer and public queries about any countermeasures and safeguards that we can offer. Having said that, Zeus is not “new,” and we constantly (and have for years) been dealing with compiled binaries and output from this kit. The current technologies in our tool belt (AV, NIPS, HIPS, app control/whitelisting, firewall, etc.) all provide protection against the output, traffic, and noise from the Zeus toolkit.

ZeuS For Free

Zeus Crimeware Toolkit

We are researching the source packages internally. If any updates are needed, we’ll make those ASAP, and will augment and improve the existing protections that are, and have been for some time, available.

Stay tuned during the next 72 hours for more updates on this one. It should be interesting as the saga unfolds.