CreateMutex
Crack it open and it all comes out~

Information on ghost / gh0st

Gh0st is an open-source remote-control tool that, to this day, is still being spread out of China in huge quantities as malware.
It also goes by many detection names, such as Darkshell and Redosdru.

http://blogs.norman.com/2012/security-research/the-many-faces-of-gh0st-rat

------------------------

The many faces of Gh0st Rat

Gh0st Rat is an open source backdoor trojan (or “Remote Administration Tool” ) that has been used in a large number of incidents, of which many have been targeted attacks. It is famed for being used in the espionage operation called “GhostNet”.

It is Chinese in origin, which naturally means that it is popular with Chinese hackers.

In a study conducted here at Norman, we have attempted to unmask the links that exist between different known Gh0st Rat attack campaigns. We primarily used the network communication as the recognizable characteristic, since Gh0st communication is quite distinctive – it uses a “magic tag” (usually 5 alphanumeric letters) to identify itself to the command & control server.

We clustered samples that used the same tags together, to make plots like this:

brown nodes = samples, purple nodes = IP addresses, yellow nodes = domains, blue nodes = identifier tag

Fig1: Same Gh0st variant (called “cb1st” because of its communication tag) is seen using two main C&C hubs and many smaller ones. The hub www.wk1888.com is also used by a large cluster of trojans using the default “Gh0st” tag, branching out at the right.

In the above plot we see that samples of one type (“cb1st”) connect to the same Command & Control server as samples of another type (“Gh0st”), so these samples can be said to be logically linked.

Other connections were discovered, surprisingly, by miscommunication between the malware and its C&C server. In quite a large number of cases, the server responded to the initial connection by using a different magic tag. In a way, the malware said “Are you there”, and the server said “Que?”.

Fig2: Gh0st Rat of the KOBBX variant attempts to talk to the server, but receives LUCKK back.

Obviously the KOBBX and LUCKK campaigns are connected.

Gh0st Rats were not the only malware to exhibit this odd behavior. We also saw other malware miscommunicating in this way, for example DarkShell DDOS bots.

Fig3: DarkShell initial connection receiving “whmhl”, a tag belonging to a particular Gh0st variation.

In our paper, we have examined and clustered 49 variations of Gh0st, divided over some 1200 samples from 2011-2012. We found that a great many Gh0st Rat clusters likely are produced and operated by the same persons or groups.
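The clustering the post describes boils down to a small graph problem: each sample is joined to the C&C host it contacted and to the tag it sent, and when the server answers with a different tag (the KOBBX/LUCKK case above) the two tags are joined too, so two campaigns fall into one connected component. The script below is an added illustration of that defensive analysis and is not Norman's code or the paper's tooling. It assumes the tag is the leading run of five ASCII alphanumerics in the first packet each side sends, as the post states; the sessions and the `*.invalid` hostnames are constructed, with only the tag names taken from the post.

```python
"""Cluster Gh0st-style RAT sessions by magic tag and shared C&C host.

Added illustration (not the original post's code). Sessions below are
constructed; hostnames use the reserved .invalid TLD and are not real C&C.
Assumption: the tag is the first five ASCII alphanumerics of the first packet.
"""
import re
from collections import defaultdict

TAG_RE = re.compile(rb"^[A-Za-z0-9]{5}")


def extract_tag(first_packet: bytes):
    """Return the 5-character tag opening a packet, or None if there is none."""
    m = TAG_RE.match(first_packet)
    return m.group(0).decode("ascii") if m else None


def build_edges(sessions):
    """Turn observed sessions into undirected edges between typed nodes.

    Node kinds: ('sample', name), ('c2', host), ('tag', tag).
    A sample links to the host it contacted and to the tag it sent. When the
    server replies with a different tag, the two tags are linked: this is the
    'miscommunication' case that merges two campaigns into one cluster.
    """
    edges = []
    for s in sessions:
        sample = ("sample", s["sample"])
        client_tag = extract_tag(s["client_first"])
        server_tag = extract_tag(s["server_first"])
        edges.append((sample, ("c2", s["c2"])))
        if client_tag:
            edges.append((sample, ("tag", client_tag)))
        if client_tag and server_tag and server_tag != client_tag:
            edges.append((("tag", client_tag), ("tag", server_tag)))
    return edges


def connected_samples(edges):
    """Union-find over the edges; return sorted clusters of sample names."""
    parent = {}

    def find(n):
        parent.setdefault(n, n)
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n

    for a, b in edges:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb
    groups = defaultdict(set)
    for node in list(parent):
        if node[0] == "sample":
            groups[find(node)].add(node[1])
    return sorted(sorted(g) for g in groups.values())


# Constructed sessions: tag, then a stand-in for the rest of the header.
SESSIONS = [
    # A (cb1st) and B (Gh0st) share a hub -> linked by infrastructure.
    {"sample": "A", "c2": "hub-1.invalid",
     "client_first": b"cb1st" + b"\x00" * 8, "server_first": b"cb1st" + b"\x00" * 8},
    {"sample": "B", "c2": "hub-1.invalid",
     "client_first": b"Gh0st" + b"\x00" * 8, "server_first": b"Gh0st" + b"\x00" * 8},
    # C says KOBBX, server answers LUCKK -> KOBBX and LUCKK campaigns linked.
    {"sample": "C", "c2": "hub-2.invalid",
     "client_first": b"KOBBX" + b"\x00" * 8, "server_first": b"LUCKK" + b"\x00" * 8},
    {"sample": "D", "c2": "hub-3.invalid",
     "client_first": b"LUCKK" + b"\x00" * 8, "server_first": b"LUCKK" + b"\x00" * 8},
    # E uses its own tag and its own hub -> stays alone.
    {"sample": "E", "c2": "hub-4.invalid",
     "client_first": b"whmhl" + b"\x00" * 8, "server_first": b"whmhl" + b"\x00" * 8},
    # F is not Gh0st-style at all (no leading tag) -> only the host edge exists.
    {"sample": "F", "c2": "hub-5.invalid",
     "client_first": b"GET / HTTP/1.1\r\n", "server_first": b"HTTP/1.1 200 OK\r\n"},
]


def cluster_sessions(sessions=SESSIONS):
    """Convenience entry point: sessions -> clusters of sample names."""
    return connected_samples(build_edges(sessions))


if __name__ == "__main__":
    for group in cluster_sessions():
        print(", ".join(group))
```

Running it prints four clusters: A with B (shared hub), C with D (the tag mismatch bridges KOBBX and LUCKK), and E and F each alone. In practice the hub names come from the resolved C&C hosts in the captures, and the tag check should be applied only to the first packet of a session, since later Gh0st packets carry the same leading tag and would otherwise add nothing.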

Fig4: Eight different Gh0st variations that are linked in a “supercluster”.

We have attempted to trace some of the attacks back to apparent perpetrators.

The full paper is 70 pages long, and is available by filling out a request here:
The many faces of Gh0st Rat
It’s free. We won’t try to sell you anything.
