In this article we will learn how communication between Gh0st components actually takes place. At the end of the article we will look at some measures that, if adopted, provide a good defense against a Gh0st attack.

Gh0st RAT – Data Packet Structure

Below is the packet information that is exchanged between a Gh0st RAT client and a compromised host.

Packet Header: 5 bytes long; it contains the Gh0st magic keyword. Magic keywords are indicated in Part 1 of this series.

Packet Size: 4-byte integer giving the total size of the packet.

Uncompressed Size: 4-byte integer that contains the size of the packet when uncompressed.

Payload: variable-size data that contains the commands exchanged between client and host.

It is important to note that the Gh0st header is sent in clear text and the packet payload is compressed using the open zlib compression library. The payload is compressed, not encrypted, so it can be easily recovered using the zlib library's uncompress() function. The payload contains operation codes such as commands, tokens and modes, which are exchanged between the Gh0st RAT C2 client and the compromised host. Some of the important operation codes are shown below.

Commands

COMMAND_KILLPROCESS
COMMAND_SESSION
COMMAND_DELETE_FILE
COMMAND_DELETE_DIRECTORY
COMMAND_SYSTEM
COMMAND_AUDIO
COMMAND_WEBCAM
COMMAND_OPEN_URL_HIDE
COMMAND_REPLAY_HEARTBEAT
COMMAND_UPDATE_SERVER
COMMAND_ACTIVED

Token Codes

TOKEN_AUTH
TOKEN_HEARTBEAT
TOKEN_LOGIN
TOKEN_FILE_SIZE
TOKEN_DRIVE_LIST
TOKEN_TRANSFER_FINISH
TOKEN_DATA_CONTINUE

Modes

TRANSFER_MODE_NORMAL
TRANSFER_MODE_JUMP
TRANSFER_MODE_CANCEL
TRANSFER_MODE_OVERWRITE
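The packet layout described above can be checked structurally on a reassembled TCP stream, which still matches when the 5-byte magic keyword has been changed. This is an added example, not code from the original article or from Gh0st itself. It assumes little-endian 32-bit size fields and a total size that includes the 13-byte header; the function names and sample bytes are constructed for illustration.

```python
import struct
import zlib

HEADER_LEN = 5 + 4 + 4   # magic + total packet size + uncompressed size
MAX_RAW = 1 << 20        # refuse to inflate more than 1 MiB per packet

def parse_packet(data):
    """Return (magic, payload, total_size) for a well-formed packet, else None.

    Assumptions: size fields are little-endian unsigned 32-bit integers and
    the total size counts the 13-byte header as well as the compressed body.
    """
    if len(data) < HEADER_LEN:
        return None
    magic = data[:5]
    total, raw_len = struct.unpack("<II", data[5:HEADER_LEN])
    if not HEADER_LEN < total <= len(data) or raw_len > MAX_RAW:
        return None
    inflater = zlib.decompressobj()
    try:
        payload = inflater.decompress(data[HEADER_LEN:total], raw_len + 1)
    except zlib.error:
        return None
    # Stream must end exactly at the declared size, with the declared length.
    if not inflater.eof or inflater.unused_data or len(payload) != raw_len:
        return None
    return magic, payload, total

def scan_stream(stream):
    """Walk back-to-back packets from the start of a reassembled TCP stream."""
    found, offset = [], 0
    while (pkt := parse_packet(stream[offset:])) is not None:
        magic, payload, total = pkt
        found.append((magic, payload))
        offset += total
    return found

def make_sample(magic, payload):
    """Constructed test input only: frame payload the way parse_packet expects."""
    body = zlib.compress(payload)
    return magic + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body

# Constructed samples: default magic, a renamed 5-byte magic, unrelated traffic.
STREAM = make_sample(b"Gh0st", b"\x01constructed") + make_sample(b"ABCDE", b"\x02data")
HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    print(scan_stream(STREAM))
    print(scan_stream(HTTP))
```

A stream is reported only when both size fields agree with the zlib body, so ordinary traffic such as the HTTP sample yields an empty list.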

Defensive Measures

This section lists some of the defensive and proactive measures that can be put in place to detect Gh0st malware.

Monitoring traffic with inline network devices: Security solutions which provide deep packet monitoring, such as Intrusion Detection/Prevention Systems (IDS/IPS), can help a great deal in looking for Gh0st malware. But today the Gh0st malware is so sophisticated that a simple signature in the IDS/IPS is not enough to detect it.

Internal port scans: As we have learned, there is a persistent connection between the Gh0st RAT C2 client and the compromised host, so running an internal port scan at regular intervals will reveal the malicious ports.

Monitoring services on hosts: Since malware is usually installed as a rootkit and operates close to the kernel layer, and is mostly installed as a service, an internal scan must be carried out on all the running services on hosts at regular intervals.

Event logs for hosts: Endpoint host event logs must be monitored for both successful and failed logins. Specifically monitor for logon types 3 and 10, because these are the most likely ways in which an intruder can connect to the internal hosts.

Last but not least, security awareness is a must to protect against most malware, and Gh0st RAT is no exception. Users should be aware of this malware to protect against attacks such as URL redirection.
