Malware analysis

Gh0st RAT: Complete malware analysis – Part 1

Security Ninja
February 11, 2015 by
Security Ninja

In this article series, we will learn about one of the most predominant malware, named Gh0st RAT, whose source code is dated back to 2001 but it is still relevant today and how to do malware analysis. In this article series, we will learn what exactly is Gh0st RAT, all its variants, how it works, its characteristics, etc.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

What is Gh0st RAT?

Gh0st RAT (Remote Access Terminal) is a trojan "Remote Access Tool" used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth.

Gh0st RAT capabilities

I think that before I delve into more technical details of Gh0st RAT, let us take a brief look at the capabilities or reach of Gh0st RAT. Below is a list of Gh0st RAT capabilities. Gh0st RAT can:

  • Take full control of the remote screen on the infected bot.
  • Provide real time as well as offline keystroke logging.
  • Provide live feed of webcam, microphone of infected host.
  • Download remote binaries on the infected remote host.
  • Take control of remote shutdown and reboot of host.
  • Disable infected computer remote pointer and keyboard input.
  • Enter into shell of remote infected host with full control.
  • Provide a list of all the active processes.
  • Clear all existing SSDT of all existing hooks.

Gh0st RAT components

This section will throw light on both at user and kernel level binaries of the Gh0st RAT toolset. Gh0st RAT has two main components: client and server.

Controller Application: This is known as client, which is typically a Windows application that is used to track and manage Gh0st servers on remote compromised hosts. The two main functions this module serves is the management and control of Gh0st servers and the ability to create customized server install programs.

Windows DLL (user level binary): The DLL is named SVCHOST.DLL. It is the Windows DLL that gets installed on a compromised host as a Windows service. This service is the server component of the Gh0st toolkit. It checks in to the Gh0st client on startup and awaits instructions. The setup and installation of this DLL as a service is done by the install program (Dropper) SERVER.EXE which we will discuss in a short while.

INSTALL.EXE Dropper application is used to install SVCHOST.DLL. This is a stand-alone Windows application that contains all required code to prepare a compromised host for the installation of the Gh0st RAT server service and the launching of that service.

Kernel Level Binary: This is present in the toolset with the .SYS filename RESSDT.SYS. This is a very small device driver that performs a single task: resetting the Windows System Service Dispatch Table (SSDT). This is the only kernel level binary in the toolset. It runs at system startup on the compromised host and removes all hooks in the SSDT.

Install Program: This is commonly called "the dropper." It contains the two above described binaries and performs all of the work necessary to install the Gh0st server on a host and startup the Gh0st service.

Gh0st RAT variants

Since Gh0st Rat source code is available for everyone, Gh0st Rat has many versions available, as people have generally used and even modified the code to fit their purpose. Gh0st, because of its number of variants and encrypted capabilities, is hard to recognize. Most antivirus detections today are automatically generated, resulting in names thought out by machines. Quick, but containing information only machines find interesting. The most stable indicator of being faced with a Gh0stRat is its network communication. It is well documented and quite distinctive, as it always begins with a "magic word" which in its default configuration is "Gh0st" – thus Gh0st Rat.

As one can imagine, the detection of the "Gh0st" keyword in the network stream is pretty easy, as tools like Network Intrusion Prevention System (NIPS) or even Wireshark magic words are easily available in the fixed length of 5 bytes. So the below key words are from the investigations guide that contains all the magic words from a Gh0st Network stream:

"7hero, Adobe, B1X6Z, BEiLa, BeiJi, ByShe, FKJP3, FLYNN, FWAPR, FWKJG,GWRAT, Gh0st, GOLDt, HEART, HTTPS, HXWAN, Heart, IM007, ITore, KOBBX, KrisR, LUCKK, LURK0, LYRAT, Level, Lover, Lyyyy, MYFYB, MoZhe, MyRat, OXXMM, PCRat, QWPOT, Spidern, Tyjhu, URATU, W0LFKO, Wangz, Winds, World, X6RAT, XDAPR, Xjjhj, ag0ft, attac, cb1st, https, whmhl, xhjyk, 00000, ABCDE, apach, Assas, Blues, chevr, CHINA, cyl22, DrAgOn EXXMM,Eyes1, Gi0st, GM110, Hello, httpx, kaGni, light, LkxCq, lvxYT, Naver, NIGHT, NoNul, Origi, QQ_124971919, Snown, SocKt, Super, Sw@rd, v2010, VGTLS, wcker, Wh0vt, wings, X6M9K, xqwf7, YANGZ"

The above is not an exhaustive list, and even magic keywords like "Spidern" and "W0LFKO" come with non-standard length of 5 bytes. Other irregular magic keywords like "DrAgOn" and "QQ_124971919" do not even compress their network traffic like most other Gh0st do.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

In the next article of this series, we will learn about Gh0st network connections, why it is difficult to control this type of attack, and what are the possible solutions for its control that can be put in place.


Security Ninja
Security Ninja