This post is the eighth of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network.

Today we’ll look at a particular class of software tools used by attackers called Administration Toolkits. Oftentimes these toolkits enable remote system administration, and are called Remote Admin Toolkits. Sometimes, however, they are used more locally by attackers, so we’ll generally refer to these tools as Suspicious Admin Toolkits, or just admin toolkits.

What’s the purpose of an admin toolkit? An admin toolkit is used by attackers to streamline and automate malicious actions. They provide a malicious operator, whether remote or local, the ability to perform the following types of actions and much more:

• Log keystrokes entered by the local user
• Grab content from the clipboard
• Record mouse movements performed by the local user
• Take control of the keyboard and mouse
• Take screenshots and record video of what’s being displayed
• Turn on/off a connected webcam
• Turn on/off connected microphones and speakers
• Download/upload/execute files
• Scan local files for passwords, credit card numbers, and important-looking files
• Connect to network shares and other resources
• Execute commands from a terminal prompt
• Perform Denial of Service (DoS) attacks on a remote target

Essentially, an admin toolkit enables an operator to do anything on the infected machine that they could do if they were sitting physically in front of it. It makes the machine easier to administer so that the operator can concentrate on their end goal, whether that be performing a distributed DoS attack on a target, standing up a large-scale botnet, or stealing information from the infected host.

A few popular types of admin toolkits are the following:

• Poison Ivy
• Bifrost
• Radmin
• Back Orifice
• DarkComet

There are many others, but these are prevalent because they are widely available online (often for free), are well-designed and easy to use, and provide a large number of helpful features when controlling a victim machine.

Is it possible to automatically detect and block admin toolkits? Well, detecting the presence of an admin toolkit can be tricky, because they’re usually designed to avoid detection and hide within network noise. Attackers also make software variants (a.k.a. strains) to avoid signature-based detection, so the attacker-defender relationship turns into a big game of Whac-A-Mole™. Communications by admin toolkits are almost always encrypted, use custom command protocols, and use either standard network ports or ephemeral ports to avoid detection. This means that a signature-based detection approach will be moderately successful, because it will identify the presence of older admin toolkit strains, but it will miss the newer variants.

So then if signature-based approaches are only partially successful, are there non-signature-based approaches that could be used? Absolutely – using a non-signature-based approach helps fill that detection gap to spot the latest strains of admin toolkit malware. The technique is generally to look at broader traffic characteristics or patterns rather than looking for specific byte strings within traffic payloads.

Let’s look at an example of how this works for the popular Poison Ivy toolkit —

Poison Ivy has a known communication protocol documented here that it uses to establish an encrypted connection between a remote server and a compromised host. After an initial TCP/IP session connection has been established, the remote server sends 256 random bytes to the client, which serves as an authentication challenge. This ensures the server and client can speak the same language and are authorized to exchange data with each other. The client takes these 256 bytes, performs an arithmetic calculation on them using a pre-shared password, and responds with the resulting 256 byte response value. If the client’s response matches the response calculated independently by the server, then the client is authenticated and they can start exchanging encrypted commands and data.

Notice in the above that the only real signature we can latch onto is the random 256-byte challenge and response strings. So our analytic search will be for traffic where the client and server send 256-byte payloads to each other in rapid succession and then start exchanging variable byte-length payloads of unknown protocol. This is really the only way to search for it.

Assuming you could automatically break the cryptography, it will still be difficult to create useful IDS signatures for Poison Ivy because it uses a re-seeding technique in its cryptographic functions for every transmission, so the traffic content will not contain any static indicators on which an IDS could trigger. A defender has to take a non-signature-based, more behavioral- and pattern-based approach to detecting this traffic.

Using this method, Novetta’s advanced network traffic analysis solution Novetta Cyber Analytics detects toolkits such as Poison Ivy, Bifrost, Radmin, and Gh0st RAT, and is continually adding additional logic and filters to detect other admin toolkits. Not all admin toolkits use the same techniques, and the authors like to keep defenders guessing, so we have to maintain our non-signature-based approaches to adapt.

That was a quick peek into the world of Suspicious Admin Toolkits. It’s a powerful way to scan for malicious behaviors that are happening on a network after an attacker has managed to attain an initial foothold and establish persistence. Stay tuned for more powerful searches that can reveal malicious behavior as we move through this entire advanced analytics series.

Read the next post in this series: Two Degrees of Separation.