Malware authors have always been coming up with new and improved ways to control compromised machines. Remote-access Trojans have been in use for a long time. One of the most infamous is Back Orifice.

With the prevalence of DIY kits, every kid on the block has the ability to invade other people's computers at whim. What has changed over time is the ease of use of these kits, along with advances in stealth technology. SharK is one such remote-access Trojan kit; it lets the attacker customize the generated Trojan from a long list of features built into the toolkit.

Server

Fig 1: SharK2 Server configuration options.

In a nutshell, the server created with the kit can typically be configured to do the following:

  • Load the Trojan at every startup using ActiveX keys specified in the registry.
  • Social-engineer the victim into believing he has opened a genuine executable, such as Notepad.
  • Bind itself to other genuine files.
  • Act like a retrovirus, disabling antivirus software. The kit also gives users the option to blacklist and cripple various security and analysis tools on the victim machine.
  • Use stealth options such as melting the server on execution, modifying file attributes, modifying the file creation time of the server, or opening ports only when an Internet connection is present.
  • Encrypt its header and use its own stub.
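RAT builders of this generation use the label "ActiveX startup" for persistence through the Active Setup `Installed Components` registry keys, whose `StubPath` value is executed for each user at logon. Assuming that is what the startup option above refers to (the post does not name the key), the following script shows how an analyst can triage that location from a `reg export` text dump: it lists every `StubPath` and flags the ones whose program lives outside the Windows and Program Files directories. This is an added example, not code from the post or from McAfee; the registry dump, GUIDs and paths in it are constructed for the example.

```python
import re

# Constructed `reg export` output for the example. The GUIDs are placeholders and
# the second entry is a made-up suspicious value; neither comes from a real system.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\WINDOWS\\system32\\regsvr32.exe /s /n /i:/UserInstall C:\\WINDOWS\\system32\\themeui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}]
"StubPath"="C:\\Documents and Settings\\alice\\Application Data\\notepad.exe"
'''

# Directories from which a StubPath program is expected to run (assumption for this triage).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def parse_stubpaths(reg_text):
    """Return {registry key: StubPath command line} for every key in the dump
    that carries a StubPath value. Backslashes are doubled in .reg exports,
    so they are collapsed back to single ones here."""
    entries = {}
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and line.lower().startswith('"stubpath"='):
            raw = line.split("=", 1)[1].strip().strip('"')
            entries[current_key] = raw.replace("\\\\", "\\")
    return entries


def executable_of(command):
    """Extract the program path from a StubPath command line: the quoted first
    token if there is one, otherwise everything up to the first '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
    return match.group(1) if match else command.split()[0]


def suspicious_stubpaths(reg_text, trusted=TRUSTED_PREFIXES):
    """Return the StubPath entries whose program is outside the trusted directories."""
    return {
        key: cmd
        for key, cmd in parse_stubpaths(reg_text).items()
        if not executable_of(cmd).lower().startswith(trusted)
    }


if __name__ == "__main__":
    for key, cmd in suspicious_stubpaths(SAMPLE_REG_EXPORT).items():
        print("SUSPICIOUS:", key)
        print("  ->", cmd)
```

On a live Windows host the same text is produced with `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" dump.reg`; the trusted-prefix list is deliberately narrow so that a user-profile path, the classic drop location for a kit-built server, always surfaces for manual review.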

One of the distinctive characteristics of this kit is its ability to identify sandboxes. Although anti-sandboxing techniques have been discussed widely, this kit is probably one of the few to implement the feature. Combined with this are anti-debugging and VMware-detection techniques that can make analyzing this Trojan a little more difficult.

Client

Fig 2: Web Downloader Component

Once infected, the victim machine connects back to the specified address and port.

  • Like many Trojans, SharK uses the RC4 cipher to encrypt its traffic.
  • The keylogger works with WH_KEYBOARD_LL hooks.
  • Interactive DOS shell.
  • Manipulation of running processes, windows, and services from the remote console.
  • Interactive process blacklisting, which alerts the attacker when a blacklisted process is found on the victim machine and prompts the attacker to take action (see Fig 3).
  • Code injection into a hidden Internet Explorer window in an attempt to bypass firewalls.
  • A Web Downloader used to download and execute files on the victim machine (see Fig 2).
  • Redirection of victims to various phishing Web sites.
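Because the client-server traffic is RC4, an analyst who recovers the key from the server configuration can decrypt a capture offline. The script below is an added example, not code from the post or from McAfee: it implements RC4 (key scheduling followed by the keystream generator), checks itself against the standard published RC4 test vectors, and then decrypts a constructed "captured" exchange. The key and the messages are made up for the example and are not SharK's real key or protocol. It also shows the weakness that a kit-wide static key brings: with the same key and no per-message nonce, the XOR of two ciphertexts equals the XOR of the two plaintexts, which is why reused RC4 keystreams are a gift to the analyst.

```python
# Constructed sample key and C2-style messages; not values recovered from SharK.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_MESSAGES = [b"PING|host=LAB-PC|ver=2", b"PONG|uptime=42"]


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key`: KSA to permute S, then PRGA."""
    S = list(range(256))
    j = 0
    # Key-scheduling algorithm (KSA)
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA)
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data`; RC4 is a stream cipher, so both are XOR with the keystream."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def capture_and_recover(key=SAMPLE_KEY, messages=SAMPLE_MESSAGES):
    """Simulate the on-the-wire ciphertexts and recover the plaintexts with the key."""
    captured = [rc4_crypt(key, m) for m in messages]
    recovered = [rc4_crypt(key, c) for c in captured]
    return captured, recovered


def keystream_reuse_leak(key=SAMPLE_KEY, messages=SAMPLE_MESSAGES) -> bool:
    """With a static key and no nonce, every message is encrypted with the same
    keystream, so c1 XOR c2 == p1 XOR p2: plaintext structure leaks without the key."""
    c1, c2 = (rc4_crypt(key, m) for m in messages)
    return xor_bytes(c1, c2) == xor_bytes(*messages)


if __name__ == "__main__":
    # Published RC4 test vector: key "Key", plaintext "Plaintext" -> bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", b"Plaintext").hex())
    captured, recovered = capture_and_recover()
    for c, p in zip(captured, recovered):
        print(c.hex(), "->", p.decode())
    print("keystream reuse leaks plaintext XOR:", keystream_reuse_leak())
```

The test vectors used for self-checking are the well-known ones from the RC4 literature ("Key"/"Plaintext", "Wiki"/"pedia", "Secret"/"Attack at dawn"); if an implementation extracted from a sample disagrees with them, the kit is using a modified RC4 and the decryptor must be adjusted before any traffic analysis.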

Fig 3: Interactive process blacklist

The kit is also updated constantly to introduce new features. With the allegedly leaked source code up for sale in various forums, more versions are likely to emerge. A look at our sample collection was enough to establish that malicious actors have already started capitalizing on this toolkit.

We at McAfee Avert Labs are, as always, on the lookout for new threats. With the current DATs we detect the configurator as BackDoor-DKG.cfg and the server as BackDoor-DKG.