Wednesday, January 14, 2015

Indicators - Houdini RAT

Threat Name: Houdini

Variants or Other Possible Names: njRAT, Iniduoh.

This RAT (Remote Access Trojan) has been around for a while, and was first posted by FireEye. It is a pretty nasty RAT, but is quite easy to find in log files. I will brush over the indicators on FireEye's website, as well as some other indicators not listed.

Remote Host Connections:

The author is fascinated with no-ip.info and zapto.org, so start your search with those domains. Below are several other domains used by the RAT:
  • introworld.zapto.org
  • j2w2d.no-ip.biz (31.186.179.230)
  • qwqhack.no-ip.biz (37.239.116.223)
  • paltalk.servequake.com
  • terminator9.zapto.org
  • basss.no-ip.info
  • bg1337.zapto.org
  • ronaldo-123.no-ip.biz

HTTP URI Indicators:
  • /is-ready
HTTP Request Methods:
  • POST
User-agent String Values:

This is an easy catch. The below value is used as a separator in the user-agent string field:
  • <|>
Associated Snort Rule:
  • alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection"; flow:to_server,established; content:"/is-ready"; fast_pattern:only; http_uri; content:"User|2D|Agent|3A 20|"; http_header; content:"|3C 7C 3E|"; within:3; distance:8; http_header; content:"|3C 7C 3E|"; within:18; http_header; content:"|3C 7C 3E|Microsoft Windows"; within:84; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/220b551d9381fb56b48511b622a0bbc15482378396b3e83f708379f460f3347a/analysis/; classtype:trojan-activity; sid:28817; rev:3;)
Regex:

Search in the user-agent string field.
  • <\|>
Conclusion:

I was never able to find much information for this RAT and I hope it helps you out in your searches.

No comments:

Post a Comment

Please feel free to leave a comment that is relevant to the post.