Insult to injury: Researcher remote pwns RAT of cuffed FireEye VXer

Derbycon: PhishMe researcher Paul Burbage has added insult to injury for a former FireEye intern cum arrested VXer by showcasing how to thoroughly pwn his remote access trojan.

The Dendroid RAT sold for $300 on defunct hacker forum Darkode, which was scuppered in international federal police raids in which author Morgan Culbertson was arrested.

The malware targeted Android handsets to record calls; intercept SMS; upload files; steal credentials, and bypass Google's Play Store security checks.

Culbertson worked for a time as an anti- mobile malware white hat and pled guilty last month for his role in Dendroid. He awaits sentencing in December.

Burbage, a command and control infrastructure nerd (@hexlax), demonstrated how to gain remote code execution on the PHP malware.

"It is definitely one of the more feature-rich mobile malware that I've seen, and is certainly geared towards your more noobish actor," Burbage told the DerbyCon conference in Kentucky Friday.

"It is one of the most prevalent of the three (RAT) families and still highly utilised in the world today.

"The amount of time spent on the front end flashy GUI -- they didn't work on the back end PHP code."

Burbage "immediately" found a remote code execution vulnerability when he downloaded a copy of Dendroid leaked to GitHub and also permanent cross-site scripting and SQL injection.

The problem exists in applysettings.php file which writes all code to config.php. An attacker's specially-crafted POST request to apply settings.php is then written to config.php. "It completely zeros config.php so it's noisy but renders the RAT inoperable."

He gave delegates (and viewers of the talk video) details of the proof-of-concept to slap down Dendroid users.

He demonstrated how to launch SYN flood denial of service attacks "crushing" the popular SMS and spamming DriodJack RAT. It had been linked to an India-based developer who sells it $220.

Burbage also ripped apart the pricey and popular iBanking RAT used by the famous VawTrak or NeverQuest crime group that made the eponomous trojan which clocked in as 2014's most dangerous threat.

iBanking sold for up to $5000 and could capture SMS and call lists allowing transaction verification phone calls to be routed to attackers. It sported anti-forensics, could wipe device data, and record calls.

But it too could be ripped apart. French black hat hater Xylitol found a file upload vulnerability that thanks to an absence of file verification allowed Burbage to upload a PHP shell.

Burbage says Dendroid and mobile RATs like it are making bank thanks to the lack of security integrity of many devices.

Part of the success is thanks to binders that wrap malware with legitimate apps.

He says command and control types are divided into Java and PHP panels. The latter often suffer from a lack of input validation leading to holes including remote code execution, shell uploading, and permanent cross-site scripting. ®