Nuclear RAT
From Wikipedia, the free encyclopedia
| Common name | Nuclear RAT |
|---|---|
| Technical name | Nuclear Remote Administration Tool |
| Aliases | Backdoor.Delf.jl, Backdoor.Delf.jw, Backdoor.Win32.Nuclear.b, Win-Trojan/NucRAT, Win-Trojan:NucRAT, Win32/Nuclear.AG, Backdoor.Win32.Nuclear.ak |
| Family | Nuclear RAT |
| Classification | Trojan |
| Type | Windows NT, Windows 2000, Windows XP, Windows Server 2003 |
| Subtype | Backdoor |
| Isolation | 2003 - present (new variants being released) |
| Point of Isolation | Unknown |
| Point of Origin | Brazil |
| Author(s) | caesar2k |
Nuclear RAT (short for Nuclear Remote Administration Tool) is a backdoor trojan horse that infect Windows NT family systems (Windows 2000, XP, 2003). It uses a server creator, a client and a server to take control over the remote computer. It uses process hijacking to fool the firewall, and allow the server component to hijack processes and gain rights for accessing the internet.
The server component (217,600 bytes) is dropped under Windows, System32 or Program Files folders, under a custom named folder, the default is NR. Once the server component is run, it tries to connect to its client, that listen for incoming connections on a configurable port, to allow the attacker to execute arbitrary code from his computer.
The server editor component has the following capabilities:
- Create the server component
- Change the server component's port number and/or IP address / DNS, connection retry interval, direct or reverse connection mode.
- Change the server component's executable name, installation folder, target process hijacking
- Change the name of the Windows registry startup entry
- Change the PHP notify location
- Include any plugins to be executed once ran
- Include a fake error message that will be showed upon execution
The client component has the following capabilities:
- Take screenshots
- View webcam shots
- Capturing key strokes from the keyboard (keystroke logging)
- General information about computer (Username, Timezone, Version installed, Language, Available drives, etc)
- Mouse control
- Remote BAT/VBS script execution
- Monitor resolution
- SOCKS 5
- HTTP Webserver
- Shell console
- File Manager (Download files and folders, Delete, Upload, Execute, Rename, Copy, Set Attributes, Create Folder, etc)
- Window Manager (Hide, show, close, minimize/maximize, disable/enable X, rename caption, send keys, etc)
- Process Manager (kill, unload DLL, list DLLs)
- Registry Manager (Create key, edit values REG_DWORD, REG_BINARY, REG_MULTI_SZ, REG_SZ, create values, rename values)
- Clipboard manager
- Plugins manager (to add extra funcionality to the malware)
- Shutdown computer
- Message Box
- Chat with infected machine
- Web downloader
- IP Scanner
- Port redirect
- TCP tunnel
- Cam caplute
- See Eden/Jimbolance
Older versions of this malware had ability to change their look through using skinnable windows.
[edit] External links
- Win32/Nuclear.AG, by PestPatrol
- Nuclear RAT All Versions, by MegaSecurity security database
- Nuclear Winter Crew, Nuclear RAT creator's page
 |
This malware-related article is a stub. You can help Wikipedia by expanding it. |
