Bandook Rat (short for Bandook Remote Administration Tool) is a backdoor trojan horse that infects Windows NT family systems (Windows 2000, XP, 2003, Vista, 7). It uses a server creator, a client and a server to take control of the remote computer. It uses process hijacking / kernel patching to bypass the firewall, allowing the server component to hijack processes and gain rights to access the internet.
In other words:
Bandook RAT is a remote access trojan, i.e. a trojan that enables remote access to another computer. The client contains features that can be used maliciously, most notably a file manager, screen capture utility, keystroke logger, and process manager.
The server component (28,200 bytes) is dropped under the Windows, System32, Program Files or Applications folders; the default name is ali.exe. Once the server component is run, it establishes a connection to the attacking client, which listens for incoming connections on a configurable port so that the attacker can execute arbitrary code from their computer.
The server editor component has the following capabilities:
- Create the server component
- Change the server component's port number and/or IP address / DNS name, persistence, rootkit, SDT restore and more
- Change the server component's executable name, installation folder and target process for hijacking
- Change the name of the Windows registry startup entry or ActiveX key
- Enable Offline Keylogger, Offline Instant Messengers Spy
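The drop locations, default file name and size, and the registry startup entry described above are the artifacts a defender can look for on a suspect host. The following is an added triage example, not code from the article or from the Bandook project: it scores a constructed file inventory against those indicators and then checks constructed autostart entries for anything pointing at a flagged file. The indicator values (ali.exe, 28,200 bytes, the drop folders) come from the article; the Run keys and the Active Setup "Installed Components" key are assumptions about which Windows autostart locations the article's "registry startup entry" and "ActiveX key" refer to, and all sample records are constructed.

```python
import ntpath
from typing import Dict, List, Tuple

# Indicators taken from the article: default server name, on-disk size and the
# folders it is dropped into. The server editor lets the operator change every
# one of these, so they are triage hints, not a signature.
DEFAULT_SERVER_NAME = "ali.exe"
DEFAULT_SERVER_SIZE = 28200
DROP_DIRS = (
    r"c:\windows",
    r"c:\windows\system32",
    r"c:\program files",
    r"c:\program files\applications",
)

# Autostart locations to review. Which exact keys the article means by
# "registry startup entry" and "ActiveX key" is an assumption made here.
STARTUP_KEYS = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\active setup\installed components",
)

# Constructed sample data: (path, size in bytes) records and
# (key, value name, command) autostart entries, as a collector might export.
SAMPLE_FILES = [
    (r"C:\Windows\System32\ali.exe", 28200),
    (r"C:\Program Files\Applications\svchost.exe", 28200),  # renamed server
    (r"C:\Windows\System32\notepad.exe", 193536),
]
SAMPLE_RUN_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ali",
     r"C:\Windows\System32\ali.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]


def score_file(path: str, size: int) -> Tuple[int, List[str]]:
    """Score one file record: name match is strong, size and folder are weak."""
    directory, name = ntpath.split(path)
    directory, name = directory.lower().rstrip("\\"), name.lower()
    score, reasons = 0, []
    if name == DEFAULT_SERVER_NAME:
        score += 2
        reasons.append("default server name")
    if size == DEFAULT_SERVER_SIZE:
        score += 1
        reasons.append("size matches 28,200-byte server")
    if directory in DROP_DIRS:
        score += 1
        reasons.append("in a documented drop folder")
    return score, reasons


def triage(files, run_entries, threshold: int = 2) -> Dict[str, List[str]]:
    """Flag files reaching the threshold, then note autostart entries that
    launch a flagged file. Returns lower-cased path -> list of reasons."""
    findings: Dict[str, List[str]] = {}
    for path, size in files:
        score, reasons = score_file(path, size)
        if score >= threshold:
            findings[path.lower()] = reasons
    for key, value_name, command in run_entries:
        if key.lower() not in STARTUP_KEYS:
            continue
        target = command.strip('"').lower()
        if target in findings:
            findings[target].append(f"autostart via {key}\\{value_name}")
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_FILES, SAMPLE_RUN_ENTRIES).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The threshold of 2 means a file is flagged either by its default name alone or by the combination of the documented size and a documented drop folder, which is why the renamed copy in Program Files\Applications is still caught while an unrelated System32 binary is not. Because the size and name are operator-configurable, a clean result from this check does not rule out infection; it only prioritises what to examine further.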
Feature list of the program
- Firewall bypass method: FWB#++ (code injection, API unhook, kernel patch)
- Reverse connection, all traffic through one port
- Safe thread-based client
- Persistence (this feature causes the server to become irremovable)
- Rootkit (obscures the infection of another computer)
- Plugin-based server (30 KB packed)
- Different installation paths
- PNG / JPEG compression for screen capture and webcam
Managing features
- File manager with multiple functions, including folder mirror, RAR folder/files, file search, infect files, multiple file download / upload, download / upload manager
- Registry editor with multiple functions
- Process manager (shows full path, and modules manager)
- Windows manager (including a send-key function)
- Services Manager
Connection features
- SOCKS 4 proxy
- HTTP / HTTPS proxy
- Port redirection
- TCP tunnel
- HTTP web server
- FTP server
- Remote shell
- Flooding (mail bomb, DDoS attacks)
Spying features
- Screen manager with screen clicks
- Cam manager that supports systems with multiple cams
- Mic manager (records audio from the microphone)
- IM spy (MSN, Yahoo, AIM)
- Live keylogger
- Offline keylogger (colored HTML), live passwords, IM spy with automatic delivery to FTP
- Cached PWS (password) fetcher
- VNC (remote desktop live control)
- Site detection: check all victims ("VICs") to know which one visits a specific site
- Clipboard manager
- Information about the infected machine
- Cache reader
- Screen recorder (records the user's on-screen activity into AVI movies)
Others
- Shutdown menu
- Nuclear Fun Agent (nuisance)
- Download from web / mass download / selection download
- Browser launcher with site selection
Older versions of this malware had the ability to change their look using skinnable windows.