RAT Bastard

Earlier this week, several servers I maintain were targeted by automated attempts to upload a remote access trojan (RAT). The RAT is a simple rot-13 embedded PHP script. The script provides a means for establishing file transfer and permissions management via HTTP queries on the remote side and the dreaded eval() function on the local side - interestingly, these functions are somewhat protected; in order to work, it is necessary to provide a hash along with the HTTP query, and the length of the query string has to match the size of its associated file. Can't have someone else taking advantage of your hard work, I suppose.

The script includes a standard six-byte GIF header before the "<?php" establishing the opening of the PHP code, and the payload itself had a .gif file extension. It is pretty obvious either to a naked eye or a program that more than a very basic check that this .GIF is not an image. It is slightly more sophisticated than other attempts I have seen which simply rename a payload file, but not as sophisticated as payloads that are embedded within an actual image.

Developers could make attacks like these much more difficult by including more sophisticated file type checks with upload functionality. In the case of this GIF, performing a sanity check of the Logical Screen Descriptor block (must be two pair of two bytes, each 16 bit positive integers) in addition to the Header Block would have caught this as phony. Even more obviously, checking for common open tags for scripts would have caught this and similar garbage-ware (e.g. <?, <?php, etc).