Nuclear RAT (short for Nuclear Remote Administration Tool) is a backdoor trojan horse that infects Windows NT family systems (Windows 2000, XP, 2003). It uses a server creator, a client and a server to take control over a remote computer. It uses process hijacking to fool the firewall, and allows the server component to hijack processes and gain rights for accessing the internet.
The server component (217,600 bytes) is dropped under Windows, System32, or Program Files folders, under a custom named folder; the default is NR. Once the server component is run, it tries to connect to its client, that listens for incoming connections on a configurable port, to allow the attacker to execute arbitrary code from his or her computer.
The server editor component has the following capabilities:
- Create the server component
- Change the server component's port number and/or IP address / DNS, connection retry interval, direct or reverse connection mode.
- Change the server component's executable name, installation folder, target process hijacking
- Change the name of the Windows registry startup entry
- Change the PHP notify location
- Include any plugins to be executed once ran
- Include a fake error message that will be showed upon execution
The client component has the following capabilities:
- Take screenshots
- View webcam shots
- Capturing key strokes from the keyboard (keystroke logging)
- General information about computer (Username, Timezone, Version installed, Language, Available drives, etc)
- Mouse control
- Remote BAT/VBS script execution
- Monitor resolution
- SOCKS 5
- HTTP Webserver
- Shell console
- File Manager (Download files and folders, Delete, Upload, Execute, Rename, Copy, Set Attributes, Create Folder, etc)
- Window Manager (Hide, show, close, minimize/maximize, disable/enable X, rename caption, send keys, etc)
- Process Manager (kill, unload DLL, list DLLs)
- Registry Manager (Create key, edit values REG_DWORD, REG_BINARY, REG_MULTI_SZ, REG_SZ, create values, rename values)
- Clipboard manager
- Plugins manager (to add extra funcionality to the malware)
- Shutdown computer
- Message Box
- Chat with infected machine
- Web downloader
- IP Scanner
- Port redirect
- TCP tunnel
- Cam caplute
- See Eden/Jimbolance
Older versions of this malware had ability to change their look through using skinnable windows.
- ↑ "Spyware Detail Nuclear RAT 1.0b1". Computer Associates. August 16, 2004. http://www.ca.com/securityadvisor/pest/pest.aspx?id=453078396. Retrieved on 2009-03-01.
- Nuclear RAT All Versions, by MegaSecurity security database