Slashdot Mirror


First Remote-Access Trojan That Can Target Android, Linux, Mac and Windows

An anonymous reader writes: Hackers have put on sale OmniRAT, a remote access trojan that can target Androids, Linux, Mac, and Windows PCs. The tool costs $25-$50, which is only a fraction of $200-$300, the price of DroidJack, another Android RAT. Avast is currently reporting that the RAT was used this summer in Germany, spread to victims via SMS messages. The Softpedia article about OmniRAT includes a video, but declined to post the tool's homepage. You can easily find it via a Google search.

63 comments

  1. Re:Wikipedia is communism by MagickalMyst · · Score: 1

    Thanks for sharing. Now get back in your cell.

    --
    Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
  2. Oh, I see ... by gstoddart · · Score: 4, Insightful

    The author of the post received an SMS stating an MMS from someone was sent to him (in the example, a German phone number is listed and the SMS was written in German). The SMS goes on to say “This MMS cannot be directly sent to you, due to the Android vulnerability StageFright. Access the MMS within 3 days [Bitly link] with your telephone number and enter the PIN code [code]”. Once the link is opened, a site loads where you are asked to enter the code from the SMS along with your phone number.

    So, basically if you click on random links in text messages you can get this malware.

    Well then, this is a decades old problem and is as much a human issue as it is a technology one.

    This is precisely why I will never click on ANY link behind an URL shortener; because you have no bloody idea what it is.

    --
    Lost at C:>. Found at C.
    1. Re:Oh, I see ... by JustAnotherOldGuy · · Score: 4, Insightful

      This is precisely why I will never click on ANY link behind an URL shortener; because you have no bloody idea what it is.

      Same here...I think URL shorteners are like tap-dancing across a field full of landmines...you might avoid most of them but it only takes one to completely ruin your day.

      The only place they're useful at all is on something like twitter where space is limited, but that doesn't change the fact that clicking on one is like rolling the dice. Of course, that's true for almost any URL these days- you never know what site has been compromised and is trying to infect you.

      It's one of the main reasons I use NoScript and AdBlock; those two plugins have probably saved my ass more times than I can count.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:Oh, I see ... by Anonymous Coward · · Score: 0

      Nope, it exploits only one thing: Android's brain dead permission system of all/nothing. User gets text, then told that due to bug, they can't see the real SMS. User goes and downloads .apk file (turning on sideloading, ignoring warnings about downloading from unofficial sources, and ignoring the permissions that the app wants), and then is nailed.

      I have legit apps on Android that remote desktop and communicate with the device, so the RAT isn't using anything nefarious... just the fact that Android's all-or-nothing install model causes users to wind up clicking "install" regardless.

      Were Android using an ask-on-first-use model like iOS, this wouldn't be an issue. Yes, Android has something like that in the latest release, but the app has to support it. Otherwise it defaults to its traditional model.

      How do you protect yourself? Simple. If on Android 4.0, use xPrivacy. That is the best in the business, since an app can ask for every permission under the sun... but it will get fake data coming back, and controls will be ignored. Android 5.x and newer? Wait for CyanogenMod, or some utility that can do what xPrivacy does.

      It also doesn't hurt to have a firewall app in place (frontend for iptables, technically) to ball-gag stuff that shouldn't be phoning home.

    3. Re:Oh, I see ... by cfalcon · · Score: 2

      I use tinyurl, because anyone who is familiar with it will do preview.tinyurl and then be able to see the link. If the place seems paranoid, I'll use the preview directly, letting you see the link and you click on it if you want.

      The vast majority of url shorteners, beyond the few name brand ones, exist to ruin you somehow. But the good ones are still good.

    4. Re:Oh, I see ... by SQLGuru · · Score: 1

      One would think that all of the shorteners would make it a lot easier to see the full URL for this very reason.

    5. Re:Oh, I see ... by gstoddart · · Score: 1

      How? By running scripts when you hover?

      Sorry, but if I don't trust the URL shortener, I don't trust it to tell me what the URL is.

      I've pretty much marked the entire .ly domain as untrusted.

      --
      Lost at C:>. Found at C.
    6. Re: Oh, I see ... by fyngyrz · · Score: 1

      The only place they're useful at all is on something like twitter where space is limited

      ...and that is (one of) the reason(s) why Twitter is pretty sorry. It could have easily been designed so that links were stored separate from the message, which would be a lot safer for its users. Lame design.

      --
      I've fallen off your lawn, and I can't get up.
    7. Re:Oh, I see ... by Anonymous Coward · · Score: 0

      This is precisely why I will never click on ANY link behind an URL shortener; because you have no bloody idea what it is.

      You have no idea what is behind any URL you click. Malware kits have to a large degree been distributed on "trusted" sites, through compromising the site or their ad network. And, compromised network, routers, dns might send you somewhere else also when you see the full URL.

      The default state should be to expect anything from any URL, short or not. That mean live malware protection, script protection, adblock, sandboxed browser, etc.

    8. Re: Oh, I see ... by fustakrakich · · Score: 1

      It could have easily been designed so that links were stored separate from the message, which would be a lot safer for its users.

      That shit costs money. Why should Twitter care? This is a client problem.

      --
      “He’s not deformed, he’s just drunk!”
    9. Re:Oh, I see ... by fred911 · · Score: 2

      The user still has to navigate to a website then install the app granting android permission to execute. The statement "spread to victims via SMS messages." is fear mongering.
      Here's a pretty interesting video.

      http://www.youtube.com/watch?v...

      --
      09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    10. Re:Oh, I see ... by Anonymous Coward · · Score: 0

      Twitter's built-in shortener actually addresses that problem pretty well by exposing what the target is before you go.

    11. Re:Oh, I see ... by phil42 · · Score: 0

      you have very little idea what any link is. just because it's from google doesn't mean it's harmless.

    12. Re:Oh, I see ... by Anonymous Coward · · Score: 0

      You can easily see the URL a bit.ly points to though. Just add a plus to the end. For example, if the bit.ly URL is http://bit.ly/1bdDlXc just change that to http://bit.ly/1bdDlXc+.
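
The two manual tricks in this thread (the bit.ly "+" suffix here, and preview.tinyurl in cfalcon's comment above) can be scripted, together with the safer general approach of asking the shortener for its redirect without following it. The block below is an added example, not code from Slashdot, from any commenter, or from the shortener services; the preview.tinyurl.com host name is an assumption drawn from the "preview.tinyurl" mention in the thread.

```python
"""Reveal where a shortened link points without visiting the destination.

Added example for this thread; not code from Slashdot, from the commenters,
or from any shortener service. It turns a bit.ly or tinyurl link into the
preview form the comments describe by hand (a "+" suffix for bit.ly, the
preview.tinyurl.com host for tinyurl), and it resolves any short link with
one HEAD request that refuses to follow the redirect, so only the shortener
is contacted and the target is read from the Location header.  The
preview.tinyurl.com host name is an assumption based on the "preview.tinyurl"
mention in the thread.
"""
from typing import Mapping, Optional
import urllib.error
import urllib.request
from urllib.parse import SplitResult, urlsplit, urlunsplit


def _bitly_preview(parts: SplitResult) -> SplitResult:
    # bit.ly shows the target when a "+" is appended to the short path.
    return parts._replace(path=parts.path.rstrip("+") + "+")


def _tinyurl_preview(parts: SplitResult) -> SplitResult:
    # tinyurl serves a preview page from a separate host (assumed name).
    return parts._replace(netloc="preview.tinyurl.com")


# Shorteners named in the thread and the rewrite that yields their preview page.
PREVIEW_FORMS = {"bit.ly": _bitly_preview, "tinyurl.com": _tinyurl_preview}


def preview_url(url: str) -> Optional[str]:
    """Return the shortener's own preview URL, or None for an unknown host."""
    parts = urlsplit(url)
    rewrite = PREVIEW_FORMS.get(parts.netloc.lower())
    if rewrite is None or not parts.path.strip("/"):
        return None
    return urlunsplit(rewrite(parts))


def parse_redirect(status: int, headers: Mapping[str, str]) -> Optional[str]:
    """Return the Location target of a 3xx response, or None if it is not one."""
    if not 300 <= status < 400:
        return None
    return headers.get("Location") or None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None here makes urlopen raise HTTPError instead of following."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def expand(url: str, timeout: float = 5.0) -> Optional[str]:
    """Send one HEAD request to the shortener and report its redirect target.

    The destination host is never contacted.  Returns None when the shortener
    answers with something other than a redirect (expired link, error page).
    """
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=timeout) as response:
            return parse_redirect(response.status, response.headers)
    except urllib.error.HTTPError as err:
        # A 3xx answer surfaces here because the handler refused to follow it.
        return parse_redirect(err.code, err.headers)


if __name__ == "__main__":
    import sys

    for link in sys.argv[1:]:
        print(link, "->", expand(link), "(preview:", preview_url(link), ")")
```

Run it as `python expand.py http://bit.ly/1bdDlXc` to print the redirect target and the preview form; a None target means the shortener did not answer with a redirect.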

    13. Re: Oh, I see ... by fyngyrz · · Score: 1

      Twitter should care because its customers will spend more time tweeting and enjoying the service, which is what Twitter monetizes. Pretty straight up. Same reason your car doors lock and your front end crumples instead of landing directly in your lap when you have an accident (also a "client problem.") Safety is a significant consumer motivator. Smart design sees to it that best practices are followed.

      When you learn that car X has a crumple zone and locks, but car Y is an accordion waiting to happen and has no locks, but they cost you the same (even if that is nothing, as with Twitter), which car will you prefer to use every day?

      --
      I've fallen off your lawn, and I can't get up.
    14. Re: Oh, I see ... by fustakrakich · · Score: 1

      Twitter has no need for a crumple zone until it becomes a marketing necessity. Without any competition, Twitter has little to worry about customer safety.

      --
      “He’s not deformed, he’s just drunk!”
    15. Re:Oh, I see ... by Anonymous Coward · · Score: 0

      Doesn't work for me. How does it work? (without clicking, I mean)

      Also, I've gotten some pretty good emails and was about to click on the links when my paranoia said "Wait, are you going to click on a shortened address? Where will it take you?" I then recoiled my hand, thinking how close I had been to get caught... "but people always use such links since forever!". "Well,", the voice said, "did you think forever would really last forever?"

      Maybe I should see a doctor...

    16. Re:Oh, I see ... by LMariachi · · Score: 1

      There are a couple of extensions that will preview the real URL behind a shortened link. For instance, Firefox has Interclue, Safari has Ultimate Status Bar, couldn't find one for Chrome or Opera but there's probably something.

      Of course that doesn't help with SMS or mobile browsers that don't support extensions, but it makes desktop browsing a little more secure.

    17. Re:Oh, I see ... by triffid_98 · · Score: 1

      Nope, it exploits only one thing: Android's brain dead permission system of all/nothing. User gets text, then told that due to bug, they can't see the real SMS. User goes and downloads .apk file (turning on sideloading, ignoring warnings about downloading from unofficial sources, and ignoring the permissions that the app wants), and then is nailed.

      You're half right. What it exploits are brain dead users.

    18. Re: Oh, I see ... by fyngyrz · · Score: 1

      I disagree. I disagree by virtue of spending very little time posting on Twitter and almost no time at all reading other Tweets. Instead, I share my between places where images can be posted in line and without censorship, comments can be longer than 140 characters, and actual intelligent conversations and interactions can be had. Twitter offers me almost nothing; and in the process, what they do offer, the offer badly. It's not compelling. Consequently they don't have me as any kind of enthusiastic customer. They don't get my eye-time and they don't get my content.

      For keeping in touch with actual people of worth, I have yet to find anything better than slack. Inline media, good interaction, the same (except WAY better) ability to post status, images, animations, whatever media you like, additional ability to keep track of anything you care to code up, custom rooms, custom bots, post editing, apps for everything from the web to android and iOS... I keep slack open on my computer all the time. The app keeps me up to date when I'm roaming. Twitter is, indeed, no competition at all for slack. :)

      But then again... I really don't give a flying fig what the Kardassians are doing today, so there's that...

      --
      I've fallen off your lawn, and I can't get up.
    19. Re: Oh, I see ... by fustakrakich · · Score: 1

      We are kinda talking about two different things. You and I are invisible to Twitter. They don't need to care. Business is good. They have all the cost/benefit ratios figured out. If it all goes south, they just move their money somewhere else into another market. Try to see it from the view of the stock market or a hedge fund manager looking for a place to launder his money. The simple idea is maximal return with minimal effort. Leave the details to somebody else.

      --
      “He’s not deformed, he’s just drunk!”
    20. Re: Oh, I see ... by fyngyrz · · Score: 1

      All true, but still not the same as "they have no competition" and "they don't need to care." If they care, they preserve and protect their business model, because it is a better business model. A better business model is also a stronger argument for the hedge fund manager or stockbroker.

      What we're looking at here is simple incompetence with its basis in the trope "good enough, ship it."

      --
      I've fallen off your lawn, and I can't get up.
  3. Wrong RAT by Anonymous Coward · · Score: 0

    RAT == Remote Access Tool(kit)

  4. Re:Tesla coil from China by MagickalMyst · · Score: 1

    That can't possibly be true. Anonymous Coward's are dickless idiots.

    --
    Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
  5. Damn by JustAnotherOldGuy · · Score: 1

    "... can target Androids, Linux, Mac, and Windows PCs."

    Well, isn't that nice. Finally a true cross-platform service that doesn't discriminate.

    I'm generally a very peaceful, easy-going guy, but I would be all in favor of hunter-killer teams finding the people that write this shit and lopping their heads off.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Damn by angel'o'sphere · · Score: 1

      No no, you are doing it all wrong!
      You chop their hands off! And then you leave with the words: happy wanking!

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    2. Re:Damn by guruevi · · Score: 1

      Why? It's a trojan, not a virus. It doesn't auto-install on all of the platforms, it requires user intervention to install. It's like saying that VNC (also available for all the above platforms) developers should be hunted down. This is basically a VNC package that hides itself, nothing too bad.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    3. Re:Damn by KGIII · · Score: 1

      My sentiments exactly. Just grab the VNC SDK and hide it behind a wrapper that makes a simple game and *tada.wav* you're doing the same thing.

      --
      "So long and thanks for all the fish."
  6. Mac ? by Spaham · · Score: 1

    In which part of the linked articles do they talk about Macs ??
    Didn't find it.

    1. Re:Mac ? by Guy+Harris · · Score: 1

      In which part of the linked articles do they talk about Macs ?? Didn't find it.

      Or about Windows or Linux, for that matter. I suspect they mean that the server that controls the infected phone can run on Windows, OS X, or Linux, not that the infecting client runs on Windows, OS X, or Linux.

    2. Re:Mac ? by Anonymous Coward · · Score: 1

      In which part of the linked articles do they talk about Macs ??
      Didn't find it.

      In the second paragraph of the first linked article.

    3. Re:Mac ? by amicusNYCL · · Score: 1

      This knowledge - and more - can be yours by visiting omnirat.eu (while supplies last).

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    4. Re:Mac ? by amicusNYCL · · Score: 1

      It appears that both the server and client are multi-platform, possibly as Java packages.

      https://www.linkedin.com/pulse...

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    5. Re:Mac ? by Guy+Harris · · Score: 2

      It appears that both the server and client are multi-platform, possibly as Java packages.

      https://www.linkedin.com/pulse...

      As that page says, "The Client was coded in Java to support as many OS as possible. It requires the Java Version 7 and is extremely persistent.", although it "supports less features" on OS X, Linux, and other "Unix machines".

      Presumably it runs as root if it "You can view, create, delete, rename, download, copy and move all files & folders on your clients machine.", unless the ability to do that to all files and folders is one of those features not supported on UN*Xes. (Can you turn off rootless mode on OS X 10.11 with this tool?)

    6. Re:Mac ? by U2xhc2hkb3QgU3Vja3M · · Score: 2

      Macs don't even ship with either Flash or Java these days and Java 7 is too recent compared to the last version that was included. I think it's a non-issue for the majority of Mac users.

      Fight for your bitcoins!

    7. Re:Mac ? by angel'o'sphere · · Score: 1

      "Can you turn off rootless mode on OS X 10.11 with this tool?)"
      What is "rootless mode" supposed to be?

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    8. Re:Mac ? by amicusNYCL · · Score: 1

      I think it's a non-issue for the majority of users, period. The news seems to be that if you can trick your target into installing something then you can control that device from any other device.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    9. Re:Mac ? by Guy+Harris · · Score: 1

      "Can you turn off rootless mode on OS X 10.11 with this tool?)" What is "rootless mode" supposed to be?

      Another name used for the mode where System Integrity Protection is enabled.

    10. Re:Mac ? by angel'o'sphere · · Score: 1

      The link has nothing to do with what the parent implied or did not imply ... did he mean "user root" or root less as in X-Windows integration into the Mac OS X GUI?
      Both actually have nothing to do with the topic ... so my bet is the parent only was shuffling words ;

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    11. Re:Mac ? by AHuxley · · Score: 1

      There’s more than one RAT (November 5th, 2015)
      https://blog.avast.com/2015/11...
      " OmniRat can also give you remote control of any Windows, Linux or Mac device."

      --
      Domestic spying is now "Benign Information Gathering"
    12. Re:Mac ? by Guy+Harris · · Score: 1

      The link has nothing to do with what the parent implied or did not imply ... did he mean "user root" or root less as in X-Windows integration into the Mac OS X GUI? Both actually have nothing to do with the topic ... so my bet is the parent only was shuffling words ;

      If by "the parent" you mean the comment where I asked "Can you turn off rootless mode on OS X 10.11 with this tool?", then I can assure you with 100% certainty that he meant "the System Integrity Protection feature of OS X El Capitan, often referred to as "rootless mode", as he is me. The "root" in there refers to the user root; "rootless" mode disables even the root account from making some changes.

      The question was asked because the only way a trojan will be able to modify the files protected by System Integrity Protection would be if it could 1) turn System Integrity Protection off or otherwise disable it or 2) somehow evade its protections.

    13. Re:Mac ? by angel'o'sphere · · Score: 1

      First: the name "rootless" is misleading, since there's still a root account, and you can still access it (the official name, "System Integrity Protection", is more accurate). What it really does is limit the power of the root account, so that even if you become root, you don't have full control over the system.
      Would have been surprising if there was no "root account".
      I missed that you specifically asked for OS X 10.11. As I'm only running older Systems, I believe my newest is 10.9 ... the rest are 10.6 ... and the Mac mini has 10.8 ... forgot about that.

      The accepted answer here: http://apple.stackexchange.com...
      gives a much better explanation than the apple link.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    14. Re:Mac ? by MrKaos · · Score: 1

      Apologies for the OT. The fanbois are howling with their ad hom orgy in the other thread and the mod trolls are out in force.

      It will be interesting to see how this thread will be moderated as a gauge of the relative hypocrisy going on. I thought you might be interested in the actual governance surrounding plants.

      --
      My ism, it's full of beliefs.
  7. BSD and Solaris by aquabats · · Score: 2

    BSD and Solaris for the WIN!

    1. Re:BSD and Solaris by Anonymous Coward · · Score: 0

      Don't forget Haiku,
      and many other O S
      don't run this program...

    2. Re:BSD and Solaris by FudRucker · · Score: 1

      FreeDOS!!!

      --
      Politics is Treachery, Religion is Brainwashing
    3. Re:BSD and Solaris by Bing+Tsher+E · · Score: 1

      BeOS!

  8. Misleading title - *controller* runs on PCs? by Guy+Harris · · Score: 5, Informative

    Perhaps "OmniRAT Lets Hackers Control Android Phones, Windows, Mac, and Linux PCs" really means "OmniRAT Lets Hackers Control Android Phones *from* Windows, Mac, and Linux PCs". A screen grab in the Avast blog post speaks of a "Multi-OS Server - Android Client", which may mean that the server that controls the remote phone can run on Windows, OS X, and Linux.

    1. Re:Misleading title - *controller* runs on PCs? by Anonymous Coward · · Score: 0

      Perhaps "OmniRAT Lets Hackers Control Android Phones, Windows, Mac, and Linux PCs" really means "OmniRAT Lets Hackers Control Android Phones *from* Windows, Mac, and Linux PCs". A screen grab in the Avast blog post speaks of a "Multi-OS Server - Android Client", which may mean that the server that controls the remote phone can run on Windows, OS X, and Linux.

      now offering Multi-OS Server / Multi-OS Client

    2. Re:Misleading title - *controller* runs on PCs? by amicusNYCL · · Score: 2

      The video here shows remote control of a Windows machine from an Android device:

      https://www.linkedin.com/pulse...

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    3. Re:Misleading title - *controller* runs on PCs? by Cthefuture · · Score: 1

      Just STOP it! we can't get more views with rational thought! Stop posting this shit! MOAR VIEWS!!!!!!!!!!!!!!!!!!

      --
      The ratio of people to cake is too big
  9. Windows is Android? by raymorris · · Score: 1

    >Nope, it exploits only one thing: Android's ...

    Windows is Android now? When did that happen? Let me quote the friggin HEADLINE for you:
    Trojan That Can Target Android, Linux, Mac and Windows

    All it exploits (on Windows, Mac, and Linux) is something you don't like about Android? I didn't know know Windows, Mac, and Linux are all Android distributions now.

    1. Re:Windows is Android? by amicusNYCL · · Score: 1

      Even better: it appears that both the client and server are multi-platform. They claim you can control your victims from an Android device as well. The say that it works on all Unix variants, but that those offer fewer features (unspecified). It seems like they are pointing toward a Java package as the multi-platform malware.

      Someone posted an "article" to Linkedin with several of the claimed features:

      https://www.linkedin.com/pulse...

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  10. Video says "control Windows from Windows" by raymorris · · Score: 1

    The video says you can control Windows From Windows, Windows from Android, etc.

  11. Damn! by Anonymous Coward · · Score: 0

    Fully cross platform but illegitimate remote access/control application, $50.

    Legitimate remote access/control platform like ScreenConnect or TeamViewer, doesn't support as many devices, costs hundreds or thousands.

  12. Let me compare to TeamViewer(tm) by behrooz0az · · Score: 2

    Let me compare to TeamViewer(tm)
    Both have a website.
    Both accept paypal. OmniRAT accepts bitcoin too.
    Both applications are visible in android settings, nothing is hidden.
    TeamViewer license needs renewal, They Offer LifeTime license
    You can't delete OmniRAT the same way you can't delete the Samsung RAT or the Google location thingy.
    TeamViewer supports iOS and Windows Phone, they don't.
    TeamViewer has 24/7 phone support. OmniRAT only has a Skype.
    OmniRAT prices are $25 and $50, TeamViewer starts at 30 Euro/month and 145 Euro/month for corporate customers. (+$50 for each connection more than 3)
    TeamViewer has a non-commercial version available for free. (It disconnects if it detects you're using it too much.)
    OmniRAT offers upgrades at a lower price just like TeamViewer.
    Both are made in Germany.
    Nothing wrong with it. I'll buy it.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  13. Re:Tesla coil from China by Anonymous Coward · · Score: 0

    You probably meant to write "Anonymous Cowards", you illiterate idiot.

  14. Re:Tesla coil from China by Anonymous Coward · · Score: 0

    You probably meant to write "Anonymous Cowards", you illiterate idiot.

    You probably meant to write "Anonymous Cowards", you illiterate, dickless idiot.

    FTFY

  15. Re:Tesla coil from China by MagickalMyst · · Score: 1

    Yes.

    --
    Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
  16. AdBlock+ = inferior & 'souled-out' vs. hosts by Anonymous Coward · · Score: 0

    Can adblock+ do 16 things hosts do 4 speed, security & reliability:

    1.) Protect vs. bad sites (past ads)
    2.) Protect vs. fastflux botnets + stop C&C talk
    3.) Protect vs. dynamic dns botnets + stop C&C talk
    4.) Protect vs. DGA botnets + stop C&C talk
    5.) Protect vs. downed DNS (4 reliability)
    6.) Protect vs. DNS redirect poisoning
    7.) Protect vs. trackers
    8.) Protect vs. spam
    9.) Protect vs. phish
    10.) Protect vs. caps
    11.) Get you past dns blocks
    12.) Keep you off dns request logs
    13.) Speed up surfing (adblocks & hardcoded fav. sites)
    14.) Work on anything webbound multiplatform.
    15.) Easy data control
    16.) Do all that & block ads better vs. addons more efficiently in cpu cycles + memory usage

    * ANSWER ="NO" on ab+ doing it as well or @ ALL + hosts = on devices natively.

    APK

    P.S.=> Ab+ does less vs. hosts less efficiently - hosts do MORE w/ less + Hosts start w/ IP stack before REDUNDANT inefficient addons BEGIN operation (as 1st resolver).

    ---

    Ab+'s a 128-151mb memory hog http://cdn.ghacks.net/wp-conte... (hosts use 3-11mb w/ my program initially). Even FireFox 41 adblock eats 65++mb http://www.ghacks.net/2015/06/...

    ---

    ClarityRay defeats it seeing addons used via native browser methods!

    ---

    Ab+'s bribed not to work by default http://www.businessinsider.com... & ABP bought out adblock http://www.theregister.co.uk/2...

    ---

    Ab+ adds complexity in slower usermode (w/ more messagepassing overhead + context switch vs. hosts in kernelmode).

    ---

    AdBlock's SLOWER vs. hosts: http://superuser.com/questions...

    ---

    What's best?

    APK Hosts File Engine 9.0++ SR-2 32/64-bit http://start64.com/index.php?o...

    MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus http://www.av-test.org/en/news...

    &

    It's safe per 57 antivirus programs in BOTH its 64-bit model https://www.virustotal.com/en/...

    +

    a 32-bit model too https://www.virustotal.com/en/...

    ... apk