Cisco smells a RAT in Breaking Security's Remcos PC wrangler

Cisco Talos says criminals are using one research company's testing tools to set up and run botnets. A report released Wednesday by Talos researchers found that Breaking Security's Remcos remote control tool and Octopus Protector encryption utility, along with other Breaking Security tools, are being used in the wild to set up …

  1. GnuTzu Bronze badge

    Every Tool is a Weapon

    And since pen testing tools are designed to prove what kinds of attacks can be mounted against a target, and since pen testing tools are competitive, the one with the most features wins.

    Yet, these things are supposed to find weaknesses. Why are they whining about the tool? What are they doing about the weaknesses?

    1. GnuTzu Bronze badge

      Re: Every Tool is a Weapon -- Revocation Lists

      One might think that it would be nice if they had a way to revoke a license when misuse was detected and shut down the product; but even if there was a way to encode a revocable license into the delivered product, the product would still need to be able to access the revocation lists -- which a savvy hacker would be able to thwart at least partially. People are just going to have to get used to the idea that security tools can be used as weapons. Sorry.

      1. My other car WAS an IAV Stryker

        Re: Every Tool is a Weapon -- Revocation Lists

        If I ever made a tool that could be misused, I'd put in its own backdoor that it wouldn't report to the user. A tool used for malware could also BE malware to the naughty, and I would spell out in the EULA that if you are suspected of doing naughty things, I will f--- your machine up(!), irreversibly.

        Of course, any good criminal would then just kill and restore their virtual machine, so I guess that's not going to work.

      2. fm+theregister

        Re: Every Tool is a Weapon -- Revocation Lists

        >One might think that it would be nice if they had a way to revoke a license

        They can revoke the license denying future updates, disclose a watermark in that specific build of the software, send the IP address + email of the buyer to the authorities. But surely this move will hurt their business model.

        1. Robert Carnegie Silver badge

          Re: Every Tool is a Weapon -- Revocation Lists

          It depends if the software is being sold to hackers, or being pirated by them...

          It could for instance be made to check the date and time on an Internet time server, and if that's too late then this copy won't run. You need the update.

  2. FlamingDeath Bronze badge

    House / Order / Much?

    Cisco should have a sniff around their own firmware binaries, it seems someone in their organisation keeps adding in back doors to their router firmwares

  3. Anonymous Coward

    Talos says Remcos is a Remote Access Trojan (RAT)

    Is this the same Cisco that implements SSL decryption on its switches, through the use of fake PKI certs? Basically implementing a man-in-the-middle attack. The client browser has to be configured to accept such fake certs and not just the Cisco ones.

    Cisco: “Talos says that it is classifying Remcos as a Remote Access Trojan (RAT) software”

    There are any number of remote desktop solutions that do the exact same thing; why aren't these also deemed RAT software? How does Remcos get installed on the target system in the first place, without root access and the end-user not noticing? Let's consult the Remcos Manual: “Deploy the agent file on your system to be controlled and execute it”.

    1. J. Cook Silver badge

      Re: Talos says Remcos is a Remote Access Trojan (RAT)

      >Is this the same Cisco that implements SSL decryption on its switches, through the use of fake PKI certs? Basically implementing a man-in-the-middle attack. The client browser has to be configured to accept such fake certs and not just the Cisco ones.

      Your link points to the Firepower module, which is nominally installed at the edge of a network (think firewall, or IDS/IPS). It's not something that they throw in on every single switch they sell - you have to ask for it (and pay extra for it!).

      Cisco also has such functionality on their Web Security Appliance (aka Ironport); the intention for installing these devices is that you generate a CA class certificate (subordinate issuer) from your enterprise's private CA, install *that* certificate into the WSA or Firepower, and configure a group policy or some other method to have your clients automatically trust that certificate (which they should if they already trust the issuing CA), and you should be almost fine. You'll certainly run into exceptions, like Java applets and scripting that don't leverage the OS's trusted certificate store, for starters, but by and large the end user won't notice or care, because It Just Works.
