If you run certain network monitoring and security appliances, you may have had a few small heart attacks today. Organizations all around the world are receiving alerts that they may have a system that is infected with the Gh0st remote access trojan (RAT). Making things worse, the system that appears to be infected will likely be a server. The good news is that there is a very strong chance the alert is a false positive. There is likely nothing malicious going on, and all you need to do is tune your signatures. It turns out that Shodan is scanning the Internet in what appears to be an attempt to identify Gh0st RAT command and control (C2) servers. If you are not familiar with Gh0st, it’s a full-featured RAT that sends a packet flag that is typically shared by the command and control server. The default packet […]