Saturday, 26 July 2008       

Amitis Spyware/Adware Definition


Name: Amitis
Category: RAT
Alias: Backdoor.Amitis.11, Backdoor.Amitis.12, Backdoor.Amitis.13, Backdoor.Amitis.143b
Advice: Remove
Risk: Severe Risk. Severe threats are typically remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction, and exploits are in the wild. There is a high possibility of system damage or a security flaw. An attacker has complete control over your computer or can install new software on your machine.
Description: Amitis is a Backdoor Trojan that allows unauthorized access to an infected computer. By default, the Trojan opens a number of TCP ports waiting for remote commands.

The Amitis Server can get past the ZoneAlarm and Norton firewalls. This Trojan automatically updates itself via the main console of the client module. It also uses a simulated server module as a decoy, although the decoy has very limited functionality. Amitis also provides a Weekly Tips option that an intruder can use to get a weekly tip on how to use the server and client modules. Like variants of the popular SubSeven Trojan, the Amitis client provides an intruder with a very user-friendly and highly functional Graphical User Interface (GUI).

Another feature of Amitis is an editor module, which allows an intruder to remotely change the server module file properties. The editor module can also change the port the server module uses to listen for client module connections, and it allows an intruder to send a series of false error messages. Because the RAT can change the port the server module listens on, it adds an additional concern for systems administrators who are trying to secure their systems. It becomes extremely important for SAs to read log files and note any unusual activity on various ports instead of relying on the routine port usage normally connected with malicious activity. In addition, false messages could convince the legitimate user of the system to take actions they would not otherwise have to take. Responding to a false error message could lead to a decision to reboot the system, attempt unnecessary repairs, or stop using the system altogether. Rebooting the system or making unnecessary repairs may be the actual intention of the Trojan, so that through the process of rebooting or repairing, the Trojan is actually installed on the system.

In addition, the purpose of the Trojan may be to stop work that would otherwise be accomplished, if everyone received and heeded an error message indicating the system should be shut down. On the server module side, the author of Amitis claims that the Zone Labs ZoneAlarm application firewall cannot detect the Trojan. The author also claims the server module of Amitis can shut down Norton AntiVirus without being detected as a Trojan or a virus. The server module reportedly has the same Live Update feature found in the client module of the Amitis Trojan application. The author states that the Live Update for the server-side module will be available on a weekly basis. As a survival mechanism, the Amitis server module makes several copies of itself in the Windows directory structure so that if the primary server module is corrupted or deleted, the system will remain compromised. The server module also disables the CTRL+ALT+DEL key combination. Once deployed, Amitis is configured to have the server automatically send information requested by an intruder when the compromised system is connected to the Internet.

This threat is written in Borland Delphi and is compressed with UPX. The unpacked size is approximately 808 KB.

Signatures:
process: amitis.exe: MD5 Hash: e34f2a4dcdcef559f34...
process: edit server.exe: MD5 Hash: 66d955721357494e9da...
process: server.exe: MD5 Hash: 0103d9c61336d652e37...
process: amitis 1.2.exe: MD5 Hash: d7479cf7c845bdd2e46...
process: bind shop.exe: MD5 Hash: e22679939583280c87b...
process: edit server.exe: MD5 Hash: a322b39b916e0705960...
process: server.exe: MD5 Hash: 77ac161d14a3e9f99c8...
process: server.exe: MD5 Hash: f4bbeefd7fd0835ba0d...
process: simulated server.exe: MD5 Hash: 6c6372518292065737f...
process: amitis1.3.exe: MD5 Hash: c509677647383a307a2...
process: compressor decompressor.exe: MD5 Hash: 10d0469e3dc4adfc7a7...
process: edit server.exe: MD5 Hash: ebb1da392373e6846aa...
process: server.exe: MD5 Hash: 498efe2b15e8d49819c...
process: server.exe: MD5 Hash: 49c40f6a69af400f2e1...
process: simulated server.exe: MD5 Hash: dcc373619c82a2e69f0..
Type: RAT - Trojan software is any software on a user's computer that the user is not aware of or did not intentionally install. Most Trojan software is designed to perform actions that could jeopardize the user's security or privacy.

