What is a Remote Administration Trojan?

Remote Administration Trojans (RATs), also known as Remote Access Trojans and sometimes, confusingly, as remote administration tools, use a Trojan horse as the delivery mechanism for a malicious remote-control program that lets an attacker connect to and manage one or many computers.

Many RATs mimic the functionality of legitimate remote control programs but are designed specifically for stealthy installation and operation. Intruders usually hide these Trojan horses in games, screensavers, and other seemingly useful programs that unsuspecting users then run on their computers. Typically, victims either download and execute the malicious program themselves or are tricked into opening an email attachment.

In many cases, attackers can customize their RAT before deploying it. They can:

  • Set the TCP/UDP port numbers it uses
  • Decide how it hides itself on the victim's machine
  • Decide whether its traffic is encrypted
  • Determine when and how the program calls home or waits for a connection

After setting up the RAT’s behavior, the intruder generates the program and then tricks the victim into running it.

Once a RAT is running, the attacker can do anything the account that launched it can do; if that account is an administrator, that is everything, including sending spam or using many compromised machines to launch coordinated distributed denial of service attacks. If your PC has a microphone or webcam, many RATs can turn them on and capture your conversations and video. Everything you say and do around the PC can be recorded.

Enterprising intruders are known to collect the IP addresses of thousands of compromised machines to sell or trade to other criminals.

Well-known early RATs include SubSeven and the now infamous Back Orifice, which let a user control a computer over a TCP/IP connection, on a LAN or across the Internet. Once installed on the victim's computer it concealed itself and did not appear in the task list or the Close Program list.

Back Orifice ran every time the computer started. Its developers claimed that it "gave its user more control of the remote Windows machine than the person at the keyboard of the remote machine."

A more recent example is Bandook, a backdoor Trojan horse that infects Windows 2000, XP, 2003, and Vista. Beyond plain remote access, Bandook bundles the features that make a RAT dangerous: a screen capture utility, a keystroke logger, and a process and file manager.

If a virus or email worm has ever infected your computer, it is a prime candidate for a RAT, because worms commonly drop a RAT as their payload. Antivirus scanners detect RATs less reliably than self-replicating worms and viruses, since a RAT can be custom-built and repacked for a single victim; an up-to-date, proven antivirus scanner is still the first line of defense, just not a sufficient one.

A common sign of a RAT infection is an unexpected open IP port on the suspect machine. Note the caveat: RATs of the Back Orifice and SubSeven era listened for the attacker to connect in, but many later RATs instead connect outbound to the attacker, so an unexplained established connection to an unusual remote port is just as telling as an unexplained listener. When you think a PC has been infected, disconnect it from the network so that the remote intruder can't do more damage, leave it powered on so that running processes and connections can still be inspected, and investigate any suspicious ports with a good port enumerator, mapping each port to the process that owns it.
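The port-enumeration check described above, as an added example that is not part of the original post: this Python script parses the text that Windows `netstat -ano` prints, compares the listening ports against a per-host baseline, and also flags established outbound connections to remote ports that ordinary desktop traffic does not use, so it covers both the old listen-for-the-attacker RATs and the newer call-home style. The baseline sets (`EXPECTED_LISTEN_PORTS`, `EXPECTED_REMOTE_PORTS`) and the sample netstat output are constructed for the example, not taken from a real machine; only port 27374 being SubSeven's well-known default is a real detail.

```python
"""Triage `netstat -ano` output for signs of a RAT (added example)."""
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

# Constructed `netstat -ano` output, not captured from a real machine. PID 2208
# listens on 27374 (SubSeven's well-known default) and also holds an outbound
# session to port 6667 (IRC), a classic command channel. PID 1420 listens on
# 3389 (RDP), which is legitimate on some hosts but absent from this baseline.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING       2208
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1420
  TCP    [::]:135               [::]:0                 LISTENING       812
  TCP    192.168.1.20:49712     203.0.113.9:443        ESTABLISHED     3324
  TCP    192.168.1.20:49713     198.51.100.7:6667      ESTABLISHED     2208
  UDP    0.0.0.0:5355           *:*                                    1180
"""

# Hypothetical per-host baseline: ports this workstation is expected to have
# open, and remote ports its ordinary outbound traffic is expected to use.
EXPECTED_LISTEN_PORTS = {135, 445, 5355}
EXPECTED_REMOTE_PORTS = {53, 80, 443}


def _split_endpoint(endpoint):
    """Split 'host:port' (IPv4, [IPv6] or '*:*') into (host, port or None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one Conn per TCP/UDP row of `netstat -ano` output."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        if fields[0] == "TCP":
            proto, local, remote, state, pid = fields
        else:
            proto, local, remote, pid = fields  # UDP rows carry no state
            state = ""
        lip, lport = _split_endpoint(local)
        rip, rport = _split_endpoint(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state, int(pid)))
    return conns


def find_suspicious(conns, expected_listen_ports, expected_remote_ports):
    """Apply the baseline. Listeners and outbound sessions outside it are
    worth a look; a PID that shows up in both lists is the strongest signal."""
    listeners = [c for c in conns
                 if (c.state == "LISTENING" or c.proto == "UDP")
                 and c.local_port not in expected_listen_ports]
    outbound = [c for c in conns
                if c.state == "ESTABLISHED"
                and c.remote_port not in expected_remote_ports]
    listen_pids = {c.pid for c in listeners}
    out_pids = {c.pid for c in outbound}
    return {
        "unexpected_listeners": listeners,
        "unexpected_outbound": outbound,
        "suspect_pids": listen_pids | out_pids,        # everything to review
        "high_priority_pids": listen_pids & out_pids,  # listens AND calls out
    }


if __name__ == "__main__":
    result = find_suspicious(parse_netstat(SAMPLE_NETSTAT),
                             EXPECTED_LISTEN_PORTS, EXPECTED_REMOTE_PORTS)
    for c in result["unexpected_listeners"]:
        print(f"unexpected listener  {c.proto} {c.local_ip}:{c.local_port}  pid={c.pid}")
    for c in result["unexpected_outbound"]:
        print(f"unexpected outbound  {c.local_ip}:{c.local_port} -> "
              f"{c.remote_ip}:{c.remote_port}  pid={c.pid}")
    print("high priority pids:", sorted(result["high_priority_pids"]))
```

On a live machine, feed it the real output (`netstat -ano > netstat.txt`) and resolve each flagged PID to its image with `tasklist /FI "PID eq 2208"`; a process name you do not recognise, or a familiar name running from an odd path, is what you are looking for. The baseline is the whole point: a port such as 3389 is normal on a terminal server and alarming on a workstation, so build the expected sets per role rather than reusing one list everywhere.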

If your work is mission critical with little tolerance for risk, it is advisable to wipe any compromised machine and reinstall it from known-good media rather than trying to clean it, and to change every password that was ever typed on it, since a keystroke logger is standard RAT equipment.


This entry was posted on Thursday, June 10th, 2010 at 11:41 am and is filed under Attacks, Computer Security, Malware.
