Remote Access Trozans
Remote Access Trozans
RATs are malicious programs that run invisibly on host PCs and permit an intruder remote access and control. On a basic level, many RATs mimic the functionality of legitimate remote control programs such as Symantec's pcAnywhere but are designed specifically for stealth installation and operation. Intruders usually hide these Trojan horses in games and other small programs that unsuspecting users then execute on their PCs. Typically, exploited users either download and execute the malicious programs or are tricked into clicking rogue email attachments.
Most RATs come in client and server components. Intruders ultimately launch the server program on a victim's machine by binding the installing component to some other legitimate program. (Intruders can use a program called a binder to combine RATs with legitimate executables so that the RATs execute in the background while the legitimate applications run, leaving victims unaware of the scurrilous activities.) In many cases, intruders can customize the server program: set IP port numbers; define when the program starts, what it's called, how it hides, and whether it uses encryption; customize logon passwords; and determine when and how the program communicates. After defining the server executable's behavior, the intruder generates the program, then tricks the host machine's owner into running it.
The process can send the intruder (aka the originator) an email message announcing its latest takeover success or contact a hidden Internet chat channel with a broadcast of the exploited PC's IP address. (I've watched hundreds of victim PC addresses appear in an hour on these channels. I've also seen intruders collect thousands of compromised machine addresses and use them as online currency.) Alternatively, after the RAT server program is launched, it can communicate directly with an originating client program on the intruder's PC by using a predefined TCP port. No matter how the RAT parts establish connectivity, the intruder uses the client program to send commands to the server program.
RAT originators can explore a particular machine or send a broadcast command that instructs all the Trojans under their control to work in a symphonic effort to spread or do more damage. One predefined keyword can instruct all the exposed machines to format their hard disks or attack another host. Intruders often use RATs to take over as many machines as they can to coordinate a widespread distributed Denial of Service (DoS) attack (known as a zombie attack) against a popular host. When the traffic-flooded victim tries to track down the intruder, the trail stops at hundreds of innocent, compromised DSL and cable-modem users, and the intruder walks away undetected.
RAT As Unique Danger
After you remove most malware programs, the damage is done and the worst of the crisis is over. Not so with RATs. Like their virus and worm cousins, RATs can delete and modify files, format hard disks, upload and download files, harass users, and drop off other malware. I often find compromised PCs that intruders used to store games and other cracking tools, taking up nearly all the user's available hard disk space. But RATs have two unique features—content capturing and remote control—that make them a higher order of particularly dangerous malware.
First, the ability to capture every screen and keystroke means that intruders can gather users' passwords, directory paths, drive mappings, medical records, bank-account and credit card information, and personal communications. If your PC has a microphone, RATs can capture your conversations. If you have a WebCam, many RATs can turn it on and capture video—a privacy violation without par in the malicious-code world. Everything you say and do around the PC can be recorded. Some RATs include a packet sniffer that captures and analyzes every packet that crosses the PC's network card. An intruder then can use the information a RAT captures to create future back doors, cause privacy violations, perform identity theft, and create financial problems—problems that might not be readily identifiable for months. Whether you can ever trace these problems back to the RAT is debatable.
Second, an unauthorized user's ability to remotely control the host PC is a powerful tool when wielded in the wrong hands. Remote users not only can manipulate PC resources but can pose as the PC's legitimate user and send email on behalf of the user, mischievously modify documents, and use the PC to attack other computers. A home-based user hired me 2 years ago to prove to E*TRADE that he didn't commit an obviously money-losing stock trade. E*TRADE tied his PC's IP address to the trade, and I found direct evidence of the disputed trade in his browser's cache. I also found signs of the SubSeven (aka Backdoor_G) RAT. I wasn't able to tie the RAT to the bad stock trade, but I could tell that the RAT had been active during the trading period.
Different Types Of RATs
The most popular RATs, such as Back Orifice or SubSeven, are all-in-one intruder toolshops that do everything—capture screen, sound, and video content. These Trojans are key loggers, remote controllers, FTP servers, HTTP servers, Telnet servers, and password finders. Intruders can configure the IP port the RATs listen on, how the RATs execute, and whether the RATs contact the originator by using email, Internet Relay Chat (IRC), or another chat mechanism. The more malicious RATs contain rogue mechanisms that hide the Trojans from prying eyes, encrypt communications, and contain professional-looking APIs so that other intruder developers can insert additional functionality. These RATs' aggressive functionality makes them larger—often 100KB to 300KB—and somewhat riskier for the intruder to install without anyone noticing.
- Back Orifice. The Cult of the Dead Cow created Back Orifice in August 1998. The program raised the bar for RATs by adding a programming API and enough new features to make legitimate programmers jealous. Back Orifice 2000 (BO2K), released under the GNU General Public License (GPL), has attempted to gain a following with legitimate users and compete against programs such as pcAnywhere. But its default stealth mode and obviously harmful intent mean the corporate world probably won't embrace it anytime soon. Using the BO2K Server Configuration utility, which Figure 1 shows, an intruder can configure a host of server options, including TCP or UDP, port number, encryption type, stealth activities (which works better on Windows 9x machines than on Windows NT machines), passwords, and plugins. Back Orifice has an impressive array of features that include keystroke logging, HTTP file browsing, registry editing, audio and video capture, password dumping, TCP/IP port redirection, message sending, remote reboot, remote lockup, packet encryption, and file compression. The program comes with a software development kit (SDK) that extends its functionality through plugins. The default bo_peep.dll plugin lets intruders control the remote machine's keyboard and mouse. In practice, the Back Orifice Trojan is unforgiving of mistyped commands; it crashes frequently in the hands of new users but glides unseen in the hands of experienced operator.
- SubSeven. Even more popular than Back Orifice, the SubSeven RAT is always near the top of antivirus-vendor infection statistics. This Trojan functions as a key logger, packet sniffer, port redirector, registry modifier, and microphone and WebCam-content recorder. Figure 2 shows a few SubSeven client commands and server-configuration choices. SubSeven contains many features to aggravate the exploited user: An intruder can remotely swap mouse buttons; turn the Caps Lock, Num Lock, and Scroll Lock off and on; disable the Ctl+Alt+Del key combination; log off the user; open and close the CD-ROM drive; turn the monitor off and on; invert the display; and shut down or reboot the computer. SubSeven uses ICQ, Internet Relay Chat (IRC), email, and even Common Gateway Interface (CGI) scripting to contact the originating intruder. The program can randomly change its server port and notify the intruder of the change. SubSeven has specific routines that capture AOL Instant Messenger (AIM), ICQ, RAS, and screen-saver passwords.
Detecting And Removing RATs
If a computer virus or email worm has ever infected your company, the company is a prime candidate for a RAT. Typical antivirus scanners are less likely to detect RATs than worms or viruses because of binders and intruder encryption routines. Also, RATs have the potential to cause significantly more damage than a worm or virus can cause. Finding and eradicating RATs should be a systems administrator's top priority.
The best anti-malware weapon is an up-to-date, proven antivirus scanner. Scanners detect most RATs and automate the removal process as much as possible. Many security administrators rely on Trojan-specific tools to detect and remove RATs, but you can't trust some of these products any more than you trust the Trojans themselves. Agnitum's Tauscan, however, is a top Trojan scanner that has proved its efficiency over the years.
You May Also Like
Ads by Google
If you enjoyed reading this article then please leave a comment or subscribe to our newsletter to get all the future posts delivered to your feed reader or you email desk.