The Remote Access Trojan, or RAT, is one of the nastiest types of malware one can think of. They can cause all sorts of damage and they can also be responsible for expensive data losses. They have to be actively fought because, in addition to being nasty, they are relatively common. Today, we’ll do our best to explain what they are and how they work plus we’ll let you know what can be done to protect against them.
We’ll start off our discussion today by explaining what a RAT is. We won’t go too deep in the technical details but do our best to explain how they work and how they get to you. Next, while trying not to sound too paranoid, we’ll see how RATs can almost be viewed as weapons. In fact, some have been used as such. After that, we’ll introduce a few of the best-know RATs. It will give you a better idea of what they are capable of. We will then see how one can use intrusion detection tools to protect from RATs and we’ll review some of the best of these tools.
So, What Is A RAT?
The Remote Access Trojan is a type of malware that lets a hacker remotely (hence the name) take control of a computer. Let’s analyze the name. The Trojan part is about the way the malware is distributed. It refers to the ancient Greek story of the Trojan horse that Ulysses built to take back the city of Troy which had been besieged for ten years. In the context of computer malware, a Trojan horse (or simply trojan) is a piece of malware which is distributed as something else. For instance, a game that you download and install on your computer could actually be a Trojan horse and it could contain some malware code.
As for the remote access part of the RAT’s name, it has to do with what the malware does. Simply put, it allows its author to have remote access to the infected computer. And when he does gain remote access, there are barely any limits to what he can do. It can vary from exploring your file system, watching your on-screen activities, harvesting your login credentials or encrypt your files to demand ransom. He could also steal your data or, even worse, your client’s. Once the RAT is installed, your computer can become a hub from where attacks are launched to other computers on the local network, thereby bypassing any perimeter security.
RATs In History
RATs have unfortunately been around for over a decade. It is believed that the technology has played a part in the extensive looting of US technology by Chinese hackers back in 2003. A Pentagon investigation discovered data theft from US defense contractors, with classified development and testing data being transferred to locations in China.
Perhaps you’ll recall the United States East Coast power grid shutdowns of 2003 and 2008. These were also traced back to China and appeared to have been facilitated by RATs. A hacker who can get a RAT onto a system can take advantage of any of the software that the users of the infected system have at their disposal, often without them even noticing it.
RATs As Weapons
A malicious RAT developer can take control of power stations, telephone networks, nuclear facilities, or gas pipelines. As such, RATs don’t only pose a risk to corporate security. They can also enable nations to attack an enemy country. As such, they can be seen as weapons. Hackers around the world use RATs to spy on companies and steal their data and money. Meanwhile, the RAT problem has now become an issue of national security for many countries, including the USA.
Originally used for industrial espionage and sabotage by Chinese hackers, Russia has come to appreciate the power of RATs and has integrated them into its military arsenal. They are now part of the Russian offense strategy that is known as “hybrid warfare.” When Russia seized part of Georgia in 2008, it employed DDoS attacks to block internet services and RATs to gather intelligence, control, and disrupt Georgian military hardware and essential utilities.
A Few (In)Famous RATs
Let’s have a look at a few of the best-known RATs. Our idea here is not to glorify them but instead to give you an idea of how varied they are.
Back Orifice is an American-made RAT that has been around since 1998. It sort of is the granddaddy of RATs. The original scheme exploited a weakness in Windows 98. Later versions that ran on newer Windows operating systems were called Back Orifice 2000 and Deep Back Orifice.
This RAT is able to hide itself within the operating system, which makes it particularly hard to detect. Today, though, most virus protection systems have the Back Orifice executable files and occlusion behaviour as signatures to look out for. A distinguishing feature of this software is that it has an easy-to-use console which the intruder can use to navigate and browse around the infected system. Once installed, this server program communicates with the client console using standard networking protocols. For instance, it is known to use port number 21337.
DarkComet was created back in 2008 by French hacker Jean-Pierre Lesueur but only came to the cybersecurity community’s attention in 2012 when it was discovered that an African hacker unit was using the system to target the US government and military.
DarkComet is characterized by an easy-to-use interface which enables users with little or no technical skills to perform hacker attacks. It permits spying through keylogging, screen capture and password harvesting. The controlling hacker can also operate the power functions of a remote computer, allowing a computer to be turned on or off remotely. The network functions of an infected computer can also be harnessed to use the computer as a proxy server and mask its user’s identity during raids on other computers. The DarkComet project was abandoned by its developer back in 2014 when it was discovered that it was in use by the Syrian government to spy on its citizens.
Mirage is a famous RAT used by a state-sponsored Chinese hacker group. After a very active spying campaign from 2009 to 2015, the group went quiet. Mirage was the group’s primary tool from 2012. The detection of a Mirage variant, called MirageFox in 2018 is a hint that the group could be back in action.
MirageFox was discovered in March 2018 when it was used to spy on UK government contractors. As for the original Mirage RAT, it was used for attacks on an oil company in the Philippines, the Taiwanese military, a Canadian energy company, and other targets in Brazil, Israel, Nigeria, and Egypt.
This RAT is delivered embedded in a PDF. Opening it causes scripts to execute which install the RAT. Once installed, its first action is to report back to the Command and Control system with an audit of the infected system’s capabilities. This information includes the CPU speed, memory capacity and utilization, system name and username.
Protecting From RATs – Intrusion Detection Tools
Virus protection software is sometimes useless at detecting and preventing RATs. This is due in part to their nature. They hide in plain sight as something else which is totally legit. For that reason, they are often best detected by systems that are analyzing computers for abnormal behaviour. Such systems are called intrusion detection systems.
We’ve searched the market for the best Intrusion Detection Systems. Our list contains a mix of bona fide Intrusion Detection Systems and other software which have an intrusion detection component or which can be used to detect intrusion attempts. They will typically do a better job of identifying Remote Access Trojans that other types of malware protection tools.
1. SolarWinds Threat Monitor – IT Ops Edition (FREE Demo)
SolarWinds is a common name in the field of network administration tools. Having been around for some 20 years it brought us some of the best network and system administration tools. Its flagship product, the Network Performance Monitor, consistently scores among the top network bandwidth monitoring tools. SolarWinds also makes excellent free tools, each addressing a specific need of network administrators. The Kiwi Syslog Server and the Advanced Subnet Calculator are two good examples of those.
- FREE Demo: SolarWinds Threat Monitor – IT Ops Edition
- Official Download Link: https://www.solarwinds.com/threat-monitor/registration
For network-based intrusion detection, SolarWinds offers the Threat Monitor – IT Ops Edition. Contrary to most other SolarWinds tools, this one is a cloud-based service rather than a locally installed software. You simply subscribe to it, configure it, and it starts watching your environment for intrusion attempts and a few more types of threats. The Threat Monitor – IT Ops Edition combines several tools. It has both network- and host-based Intrusion Detection as well as log centralization and correlation, and Security Information and Event Management (SIEM). It is a very thorough threat monitoring suite.
The Threat Monitor – IT Ops Edition is always up to date, constantly getting updated threat intelligence from multiple sources, including IP and Domain Reputation databases. It watches for both known and unknown threats. The tool features automated intelligent responses to quickly remediate security incidents giving it some intrusion prevention-like features.
The product’s alerting features are quite impressive. There are multi-conditional, cross-correlated alarms that work in conjunction with the tool’s Active Response engine and assist in identifying and summarizing important events. The reporting system is just as good as its alerting and can be used to demonstrate compliance by using existing pre-built report templates. Alternatively, you can create custom reports to precisely fit your business needs.
Prices for the SolarWinds Threat Monitor – IT Ops Edition start at $4 500 for up to 25 nodes with 10 days of index. You can contact SolarWinds for a detailed quote adapted to your specific needs. And if you prefer to see the product in action, you can request a free demo from SolarWinds.
2. SolarWinds Log & Event Manager (Free Trial)
Don’t let the SolarWinds Log & Event Manager’s name fool you. It is much more than just a log and event management system. Many of the advanced features of this product put it in the Security Information and Event Management (SIEM) range. Other features qualify it as an Intrusion Detection System and even, to a certain extent, as an Intrusion Prevention System. This tool features real-time event correlation and real-time remediation, for example.
- FREE Trial: SolarWinds Log & Event Manager
- Official Download Link: https://www.solarwinds.com/log-event-manager-software/registration
The SolarWinds Log & Event Manager features instantaneous detection of suspicious activity (an intrusion detection functionality) and automated responses (an intrusion prevention functionality). It can also perform security event investigation and forensics for both mitigation and compliance purposes. Thanks to its audit-proven reporting the tool can also be used to demonstrate compliance with HIPAA, PCI-DSS, and SOX, among others. The tool also has file integrity monitoring and USB device monitoring, making it much more of an integrated security platform than just a log and event management system.
Pricing for the SolarWinds Log & Event Manager starts at $4 585 for up to 30 monitored nodes. Licenses for up to 2 500 nodes can be purchased making the product highly scalable. If you want to take the product for a test run and see for yourself if it’s right for you, a free full-featured 30-day trial is available.
Open Source Security, or OSSEC, is by far the leading open-source host-based intrusion detection system. The product is owned by Trend Micro, one of the leading names in IT security and the maker of one of the best virus protection suites. When installed on Unix-like operating systems, the software primarily focuses on log and configuration files. It creates checksums of important files and periodically validates them, alerting you whenever something odd happens. It will also monitor and alert on any abnormal attempt at getting root access. On Windows hosts, the system also keeps an eye for unauthorized registry modifications which could be a tell-tale sign of malicious activity.
By virtue of being a host-based intrusion detection system, OSSEC needs to be installed on each computer you want to protect. However, a centralized console does consolidate information from each protected computer for easier management. While the OSSEC console only runs on Unix-Like operating systems, an agent is available to protect Windows hosts. Any detection will trigger an alert which will be displayed on the centralized console while notifications will also be sent by email.
Snort is probably the best-known open-source network-based Intrusion Detection System. But it is more than an intrusion detection tool. It’s also a packet sniffer and a packet logger and it packs a few other functions as well. Configuring the product is reminiscent of configuring a firewall. It is done using rules. You can download base rules from the Snort website and use them as-is or customize them to your specific needs. You can also subscribe to Snort rules to automatically get all the latest rules as they evolve or as new threats are discovered.
Sort is very thorough and even its basic rules can detect a wide variety of events such as stealth port scans, buffer overflow attacks, CGI attacks, SMB probes, and OS fingerprinting. There’s virtually no limit to what you can detect with this tool and what it detects is solely dependent on the rule set you install. As for detection methods, some of the basic Snort rules are signature-based while others are anomaly-based. Snort can, therefore, give you the best of both worlds.
Samhain is another well-known free host intrusion detection system. Its main features, from an IDS standpoint, are file integrity checking and log file monitoring/analysis. It does way more than that, though. The product will perform rootkit detection, port monitoring, detection of rogue SUID executables, and of hidden processes.
The tool was designed to monitor multiple hosts running various operating systems while providing centralized logging and maintenance. However, Samhain can also be used as a stand-alone application on a single computer. The software primarily runs on POSIX systems like Unix, Linux or OS X. It can also run on Windows under Cygwin, a package that allows running POSIX applications on Windows, although only the monitoring agent has been tested in that configuration.
One of Samhain’s most unique feature is its stealth mode which allows it to run without being detected by potential attackers. Intruders have been known to quickly kill detection processes they recognize as soon as they enter a system before being detected, allowing them to go unnoticed. Samhain uses steganographic techniques to hide its processes from others. It also protects its central log files and configuration backups with a PGP key to prevent tampering.
Suricata is not only an Intrusion Detection System. It also has some Intrusion Prevention features. In fact, it is advertised as a complete network security monitoring ecosystem. One of the tool’s best asset is how it works all the way up to the application layer. This makes it a hybrid network- and host-based system which lets the tool detect threats that would likely go unnoticed by other tools.
Suricata is a true Network-based Intrusion Detection System which not only works at the application layer. It will monitor lower level networking protocols like TLS, ICMP, TCP, and UDP. The tool also understands and decodes higher-level protocols such as HTTP, FTP, or SMB and can detect intrusion attempts hidden in otherwise normal requests. The tool also features file extraction capabilities allowing administrators to examine any suspicious file.
Suricata’s application architecture is quite innovative. The tool will distribute its workload over several processor cores and threads for the best performance. If need be, it can even offload some of its processing to the graphics card. This is a great feature when using the tool on servers as their graphics card is typically underused.
7. Bro Network Security Monitor
The Bro Network Security Monitor, another free network intrusion detection system. The tool operates in two phases: traffic logging and traffic analysis. Just like Suricata, Bro Network Security Monitor operates at multiple layers up to the application layer. This allows for better detection of split intrusion attempts. The tool’s analysis module is made up of two elements. The first element is called the event engine and it tracks triggering events such as net TCP connections or HTTP requests. The events are then analyzed by policy scripts, the second element, which decide whether or not to trigger an alarm and/or launch an action. The possibility of launching an action gives the Bro Network Security Monitor some IPS-like functionality.
The Bro Network Security Monitor lets you track HTTP, DNS, and FTP activity and it also monitors SNMP traffic. This is a good thing because SNMP is often used for network monitoring yet it is not a secure protocol. And since it can also be used to modify configurations, it could be exploited by malicious users. The tool will also let you watch device configuration changes and SNMP Traps. It can be installed on Unix, Linux, and OS X but it is not available for Windows, which is perhaps its main drawback.