Having a good antivirus solution gives a warm, fuzzy feeling of safety: you know that your assets are virus free and that your network is secure. However, most antivirus solutions cannot detect Remote Administration Tools (aka Remote Access Trojans or just RATs), because their structure does not generally fit the virus/worm profile. They are simple programs that run in the background and do nothing else than open a connection to a predefined host managed by the attacker, and wait for instructions. The damage they can cause, however, may be much more important than the damage caused by normal worms. Let’s have a look at the main features of remote access Trojans and explore ways to defend against them.
Client – server architecture and modus operandi
Remote Access Trojans (RATs) are usually designed as client-server components with the aim of providing the attacker with convenient ways of interacting in real-time with the compromised assets. The client part runs on the compromised machine and sends information to the attacker via email or by establishing a direct connection to the server component, which runs on the attacker’s machine. The attacker would be running the RAT server component, which allows him to manage multiple infected machines at the same time. He will be able to see in real-time the machines that are currently available, the services and applications that they are running, the currently logged on users, security configurations, etc. Further on, the attacker can send commands to be executed by the client component on the compromised machines and receives the results in real time, using the RAT as a fully-fledged remote control.
This architecture also has advantages when it comes to spreading the malicious code to other machines on the network, because it gives the attacker control over the entire process. Instead of having code that automatically proliferates and attacks other machines, like a Worm has (detected by antivirus heuristics), the RATs spread at a click of a button or key stroke on the server side. Like that, the attacker chooses the next target and the time of attack, rather than allowing the malicious code to randomly spread whenever possible, or constantly.
The key differentiator between a Worm and a RAT is stealth. Worms are designed for constant and quick mass proliferation, execution of hardcoded malicious activity, and possibly calling back home. Their strength is in numbers. RATs, on the other hand, are designed for stealthy deployment and their main purpose is to infect critical assets for as long as possible, and allow the attackers to manipulate them. The main attributes of the RATS that grants them stealth are: no virus signature, ability to bind on legitimate processes, mimicking behavior of legitimate remote access applications and no code to automatically infect other assets.
Not having a virus signature avoids detection through antivirus scans that rely on virus signature databases. The ability to bind to legitimate processes and run in the background enables RATs to avoid detection when the victims analyze the list of running processes. Mimicking the behavior of legitimate remote access application, and not having code that automatically and randomly tries to spread, enables RATs to avoid detection by antivirus engines that run heuristic or sandbox analysis that looks for behavior patterns that are unusual.
Another difference between RATs and Worms is the damage they cause. Worms deliver a series of predefined, hardcoded payloads. They will execute the tasks they were designed for, and try to spread. The attacker cannot interact with the compromised machines. On the other hand, RATs open a door into the network, or into a compromised machine. Through the door, attackers can take over the asset, steal data, gain access to other assets in the network, cause performance degradation or deliver other malicious payloads. The RATs enable execution of custom payloads with real time feedback, while keeping everything stealthy and allowing the attacker to be flexible when selecting targets, or the actions to execute. The payloads to execute may be sent from the attacker’s server in encrypted format, so that antivirus engines that scan network traffic in real time cannot detect virus signatures.
Defending against RATs
Depending on the complexity of their implementation, the amount of stealth features and outside communication methods, some remote access Trojans may be detected by the normal antivirus solutions. However, a better way to detect them, is to look for the backdoor they open. This door is essential for the functionality of the RAT, so using it as the primary mean of detection grants adequate accuracy, better than the one offered by antivirus engines. In essence, running port scans against internet facing machines, or even machines inside the DMZ would yield the best results. Since some RATs may not keep the ports open persistently, running such scans often, based on a schedule, would increase the chances of detection. For best results, you would need a tool capable of scanning for open ports regularly, detect the applications / services that are listening on the open ports, and point out the ports used by unsafe applications, or unknown services. Once suspicious ports are identified, they can be closed from the firewall, the executable opening the ports can be quarantined, and a new port scan can be triggered, to confirm that the backdoor is gone. Read more to find out the importance of port scanning.
RATs escape signature scanning, heuristics, sandbox technology and pretty much everything antivirus software throws at them. They are your silent, well-oiled backdoors - unknown to you or your security applications. They are more devastating than viruses. Only way to accurately detect them, is port scanning! SANS maintain a list of ports which are known to be used by RATS and Trojans. Scan your Open Ports with Acunetix Online Vulnerability Scanner.