RAT: Detecting and Fighting Modern-Day Voyeurism

Protecting against Remote Access Trojans

A picture featuring Facebook founder Mark Zuckerberg appears to show tape covering the camera lens on his laptop. The move was presumably taken as a precaution against RATs (Remote Access Trojans). Cybercriminals gain access to victims’ laptop cameras and microphones through malware and have even been known to extort victims with the recordings. This was the unfortunate case for the 2013 Miss USA Teen pageant winner, who was secretly recorded through her laptop camera by a cybercriminal.

These Trojans have capabilities similar to those of malware samples such as Zeus or Tinba, but the main difference lies in the level of control and legitimacy a RAT attack can provide. Large phishing campaigns using the aforementioned samples may be effective, but using well-developed RATs such as AlienSpy or Dark Comet magnifies the attack into a far more serious problem.

What Constitutes a “RAT”

RAT malware samples can also share additional features with other malware families, such as key-logging or sandbox detection, but it’s important to understand that a RAT is defined not only by performing remote connections, but by how those connections are actually performed. The main difference of a RAT lies in the level of control and legitimacy of its attacks:

  • A RAT should be able to keep a continuous channel of communication in order to either send captured information or receive specific command controls about how to perform its attack or a specific task.
  • The infected machine should be controllable through the previously defined channel or an alternative one.
  • The level of control it provides over the infected machine normally ranks at the “full control” end of the spectrum of how much a piece of malware controls a computer. This control includes the option of using the machine through a hidden VNC session (VNC is software that allows the creation of remote connections and the takeover of a computer). The criminal is then able to run and stop processes, steal credentials or simply watch and record the victim’s activity.
  • The legitimacy aspect of a RAT is the part that makes it hard to counter, primarily because legitimacy is an implicit element of the attack. No red flags are raised when an end user visits a banking website with anti-fraud controls, because the attacker uses a hidden VNC session to control the victim’s own browser.

Alternative Malicious RAT Activities

There are other possible scenarios for an attack. Criminals, for example, are able to use a RAT to introduce a fake banking website to the victim while simultaneously opening an authentic background banking session using the credentials entered by the end user in the fake website. In this scenario, so long as the request looks authentic, the attacker can gain increasing amounts of information from the victim, translating into increasing amounts of control for the attacker. This type of scenario makes detecting fraudulent connections from RAT-controlled machines a difficult task and puts the burden of fraud detection on the end-user.

Recommendations for Combatting RAT Samples

Traditional detection tools such as device identification are not entirely effective in detecting RAT-controlled machines, since the activity comes from a legitimate user device, which effectively neutralizes device and location analysis. Malware detection may catch some samples but would not, for example, protect against newly released RAT samples.

One of the best approaches to combat RAT samples is to implement a solution that examines user behavior, such as keyboard or mouse movement, to discern between users who directly control their device and users who remotely control the device over the Internet. Once remote access is detected, an organization will need to determine whether that remote access is malicious by reaching out to the end user or by examining additional context information.
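As an added illustration of the behavioral approach described above (example code, not from the original post or any vendor product), the following toy check scores a stream of pointer-event timestamps. It assumes that input relayed through a remote-control channel such as VNC arrives quantized to the relay’s frame or polling cadence, while a hand on a local mouse produces dense, irregular sub-frame timing; the sample streams, the 50 ms cadence and the thresholds are constructed for the example.

```python
# Added example: a behavioural heuristic separating locally generated pointer
# events from events relayed over a remote-control session. Assumption: the
# relay delivers updates in multiples of its frame cadence (here 50 ms).
from statistics import median

# Constructed sample streams: millisecond timestamps of pointer-move events.
LOCAL_USER = [0, 8, 17, 25, 34, 42, 51, 59, 68, 76, 85, 93]      # dense, jittery
REMOTE_SESSION = [0, 50, 100, 150, 250, 300, 350, 400, 500, 550]  # frame-quantised
SLOW_LOCAL_USER = [0, 40, 103, 223, 433, 460]                     # slow but irregular


def inter_event_gaps(timestamps_ms):
    """Milliseconds between consecutive events."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def quantised_fraction(gaps, frame_ms=50, tolerance_ms=2):
    """Share of gaps lying within tolerance of a multiple of frame_ms."""
    if not gaps:
        return 0.0
    hits = 0
    for gap in gaps:
        remainder = gap % frame_ms
        if remainder <= tolerance_ms or frame_ms - remainder <= tolerance_ms:
            hits += 1
    return hits / len(gaps)


def looks_remote_controlled(timestamps_ms, frame_ms=50):
    """True when the stream shows the coarse, quantised cadence of a relay.

    A hit means "input arrived over a remote channel", not "malicious":
    as the post notes, the organisation still has to confirm with the
    user or with other context, because legitimate remote desktop use
    produces the same signal.
    """
    gaps = inter_event_gaps(timestamps_ms)
    if len(gaps) < 5:
        return False  # too little data to judge
    return (quantised_fraction(gaps, frame_ms) >= 0.8
            and median(gaps) >= frame_ms * 0.8)


if __name__ == "__main__":
    for name, stream in [("local", LOCAL_USER), ("remote", REMOTE_SESSION),
                         ("slow local", SLOW_LOCAL_USER)]:
        print(name, "->", "remote-controlled?" if looks_remote_controlled(stream) else "local")
```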

But even with these newer techniques, it’s always recommended to deploy a layered-defense approach consisting of many different techniques, such as device identification, malware detection, and keyboard and action analysis. This is critical, as history has shown that for every action or new defense there is a fraudster reaction.
