Remote Access Trojans (RATs) have long been a serious risk, whether used to hijack a computer or just to play a prank on a friend. A RAT is malicious software that allows an operator to attack a computer and gain unauthorized remote access to it. RATs have been around for years, and they persist because detecting some of them is difficult even for modern antivirus software.
In this post, we will look at what a Remote Access Trojan is and discuss the available detection and removal techniques. We also briefly describe some common RATs, such as CyberGate, DarkComet, Optix, Shark, Havex, ComRat, VorteX Rat, Sakula, and KjW0rm.
Remote Access Trojans
Most Remote Access Trojans arrive through malicious emails, rogue programs, and web links that lead nowhere. RATs are not as simple as keylogger programs: they provide the attacker with many capabilities, such as:
- Keylogging: Your keystrokes could be monitored, and usernames, passwords and other sensitive information could be recovered.
- Screenshot: Screenshots can be taken to see what is happening on your computer.
- Hardware Media Capture: RATs can access your webcam and microphone to record you and your surroundings in complete violation of privacy.
- Administration rights: The attacker can change any settings, modify registry values and do much more on your computer without your permission. A RAT can provide administrator-level privileges to the attacker.
- Overclocking: The attacker can increase processor speeds; overclocking the system can damage hardware components and eventually burn them out.
- Other system-specific capabilities: the attacker can access anything on your computer, including your files, passwords, chats, and more.
How do remote access trojans work?
Remote Access Trojans come in a server-client configuration where the server is covertly installed on the victim PC, and the client can be used to access the victim PC via a GUI or command interface. A link is opened between the server and the client on a specific port, and encrypted or plain communication can occur between the server and the client. If the network and the sent/received packets are properly monitored, RATs can be identified and removed.
RAT Attack Prevention
RATs reach computers through spam emails or malicious software, or are packaged as part of some other software or application. You should always have a good antivirus program installed that can detect and remove RATs. Detecting RATs is difficult because they install under a random name that may look like any other common application, so a good antivirus program is essential.
Monitoring your network can also be a good way to detect any Trojans sending your personal data over the Internet.
If you don’t use remote administration tools, disable Remote Assistance connections to your computer. The setting is in System Properties > Remote tab > uncheck "Allow Remote Assistance connections to this computer".
Keep your operating system, installed software, and particularly security programs up to date at all times. Also, avoid opening emails you don’t trust or that come from an unknown source. Do not download software from sources other than its official website or a mirror.
After the RAT attack
Once you know you’ve been attacked, the first step is to disconnect your system from the Internet and from the network if you’re connected. Using another, clean computer, change all your passwords and other sensitive information and check whether any of your accounts have been compromised. Check your bank accounts for fraudulent transactions and immediately inform your bank about the Trojan on your computer. Then scan the computer for problems and seek professional help to remove the RAT. Consider closing port 80. Use a firewall port scanner to check all your ports.
You can even try to trace who was behind the attack, but you will need professional help for that. RATs can usually be removed once they’re detected, or you can do a fresh installation of Windows to finish removing them.
Common Remote Access Trojans
Many Remote Access Trojans are currently active, infecting millions of devices. The most notorious ones are discussed here:
- Sub7: ‘Sub7’, derived by spelling NetBus (an old RAT) backwards, is a free remote administration tool that allows you to control the host PC. Security experts have categorized the tool as a Trojan, and it can be risky to have it on your computer.
- Back Orifice: Back Orifice and its successor Back Orifice 2000 are free tools originally designed for remote administration, but it took no time for them to be turned into Remote Access Trojans. There has been controversy over whether this tool is a Trojan; the developers maintain that it is a legitimate tool that provides remote management access. The program is now identified as malware by most antivirus programs.
- DarkComet: A very extensible remote administration tool with many features that could be used for spying. The tool has links to the Syrian Civil War, where the government reportedly used it to spy on civilians. Because the tool has been misused so much, the developers have stopped its further development.
- Shark: An advanced remote administration tool, not intended for beginners and hobby hackers. It is said to be a tool for security professionals and advanced users.
- Havex: This Trojan has been widely used against the industrial sector. It collects information, including the presence of any industrial control system, and transmits it to remote websites.
- Sakula: A remote access trojan that comes in an installer of your choice. It appears to install some tool on your computer, but installs the malware along with it.
- KjW0rm: This Trojan comes packed with many capabilities, but it is already flagged as a threat by many antivirus tools.