RATs
The world of malicious software is often divided into two types: viral and nonviral. Viruses are little bits of code that are buried in other codes. When the “host” codes are executed, the viruses replicate themselves and may attempt to do something destructive. In this, they behave much like biological viruses.
Worms are a kind of computer parasite considered to be part of the viral camp because they replicate and spread from computer to computer.
As with viruses, a worm’s malicious act is often the very act of replication; they can overwhelm computer infrastructures by generating massive numbers of e-mails or requests for connections that servers can’t handle.
Worms differ from viruses, though, in that they aren’t just bits of code that exist in other files. They could be whole files——an entire Excel spreadsheet, for example. They replicate without the need for another program to be run.
Remote administration types are an example of another kind of nonviral malicious software, the Trojan horse, or more simply Trojan. The purpose of these programs isn’t replication, but to penetrate and control. That masquerade as one thing when in fact they are something else, usually something destructive.
There are a number of kinds of Trojans, including spybots, which report on the Web sites a computer user visits, and keybots or keyloggers, which record and report the user''s keystrokes in order to discover passwords and other confidential information.
RATs attempt to give a remote intruder administrative control of an infected computer. They work as client/server pairs. The server resides on the infected machine, while the client resides elsewhere, across the network, where it''s available to a remote intruder.
Using standard TCP/IP or UDP protocols, the client sends instructions to the server. The server does what it’s told to do on the infected computer.
Trojans, including RATs, are usually downloaded inadvertently by even the most savvy users. Visiting the wrong Web site or clicking on the wrong hyperlink invites the unwanted Trojan in. RATs install themselves by exploiting weaknesses in standard programs and browsers.
Once they reside on a computer, RATs are hard to detect and remove. For Windows users, simply pressing Ctrl-Alt-Delete won’t expose RATs, because they operate in the background and don''tappear in the task list.
Some especially nefarious RATs have been designed to install themselves in such a way that they’re very difficult to remove even after they’re discovered.
For example, a variant of the Back Orifice RAT called G_Door installs its server as Kernel32.exe in the Windows system directory, where it’s active and locked and controls the registry keys.
The active Kernel32.exe can’t be removed, and a reboot won''t clear the registry keys. Every time an infected computer starts, Kernel32.exe will be restarted, and the program will be active and locked.
Some RAT servers listen on known or standard ports. Others listen on random ports, telling their clients which port and which IP address to connect to by e-mail.
Even computers that connect to the Internet through Internet service providers, which are often thought to offer better security than static broadband connections, can be susceptible to control from such RAT servers.
The ability of RAT servers to initiate connections can also allow some of them to evade firewalls. An outgoing connection is usually permitted. Once a server contacts a client, the client and server can communicate, and the server begins following the instructions of the client.
Legitimate tools are used by systems administrators to manage networks for a variety of reasons, such as logging employee usage and downloading program upgrades——functions that are remarkably similar to those of some remote administration Trojans. The distinction between the two can be quite narrow. A remote administration tool used by an intruder becomes a RAT.
In April 2001, an unemployed British systems administrator named Gary McKinnon used a legitimate remote administration tool known as RemotelyAnywhere to gain control of computers on a U.S. Navy network.
By hacking a few unguarded passwords on the target computers and using illegal copies of Remotely Anywhere, McKinnon was able to break into the Navy’s network and use the remote administration tool to steal information and delete files and logs. The fact that McKinnon launched the attack from his girlfriend’s e-mail account left him vulnerable to detection.
Some of the famous RATs are variants of Back Orifice; they include Netbus, SubSeven, Bionet and Hack''a''tack. These RATs tend to be families more than single programs. They are morphed by hackers into a vast array of Trojans with similar capabilities.
The world of malicious software is often divided into two types: viral and nonviral. Viruses are little bits of code that are buried in other codes. When the “host” codes are executed, the viruses replicate themselves and may attempt to do something destructive. In this, they behave much like biological viruses.
Worms are a kind of computer parasite considered to be part of the viral camp because they replicate and spread from computer to computer.
As with viruses, a worm’s malicious act is often the very act of replication; they can overwhelm computer infrastructures by generating massive numbers of e-mails or requests for connections that servers can’t handle.
Worms differ from viruses, though, in that they aren’t just bits of code that exist in other files. They could be whole files——an entire Excel spreadsheet, for example. They replicate without the need for another program to be run.
Remote administration types are an example of another kind of nonviral malicious software, the Trojan horse, or more simply Trojan. The purpose of these programs isn’t replication, but to penetrate and control. That masquerade as one thing when in fact they are something else, usually something destructive.
There are a number of kinds of Trojans, including spybots, which report on the Web sites a computer user visits, and keybots or keyloggers, which record and report the user''s keystrokes in order to discover passwords and other confidential information.
RATs attempt to give a remote intruder administrative control of an infected computer. They work as client/server pairs. The server resides on the infected machine, while the client resides elsewhere, across the network, where it''s available to a remote intruder.
Using standard TCP/IP or UDP protocols, the client sends instructions to the server. The server does what it’s told to do on the infected computer.
Trojans, including RATs, are usually downloaded inadvertently by even the most savvy users. Visiting the wrong Web site or clicking on the wrong hyperlink invites the unwanted Trojan in. RATs install themselves by exploiting weaknesses in standard programs and browsers.
Once they reside on a computer, RATs are hard to detect and remove. For Windows users, simply pressing Ctrl-Alt-Delete won’t expose RATs, because they operate in the background and don''tappear in the task list.
Some especially nefarious RATs have been designed to install themselves in such a way that they’re very difficult to remove even after they’re discovered.
For example, a variant of the Back Orifice RAT called G_Door installs its server as Kernel32.exe in the Windows system directory, where it’s active and locked and controls the registry keys.
The active Kernel32.exe can’t be removed, and a reboot won''t clear the registry keys. Every time an infected computer starts, Kernel32.exe will be restarted, and the program will be active and locked.
Some RAT servers listen on known or standard ports. Others listen on random ports, telling their clients which port and which IP address to connect to by e-mail.
Even computers that connect to the Internet through Internet service providers, which are often thought to offer better security than static broadband connections, can be susceptible to control from such RAT servers.
The ability of RAT servers to initiate connections can also allow some of them to evade firewalls. An outgoing connection is usually permitted. Once a server contacts a client, the client and server can communicate, and the server begins following the instructions of the client.
Legitimate tools are used by systems administrators to manage networks for a variety of reasons, such as logging employee usage and downloading program upgrades——functions that are remarkably similar to those of some remote administration Trojans. The distinction between the two can be quite narrow. A remote administration tool used by an intruder becomes a RAT.
In April 2001, an unemployed British systems administrator named Gary McKinnon used a legitimate remote administration tool known as RemotelyAnywhere to gain control of computers on a U.S. Navy network.
By hacking a few unguarded passwords on the target computers and using illegal copies of Remotely Anywhere, McKinnon was able to break into the Navy’s network and use the remote administration tool to steal information and delete files and logs. The fact that McKinnon launched the attack from his girlfriend’s e-mail account left him vulnerable to detection.
Some of the famous RATs are variants of Back Orifice; they include Netbus, SubSeven, Bionet and Hack''a''tack. These RATs tend to be families more than single programs. They are morphed by hackers into a vast array of Trojans with similar capabilities.