In the world of computing, RATs aren’t the flea-infested rodents that caused the plague, but they can be just as nasty. Also known as Remote Administration Tools, RATs allow an operator to access another computer remotely, gaining control of the machine, typically for malicious purposes. While there are many legitimate and helpful reasons for remote administration and desktop sharing, the term RAT usually refers to software installed without the knowledge of the intended victim. Moreover, RAT software is typically designed to be installed as part of a Trojan horse, actively avoiding detection by the victim or the victim’s security software and, in some cases, even disabling firewalls and other security measures.
What Are Remote Administration Tools?
Remote Administration Tools allow the operator to gain control of another machine remotely with the intention of using it maliciously, often without the knowledge or intervention of the targeted computer’s user. Among other capabilities, RAT operators may use the program to:
- Control the webcam, microphone, speakers, and screen capture function
- Control key computer functions: power on/off; log on/off
- Download, execute, and upload files
- Run shell commands
- Modify the registry
- Overclock the hardware, which can destroy it
RAT Trojan Horses
Remote Administration Tools are typically installed via a Trojan horse attack, with the malicious software often disguised as a legitimate program or bound to an otherwise innocuous one. The victim may download the legitimate-looking program from a website, receive it by email, or obtain it through some other person-to-person file-sharing channel. In some cases, a false error message appears, giving the impression that the file did not download properly and possibly lulling the victim of the Trojan attack into a false sense of security. Other RAT programs immediately disable security software, such as firewalls and antivirus programs, in order to operate undetected.
Once installed, the RAT Trojan horse will allow the remote operator to:
- Alter the desktop background wallpaper, and move, alter, and delete icons and files on the desktop;
- Control the mouse and/or keyboard, as well as peripherals like the CD-ROM drive, which can be opened remotely via a RAT Trojan;
- Display fake error messages and reformat drives;
- Install software, viruses, and other malicious software;
- Modify, delete, and transfer files;
- Phish for passwords, credit card numbers, and other sensitive information through keystroke logging or by installing keystroke capture software;
- Record video and sound by controlling the webcam or microphone;
- Take over the task manager by viewing, cancelling, and starting tasks; and
- View the screen, print text, and play sounds.
Examples of RATs
If all of that isn’t enough to convince you of the seriousness of RATs, consider some famous RAT software:
- Back Orifice: First released in 1998, BO was specifically designed for Windows computers. The program can be installed without user interaction, allowing remote access to the infected computer.
- Beast Trojan: Discontinued in 2004, Beast Trojan was one of the first to use a reverse connection, which allowed the remote operator complete control of the infected machine.
- Blackshades: In 2014, nearly 100 people were arrested as part of a sting operation to put an end to this malicious software, which had taken over more than 500,000 computers in over 100 countries.
- Bifrost: Active since 2004, Bifrost attacks operating systems from Windows 95 through Windows 7, providing remote access to manage processes, files, and windows; control of screen and webcam capture functions; and password extraction, among other capabilities.
- NetBus: Released months ahead of the Back Orifice program in 1998, NetBus was used to remotely download child pornography to the computer of a Lund University Fulbright law scholar, who consequently lost his research funding.
- ProRat: It is nearly impossible to remove ProRat without the latest antivirus software. This RAT is typically installed along with another file it is “bound” to, so when the user opens, for example, an image file, the malicious software is surreptitiously installed in the background.
- Optix Pro: More lethal than previous releases because it was able to get past most available firewalls and antivirus programs, Optix Pro terrorized computer users worldwide before being terminated by its creator in mid-2005.
- SubSeven: Still active today, the SubSeven RAT permits undetected installation and remote keystroke logging. Some argue the program is the predecessor of botnets.
Considering how lethal RATs can be and how difficult it can be to fully remove them once installed, the best defense is to be a well-informed computer user. For the most comprehensive information on Remote Administration Tools, consult our most recent RAT white paper for the latest tips on how to combat RATs.