Remote Access Trojans (RATs)

From Wikiversity


Computer Trojans or Trojan horses are named after the mythological Trojan Horse of the Trojan War. During the war the Greeks gave a giant wooden horse to their Trojan enemies. As soon as the Trojans had dragged the horse inside their city walls, Greek soldiers sneaked out of the horse's hollow belly and opened the city gates, allowing their army to capture Troy. [1]

Computer Trojan horses rely on the same old Greek trick. A Trojan is a type of malicious software that masquerades as a harmless or even useful application but, once installed, can cause serious damage to the host computer. Remote access Trojans (RATs) are a subtype of Trojan that opens a backdoor on the targeted system, giving the cybercriminal remote access to it or even full control over the computer. [2]

In this paper the nature of RATs is described and analysed from different aspects. The authors explain how RATs operate, what security risks they pose, what damage they can cause and how to prevent them. Finally some interesting RAT cases are presented. The aim of the paper is to bring together different aspects of RATs, make the topic easier for the user to understand and raise awareness of this type of malware.

What are Remote Access Trojans (RATs) and how do they work?

Remote Access Trojans (RATs), also known as backdoor Trojans, are a type of malware that runs invisibly on host computers and gives the intruder remote access to and control over the victim's personal computer (PC). In general RATs behave like ordinary, non-malicious remote control programs (e.g. Symantec pcAnywhere or TeamViewer) but are designed for covert installation and operation. [3] RATs grant criminals unrestricted access to infected endpoints and make stealing information easy. Some RATs are so advanced that the cybercriminal can operate the victim's PC from a distance as if sitting at the machine.[4] RATs are generally created by organised malware authors whose aim is to make money from their efforts. [5]

RATs usually reach the user's computer as an executable file that the person downloads somewhere (e.g. from a file sharing service) or as an e-mail attachment that the user opens. [6] Attackers tend to hide these Trojan horses in games and other small programs that users consider harmless and run on their PCs. Most RATs consist of two components: a client, which the attacker runs, and a server, which is installed on the victim's machine and is the part hidden inside a legitimate-looking installer. Attackers use a binding program (a "binder") to combine the RAT server with a legitimate executable, so that the RAT starts whenever the legitimate program runs and the user notices nothing.[3]
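The binding trick described above leaves a trace that a defender can check for: a simple binder appends the RAT server after the last section of the legitimate PE file, so the appended bytes form an "overlay" that no section header accounts for. The following script is an added example (not code from the page or from any of the tools it discusses) that parses the PE headers, measures the overlay and reports whether the overlay itself contains a complete nested PE image. The minimal images it builds are constructed test data, not real programs; the PE field offsets are the standard ones from the PE/COFF specification.

```python
# Added example, not code from the Wikiversity page: a heuristic check for
# executables that have had a RAT server "bound" to them. A binder usually
# appends the payload after the last section of a legitimate PE file, so the
# extra bytes form an "overlay" that no section header accounts for. The
# sample images built below are constructed for the demo and are not real
# programs.
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECTION_HEADER_SIZE = 40


def section_data_end(data: bytes) -> int:
    """File offset just past the last byte any section header claims.

    An Authenticode certificate also sits past the sections; if the security
    data directory points exactly there, the certificate is counted as part
    of the image so that signed files are not reported as overlays.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    (nsections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt_off = e_lfanew + 24              # optional header follows the 20-byte file header
    sect_off = opt_off + opt_size        # section table follows the optional header
    end = sect_off + nsections * SECTION_HEADER_SIZE
    for i in range(nsections):
        size_raw, ptr_raw = struct.unpack_from(
            "<II", data, sect_off + i * SECTION_HEADER_SIZE + 16)
        end = max(end, ptr_raw + size_raw)
    (magic,) = struct.unpack_from("<H", data, opt_off)
    dirs_off = opt_off + (96 if magic == PE32_MAGIC else 112)   # DataDirectory[0]
    if opt_size >= (dirs_off - opt_off) + 5 * 8:
        # entry 4 = IMAGE_DIRECTORY_ENTRY_SECURITY (file offset, size)
        cert_off, cert_size = struct.unpack_from("<II", data, dirs_off + 4 * 8)
        if cert_size and cert_off == end:
            end += cert_size
    return end


def overlay(data: bytes) -> bytes:
    """Bytes after the image proper; empty for a file with no overlay."""
    return data[section_data_end(data):]


def embedded_pe_offsets(blob: bytes) -> list:
    """Offsets in blob where a nested PE image plausibly starts."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            (lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            if blob[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def looks_bound(data: bytes) -> bool:
    """True when the overlay itself contains a complete PE image."""
    return bool(embedded_pe_offsets(overlay(data)))


def build_pe(section_bytes: bytes) -> bytes:
    """Constructed minimal PE32 image with one section (test data only)."""
    e_lfanew, opt_size, ptr_raw = 0x40, 224, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt_hdr = struct.pack("<H", PE32_MAGIC) + b"\0" * (opt_size - 2)
    size_raw = (len(section_bytes) + 0x1FF) & ~0x1FF     # 512-byte file alignment
    sect_hdr = struct.pack("<8sIIIIIIHHI", b".text", len(section_bytes), 0x1000,
                           size_raw, ptr_raw, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + file_hdr + opt_hdr + sect_hdr).ljust(ptr_raw, b"\0")
    return headers + section_bytes.ljust(size_raw, b"\0")


if __name__ == "__main__":
    legit = build_pe(b"\x90" * 700)          # stands in for the real installer
    rat_server = build_pe(b"\xCC" * 100)     # stands in for the RAT server
    bound = legit + rat_server               # what a simple binder produces
    print("clean installer bound?", looks_bound(legit))
    print("bound installer bound?", looks_bound(bound),
          "overlay bytes:", len(overlay(bound)))
```

An overlay on its own is not evidence of malice: self-extracting archives and installer frameworks keep their payload there legitimately, which is why the check only raises an alarm when the overlay is a second executable. Binders that encrypt or compress the appended server defeat the nested-PE test, so treat a large, high-entropy overlay on a file that claims to be a small utility as worth a closer look too.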

Before binding, the attacker configures the server component: setting the IP port numbers it uses, defining how and when the program acts and how it hides, setting a logon password for the backdoor, and determining when and how the program communicates. [3] In other words the cybercriminal can change the server executable's behaviour as needed; once the program is generated, all that remains is to trick the user into running it in one of the ways described above.

After a successful infection the cybercriminal can use the infected PC to distribute other remote access Trojans and to recruit computers into a robot network, or botnet, in which these zombie computers are controlled by the botnet master/operator for many different purposes. For example it is possible to block the user's mouse and keyboard; delete, download, rename, hide and upload files; log the user's keystrokes to obtain passwords; or install other malware on the user's PC.[6] In the next chapter the risks and effects are described and analysed more closely.

There are different types of RATs: all-in-one intruder toolkits (RATs that can capture screen, sound and video content) and more malicious RATs that contain hiding mechanisms, encryption and professional-looking APIs that let other cybercriminals add extra functionality. Because of their more complicated nature the latter are bigger than other RATs (100 KB to 300 KB), whereas a typical RAT stays between 10 KB and 30 KB to help it remain unnoticed. [3] The best-known RAT examples are Back Orifice and SubSeven.

Because of their sophistication, RATs can already be considered an advanced class of malware. They are multifunctional, flexible and hard to detect, which makes them a very dangerous and powerful weapon. In the next chapters different aspects of RATs (including security risks and prevention methods) are analysed more closely to raise users' awareness.

RATs as a Serious Security Risk: What Harm Can They Do?

RATs pose equally significant security risks to devices, information and users. Much malware has the main aim of accessing information on devices that the malware's operator would otherwise not be authorised to access, and can be used (with varying levels of sophistication) to acquire copies of information from remote devices. The "A" (for "Access") in "RAT", however, means more than access to data, which is the aim of much malware that cannot be categorised as a RAT: a RAT gives access not only to the information stored on the device but to the functionality of the device as well.[7]

As described above, this enables the attacker (or, more precisely, the controller of the malware) to use the target device in potentially any way the device's authorised user would use it. Some of the security risks this implies are the following (categorised from a non-technical, "business" perspective)[3]:

  • Access to unauthorised information (spying, stealing). This includes not only "stored" information but transient information as well, for example VoIP conversations or on-screen user activity (e.g. stealing financial information by watching the user use their Internet banking).
  • Interference with information. Planting fabricated evidence (of cyber crime or any other criminal activity, for example copying child pornography onto the device's storage and then reporting the device's operator to the police), or deleting critical information (file system level access).[8]
  • Interference at the application level. Installing and running applications. These can be additional malware offering different, more targeted functionality than the RAT (botnet software, ransomware, etc.), non-malware applications "leeching" on the device's resources (e.g. cryptocurrency mining software generating profit for the attacker), or any other kind of software. This can also mean interfering with the settings of existing, legitimate applications (lowering authentication levels, or changing or disabling mission-critical functionality).
  • Interference at the interface level. While RATs do more serious damage through their ability to interfere with devices without the user's knowledge, they can also be used like non-malicious remote access software: controlling the screen, mouse (cursor), keyboard and other interfaces the user is aware of. Naive users may be confused or frightened by this, helping the attacker commit impersonation, extortion or other non-technical cyber crimes, and even criminal acts not related to ICT at all. However, interference with a device's interfaces may tip off more computer-literate users, effectively telling them about the infection and allowing them to mitigate the problem.
  • Interference at the hardware level. Interference with hardware drivers, firmware or hardware functionality. This can include installing additional BIOS or firmware level malware (which persists on the device even if the storage is formatted, and may also allow manipulating firmware level functionality, e.g. remotely switching devices on), or turning on and capturing web cameras or microphones (invading the user's privacy). RATs may also be able to change hardware settings in a way that physically breaks the hardware (such as CPU overclocking resulting in overheating-related failure), possibly causing damage unrelated to ICT infrastructure (overheating hardware can cause a house fire).

RATs themselves do not necessarily cause damage. They are, by strict definition, a general tool that enables attackers to cause further damage, and so they pose a multifaceted, serious threat to devices, information and users. However, RATs also have limitations: they need the target to be continuously connected to the Internet (or another network), otherwise their functionality cannot be used. Cutting off network access from a device suspected of being infected is therefore a good immediate way of containing the problem (as the Israeli police did in such a case).[9] Also, the more peripherals a RAT supports, the more complex it is, increasing the chance of it being caught by antivirus software. The risks of RATs greatly shape the ways we can mitigate them.

How to prevent RATs?

As stated previously, RATs are malicious programs that give an intruder remote access to host PCs and let them act on those PCs invisibly. [10] Typical antivirus scanners find RATs difficult to detect because of binders and the intruders' encryption routines. Moreover, RATs have the potential to cause significantly more damage than a worm or virus could. Finding and removing RATs should be a systems administrator's top priority.[3]

Nevertheless, the best anti-malware weapon remains an up-to-date, proven antivirus scanner. Most RATs are detected by scanners and the removal process is automated as far as possible. Security administrators sometimes rely on Trojan-specific tools to detect and remove RATs, though it is debatable whether such products deserve more trust than the Trojans themselves. Agnitum's Tauscan was at the time considered a top Trojan scanner with a proven record.[3]

Controls should be implemented to prevent RAT malware from infecting managed and unmanaged devices. If a device is infected by a RAT, the controls should detect it and remove it quickly from the end user's machine. Future infections must be stopped by blocking malware installation processes and spear-phishing attacks. When balancing the strength of protection and risk reduction against the impact on end users and IT security staff, special attention should be paid to resource consumption and management overhead. [10]

One clear clue to a RAT infection is an unexpected open IP port on the suspected machine, especially if the port number matches a known Trojan port. If there is a suspicion that the PC has been infected, it should be disconnected from the Internet so that the remote intruder cannot notice the security check and do more damage in the meantime. Then open the Task List and close all running programs that use the Internet, such as e-mail or instant messaging clients, and close all programs running from the system tray. Booting into safe mode is not recommended, because doing so often prevents the Trojan from loading into memory and thus defeats the purpose of the test. If the user understands IP ports well enough to know which port numbers particular programs use, listing the listening IP ports (UDP and TCP) on the local host can be helpful; any unexpected port should be investigated.[3]
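The port check above can be made less dependent on the user's memory of "which program uses which port" by comparing the listening sockets against a baseline captured while the host was known to be clean. The script below is an added example (not from the page or from any vendor tool) that parses `netstat -ano`-style output, drops everything in the baseline and labels the remainder, naming the well-known default ports of the two RATs the page discusses. The netstat text, the baseline set and the PID values are constructed for the demo; the port defaults are only defaults, since both tools let the attacker pick any port.

```python
# Added example, not from the page: flag listening ports that are not in a
# host's known-good baseline, and label the ones that match well-known RAT
# default ports. The netstat output, the baseline and the PID values below
# are constructed for the demo.

# Ports this particular host is expected to listen on. In practice this is
# captured from the machine while it is known to be clean (assumed here).
BASELINE = {("TCP", 135), ("TCP", 445), ("UDP", 137), ("UDP", 138)}

# Default ports of the two RATs the page discusses. These are only defaults;
# both tools let the attacker choose any port, so absence is not proof of a
# clean host, and a match is a lead to investigate, not a verdict.
KNOWN_TROJAN_PORTS = {
    31337: "Back Orifice default (UDP)",
    27374: "SubSeven default (TCP)",
}


def parse_listeners(netstat_text):
    """Yield (proto, local_ip, port, pid) for listening sockets in `netstat -ano` output."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                      # header, blank or unrelated line
        proto, local = parts[0], parts[1]
        if proto == "TCP" and parts[3] != "LISTENING":
            continue                      # ESTABLISHED / TIME_WAIT etc. are not listeners
        ip, port = local.rsplit(":", 1)   # rsplit copes with [::]:135 as well
        yield proto, ip, int(port), int(parts[-1])


def suspicious_listeners(netstat_text, baseline=BASELINE):
    """Listeners outside the baseline, each with a reason string."""
    findings = []
    for proto, ip, port, pid in parse_listeners(netstat_text):
        if (proto, port) in baseline:
            continue
        findings.append({
            "proto": proto, "ip": ip, "port": port, "pid": pid,
            "reason": KNOWN_TROJAN_PORTS.get(port, "not in baseline"),
        })
    return findings


# Constructed `netstat -ano` output from a hypothetical infected host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING       3216
  TCP    192.168.1.20:49812     203.0.113.9:443        ESTABLISHED     2440
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:31337          *:*                                    3216
"""

if __name__ == "__main__":
    for f in suspicious_listeners(SAMPLE_NETSTAT):
        print(f"{f['proto']} {f['ip']}:{f['port']} pid={f['pid']}  -> {f['reason']}")
```

In the constructed sample both unexpected listeners belong to the same process ID, which is the next thing to chase (`tasklist /FI "PID eq 3216"` on Windows shows the image name). A listener that is not in the baseline but matches no known Trojan port is still a finding: the page itself notes that RATs let the attacker set the port, so the baseline comparison matters more than the lookup table.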

Preventing RAT attacks and protecting the system from them is possible using the same procedures that prevent other types of malware infection:

  1. Keep antivirus and anti-malware software updated. Scans should be run twice a week or scheduled to run automatically.
  2. Do not open unexpected attachments received by e-mail, even if the e-mail appears to come from someone known and trusted.
  3. Scan all programs for viruses before downloading or opening them.
  4. Do not save passwords when the browser offers to.
  5. In addition to antivirus and anti-malware protection, use a firewall as well.[6]

Organisations should be able to provide virtual private network (VPN) access only from secured endpoints, meaning endpoints on which security controls are installed and functioning. When sensitive applications such as VPN and VDI clients are restricted in this way, the attacker's ability to leverage a RAT to carry out an attack is dramatically reduced.[10] A VPN is the extension of a private network across a shared or public network such as the Internet. It allows data to be sent between two computers across a shared or public internetwork by providing a point-to-point private link, and is used for working from home or on the road in a secure manner.[11] VDI, virtual desktop infrastructure or desktop virtualisation, is a software technology that separates the desktop environment and its application software from the physical client device used to access it; users access the desktop over a network using a remote display protocol.[12]

Prevention is the best cure for this type of malware attack, so it is wise to remain cautious and keep the computer protected at all times: keep antivirus software up to date, and do not download programs or open attachments from unknown sources. At the administrative level, block unused ports, turn off unused services and monitor outgoing traffic continuously.
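"Monitor outgoing traffic continuously" is the control that catches a RAT even when its listening port has been changed or when it only ever connects outwards to a command and control server. A RAT server waiting for its operator typically calls home at a fixed interval, so a flow with many connections at nearly constant spacing stands out from human browsing. The script below is an added example (not from the page or from any monitoring product) of that beacon check run over a constructed egress log; the addresses come from documentation ranges and the thresholds (`min_hits`, `max_cv`) are assumed starting values to tune per environment.

```python
# Added example, not from the page: spot RAT "beaconing" in outbound traffic.
# A RAT server that waits for its operator typically calls the C&C host at a
# fixed interval, so a (src, dst, dport) tuple with many connections at nearly
# constant spacing stands out from human browsing. The log entries below are
# constructed for the demo; the addresses are documentation ranges.
import statistics
from collections import defaultdict


def build_sample_log():
    """Constructed egress log: (epoch seconds, src, dst, dport, bytes)."""
    t0 = 1_700_000_000
    log = []
    # Hypothetical RAT check-in every 60 s with a little jitter.
    jitter = [0, 2, -1, 3, 0, -2, 1, 0, 2, -1, 1, 0, -3, 2, 0, 1, -1, 0, 2, 1]
    for i, j in enumerate(jitter):
        log.append((t0 + 60 * i + j, "10.0.0.5", "198.51.100.7", 443, 412))
    # Ordinary browsing from the same host: irregular timing, larger transfers.
    for dt in (5, 9, 310, 322, 900, 1800, 1803, 2400):
        log.append((t0 + dt, "10.0.0.5", "192.0.2.44", 443, 15000))
    return sorted(log)


def find_beacons(log, min_hits=8, max_cv=0.1):
    """Return {(src, dst, dport): stats} for flows whose inter-connection
    gaps are regular: coefficient of variation (stdev / mean) <= max_cv."""
    times = defaultdict(list)
    for ts, src, dst, dport, _nbytes in log:
        times[(src, dst, dport)].append(ts)
    beacons = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue                          # too few samples to judge regularity
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue                          # all connections in the same second
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = {"hits": len(ts_list),
                            "interval_s": round(mean, 1),
                            "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), stats in find_beacons(build_sample_log()).items():
        print(f"{src} -> {dst}:{dport} every ~{stats['interval_s']}s "
              f"({stats['hits']} hits, cv={stats['cv']})")
```

Real RATs add deliberate jitter to their check-in interval to blunt exactly this test, so in practice `max_cv` is raised until legitimate schedulers (update checks, monitoring agents) start to appear, and those are then put on an allowlist keyed by destination. Flows to well-known update services and the organisation's own infrastructure are the usual false positives; everything else that beacons deserves a look at the process behind it.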

Interesting RAT Case Study Analyses

The two best-known RATs are Back Orifice and SubSeven.

Back Orifice was created in 1998. Its successor, Back Orifice 2000 (BO2K), added an application programming interface for plug-ins, and by 2000 it was available under the GNU General Public License with remote administration as its stated, ostensibly legitimate, purpose. Through a configuration utility the attacker sets the server options: the transport (User Datagram Protocol or Transmission Control Protocol), the port number, encryption, the plug-ins to load and the access password. Back Orifice can log keystrokes, browse the file system over Hypertext Transfer Protocol, edit the registry, capture video and audio, redirect TCP/IP ports, lock up and reboot the remote machine, send messages, encrypt its packets and compress files. Its software development kit allows the program to be extended through plug-ins.

SubSeven is also a keystroke logger, changes registry entries and its own port, captures packets and can record from the camera and microphone. The attacker can remotely swap the mouse buttons; turn Caps Lock, Num Lock and Scroll Lock on or off; disable the Ctrl+Alt+Del combination; log off the user; open or close the CD-ROM drive; turn the desktop on or off; and shut down or restart the computer. SubSeven notifies the attacker of a new infection via ICQ, e-mail, Internet Relay Chat or a Common Gateway Interface script so that the attacker can connect to it. The Trojan can randomly change its server port and still keep the attacker informed of the change. SubSeven can also retrieve passwords for AOL Instant Messenger, ICQ, remote access service (RAS) dial-up connections and the screensaver.

Let us discuss a case from 2013 which is interesting from the perspective of making money with the help of a RAT and good social engineering. “One day an administrative assistant to a vice president at a French-based multinational company got an e-mail showing some kind of invoice on a well-known file sharing service. A few minutes later the assistant had a phone call from another vice president of the same company where she worked. She was ordered to check the invoice and process it. The vice president seemed to be a native French speaker and was very confident and professional at the same time. In fact, the invoice was fake and the vice president was an adroit, skilful attacker.

Finally it turned out that the invoice was a remote access Trojan designed to contact a command and control server in Ukraine. Through the RAT the attacker gained the power to control the assistant's infected computer. If a RAT gets into a system it is capable of searching out information and sending it to a remote server, where the hackers can examine it. The bad thing is that it is impossible to detect it with the help of standard antivirus software. In this way it is sometimes even possible to control a specific server of an organisation. It was a good opportunity to gain access to logged keystrokes, the desktop, and all browsed and downloaded files. The data was transferred and money stolen. Using the information, the hackers managed to impersonate the company's official representative, called the organisation's telecommunications provider and proved their authenticity. They said that a physical disaster had happened and asked for the organisation's phone numbers to be redirected to attacker-controlled phones. That gave them the opportunity to fax a request to the organisation's bank requesting several large wire transfers to various offshore accounts. The bank then sought verbal confirmation of the request and, since the hackers had hijacked the company's phone system, the “executive” gave permission and the money was transferred.”[13]

Thus, by means of a RAT, it became easy to obtain confidential information.

A RAT attack in the Middle East is another good example. “According to a white paper (PDF) published by General Dynamics Fidelis Cybersecurity Solutions, the malware, dubbed “njRAT,” has been used specifically against the government, telecommunications and energy sectors in the region.”[14]

The malware arrived as a mail attachment named authorization.exe, disguised as a Word document or PDF file. A Trojan of this kind can also infect a computer through USB drives or through downloads. It can capture keystrokes and login passwords and even control the computer's camera, so the attacker knows almost every step the user takes and tracks him or her without their knowledge. The attacker can delete or create files, move files, download programs and change registry keys and values. It can become a good source for identity theft, for example. On top of all this, the RAT can spread other malicious software on the computer and update it.

According to the white paper, “njRAT” is capable of scanning other systems on the network once it gets onto a computer. It sends encrypted data to its command-and-control server, from which the attack campaign is run; understanding this traffic helps to understand how the malware worked. The C&C hub receives the victim computer's serial number, its location, the name and type of the operating system used and the version of the malicious software on the computer.

Researchers said that at that time the RAT's targets were Middle Eastern countries but that it could very well spread elsewhere. Hackers can hide their real locations, but a site hosting the malware showed connections to IP addresses in the UK and Vietnam.

In 2012, Tibetan activist organisations, the International Campaign for Tibet and the Central Tibetan Administration, became targets of a RAT. The Chinese government was the one “blamed”. AlienVault Labs researchers said that one year earlier the same group of hackers had attacked chemical and defence companies in an operation called “Nitro”. The hackers started with a phishing campaign using an infected Microsoft Office file to exploit a vulnerability in Microsoft Office (the RTF stack buffer overflow CVE-2010-3333). The e-mail contained information connected to a Tibetan religious festival. The malicious software used Gh0st RAT for document theft and cyber espionage. “To be precise, five families of malware have been identified, free web hosting services for their command and control machines and also a malware called TROJ_WIMMIE. This malware exploited the Rich Text Format Stack Buffer Overflow Vulnerability (CVE-2010-3333) and also Adobe Reader and Flash Player vulnerabilities.”[15]


  1. Trojan Horse. Greek mythology.
  2. Trojans and other security threats.
  3. Danger: Remote Access Trojans.
  4. Remote Administration Software. Wikipedia.
  5. Trojans and other security threats.
  6. Keep Yourself Safe from a Remote Access Trojan.
  7. Backdoor, Remote Access Tool/Remote Access Trojan (RAT).
  8. UK cyber cops arrest five for Remote Access Trojan scam.
  9. Poison Ivy still alive, old malware new cyber threats – FireEye report.
  10. Remote Access Trojan (RAT).
  11. Virtual Private Networking: An Overview.
  12. Virtual desktop infrastructure.
  13. Nina Khomeriki, Social Engineering blog.
  14. SC Magazine article for IT security professionals.
  15. Security Affairs blog.