Remote administration software

A remote administration tool (a RAT) is a piece of software that allows a remote "operator" to control a system as if they had physical access to that system. While desktop sharing and remote administration have many legal uses, "RAT" software is usually associated with criminal or malicious activity. Malicious RAT software is typically installed without the victim's knowledge, often as the payload of a Trojan horse, and will try to hide its operation from the victim and from security software.

The operator controls the RAT through a network connection. Such tools provide an operator the following capabilities:[1]

Its primary function is for one computer operator to gain access to remote PCs. One computer will run the "client" software application, while the other computer(s) operate as the "host(s)".

Reverse connection

In this mode of operation, the remote computer(s) act as the "host" for the RAT software, for the "client" remote administrator to control. RATs that use this method of connectivity have the following operational advantages.

The diagram below shows the remote administrator as the "client" connected to multiple "server" computers that are performing various functions:

Func   Func
   \    /    Func    Func
    [SERVER]   \    /
       |    [SERVER]
       |      /
       |     /
       |    /   Func    Func
       |   /      \     /
    [CLIENT]------[SERVER]

Direct connection

It is possible to remotely install a piece of software on a computer with the intention of taking control of that computer without the legitimate operator becoming aware of it. This connection type can normally only be made if the remote computer operator has the IP address of the computer to be controlled. Most firewall software usually blocks this type of invasive software. However, experienced programmers have developed sophisticated programs to bypass typical firewall software. There is a continual process to produce countermeasures against such intrusive software programs.[6]
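Added example, not part of the original article: a defender's view of the two connection modes above, as a review of firewall flow records by who initiated each session. It relies on the fact that a direct connection arrives inbound at the controlled machine, while a reverse connection leaves it as an outbound session. The log format, addresses, port list and threshold are all constructed assumptions.

```python
import ipaddress

# Assumed site policy (hypothetical values for illustration only).
INTERNAL = ipaddress.ip_network("10.0.0.0/24")   # site network
ADMIN_HOSTS = {"10.0.0.5"}                       # sanctioned admin workstation
ADMIN_PORTS = {3389, 5900}                       # RDP and VNC
APPROVED_EGRESS = {"203.0.113.7"}                # approved external service
LONG_SESSION_S = 3600                            # review threshold in seconds

# Constructed records: time action proto src sport dst dport duration_s
SAMPLE_LOG = """\
2011-02-05T10:00:01 ALLOW TCP 10.0.0.15 49152 203.0.113.7 443 30
2011-02-05T10:00:05 DENY TCP 198.51.100.9 51000 10.0.0.15 5900 0
2011-02-05T10:01:00 ALLOW TCP 10.0.0.22 49500 198.51.100.44 8080 14400
2011-02-05T10:02:00 ALLOW TCP 10.0.0.5 50010 10.0.0.22 3389 600
2011-02-05T10:03:00 ALLOW TCP 192.0.2.77 40000 10.0.0.30 5900 900
2011-02-05T10:04:00 ALLOW TCP 10.0.0.40 50100 10.0.0.22 5900 120
"""

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def classify(line):
    """Return (finding, src, dst, dport), or None if no review is needed."""
    _ts, action, _proto, src, _sport, dst, dport, dur = line.split()
    dport, dur = int(dport), int(dur)
    if action != "ALLOW":
        return None  # the firewall already blocked this session
    src_in, dst_in = is_internal(src), is_internal(dst)
    if not src_in and dst_in:
        # Direct mode: an outside party reached an inside host.
        return ("inbound-direct", src, dst, dport)
    if (src_in and not dst_in and dur >= LONG_SESSION_S
            and dst not in APPROVED_EGRESS):
        # Reverse mode pattern: long-lived session opened from the inside.
        return ("long-outbound", src, dst, dport)
    if src_in and dst_in and dport in ADMIN_PORTS and src not in ADMIN_HOSTS:
        # Remote control between inside hosts from a non-admin machine.
        return ("unsanctioned-admin", src, dst, dport)
    return None

def review(log_text):
    """Classify every non-empty record and keep only the findings."""
    results = (classify(l) for l in log_text.splitlines() if l.strip())
    return [r for r in results if r is not None]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

A finding is a prompt for review, not proof of a RAT: long outbound sessions and internal remote-control traffic also come from legitimate software, which is why the approved lists exist.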

Security is an important factor when choosing a remote support solution for any enterprise. Gone are the days when security was just a matter of the highest degree of encryption. Today, a truly secure remote support solution will allow organizations to centrally control who can do what and where, safe in the knowledge that when each remote session has finished it should be able to document what actually took place.

For systems in environments that need to meet and maintain compliance requirements,[7] remote administration software must have strict security control. Software like Netop Remote Control 10 is able to exceed the toughest security standards including PCI DSS, ISO 27001, FIPS and HIPAA.

It is necessary to examine[8] the remote control software functionality that best serves organizations that need a highly secure tool that crosses all platforms and devices and is completely scalable in any environment. It will help IT professionals select a remote control solution that increases productivity and customer satisfaction, as well as enhances the flexibility of the IT organization and improves the company’s risk profile.

RAT trojan horses

Many trojans and backdoors now have remote administration capabilities allowing an individual to control the victim's computer. Often, a file called the server must be opened on the victim's computer before the trojan can have access to it. These files are generally sent through email, P2P file sharing software, and Internet downloads. They are usually disguised as a legitimate program or file. Many server files will display a fake error message when opened, to make it seem as if the file didn't open. Some will also kill antivirus and firewall software. Even if you have full control over a computer with a RAT, most people will disagree with you if you say you are hacking by trying one out; that is only remote controlling. RAT trojans can generally do the following:

Some RAT trojans are pranks that are most likely being controlled by a friend or enemy on April Fool's Day or a holiday. Prank RATs are generally not harmful, and won't log keystrokes or hack. They usually do disruptive things like flip the screen upside-down, open the CD-ROM tray, and swap mouse buttons. However, they can be quite hard to remove.

Typical RAT software and trojans

References

  1. "Remote Server Administration Tools for Windows 7". Microsoft TechNet, June 4, 2009. http://technet.microsoft.com/en-us/library/ee449475%28WS.10%29.aspx. Retrieved 4 February 2011.
  2. "Danger: Remote Access Trojans". Microsoft TechNet, September 2002. http://technet.microsoft.com/en-us/library/dd632947.aspx. Retrieved 5 February 2011.
  3. "Understanding the Windows NT Remote Access Service". Microsoft TechNet, date undisclosed. http://technet.microsoft.com/en-us/library/cc751300.aspx. Retrieved 5 February 2011.
  4. "Netsh commands for remote access (ras)". Microsoft TechNet, January 21, 2005. http://technet.microsoft.com/en-us/library/cc757467%28WS.10%29.aspx. Retrieved 5 February 2011.
  5. "RAS Registry Modification Allowed Without Administrative Rights". Microsoft TechNet, date undisclosed. http://support.microsoft.com/kb/267861. Retrieved 5 February 2011.
  6. "Firewall Policy Design Example". Microsoft TechNet, January 20, 2009. http://technet.microsoft.com/en-us/library/cc731164%28WS.10%29.aspx. Retrieved 5 February 2011.
  7. "Compliance and Security Challenges with Remote Control" (PDF). SANS Analyst Program. http://www.sans.org/reading_room/analysts_program/netop-02-2011.pdf.
  8. "Insiders’ Guide to Evaluating Remote Control Software" (PDF). Netop Business Solution. http://www.netop.com/fileadmin/netop/resources/products/administration/remote_control/whitepapers/Insiders%20Guide%20to%20Evaluating%20Remote%20Control%20Software.pdf.
  9. "Code Access Security and bifrost". Coding Horror, Mar 20, 2007. http://www.codinghorror.com/blog/2007/03/code-access-security-and-bitfrost.html. Retrieved 5 February 2011.
  10. "Remote administration tool". Poison ivy.com, 20 November 2008. http://www.poisonivy-rat.com/. Retrieved 5 February 2011.
  11. "BD Y3K RAT 1.1". Symantec, date undisclosed. http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=20264. Retrieved 5 February 2011.
  12. "Backdoor.Lanfiltrator". Symantec, date undisclosed. http://www.symantec.com/security_response/writeup.jsp?docid=2002-121116-0350-99. Retrieved 5 February 2011.
