Is your PC at risk from a Remote Access Trojan (RAT)? In this article, we’ll explain exactly what RATs are, how to avoid them, and some of the best tools you can use to remove them.
If you think your network or computer may be compromised by a Remote Access Trojan, you should take action fast. RATs give an attacker more access to your computer than just your average virus.
Computers infected with RATs allow the hacker to capture your keystrokes, turn on your webcam, take control of your mouse, and even encrypt all of your files.
Here is a shortlist of some of the best software tools for detecting, preventing, and removing Remote Access Trojans:
- SolarWinds Security Event Manager (FREE TRIAL) provides advanced threat protection against some of the most persistent RATs on the web. SEM can even take automated action to clean and remove any RATs found on infected computers.
- MalwareBytes Anti-Malware can remove most of some of the most common threats found online. MBAM is available for both home users and business environments.
- Snort can provide system administrators and technicians with extremely detailed information on attempted RAT attacks, as well as identify which machines might be infected or vulnerable to an attack.
What exactly is a Remote Access Trojan, or RAT?
You can think of RATs as a significantly more dangerous version of a keylogger, where attackers can not only see exactly what you’re doing but also create more backdoors for themselves if one should be discovered.
Remote Access Trojans are about as intrusive as a computer virus can get. Most RATs now can capture screenshots, record video, access your webcam, transfer files, and even use your own internet connection for illegal activity.
What makes RATs even more dangerous is that they can vary in complexity depending on the attacker. Some Remote Access Trojan tools come premade and are sold to average people who want to carry out attacks. Some RATs are so complex that they can change their identity as they infect other machines.
Researchers have even found evidence that Remote Access Trojans are used by governments to conduct mass surveillance and espionage against other countries. No matter which RAT you might find, none of them are good.
A brief history on Remote Access Trojans
While no one is certain when the first RAT was created, Remote Access Trojans increased in popularity in the early 2000s. During this time, many people didn’t have adequate antivirus or knowledge on how viruses spread across the internet. RATs such as Back Orifice, SubSeven, and Poison-Ivy plagued computers who were susceptible to infection.
One of the most dangerous parts of these programs was that it didn’t take a lot of technical knowledge to use them. RATs like SubSeven provided an easy to use interface with buttons that allowed the attacker to download passwords, run commands, or even flip your screen upside down. The development of these ‘toolkits’ allowed hackers to not only profit from the information they were stealing, but also make money from selling the very RATs they were using.
This process evolved, and the threat landscape is much different. Multi-million dollar markets now exist where tools such as Remote Access Trojans are bought and sold to private entities and hostile organizations. Information stolen from victims is sold on the dark web, and new ways to hide RATs are constantly being tested.
Today RATs are much more sophisticated and are used primarily by nation-states and organized crime groups to steal sensitive information. Instead of the cruel joke viruses we saw in the late 90s, today we see RATs that go out of their way to remain undetected to try and steal as much information as possible.
How do I know If I’m infected with a Remote Access Trojan?
RATs can be difficult to detect, especially if your antivirus software has already missed the infection. Depending on the operators of the trojan, it could be close to impossible to detect a stealthy RAT infection without proper scanning. Here are a few of the most common signs of infection.
- Strange files appearing on your desktop
- Webcams turning themselves on for no apparent reason
- Slowness opening files and programs
- Antivirus software continuously crashing or very slow
- Web pages not loading or redirecting to other sites
Since RATs are so highly customizable you may experience some or none of these symptoms. At the end of the day, prevention is the easiest way to stop a RAT.
How did I get infected with a RAT?
It’s very rare that a Remote Access Trojan gets installed without someone downloading a file, or clicking on a link. Most attacks use social engineering to trick users into clicking on a link or downloading an attachment that initiates the infection of a RAT.
Since toolkits are now available, there have been more reports of average people using RATs for criminal activity. Students have been caught using RATs in school to hack teachers and try to alter their grades, while spouses may try to infect their significant others to spy on their online activity.
By far the most common method of infection has been through the use of email attachments. Attacks known as spear-phishing campaigns send emails pretending to be someone the victim knows or trusts in an attempt to get them to open the email, and ultimately the attachments.
Some of the most common emails are disguised as invoices, POs, or another business-related document that requires verification. Some attackers will use the fear of an outstanding balance to trick users into clicking on the attachment without thinking or using good judgment.
When the innocent-looking MS Word document is clicked, malicious VBA macros install the Remote Access Trojan, which quickly installs several backdoors and buries itself in the user’s registry files and startup processes.
Here are a few ways you can prevent getting infected with a Remote Access Trojan:
- Have a trusted antivirus installed that can prevent and remove RATs
- Don’t open email attachments from people you don’t know
- Configure your firewall to block attachments with VBA scripts
- Do not click on links in emails unless you are sure you know who they are from
- Lockdown physical access to your computer
- Be cautious of unsolicited phone calls urging you to install programs or contact support
- Use Two Factor Authentication for sensitive websites.
I think I’m infected with a RAT. Now what?
If you believe you or your network has been infected, you must assume all information on those machines has been compromised. Users should update any credentials they may have used on the infected machines from a PC that is clean and off the network. Potential victims should monitor their bank accounts, credit reports, and financial accounts for any suspicious activity.
System administrators should install a trusted tool to clean the infected machines, or wipe them completely and pull from a known good incremental backup. If your organization utilizes a SIEM tool it may be possible to track down the source of the infection through a forensic investigation. This can help you understand exactly how your network was compromised, as well as shed light on if the attack was from an inside threat.
The Best RAT Detection Software
Let’s take a more detailed look at a few tools that can help detect, prevent, and remove Remote Access Trojans.
SolarWinds Security Event Manager (SEM) is a comprehensive security software designed to stop Remote Access Trojans in their tracks before they even get a chance to execute. This is done through a combination of network-level monitoring and automated threat remediation.
While most tools of this caliber come with a steep learning curve, Security Event Manager packages this protection into preconfigured dashboards, easy to customize widgets, and wizards that make getting started simple. That means even if you’re unsure if your network is already compromised, SEM can get to work right away by identifying behavior that is indicative of a Remote Access Trojan infection.
You can customize automated responses to specific threats on your network. If a user account is showing signs of infection, you can tell SEM to automatically disable that user account and isolate that machine from the network.
If you don’t want to build your own, you can choose from hundreds of different prebuilt correlation templates that identify just about any type of threat you can imagine. These automated actions help take the burden off your help desk team and help your administrators be more proactive in their incidence response and overall security posture.
File monitoring inside of SEM can identify and stop files from running code, or detect when a file is behaving suspiciously. This includes harmless-looking files that could potentially harbor malicious RAT laden code.
In addition to real-time reporting, you can also configure alerts to be sent out based on a threshold or condition. This ensures the right people are only notified when absolutely necessary. Notifications can be sent via text, email, or third party integration such as Slack.
When it comes to preventing RATs and other advanced persistent threats, SolarWinds Security Event Manager is one of the most effective and easy to use tools for MSPs and corporate networks. You can test out SolarWinds SEM for free through a 30-day trial.
MalwareBytes Anti-Malware or MBAM for short has come a long way in protecting both home users and businesses alike. Years ago you would need another tool to use with MBAM to stop threats like RATs and Rootkits, but today this protection is all in one program.
The premium version of the software proactively waits on individual machines monitoring for suspicious or known threats. When a file tries to do something suspicious, or a RAT attempts to execute its payload, MBAM automatically kicks into gear and kills the process from ever executing.
For RAT threats that involve links to websites or drive-by downloads, MalwareBytes has active web protection that uses signatureless anomaly detection and a database of known bad actors. This combination of prevention leads to more real threats getting blocked, and less false positives you have to whitelist and allow through.
While most antivirus programs are resource-intensive, MBAM has a very small footprint and uses very little of the local machine’s resources when not running a full scan. It even comes with a ‘play mode’ that stops non-critical notification from alerting you when you’re playing a game or watching a fullscreen movie.
MalwareBytes is available for both Windows, macOS, and Android but can only stop ransomware and exploit attacks in the Windows version. MBAM is available for free and automatically includes a 14-day trial of its premium edition.
Snort is a well-known network intrusion and prevention system that is completely open-source and community-driven. With over five million downloads, Snort is arguably one of the most widely deployed IPS’s in the field. Snort works by ‘snorting’ up traffic on a network and analyzing its behavior, context, and contents to identify hard to find threats, including Remote Access Trojans.
The platform is rule-based and uses something called ‘Snort rules’ to identify, judge, and direct traffic. One of the best parts of Snort is that all of these rules are highly configurable and can be traded amongst other Snort users via their community forums. Rulesets can be made to specifically identify and weed out RATs, along with dozens of other threats and exploits.
Snort is one of the most flexible and comprehensive systems you can use to stop malicious traffic, however, it does come with a steep learning curve and is not something an average user can deploy. Snort is ideally for network and security professionals who have the time and willingness to invest in an open-source security solution.
RATs are difficult to detect, but a lot easier to prevent. If you don’t have adequate protection against these online pests, consider spending some time to ensure your PC and network is secure.
Have you ever been infected with a Remote Access Trojan? If so, how did you get rid of it? Let us know your experience in the comments below.