Welcome to Ethical Hackers
[Reference] Self Help - Remote Administration Trojans (RATs)
04-24-2010, 09:45 PM
Post: #1
[Reference] Self Help - Remote Administration Trojans (RATs)
Hi, everyone.

This is an extract from a reference I was writing a few months ago. It was directed to White Hat Hackers in an attempt to educate them on RATs. There's a lot more to it, but I can't recover the whole guide at the moment, so I'll just post the midst of it.

4.0 - Remote Administration Trojans (RAT)

What is a Remote Administration Trojan?

A RAT or Remote Administration/Access Trojan/Tool (otherwise known as a Backdoor) is a form of malware used to gain control over someone's computer. This tool is most popular with the Black Hats and they're very common infections.

RATs are becoming extremely advanced these days, and they have the capability to completely destroy an unprotected computer. This is why it's important, as helpers, to know how to combat RATs.

RATs have features including keyloggers, the ability to steal passwords, open and close CD trays, disconnect external devices such as monitors, delete or edit files, turn on a webcam without the user knowing, edit and delete registry entries, disable security software, and much more. Basically, they're capable of doing anything - the same things you'd do as if you were sitting in a seat behind the computer.

For More Information On RATs

More information can be found on Remote Administration Trojans at these links.

4.1 - Remote Administration Trojan (RAT) Cleaning

In this section, we're going to look at the process of cleaning a system from a RAT infection. We'll look at how to identify a RAT and what distinguishes them from other infections. I'm also going to tell you about some malware scanners that are often used to clean RATs.

How To Recognize a RAT Infection

To recognize an infection, you'll need to analyze the symptoms the infected member is experiencing. With experience, you'll be able to apply your common sense and knowledge to determine, based on what has been said by the infected, whether or not the user has been infected by a RAT (or any other infection for that matter).

There are many things that you can look for to help determine whether or not you're dealing with a RAT, so I'm going to list some of them below. Before I do that, I'd like to alert you to some popular RAT names, just for quick reference.

Common RATs
  • Poison Ivy
  • Bifrost
  • ProRAT
  • Cerberus
  • Spy-Net
  • CyberGate
  • Turkojan
  • SubSeven
  • Albertino
Source: http://hackforums.net/showthread.php?tid=226219

Symptoms of RAT Infections
  • Unexplainable deletion of files.
  • Unexplainable editing of files.
  • CD Tray opening and closing, though not provoked.
  • Webcam randomly turning on.
  • Keylogging.
  • Cursor moving freely.
  • Blocked access to particular sites (usually security-based websites).
  • Random messages appearing.
  • Unknown files/documents being created.
  • Slow Internet speeds.
  • Unresponsive components (monitors being disabled).
  • Passwords being changed.
Please note that there are many more symptoms of RAT infection - these are just a few. It's important that you memorize these symptoms for when assisting members with their infections. If the infected member complains about experiencing one or several of these symptoms, you're going to have to know that it's most likely a RAT infection.

Because a RAT infection is, basically, someone controlling one's system from a remote location, common sense can tell you whether or not particular symptoms are going to be of relation to a RAT infection.

After Diagnosis - Cleaning

After you've confirmed that you're dealing with a RAT, you can go about removing it from the infected's computer. Now, there are many issues that can arise when removing RATs, and your recommendations won't always be right. This is why analyzing the symptoms is crucial.

General RAT Cleaning & Removal Tools

This section will address removing the basic, less advanced RAT. Obviously, you'll be able to get a sense of the ferocity of the infection, judging by what you've been told by the infected. If they reveal little more than the bare minimum necessary for you to deduce that they're infected by a RAT, you should do the following.
  • Ask the user for as much information as possible, including inquiring about all noticed symptoms. This will help you gain a better understanding of the infection.
  • Decide whether to offer the default removal recommendations or something more advanced. Once again, this will depend greatly on what you've been told. This is where assumptions are going to be necessary.
Thanks,
Harvey

HJT Trainee
Alias: Malware Boss
E-Mail: Harvey@ChannelHQ.com
MSN: Harvey@ChannelHQ.com
05-01-2010, 07:24 PM (This post was last modified: 05-01-2010 07:24 PM by Hero.)
Post: #2
RE: [Reference] Self Help - Remote Administration Trojans (RATs)
Very nice and clean reference on RATs. I am sure this will help people who don't know what RATs are or are just looking to extend their knowledge.
05-01-2010, 07:29 PM
Post: #3
RE: [Reference] Self Help - Remote Administration Trojans (RATs)
Some more symptoms you could add
  • taskbar hiding
  • taskmgr blocked
  • locked/reversed mouse buttons
  • random websites opening up
  • start button hiding

thinking of some more
05-01-2010, 07:31 PM
Post: #4
RE: [Reference] Self Help - Remote Administration Trojans (RATs)
@mitchz; those are some fun activities that RATs do. I doubt any professional RAT owner who is looking for money would use those.
05-01-2010, 08:14 PM (This post was last modified: 05-01-2010 08:14 PM by PerM.)
Post: #5
RE: [Reference] Self Help - Remote Administration Trojans (RATs)
Very nice guide, it will help people who don't know much about hacking. Btw, remember that when cleaning, the computer may not have access to the internet.
05-01-2010, 08:29 PM
Post: #6
RE: [Reference] Self Help - Remote Administration Trojans (RATs)
Thanks for posting this up, I've heard so much about RATs but I never knew what they actually were. This has really broadened my understanding on this topic.
05-01-2010, 11:25 PM
Post: #7
RE: [Reference] Self Help - Remote Administration Trojans (RATs)
Very good!
Thank you for posting this guide. It will help a lot of people, including me.
Now all I need to do is to find time to read it all once again.
05-02-2010, 01:02 AM
Post: #8
RE: [Reference] Self Help - Remote Administration Trojans (RATs)
It was a very nice guide.
Do these so-called RATs involve encryption of files?
Every week I scan my laptop in safe mode,
and yet some files are still not scanned because they are marked as blue.
My friend said it was either encrypted or password protected.
Could the administration tools I have read about help out?
05-02-2010, 02:14 AM
Post: #9
RE: [Reference] Self Help - Remote Administration Trojans (RATs)
Good share, bro! Will surely help people who are new to this stuff! :)
05-02-2010, 04:12 PM
Post: #10
RE: [Reference] Self Help - Remote Administration Trojans (RATs)
(05-01-2010 07:31 PM)Hero Wrote:  @mitchz; those are some fun activities that RATs do. I doubt any professional RAT owner who is looking for money would use those.

I know, but they are symptoms, right?

Ethical Hackers © 2012.