WAYS OF INFECTION
Remote administration tools (RATs) are not like ordinary computer viruses: their server component has to be installed on the affected system like any other software, with or without the user’s consent. There are two main ways an unsolicited RAT gets onto a system.
1. A legitimate remote administration tool can be installed manually by a system administrator or by any other user with sufficient privileges to install software. Alternatively, an attacker who has already broken into the system can set up a RAT of their own. In both cases a privacy threat is installed without the affected user’s knowledge or consent.
2. Malicious remote administration tools are installed by other parasites such as viruses, backdoors or worms. Often they are dropped by dedicated trojans that get onto the system through Internet Explorer ActiveX controls or by exploiting web browser vulnerabilities. Their authors run web sites loaded with malicious code or distribute unsafe advertising pop-ups; whenever the user visits such a site or clicks on such a pop-up, the embedded scripts silently install the trojan. The user notices nothing suspicious, because the threat shows no setup wizard, dialog or warning.
The most widespread malicious remote administration tools mostly affect computers running the Microsoft Windows operating system. However, many less prevalent parasites are designed for other environments.
WHAT DOES A REMOTE ADMINISTRATION TOOL DO?
- Allows the intruder to create, delete, rename, copy or edit any file, execute arbitrary commands, change any system setting, alter the Windows registry, run, control and terminate applications, and install arbitrary software or parasites.
- Allows the attacker to control hardware devices, modify their settings, and shut down or restart the computer without asking the user’s permission.
- Allows the malicious person to monitor user activity and steal passwords, login names, personal documents, identity details and other sensitive information.
- Captures screenshots of user activity and transfers them to the intruder.
- Degrades Internet connection speed and overall system performance, weakens system security and causes software instability. Some parasitical RATs are badly programmed: they waste computer resources and conflict with installed applications.
- Provides no uninstall feature and hides its processes, files and other objects in order to make removal as difficult as possible.
EXAMPLES OF REMOTE ADMINISTRATION TOOLS
There are thousands of different remote administration tools. The following examples illustrate how powerful and dangerous these threats can be.
RemoteStorm is a dangerous RAT parasite that gives the remote attacker full unauthorized access to the user’s computer. The threat can wipe all data from the hard disks, manage files, record keystrokes, restart or shut down the computer, take screenshots, display messages and modify critical system settings. It can also download and run software and steal system information. RemoteStorm consists of a client and a server; the server runs on the infected system and receives commands from the attacker.
Remote Config is a legitimate remote administration tool used by system administrators to modify essential networking settings on remote systems. Remote Config can change the IP address, DNS address, computer name, default gateway and so on. It can also shut down or restart a computer.
Back Orifice is an infamous malicious remote administration tool that lets the intruder do anything they want with a compromised computer, and more. It has a massive set of dangerous functions and leaves the victim completely unprotected and disoriented. Back Orifice can be used to manage files, run and install applications, terminate chosen processes, modify essential system and networking settings, control the operating system, installed software and hardware devices, log keystrokes, take screenshots, capture video or audio, steal passwords, and so on. It supports plugins, so its functionality can be extended further.
CONSEQUENCES OF A RAT INFECTION
A remote administration tool lets the attacker operate an infected computer as if it were their own PC and use it for various malicious purposes or even criminal offences. The blame for such activity usually falls on the innocent users whose systems the malicious RATs were installed on, because in most cases it is very hard to find out who was controlling the parasite.
Practically all remote administration tools are very difficult to detect. They can violate the user’s privacy for months or even years before the user notices them. The malicious person can use a RAT to find out everything about the user and to obtain and disclose valuable information such as passwords, login names, credit card numbers, exact bank account details, personal documents, contacts, interests, web browsing habits and much more.
Any remote administration tool can be used for destructive purposes. If the hacker was unable to obtain any valuable information from an infected computer, or has already stolen it, they may eventually destroy the entire system to wipe out their tracks. This means that all hard disks would be formatted and all files on them unrecoverably erased.
HOW TO REMOVE A REMOTE ADMINISTRATION TOOL?
Parasitical remote administration tools can be detected and removed with the help of effective antivirus products such as Symantec Norton AntiVirus, Kaspersky Anti-Virus, McAfee VirusScan, eTrust EZ Antivirus, Panda Titanium Antivirus and AVG Anti-Virus. Some advanced spyware removers, which scan the system in a similar way to antivirus software and have extensive parasite signature databases, can also detect and remove certain remote administration tools and their related components. Powerful anti-spyware solutions such as Microsoft AntiSpyware Beta, Spyware Doctor, Ad-Aware SE or eTrust PestPatrol are known for quite fair RAT detection and removal capabilities.
In some cases even an antivirus or spyware remover can fail to get rid of a particular remote administration tool, especially a legitimate one that is being used for malicious purposes. That is why Internet resources such as 2-Spyware.com provide manual malware removal instructions. These instructions allow the user to manually delete all the files, directories, registry entries and other objects that belong to a parasite. However, manual removal requires fair system knowledge and can therefore be a difficult and tedious task for novices.
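Manual removal starts with finding the objects that belong to the parasite: the autostart registry entries that relaunch the server component at logon, the process that holds its listening socket, and any service it installed itself as. The following read-only triage script is an added example, not code from the original article or from 2-Spyware.com; it lists those three things so they can be reviewed before anything is deleted. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (Get-NetTCPConnection does not exist on older versions), uses the standard Run/RunOnce registry keys, and the function names (Get-AutostartEntries, Get-ListeningProcesses, Get-UnsignedServices) are this example’s own.

```powershell
# Added example, not part of the original article: a read-only triage script
# that lists the places a manual RAT removal typically has to inspect.
# Assumptions: elevated PowerShell on Windows 8 / Server 2012 or later;
# the Run/RunOnce keys below are the standard Windows autostart keys.
# Nothing is modified or deleted; the output is meant to be reviewed first.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    # Every value under the Run/RunOnce keys is a command executed at logon;
    # a RAT server that survives a reboot usually registers itself in one of them.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty attaches PSPath/PSParentPath/... metadata; skip it.
            if ($prop.Name -like 'PS*') { continue }
            [PSCustomObject]@{ Location = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }
}

function Get-ListeningProcesses {
    # A RAT server waits for the attacker's client, so it normally holds a
    # listening socket. Map each listening TCP endpoint to its owning process.
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Path         = if ($proc -and $proc.Path) { $proc.Path } else { '<unknown>' }
        }
    }
}

function Get-UnsignedServices {
    # Services whose binary carries no valid Authenticode signature deserve a
    # closer look; this proves nothing by itself, it only narrows the list.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        # PathName may be quoted and may carry arguments; keep only the .exe path.
        $exe = $_.PathName -replace '^"([^"]+)".*$', '$1'
        $exe = $exe -replace '^(.+?\.exe)\b.*$', '$1'
        if (-not (Test-Path -LiteralPath $exe)) { return }
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') {
            [PSCustomObject]@{
                Service   = $_.Name
                State     = $_.State
                Path      = $exe
                Signature = $sig.Status
            }
        }
    }
}

'== Autostart registry entries =='
Get-AutostartEntries | Format-Table -AutoSize
'== Listening TCP endpoints and their owning processes =='
Get-ListeningProcesses | Sort-Object LocalPort | Format-Table -AutoSize
'== Services whose executable is not validly signed =='
Get-UnsignedServices | Format-Table -AutoSize
```

An entry that appears in all three lists (an unsigned binary, started from a Run key, holding a listening port) is the kind of object the manual removal instructions tell the user to delete; an entry that appears in only one is a prompt to look closer, not a verdict. Legitimate remote administration software used maliciously, the case where scanners most often fail, will usually be validly signed, so for it the autostart and listening-port lists carry more weight than the signature check.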