A remote administration tool (or RAT) is a program that allows certain persons to connect to and manage remote computers over the Internet or across a local network. A remote administration tool is based on server and client technology. The server part runs on the controlled computer and receives commands from the client, which is installed on another remote host. A remote administration tool works in the background and hides from the user. The person who controls it can monitor the user’s activity, manage files, install additional software, control the entire system including any present application or hardware device, modify essential system settings, and turn off or restart the computer.
Remote administration tools are divided into malicious and legitimate applications. Parasitical RATs, also known as remote administration trojans, are analogous to backdoors and have very similar functionality. However, they are not viral, do not propagate by themselves and usually do not carry additional destructive functions or other dangerous payload. These parasites do not work on their own and must be controlled by the client.
Legitimate remote administration tools are commercial products aimed mostly at system administrators. Their main purpose is to allow authorized personnel to remotely control and fix users’ computers. Nevertheless, legitimate RATs have practically the same functionality as parasitical programs and therefore can be used for malicious purposes just as easily.
Remote administration tools are not like regular computer viruses. Their server parts must be installed on the affected system like any other software, with or without the user’s consent. There are two major ways unsolicited RATs can get into a system.
1. A legitimate remote administration tool can be installed manually by a system administrator or any other user who has sufficient privileges to install software. A hacker can also break into the system and set up their own RAT. In both cases a privacy threat gets installed without the affected user’s knowledge and consent.
2. Malicious remote administration tools are installed by other parasites like viruses, backdoors or worms. Often they are dropped by specific trojans, which get into the system through Internet Explorer ActiveX controls or by exploiting certain web browser vulnerabilities. Their authors run insecure web sites filled with malicious code or distribute unsafe advertising pop-ups. Whenever the user visits such a site or clicks on such a pop-up, harmful scripts instantly install a trojan. The user cannot notice anything suspicious, as the threat displays no setup wizards, dialogs or warnings.
Widely spread malicious remote administration tools affect mostly computers running the Microsoft Windows operating system. However, many less prevalent parasites are designed to work under different environments.
- Allows the intruder to create, delete, rename, copy or edit any file, execute various commands, change any system setting, alter the Windows registry, run, control and terminate applications, and install arbitrary software or parasites.
- Allows the attacker to control computer hardware devices, modify related settings, and shut down or restart the computer without asking for user permission.
- Allows the malicious person to monitor user activity and steal passwords, login names, personal documents, identity details and other sensitive information.
- Captures screenshots of user activity and transfers them to the intruder.
- Degrades Internet connection speed and overall system performance, decreases system security and causes software instability. Some parasitical RATs are badly programmed; they waste computer resources and conflict with installed applications.
- Provides no uninstall feature and hides processes, files and other objects in order to complicate its removal as much as possible.
There are thousands of different remote administration tools. The following examples illustrate how powerful and extremely dangerous these threats can be.
Remote Config is a legitimate remote administration tool used by system administrators to modify essential networking settings of remote systems. Remote Config can change the IP address, DNS address, computer name, default gateway, etc. It can also shut down or restart a computer.
Back Orifice is an infamous malicious remote administration tool that allows the intruder to do practically anything with a compromised computer. This tool has a massive amount of dangerous functions and leaves the victim completely unprotected and disorientated. Back Orifice can be used to manage files, run and install applications, terminate defined processes, modify essential system and networking settings, control the operating system, installed software and hardware devices, log keystrokes, take screenshots, capture video or audio, steal passwords, etc. This remote administration tool supports plugins and therefore can be given additional functionality.
Beast is just another virus, which belongs to a huge family of Remote Administration Tools. The author of this threat is a known hacker called Tataye. As far as is known, the first versions of Beast appeared from April 2001 to March 2004. This threat is written in Delphi and is compressed with ASPack.
A remote administration tool allows the attacker to work with an infected computer in the same way as with his own PC and use it for various malicious purposes or even criminal offences. The responsibility for such activity often falls on the innocent users on whose systems malicious RATs were installed, since in most cases it is very hard to find out who was controlling the parasite.
Practically all remote administration tools are very difficult to detect. They can violate user privacy for months or even years before the user notices them. The malicious person can use a RAT to find out everything about the user and obtain and disclose valuable information like the user’s passwords, login names, credit card numbers, exact bank account details, valuable personal documents, contacts, interests, web browsing habits and much more.
Any remote administration tool can be used for destructive purposes. If the hacker was unable to obtain any valuable and useful information from an infected computer, or has already stolen it, he may eventually destroy the entire system in order to wipe out his tracks. This means that all hard disks would be formatted and all the files on them unrecoverably erased.
Parasitical remote administration tools can be detected and removed with the help of effective antivirus products like Symantec Norton AntiVirus, Kaspersky Anti-Virus, McAfee VirusScan, eTrust EZ Antivirus, Panda Titanium Antivirus and AVG Anti-Virus. Some advanced spyware removers, which are able to scan the system in a similar way to antivirus software and have extensive parasite signature databases, can also detect and remove certain remote administration tools and related components. Powerful anti-spyware solutions such as Microsoft AntiSpyware Beta, Spyware Doctor, Ad-Aware SE, SpyHunter or eTrust PestPatrol are known for reasonably good RAT detection and removal capabilities.
In some cases even an antivirus or spyware remover can fail to get rid of a particular remote administration tool, especially a legitimate one that is being used for malicious purposes. That is why there are Internet resources such as 2-Spyware.com, which provide manual malware removal instructions. These instructions allow the user to manually delete all the files, directories, registry entries and other objects that belong to a parasite. However, manual removal requires fair system knowledge and therefore can be a quite difficult and tedious task for novices.
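Manual removal starts with finding the objects that belong to the parasite, and a RAT server that survives a reboot has to register itself somewhere the operating system will start it from. The following PowerShell triage script is an added example and is not code from the original article or from 2-Spyware.com: it inventories the common Windows autostart locations (the Run and RunOnce registry keys and installed services), and reports any entry whose executable is missing, lives outside the Windows and Program Files folders, or lacks a valid Authenticode signature. The registry paths and cmdlets are standard Windows ones; the folder-based and signature-based heuristics are the example's own assumptions about what deserves a closer look. The script only reads; it deletes nothing.

```powershell
# Added example (not part of the original article): read-only inventory of
# Windows autostart locations, flagging entries worth investigating by hand.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Metadata properties PowerShell adds to every registry value set; not real entries.
$psMetadata = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Pull the executable path out of a command line such as
#   "C:\Users\x\AppData\Roaming\svc.exe" /silent   or   C:\Tools\a b\c.exe -k
function Get-ExePath([string]$CommandLine) {
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

# Heuristics (assumptions of this example): a binary that is missing, that sits
# outside the system folders, or that is not validly signed merits a closer look.
function Test-Suspicious([string]$Path) {
    $reasons  = @()
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $expanded)) { return @('file missing') }

    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ }
    $inTrusted = $trusted | Where-Object { $expanded.StartsWith($_, 'OrdinalIgnoreCase') }
    if (-not $inTrusted) { $reasons += 'outside Windows/Program Files' }

    $sig = Get-AuthenticodeSignature -LiteralPath $expanded
    if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    return $reasons
}

$findings = @()

# 1. Registry Run/RunOnce keys for the machine and the current user.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psMetadata -contains $p.Name) { continue }
        $exe = Get-ExePath $p.Value
        $why = Test-Suspicious $exe
        if ($why) {
            $findings += [pscustomobject]@{
                Source = $key; Name = $p.Name; Path = $exe; Reason = ($why -join '; ')
            }
        }
    }
}

# 2. Services, the other classic place a RAT server hides as a "system" component.
foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName) { continue }
    $exe = Get-ExePath $svc.PathName
    $why = Test-Suspicious $exe
    if ($why) {
        $findings += [pscustomobject]@{
            Source = 'Service'; Name = $svc.Name; Path = $exe; Reason = ($why -join '; ')
        }
    }
}

$findings | Sort-Object Source, Name | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys and all services are readable. Treat the output as a list of things to verify, not a verdict: a legitimate, correctly signed remote administration tool that someone installed without the user's consent will pass the signature check, which is exactly the case the article notes antivirus products can miss, so an unexpected entry that is signed still deserves the same manual review as an unsigned one. Scheduled tasks, WMI subscriptions and browser add-ons are further autostart locations the script does not cover.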