Remote access tool 2023
In this article we will learn about remote access tools and their malicious counterpart, Remote Access Trojans (RATs).
What is a Remote Access Tool?
A Remote Access Tool is software used to remotely access or control a computer. System administrators legitimately use such tools to manage client computers. When the same capability is installed and used for malicious purposes, without the victim's knowledge, the software is called a Remote Access Trojan (RAT). Most popular RATs are capable of keylogging, screen and webcam capture, file access, code execution, registry manipulation, password sniffing, and more.
RAT is also used as a synonym for a backdoor consisting of a client program (run by the attacker) and a server program (run on the victim). A server component installed on a compromised system without its owner's knowledge is what makes the tool a remote access Trojan.
Remote Administration Trojans infect a victim's computer to gain administrative access. They are commonly bundled with pirated software, cracks and game patches, or delivered as email attachments. Once installed, the RAT performs unauthorized operations while hiding its presence on the infected system. The attacker can control the system remotely and collect keystroke logs, webcam images, audio recordings, screenshots, and so on.
RATs usually hide their presence by changing their file name, size, and often their behavior or encryption methods; this helps them evade antivirus, firewalls, IDS/IPS and other defenses. Beyond remote access, some RATs act as a backdoor through which further viruses, worms, spyware or adware are installed. Infected machines can then serve as bots or zombies in attacks on other machines, including DDoS.
RAT detection
RATs can be avoided by verifying each piece of software before installation against the vendor's published program signatures (code signatures or checksums). Such signatures may be available from product vendors, but enforcing this practice consistently across an organization is difficult. In addition, RATs use various levels of obfuscation to hide their characteristics from detection systems, and they are often embedded in legitimate software or distributed as patches or updates, which makes them harder to catch.
Host-based and network-based detection methods can be correlated for more reliable RAT detection. In host-based detection, unique RAT characteristics (file name, size, checksum and other identifying features) are stored in a database; new programs are scanned against it, and a matching pattern identifies the program as a RAT. Startup files, registry keys, autostart entries and configuration scripts can also be monitored, and unusual changes there are a further sign of a RAT.
In network-based detection, network communication is monitored for deviations from normal usage. Ports can be watched for unexpected activity, the protocol headers of packets exchanged between systems can be analyzed, and RAT traffic patterns (for example, periodic check-ins to a fixed remote host and port) can be distinguished from legitimate traffic.
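The host-based approach described above, as an added example that is not part of the original article: a small indicator database keyed by checksum (strong, survives renaming) and file name (weak, survives repacking), a scan of a scratch directory, and a review of autostart entries. The file contents, hashes and registry entries are constructed for the demo; the only real-world names used are ali.exe and bo2k.exe, which this page itself mentions.

```python
"""Host-based RAT indicator scan: hash/name lookups plus autostart review.

Added example, not code from the original article. The indicator database,
file contents and registry entries are constructed for the demo.
"""
import hashlib
import ntpath
import os
import re
import tempfile

# Hypothetical "RAT server" bytes used to seed the hash database.
SAMPLE_RAT_BYTES = b"MZ\x90\x00" + b"constructed RAT server stub " * 4


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Checksum is the strong indicator (survives renaming); file name is a weak
# hint (survives repacking, but also collides with benign files).
RAT_DB = {
    "by_hash": {sha256_of(SAMPLE_RAT_BYTES): "constructed RAT sample"},
    "by_name": {"ali.exe": "Bandook default server name",
                "bo2k.exe": "Back Orifice 2000 server"},
}


def scan_files(root: str) -> list:
    """Walk root and return (path, match_kind, label) for every indicator hit."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = sha256_of(fh.read())
            if digest in RAT_DB["by_hash"]:
                findings.append((path, "hash match", RAT_DB["by_hash"][digest]))
            elif name.lower() in RAT_DB["by_name"]:
                # Known name but unknown content: repacked variant or benign
                # collision, so report it for triage, not as a confirmed hit.
                findings.append((path, "name match only", RAT_DB["by_name"][name.lower()]))
    return findings


USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|programdata|users\\public)\\", re.I)
EXE_IN_CMD = re.compile(r'^"?([^"]+?\.(?:exe|dll|scr|bat|vbs|js))"?', re.I)


def check_autostart(entries: list) -> list:
    """entries: (registry_key, value_name, command). Returns (entry..., reason)."""
    suspicious = []
    for key, value, cmd in entries:
        m = EXE_IN_CMD.match(cmd.strip())
        if not m:
            suspicious.append((key, value, cmd, "cannot parse executable path"))
            continue
        exe = m.group(1)
        base = ntpath.basename(exe).lower()  # ntpath so this also works on Linux
        if USER_WRITABLE.search(exe):
            suspicious.append((key, value, cmd, "autostart from user-writable location"))
        elif base in RAT_DB["by_name"]:
            suspicious.append((key, value, cmd, "known RAT filename"))
        elif base.count(".") > 1:
            suspicious.append((key, value, cmd, "double extension"))
    return suspicious


# Constructed Run-key entries: one legitimate, three suspicious.
AUTOSTART_SAMPLE = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "WindowsUpdate",
     r"C:\Users\bob\AppData\Roaming\svchost.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Adobe",
     r"C:\Windows\System32\ali.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Photo",
     r'"C:\Windows\photo.jpg.exe"'),
]


def demo():
    """Build a scratch tree with three constructed files and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "System32"))
        # Renamed copy of the known sample: still caught by checksum.
        with open(os.path.join(root, "System32", "svchost.exe"), "wb") as fh:
            fh.write(SAMPLE_RAT_BYTES)
        # Same default name as Bandook's server, different (repacked) content.
        with open(os.path.join(root, "ali.exe"), "wb") as fh:
            fh.write(b"MZ\x90\x00 different packer output")
        with open(os.path.join(root, "notepad.exe"), "wb") as fh:
            fh.write(b"MZ\x90\x00 benign")
        files = scan_files(root)
    return files, check_autostart(AUTOSTART_SAMPLE)


if __name__ == "__main__":
    files, autoruns = demo()
    for hit in files + autoruns:
        print(hit)
```

The renamed copy is caught only because the checksum, not the name, is the primary key; the repacked ali.exe is surfaced as a weak name hit for triage, which is exactly the gap a hash-only database leaves and why the autostart review matters as a second signal.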
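The network-based approach, as an added example that is not from the original article: two heuristics run over flow records, a beaconing detector (regular inter-connection timing to one host and port) and a baseline of expected destination ports, then correlated so that a conversation flagged by both is reported with high confidence. The flow log uses documentation IP ranges and is constructed; port 1177 is the njRAT control port mentioned later on this page, and the port baseline is an assumption for the demo.

```python
"""Network-based RAT detection heuristics over flow records.

Added example, not from the original article. The flow log is constructed
(documentation IP ranges) and the expected-port baseline is an assumption.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: "timestamp_seconds,src,dst,dport,proto,bytes".
SAMPLE_FLOWS = """\
0,10.0.0.5,203.0.113.10,443,tcp,5120
7,10.0.0.5,203.0.113.10,443,tcp,8840
13,10.0.0.5,10.0.0.2,53,udp,90
60,10.0.0.5,198.51.100.7,1177,tcp,312
120,10.0.0.5,198.51.100.7,1177,tcp,318
180,10.0.0.5,198.51.100.7,1177,tcp,310
240,10.0.0.5,198.51.100.7,1177,tcp,315
300,10.0.0.5,198.51.100.7,1177,tcp,311
301,10.0.0.5,203.0.113.10,443,tcp,7300
412,10.0.0.5,203.0.113.10,443,tcp,2200
"""

# Assumed baseline of ports this host is expected to talk to.
EXPECTED_PORTS = {25, 53, 80, 123, 443, 587, 993}


def parse_flows(text: str) -> list:
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto, nbytes = line.split(",")
        flows.append({"ts": float(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def detect_beacons(flows: list, min_count: int = 4, max_jitter: float = 0.2) -> dict:
    """Return {(src, dst, dport): period_seconds} for regularly timed conversations.

    Jitter is the coefficient of variation of the gaps between connections:
    a human browsing session has a high one, a sleep()-driven check-in loop a low one.
    """
    by_conv = defaultdict(list)
    for f in flows:
        by_conv[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    beacons = {}
    for conv, stamps in by_conv.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[conv] = period
    return beacons


def unusual_ports(flows: list, expected: set = EXPECTED_PORTS) -> set:
    """Destination (host, port) pairs outside the expected baseline."""
    return {(f["dst"], f["dport"]) for f in flows if f["dport"] not in expected}


def report(text: str) -> dict:
    """Run both heuristics and correlate them."""
    flows = parse_flows(text)
    beacons = detect_beacons(flows)
    odd = unusual_ports(flows)
    return {
        "beacons": beacons,
        "unusual_ports": odd,
        # Regular timing AND a port outside the baseline: worth an analyst's time.
        "high_confidence": [c for c in beacons if (c[1], c[2]) in odd],
    }


if __name__ == "__main__":
    for k, v in report(SAMPLE_FLOWS).items():
        print(k, v)
```

The 443 conversation has as many flows as the 1177 one but irregular gaps, so only the check-in loop is reported; a RAT that beacons on 443 would still trip the timing heuristic, which is why the two signals are kept separate and only combined for the confidence ranking.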
Types of RATs
Back Orifice 2000
Back Orifice 2000 (BO2K) was released in July 1999 at DEF CON 7, a hacker convention held in Las Vegas, Nevada. It was developed by the hacker group Cult of the Dead Cow (cDc).
BO2K is a client/server application that remotely controls a computer with a fixed Internet Protocol (IP) address while hiding its presence from the victim. Once installed, BO2K collects information, executes system commands, reconfigures the machine, and redirects network traffic to unauthorized services.
The server must be run on the victim's machine, typically by tricking the end user, after which it operates without the user's knowledge. BO2K consists of two separate components, a client and a server. The server part is an executable, usually named bo2k.exe.

BO2K has a configuration interface used to set up the functionality of the server: the server file to build, the network protocol (TCP or UDP), the port number, the encryption mechanism and the password used as the encryption key.

The BO2K client interface contains a server list showing the compromised servers, each with its name, IP address and connection information. Commands that collect data from the victim's machine are issued from the attacker's machine with the intended parameters, and responses are viewed in the Server Response window.
Bandook RAT
Bandook RAT can inject into processes, unhook APIs, and bypass the Windows firewall. The client can extend the server's functionality by sending it plugin code, and the server can hide itself by creating a process using the default browser.
Bandook was written in a mix of C++ and Delphi. It does not use any real cryptographic cipher; its traffic is merely obfuscated by XORing with a key. The server is installed in the Windows System32 folder, runs at startup, and establishes a connection back to the attacker's client, which listens for incoming connections on the configured port. The attacker can then execute server commands on the victim's computer. Spy features include a screen manager with remote clicking, a camera manager supporting multiple cameras, a live keylogger, a cache reader, screen recording and more.
The server component (28,200 bytes) is dropped under the Windows, System32, Program Files or Applications folders; its default name is ali.exe. Once running, it connects to the attacking client, which listens for incoming connections on a configurable port, allowing the attacker to execute arbitrary commands on the computer.
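Why XORing is obfuscation rather than encryption, as an added example that is not from the original article and does not reproduce Bandook's actual protocol: a repeating-key XOR encoder, and recovery of the key from a short known plaintext. The check-in message format, the 8-byte key and the hostname are hypothetical. The realistic part is the crib: a defender analyzing traffic from their own machine knows its hostname, and a RAT that sends it near the start of the message hands over the key.

```python
"""Repeating-key XOR as used by RATs that skip real cryptography, and why it fails.

Added example; the message format, key and hostname are hypothetical, not Bandook's.
"""
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Encode or decode: XOR with the same key is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_from_crib(ciphertext: bytes, crib: bytes, key_len: int) -> bytes:
    """Recover a key_len-byte key when the first key_len plaintext bytes are known."""
    if len(crib) < key_len:
        raise ValueError("crib shorter than key")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], crib[:key_len]))


def guess_key_len(ciphertext: bytes, crib: bytes) -> Optional[int]:
    """Smallest period whose derived key reproduces the whole crib.

    Needs a crib of at least twice the key length so that one full extra
    block confirms the period; returns None if no candidate fits.
    """
    for key_len in range(1, len(crib) // 2 + 1):
        key = key_from_crib(ciphertext, crib, key_len)
        if xor_bytes(ciphertext[:len(crib)], key) == crib:
            return key_len
    return None


# Constructed check-in a RAT server might send after connecting: a magic tag,
# the victim hostname, OS and a camera flag. Hypothetical format and values.
PLAINTEXT = b"BDK|DESKTOP-7F3A|Windows 10|cam=1|win=notepad.exe"
KEY = bytes.fromhex("5a13c47e01992bd0")  # 8-byte hypothetical key


def demo():
    """Encode the check-in, then recover key and plaintext from the crib alone."""
    ct = xor_bytes(PLAINTEXT, KEY)
    # The defender knows the tag and their own hostname: 16 bytes of crib.
    crib = b"BDK|DESKTOP-7F3A"
    key_len = guess_key_len(ct, crib)
    key = key_from_crib(ct, crib, key_len)
    return ct, key_len, key, xor_bytes(ct, key)


if __name__ == "__main__":
    ct, key_len, key, pt = demo()
    print("ciphertext:", ct.hex())
    print("key length:", key_len, "key:", key.hex())
    print("recovered :", pt)
```

Once the key is known, every later message in the session decodes with the same call, which is the practical difference from a real cipher: with Camellia or AES, knowing one plaintext does not reveal the key.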
ProRAT
ProRAT is a remote access Trojan with a client-server architecture. It opens a port on the victim's computer through which the attacker can execute various commands. It can record keystrokes, steal passwords, take screenshots, view the webcam, download and run files, and more.
It has features that let it evade antivirus and firewall software and run quietly in the background. It can also disable and remove system restore points, remove security software, display fake error messages, and so on.
Sub7 RAT
Sub7 runs on the victim's machine undetected and without authorization. It worked on Windows 9x through Windows XP. Sub7 shares the same architecture as other RATs and lets the attacker execute server-side commands to gain access and information.
One distinguishing feature of Sub7 is its client-side "directory", which tells the controller whether the target computers are currently online. The server program can also be customized before delivery using the so-called server editor. The best-known Sub7 incident involved a hacker distributing an email that tricked users into downloading the RAT, compromising their machines.
njRAT
njRAT is thorough in its data-stealing capabilities. Besides a keylogger, its variants can access the computer's camera, steal credentials stored in browsers, open reverse shells, steal files, manipulate processes, and view the user's desktop.

The malware is delivered via spear-phishing emails or drive-by downloads. Attackers also inject it into other applications such as the L517 Word List Generator; the malware is packed and obfuscated with a number of tools to avoid detection by security software.
Once a victim is infected, the malware can also scan for other computers on the same network, looking for further vulnerable machines. njRAT is a classic APT-style tool that uses this capability to move laterally within a network, aided by legitimate credentials and other data collected through its keylogging.
The malware stores keystrokes in a .tmp file and connects to its control server on port 1177, at an IP address registered in Gaza City, Palestine. A copy of the malware is stored in a second directory created by the attacker so that it runs again after a reboot. Once connected to the command and control server, it sends system information including the computer name, an attacker identifier, the system's location, operating system details, whether the computer has a built-in camera, and which windows are open.
Poison Ivy
Poison Ivy is a remote access tool with the features common to most Windows RATs: keylogging, screen capture, video capture, file transfer, system administration, password theft and traffic relaying.
The Poison Ivy builder kit lets attackers customize and build their own PIVY server, which is delivered as mobile code to a target that is compromised, usually through social engineering. Once the server starts on the compromised computer, it connects back to the PIVY client on the attacker's machine, giving the attacker control of the compromised system.
In 2011, attackers used Poison Ivy to compromise the security firm RSA and steal data about its SecurID authentication system. That same year, PIVY played a key role in the Nitro campaign, which targeted chemical manufacturers, government agencies, defense contractors and human rights groups. More recently, PIVY was the payload of an Internet Explorer zero-day exploit used in a strategic web compromise attack against visitors to a US government website and a number of others.
Poison Ivy communicates over TCP and encrypts its traffic with the Camellia cipher using a 256-bit key. The key is derived from the password the attacker sets when building the PIVY server, so the strength of the channel depends on that password.
Many hacker groups have used Poison Ivy against a wide range of targets worldwide, including a group called admin@338 that specializes in attacks on the financial services industry; th3bug, which has targeted universities and healthcare facilities since 2009; and the menuPass group, which has run cyber espionage campaigns against defense contractors over the past four years.

Organizational Policy Requirements for RATs
Remote administration tools are a great help in organizational IT work: employees in remote locations can access a computer and work as if they were on site. The following are organization-level policy requirements for using remote management tools.
- All remote access tools that allow communication to and from the Internet must require multi-factor authentication.
- Remote management tools must authenticate against the organization's Active Directory or LDAP directory, and the authentication protocol must include a challenge-response exchange.
- Remote access tools must support application-layer proxies rather than direct connections through the perimeter firewall.
- They must support strong end-to-end encryption of the remote access channel as specified in the Network Encryption Protocols Policy.
- Antivirus, data loss prevention and other security controls must not be disabled, interfered with or circumvented in any way.
- Remote management tools must be procured through the standard purchasing process and approved by the IT group.