Introduction
A Remote Access Trojan (RAT) is a class of malware that gives an attacker covert surveillance capability, a persistent backdoor channel and full, unauthorized remote control of a victim's computer. With a RAT in place, attackers can remotely carry out a wide range of illegal activity on the machine, such as manipulating files and installing or removing programs.
Discovering RATs is not easy: they are designed to blend in, typically hiding among legitimate processes and consuming too few resources to slow the computer noticeably. Nevertheless, because a RAT must talk to its operator, incident response (IR) teams can discover it through network traffic analysis.
Before looking at how IR teams find RATs on a network, we need to understand how a RAT operates on the victim machine. This article covers both: how RATs operate and how they are discovered.
How do RATs work?
First, intruders get the RAT onto the victim machine, usually by tricking the user into running it: malicious links, crafted email attachments and infected torrent downloads are common delivery routes. Once installed, the RAT connects to the attacker's command-and-control (C2) server, which gives the attacker a remote session with the compromised computer(s). The design is a client-server architecture. In most modern RATs the implant on the victim acts as the client and initiates the connection outbound, so it passes through NAT and egress firewalls that would block an inbound connection, while the attacker's C2 server accepts the connection and relays commands.
Attackers also abuse legitimate remote-administration tools as their C2 channel. These tools might include Team Viewer, Ammyy Admin, LogMeIn and Go2Assist; their traffic to the vendors' relay servers looks like ordinary IT support activity, so it blends in with normal network use.
Discovering RATs
RATs are hard to spot on the host because in many cases they hide among legitimate processes and scheduled tasks rather than standing out, and they have little noticeable effect on the speed of the computer. What they do consume is the bandwidth of the internet connection: commands, check-ins and stolen data all have to cross the network.
RATs may be wily, but several network traffic analysis techniques can be used to discover them. Here are some helpful tips.
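Because a RAT must check in with its C2 server (the client-server exchange described above), the most reliable network-side tell is often the regularity of that check-in rather than its content, which may be TLS on port 443 just like legitimate traffic. The following Python script is an added example written for this article, not code from the original post or from Infosec Resources. It parses a constructed connection log (the line format, host names, addresses and intervals are all made up for illustration; the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges stand in for internet hosts) and flags source/destination pairs whose connection intervals are suspiciously regular, reporting the outbound byte count as well, since bandwidth is the one resource a RAT cannot avoid using.

```python
"""Detect RAT-style beaconing in a connection log by timing regularity.

Added example for this article, not code from the original post. The log
format (epoch seconds, source host, dest ip:port, bytes sent) and every host,
address and interval below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: ws01 checks in with 203.0.113.10:443 roughly every
# 60 s with a small heartbeat, interleaved with ordinary web traffic.
SAMPLE_LOG = """\
1700000000 ws01 198.51.100.5:443 5120
1700000003 ws01 203.0.113.10:443 312
1700000062 ws01 203.0.113.10:443 298
1700000070 ws01 198.51.100.7:443 40211
1700000124 ws01 203.0.113.10:443 305
1700000183 ws01 203.0.113.10:443 310
1700000190 ws01 198.51.100.5:443 8800
1700000244 ws01 203.0.113.10:443 301
1700000302 ws01 203.0.113.10:443 299
1700000320 ws02 198.51.100.5:443 5120
1700000400 ws02 198.51.100.9:443 7000
1700000900 ws02 198.51.100.5:443 5120
"""

# Address space we treat as internal; connections that stay inside it are
# not C2 candidates for this check. (Documentation ranges are deliberately
# NOT listed so the sample's stand-in "internet" hosts count as external.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_log(text):
    """Parse 'ts src dst_ip:port bytes' lines into tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, sent = parts
        ip, _, port = dst.rpartition(":")
        records.append((int(ts), src, ip, int(port), int(sent)))
    return records


def is_external(ip):
    """True when the destination is outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_beacons(records, min_conns=5, max_cv=0.2):
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.

    A RAT client polls its server on a timer, so the coefficient of variation
    (stdev / mean) of its inter-connection gaps is near zero. Human-driven
    traffic is bursty and scores high, so it is left alone.
    """
    by_pair = defaultdict(list)
    for ts, src, ip, port, sent in records:
        by_pair[(src, ip, port)].append((ts, sent))

    findings = []
    for (src, ip, port), conns in by_pair.items():
        if len(conns) < min_conns or not is_external(ip):
            continue
        conns.sort()
        times = [t for t, _ in conns]
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": f"{ip}:{port}", "connections": len(conns),
                "interval_s": round(avg, 1), "cv": round(cv, 3),
                "bytes_out": sum(s for _, s in conns),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon? {f['src']} -> {f['dst']} every ~{f['interval_s']}s "
              f"({f['connections']} conns, cv={f['cv']}, {f['bytes_out']} B out)")
```

Run it directly and the ws01 to 203.0.113.10:443 pair is the only one flagged; the browsing to the other hosts is too irregular and too infrequent. In practice you would feed it firewall, proxy or Zeek conn.log records over a long window and tune min_conns and max_cv for your environment: real implants add deliberate jitter to their sleep timer, so a threshold around 0.2 to 0.3 catches more than a strict zero, at the cost of more legitimate pollers (update checkers, monitoring agents) to allow-list.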
Fix Windows DLL: SVCHOST.EXE
SVCHOST.
This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Chris Sienko. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/ae0MU8XhcBg/

