Many of us start up our computer and conduct all types of activities and business, including banking, without a second thought. Well, I have written this article so that perhaps you will give it a second thought.
Imagine this scenario: you are sitting at your computer browsing the web, sending a few emails, checking your bank balance, making a few online purchases with your credit card and updating your personal finances. Without your knowing it, and without any indication that something is wrong, someone half a world away is monitoring everything you do. They can view your screen as though they were sitting in front of it, every keystroke you type is being recorded, and they can even turn on your connected or integrated camera and microphone to watch and listen to everything you say and do.
The scenario above is scary, and it happens to millions of people every day while they remain completely oblivious.
This is made possible by software available on hacking forums on the “deep web”, and most of it is free.
This software is called a “RAT”, which stands for Remote Access Terminal. Some remote access software packages exist for legitimate purposes, such as IT managers managing computers remotely, but the RAT packages I am talking about do a lot more than the legitimate ones.
A RAT can be installed on your computer by visiting an infected website, clicking on a link or picture emailed to you from a friend’s spoofed email address, downloading a legitimate software package that has been infected, or viewing a video on YouTube. Those are just a few of the ways in which your computer can be infected with a RAT.
It takes only a second to install and infect your computer, and you would have no idea that it has, because it automatically turns off your antivirus programs and disables your firewall without any indication that it has done so. You could have been infected for weeks, months or years without knowing it.
Below are some of the capabilities of one of the most popular RATs, which has had more than 100,000 downloads:
Module Options
- Melt server executable after initial execution
- Change file creation date (if selected, the date is set to 16/04/2007 unless specified otherwise; no option is available to change the time)
- Persistence installation (various persistence methods have been seen, including use of the HKLM Run key and Userinit keys)
Stealth Mode Options
- File attributes (select multiple; default none): Hidden, System, Archive, Temporary, Read Only
- Hide startup key from msconfig (32-bit only)
- Hide software from Explorer and related file management tools
- Explorer injection is also available in a specific “FWB” (Firewall Bypass) version
Capability Options
- Disable Task Manager
- Disable Registry
- Disable Windows Firewall (XP SP3 to Windows 7)
- Disable Windows UAC
- XP SP2 or earlier:
  - Disable Anti Virus Notify
  - Disable Security Center
  - Disable Windows Update
- Disable Control Panel
- Keylogging – the keylog created by offline keylogging can also be sent via FTP (disabled by default).
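The capability list above names concrete Windows settings a RAT of this kind leaves behind: Run and Userinit persistence entries, Hidden/System file attributes, Task Manager and Registry Editor disabled by policy, UAC and the firewall switched off. The following read-only audit script is an added example written for this article, not code from the article or from any RAT package; it checks each of those locations on a Windows host and lists what it finds. The registry paths and value names are the standard Windows ones; the function name, the output layout and the choice of directories to scan are this example's own assumptions, and it assumes PowerShell 3.0 or later run from an elevated prompt.

```powershell
# Added example: read-only audit of the settings the RAT capability list says it changes.
# Registry paths are standard Windows locations; the function name and output format
# are choices made for this example.

function Get-RatIndicators {
    [CmdletBinding()]
    param(
        # User-writable directories where a dropped executable is commonly "melted" to.
        [string[]]$ScanPaths = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Category, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
    }

    # 1. Persistence: Run / RunOnce keys for the machine and the current user.
    #    Every entry is listed for review; a binary under %APPDATA% or %TEMP% stands out.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            Add-Finding 'Run key entry' ("{0} : {1} = {2}" -f $key, $p.Name, $p.Value)
        }
    }

    # 2. Persistence: Winlogon Userinit. The stock value is
    #    "C:\Windows\system32\userinit.exe," (note the trailing comma); anything
    #    appended after it is launched at every logon.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
    $expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
    if ($userinit -and ($userinit.TrimEnd(',') -ne $expected)) {
        Add-Finding 'Userinit modified' $userinit
    }

    # 3. Capability options: Task Manager / Registry Editor disabled via policy,
    #    UAC switched off. DisableTaskMgr = 1, DisableRegistryTools = 1 and
    #    EnableLUA = 0 are the states the options above would leave behind.
    $userPolicy = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $v = (Get-ItemProperty -Path $userPolicy -Name $name -ErrorAction SilentlyContinue).$name
        if ($v -eq 1) { Add-Finding 'Policy restriction' "$name = 1" }
    }
    $machinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $machinePolicy -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($lua -eq 0) { Add-Finding 'UAC disabled' 'EnableLUA = 0' }

    # 4. Windows Firewall state per profile (netsh advfirewall exists from Vista onward).
    $fw = netsh advfirewall show allprofiles state 2>$null
    if ($fw -and (($fw -join "`n") -match 'State\s+OFF')) {
        Add-Finding 'Firewall profile off' (($fw | Where-Object { $_ -match 'Profile|State' }) -join '; ')
    }

    # 5. Stealth options: files carrying both the Hidden and System attributes in
    #    user-writable directories, a combination ordinary user files rarely need.
    $hs = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    foreach ($dir in $ScanPaths) {
        if (-not $dir -or -not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band $hs) -eq $hs) } |
            ForEach-Object { Add-Finding 'Hidden+System file' $_.FullName }
    }

    return $findings
}

# Usage: run from an elevated PowerShell prompt. Each line is a lead to verify
# by hand (is that Run entry a program you installed?), not a verdict.
Get-RatIndicators | Format-Table -AutoSize
```

The script only reads; it changes nothing, so it can be run on a machine you suspect is infected without disturbing evidence a forensic examiner would later want. Run key entries are listed in full rather than filtered, because the legitimate entries on a given machine are only known to its owner, and the Userinit check compares against the stock path so a trailing second program is caught regardless of its name.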
How do you know you have been infected with a RAT?
You will not know. If you suspect that you may have been infected by a RAT, contact a computer forensics company like Rick Crouch & Associates, as they have the current tools needed to detect a RAT on your computer. Your corner computer repair shop or retail computer warehouse will not have the capability to detect and remove a RAT should you have been infected.
Contributed by:
Rick Crouch
Rick Crouch & Associates
rick@rickcrouch.co.za