RAT (Remote Administration Tool) - III

Posted by Sharan R On 7:22 AM

Counter And Defense Against RAT Attack

Welcome to the third part of The RAT tutorial and I am extremely sorry you have to wait a little more so see this article coming up. By the way in this section we ll make ourselves aware how we can counter and create a defense against RAT attack. Dear visitor if you are reading this post without reading its previous parts then I urge you to please read,


before you read this.

So as seen before RAT may use any unknown port to communicate with attacker and the best defense against any process communicating using unknown port is firewall. There are various commercial firewalls available but here are few good free firewalls that can even lead a commercial firewall bow down to its feet. Following are few good free firewall programs on basis of their ranking by customers,

1.Online Armour
2.Zone Alarm
3.Comodo Firewall
4.Private Firewall

People consider Online Armour as one of the toughest free firewall available, by the way I prefer Comodo Firewall. Comodo firewall also shows you process which are communicating, port numbers via which they are communicating and full path of process invoking executable file, here's a view of how Comodo shows you process.
Now as we discussed in RAT - II a RAT becomes fully undetectable if he/she applies any process discussed in previous RAT post. That means if your anti-virus fails to detect it, following can be symptoms that can appear on your system which can help you identify its presence,

1.Disable Of Task Manager and Disable Of Folder Option
2.Sudden Opening And Closing Of CD/DVD-ROM
3.Blue Screen Of Death or Just Blue Screen
4.High Bandwidth Consumption
5.Sudden Open Of Web Pages
6.Pop Ups
7.Change Of Wallpaper
8.Disappear Of Mouse Arrow, Start Button and Task Manager

If you find any of the above things happening on your PC its time to manually check your system for RAT. But as I told you before RAT server may hide in known processes or may even use only known ports to communicate with attacker so detection would not be easy. Here we'll learn step by step approach how you can manually detect its presence.

As told earlier a RAT can hide it self in process space of another process like explorer.exe, iexplorer.exe, scvhost.exe, services.exe. Open your firewall and check out if explorer.exe or services.exe are communicating with remote host. If yes then you are infected because these processes never communicate with any remote host. Now the process that communicate are svchost.exe and iexplorer.exe.

To find out whether iexplorer.exe is communicating with remote host as client to installed RAT server close Internet Explorer, wait for 5-6 seconds and see if its communicating then you are infected. Now if attacker has configured to close connection as soon as Internet Explorer(IE) closes you will not be able to detect its presence in firewall, in this case you have to keep yourself prepared by watching how much memory IE takes while opening www.google.com leave IE like that and open “Task Manager” by typing taskmgr.exe in RUN window. Keep your eye on memory consumption(not CPU consumption) of IE if it fluctuates even after 1 minute then you can be sure you are 100% infected.

What if attacker decides to hide process in scvhost.exe? In this case open firewall and watch for ports with which svchost.exe is communicating. Make sure port numbers should be 53 or 443 on remote host in listening mode only, if not then you are infected. Now if attacker has planted port number 53 or 443 in RAT for communication with svchost.exe then how you gonna detect. Now here you'll need a little technical brain, a scvhost.exe process runs in three modes,

System Mode: Which never communicates with internet
Local Mode: Which never communicates with internet
Network Mode: Which communicates with internet.

All three modes run as different processes with different process IDs. Now the Network Mode scvhost.exe runs as network service, so open taskmgr.exe and locate scvhost.exe where username is Network Service now note process ID, disconnect from network and wait for 1-5 minute monitoring that process memory consumption. You have to wait for 5 minutes just because even after disconnecting scvhost.exe does not settle down network and hence memory usage appears fluctuating for long time. Once memory usage becomes stable then wait for sometime and monitor it for memory usage fluctuation, it should not be above 2 MBs.

Now above were manual method to identify presence of RAT in your system if your Anti-Virus and even malware detection software fails to detect RAT. So far as my view is concerned Norton, Avast Professional, Avira and AVG professional are best Security Suites available to tackle all kind of software based threats and malware. And if you use your system for critical purposes then you are the fellow who is in very much need of “Black Ice Defender”. It is awesome piece of code written specially to avoid any kind of intrusion on your system.

8 comments

  1. sandy star Said,

    Whoa! I’m enjoying the template/theme of this website. It’s simple, yet effective. A lot of times it’s very hard to get that “perfect balance” between superb usability and visual appeal. I must say you’ve done a very good job with this.
    AWS Training in Bangalore |Best AWS Training Institute in Bangalore BTM, Marathahalli
    AWS Training in Chennai | AWS Training Institute in Chennai Velachery, Tambaram, OMR

    Posted on September 1, 2018 at 7:37 AM

     
  2. Revathy A Said,

    I'm here representing the visitors and readers of your own website say many thanks for many remarkable

    angularjs Training in bangalore

    angularjs Training in electronic-city

    angularjs Training in online

    angularjs Training in marathahalli

    Posted on September 25, 2018 at 11:41 PM

     
  3. sai Said,

    Thank you a lot for providing individuals with a very spectacular possibility to read critical reviews from this site.
    Python training in marathahalli | Python training institute in pune

    Posted on October 12, 2018 at 10:43 PM

     
  4. Great Article… I love to read your articles because your writing style is too good, its is very very helpful for all of us and I never get bored while reading your article because, they are becomes a more and more interesting from the starting lines until the end.
    Devops training in marathahalli
    Devops training in rajajinagar

    Posted on October 15, 2018 at 4:12 AM

     
  5. vijay antony Said,

    Wow it is really wonderful and awesome thus it is very much useful for me to understand many concepts and helped me a lot. it is really explainable very well and i got more information from your blog.

    rpa training in velachery| rpa training in tambaram |rpa training in sholinganallur | rpa training in annanagar| rpa training in kalyannagar

    Posted on October 17, 2018 at 6:08 AM

     
  6. Afiah B Said,

    Wow it is really wonderful and awesome thus it is very much useful for me to understand many concepts and helped me a lot. it is really explainable very well and i got more information from your blog.
    Java training in Chennai | Java training in Bangalore

    Java online training | Java training in Pune

    Posted on October 17, 2018 at 10:17 PM

     
  7. Ram priya Said,

    Nice post. By reading your blog, i get inspired and this provides some useful information. Thank you for posting this exclusive post for our vision. 
    Data Science Training in Chennai | Data Science training in anna nagar

    Data Science training in chennai | Data science training in Bangalore

    Data Science training in marathahalli | Data Science training in btm layout

    Posted on October 17, 2018 at 10:49 PM

     
  8. cardactiv Said,

    Posted on October 25, 2018 at 11:05 AM