Can enterprises do anything to mitigate the effects of remote administration toolkits (RATs) like Poison Ivy, which...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
allow unsophisticated attackers to craft their own malware attacks?
Ask the expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Enterprises have some options for mitigating the effects of remote administration toolkits (RATs) impact on their networks. But first, let's examine why these RATs, not unlike the actual rodent, are such a nuisance.
Remote administration toolkits are essentially malware packages created by attackers to plant on target machines and take control of them remotely under the guise of a legitimate remote support tool. Unsophisticated attackers crafting their own RATs, such as Poison Ivy RAT malware, are a relatively recent development, although RATs for Windows have been around since 1998. Probably the best-known early RAT is Back Orifice (BO) from the hacker group Cult of the Dead Cow. Back Orifice is a more general RAT and could be used for legitimate remote support, but many of the modern RATs have been designed solely to evade firewalls and other perimeter network defenses, and to circumvent the security of the local system.
However, there are legitimate RATs or remote support tools that are used regularly to support remote workers. The distinction between legitimate and malicious RATs is that a malicious RAT is designed to hide itself from detection, but legitimate RATs typically have notifications sent to the local user indicating usage and to ensure the end user knows it is installed.
Enterprises may want to assume that endpoints are at risk of compromised by RATs and implement network controls to compensate for compromised endpoints. The least appealing option for blocking RATs is to not allow Internet access, but this would most likely not be reasonable in most environments. Enterprises could force all Internet traffic through a proxy server, but a RAT could work through a proxy server depending on the functionality of the RAT. The RAT may look like legitimate HTTP traffic and not be detected, but using an IDS, SEIM, and analysis of the logs, you might be able to detect the traffic. An antimalware device may be implemented that includes RAT monitoring and management in the functionality. An enterprise could also just ensure that it has minimal detections in place through an existing IDS and updated signatures.
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
SSL attacks "in stealth mode" are helping attackers avoid detection and analysis. Expert Nick Lewis explains how to discover and defend against the ...continue reading
Learn how sinkholing is helping security experts analyze infected devices and even disable malware in compromised endpoints.continue reading
Motion and gestures are being used for mobile malware detection on smartphones. Learn how this method works and whether it is a worthy addition to an...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.