Can enterprises do anything to mitigate the effects of remote administration toolkits (RATs) like Poison Ivy, which allow unsophisticated attackers to craft their own malware attacks?
Enterprises have some options for mitigating the impact of remote administration toolkits (RATs) on their networks. But first, let's examine why these RATs, not unlike the actual rodent, are such a nuisance.
Remote administration toolkits are essentially malware packages created by attackers to plant on target machines and take control of them remotely under the guise of a legitimate remote support tool. Unsophisticated attackers crafting their own RATs, such as Poison Ivy RAT malware, are a relatively recent development, although RATs for Windows have been around since 1998. Probably the best-known early RAT is Back Orifice (BO) from the hacker group Cult of the Dead Cow. Back Orifice is a more general RAT and could be used for legitimate remote support, but many of the modern RATs have been designed solely to evade firewalls and other perimeter network defenses, and to circumvent the security of the local system.
However, there are legitimate RATs, or remote support tools, that are used regularly to support remote workers. The distinction between legitimate and malicious RATs is that a malicious RAT is designed to hide itself from detection, whereas legitimate RATs typically notify the local user when they are in use and make sure the end user knows the tool is installed.
Enterprises may want to assume that endpoints are at risk of compromise by RATs and implement network controls to compensate for compromised endpoints. The least appealing option for blocking RATs is to disallow Internet access entirely, but this would not be reasonable in most environments. Enterprises could force all Internet traffic through a proxy server, but depending on its functionality a RAT may be able to work through a proxy. The RAT's traffic may look like legitimate HTTP traffic and go undetected, but by using an IDS, a SIEM and analysis of the proxy logs, you might be able to detect it. An antimalware device that includes RAT monitoring and management in its functionality may also be implemented. At a minimum, an enterprise should ensure that it has basic detection in place through an existing IDS with updated signatures.
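One form the proxy-log analysis mentioned above can take is a check for beaconing: a RAT polling its controller through the proxy tends to contact the same host at a nearly fixed interval, while human browsing is irregular. The example below is added here and is not code from the original answer; the log format, host names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines: timestamp, client, destination host, bytes.
# Host "update-check.example" receives a steady 60-second beacon from 10.0.0.5,
# the kind of trace a RAT polling its controller through the proxy would leave.
SAMPLE_LOG = """\
2024-01-10T09:00:00 10.0.0.5 update-check.example 512
2024-01-10T09:00:07 10.0.0.5 news.example 48211
2024-01-10T09:01:00 10.0.0.5 update-check.example 512
2024-01-10T09:01:31 10.0.0.7 news.example 51922
2024-01-10T09:02:00 10.0.0.5 update-check.example 512
2024-01-10T09:02:44 10.0.0.5 mail.example 9031
2024-01-10T09:03:00 10.0.0.5 update-check.example 512
2024-01-10T09:04:00 10.0.0.5 update-check.example 512
"""

def parse_log(text):
    """Return (client, host, timestamp) tuples from the whitespace-separated format above."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _size = line.split()
        rows.append((client, host, datetime.fromisoformat(ts)))
    return rows

def find_beacons(rows, min_hits=4, max_jitter=0.2):
    """Flag (client, host) pairs whose connection intervals are nearly constant.

    min_hits: connections required before a pair is scored at all.
    max_jitter: allowed stddev/mean ratio of the gaps; browsing is far noisier.
    Returns {(client, host): mean_interval_seconds} for the flagged pairs.
    """
    by_pair = defaultdict(list)
    for client, host, ts in rows:
        by_pair[(client, host)].append(ts)
    suspects = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            suspects[pair] = avg
    return suspects

if __name__ == "__main__":
    for (client, host), interval in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: beacon every {interval:.0f}s")
```

On real logs the thresholds need tuning, since legitimate software updaters also poll on a schedule; the flagged pairs are leads for the SIEM to correlate with IDS alerts, not verdicts.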