Can you recommend any tools capable of remote access Trojan detection?
Ask the Expert!
Remote access Trojans (RATs), such as the FAKEM family discovered earlier this year, try to blend in with normal traffic to avoid detection. Generally speaking, RATs tunnel their command-and-control traffic inside HTTP and HTTPS so that it resembles ordinary web browsing. In the case of the FAKEM family, the malware's traffic is made to look like Windows Messenger, Yahoo Messenger or some other commonly used instant messaging protocol. Because the malicious traffic is disguised as protocols that are seen on every network, filtering on ports and headers alone will not catch it; deep packet inspection (DPI) of the payload is necessary. One caveat applies to HTTPS: a content inspector only sees the bytes on the wire, so RAT traffic carried inside TLS cannot be matched on its payload unless the TLS session is terminated or intercepted at the inspection point, which is a separate design decision with its own privacy and key-handling implications.
To conduct DPI, some solid tools are needed. There are plenty of stand-alone commercial DPI vendors, including Fluke Networks, Network Instruments, Trend Micro and others that claim to be able to spot malicious RAT traffic, but those products cost money. If your budget is limited -- as most security budgets are -- I would recommend Snort. Now, you may be saying, "I thought DPI is too computationally intensive for Snort." At the risk of getting too deep into the weeds, studies indicate that Snort's throughput during DPI is actually higher than that of some of the more prominent hardware devices specifically dedicated to DPI. This is in large part due to Snort's lightweight nature and to the way its detection engine works: instead of testing rules one at a time, it uses a multi-pattern matcher (an Aho-Corasick variant by default) that checks the content strings of all loaded rules in a single pass over each payload. That said, Snort's usefulness in DPI scenarios is highly contingent on the Snort administrator's ability to write precise rules. For example, a security administrator may want to search for the byte 0x90 inside each packet. That byte is the opcode of the x86 NOP (no operation) instruction; it is not an exploit in itself, but exploit payloads very commonly precede their shellcode with a long run of NOPs (a "NOP sled") so that an imprecise jump still lands on executable code, which makes runs of 0x90 a classic thing to look for. The Snort administrator may then start with the following alert rule:
alert tcp any any -> any any (msg:"Possible NOP exploit"; content:"|90|"; sid:1000001; rev:1;)
This alert rule applies to TCP traffic from any source IP address and port to any destination IP address and port, and whenever the byte 0x90 appears anywhere in a packet's payload it raises an alert with the given message. The sid (in the 1000000 and above range reserved for locally written rules) and rev are required for Snort to load the rule at all. As written, however, it is far too broad to run in production: a single 0x90 byte occurs by chance in compressed files, images, TLS ciphertext and ordinary binary downloads, so this rule will fire constantly on benign traffic and bury any real hit. The practical version looks for a run of consecutive 0x90 bytes rather than one, restricts the match to established client-to-server flows on the ports of interest, and applies a threshold to cap alert volume. The underlying point stands, though: a one-line rule can express a useful DPI check, and the administrator's skill at writing precise rules is what separates a noisy sensor from one that actually saves the day.
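To make the false-positive point concrete, here is an added example that is not from the original column and is not Snort itself: a small Python script that implements only Snort's content: matching (literal text and |hex| segments, no offset/depth or other modifiers) and runs the one-line rule beside a NOP-sled variant over a handful of constructed payloads. The rule strings, the sids 1000001 and 1000002, and every sample payload are made up for the illustration; none of them is captured traffic or a published signature.

```python
"""Compare the single-byte NOP rule with a NOP-sled rule over sample payloads.

Added example, not from the original column. The payloads are constructed,
not captured traffic, and the "rule engine" below implements only Snort's
content:"..." matching (literal text and |hex| segments), nothing else.
"""
import re

# The one-line rule from the text (with the sid/rev it needs to load) and a
# sled-style alternative that requires eight consecutive NOP bytes.
RULE_SINGLE_NOP = (
    'alert tcp any any -> any any (msg:"Possible NOP exploit"; '
    'content:"|90|"; sid:1000001; rev:1;)'
)
RULE_NOP_SLED = (
    'alert tcp any any -> any any (msg:"Possible x86 NOP sled"; '
    'content:"|90 90 90 90 90 90 90 90|"; sid:1000002; rev:1;)'
)

# Constructed packet payloads. Only the last one is hostile.
SAMPLES = {
    # TLS application-data record header followed by opaque "ciphertext";
    # 0x90 appears once purely by position, as it will in real ciphertext.
    "tls_record": bytes.fromhex("170303 0040") + bytes(range(0x80, 0xC0)),
    # PNG signature and IHDR chunk whose height field (0x0290) ends in 0x90.
    "png_header": b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"
                  b"\x00\x00\x01\x00\x00\x00\x02\x90",
    # Plain HTTP request: pure ASCII, so no 0x90 anywhere.
    "http_get": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    # Exploit-style payload: a 64-byte NOP sled followed by a placeholder
    # stub (0xCC int3 bytes stand in for shellcode).
    "nop_sled": b"POST /upload HTTP/1.1\r\n\r\n" + b"\x90" * 64 + b"\xcc" * 16,
}

_CONTENT_RE = re.compile(r'content:"([^"]*)"')


def content_bytes(rule):
    """Return the byte pattern of the first content: option in a Snort rule.

    Snort content strings alternate literal text with |hex bytes| segments,
    e.g. "GET |90 90| /". Modifiers such as nocase or depth are ignored here.
    """
    m = _CONTENT_RE.search(rule)
    if not m:
        raise ValueError("rule has no content option")
    out = bytearray()
    for i, seg in enumerate(m.group(1).split("|")):
        if i % 2 == 0:
            out += seg.encode("latin-1")   # literal text segment
        else:
            out += bytes.fromhex(seg)       # |hex| segment; spaces allowed
    return bytes(out)


def rule_alerts(rule, payload):
    """True if the rule's content pattern occurs anywhere in the payload.

    That is all an unmodified content:"..." option checks.
    """
    return content_bytes(rule) in payload


def evaluate(rules, samples=SAMPLES):
    """Map each rule's sid to the names of the samples that trigger it."""
    report = {}
    for rule in rules:
        sid = re.search(r"sid:(\d+);", rule).group(1)
        report[sid] = [name for name, pl in samples.items()
                       if rule_alerts(rule, pl)]
    return report


def false_positives(rules, samples=SAMPLES, hostile=("nop_sled",)):
    """Benign samples each rule alerts on (everything not listed as hostile)."""
    return {sid: [n for n in names if n not in hostile]
            for sid, names in evaluate(rules, samples).items()}


if __name__ == "__main__":
    for sid, names in evaluate([RULE_SINGLE_NOP, RULE_NOP_SLED]).items():
        print(f"sid {sid}: alerts on {names}")
```

Run stand-alone, the script reports that sid 1000001 fires on the TLS record and the PNG header as well as the sled, while sid 1000002 fires only on the sled. The eight-byte run is still a heuristic (some sleds use other single-byte instructions, and a determined attacker avoids 0x90 entirely), but it shows why the shape of the content string, not just the decision to inspect payloads, decides whether a rule is usable.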
This was first published in July 2013