Worms and viruses rightly get a lot of attention, but users should also be aware of the dangers of a third kind of malicious code that may be particularly worrisome this year. Some experts predict this to be an especially destructive year for Trojan horse programs, specifically remote access Trojans (RATs).
RATs are programs that users are tricked into installing and that give attackers backdoor access to the infected systems. A RAT can include a keystroke logger to harvest passwords or other sensitive information. "They can also remove or overwrite files and other nasty things," said Chris Wraight, technology consultant at antivirus vendor Sophos.
RATs spread much like viruses and worms: they can arrive as e-mail attachments or propagate over network file shares, and they often rely on trickery to get potential victims to install the program themselves. Once installed, a RAT can be hard for users to notice because it often doesn't show up in the task list or the Close Program dialog.
There are some things companies can do to prevent or mitigate the effects of RATs. Shutting off unused services and blocking unused ports is a good step. Another is monitoring outbound network traffic, Wraight said; a RAT that gives an attacker remote access has to talk back out to that attacker, and that traffic can be watched for.
The surest way of preventing RATs from infecting systems is the same as for viruses and worms: keep antivirus signature files updated, and make sure end users don't open attachments or install programs they are unsure of.
Yet detecting RATs can be tricky because legitimate programs do many of the same things. Some companies worry that security measures meant to stop RATs will hamper functionality they rely on. For example, IT professionals use programs such as PC Control to remotely manage systems, Wraight said.
For companies that need remote-access tools, signature-based Trojan scanning is probably preferable. Heuristics alone would block beneficial programs like PC Control, whereas a signature-based scanner would recognize it as a legitimate tool and ignore it.
Detecting RATs with signature-based scanning has its own problems. RAT writers sometimes target specific companies with their creations, so those Trojans aren't circulating widely enough to be discovered by antivirus researchers, said Alex Shipp, senior antivirus technologist with MessageLabs, a Gloucester, England-based provider of managed e-mail content filtering. "Antivirus companies need to see a specimen before they can create a pattern file for it," he said.
Perhaps the most famous RAT is Back Orifice, created by a group called Cult of the Dead Cow. Antivirus companies are aware of it, so their scanners look for it.
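As an added illustration (example code written for this page, not from the article or from Sophos or MessageLabs), the script below applies the three approaches discussed above to some constructed outbound-connection log lines: a port signature for Back Orifice's default listener (UDP 31337), an allowlist that lets a sanctioned remote-management tool through instead of blocking it, and a beaconing heuristic for the custom, targeted RATs that no signature file will catch. The host names, process names (including `pccontrol.exe` standing in for PC Control), addresses, thresholds and log format are all assumptions.

```python
"""Outbound-traffic triage for RATs.

Added example, not code from the article or the vendors it quotes.
Three checks run over constructed outbound-connection log lines:
  1. signature: destination matches a known RAT default (Back Orifice
     listened on UDP 31337 by default);
  2. allowlist: connections made by a sanctioned remote-management tool
     are ignored rather than blocked (the PC Control concern);
  3. heuristic: a host that keeps reconnecting to the same external
     address at near-regular intervals looks like a RAT beaconing to
     its controller, whether or not anyone has a signature for it.
Host names, process names, addresses, thresholds and log format are made up.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed allowlist: process names of remote-management tools IT sanctions.
SANCTIONED_PROCESSES = {"pccontrol.exe"}

# Signature check. A port signature is brittle (an operator can change the
# port), but it shows the shape of a signature-based rule.
KNOWN_RAT_PORTS = {(31337, "udp"): "Back Orifice default port"}

# Destinations inside these networks are not candidate RAT controllers.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

BEACON_MIN_HITS = 3       # fewer connections than this cannot show a rhythm
BEACON_MAX_JITTER = 0.2   # stdev/mean of the gaps; low ratio = clockwork beacon

# Constructed log: timestamp host process proto dst_ip:dst_port
SAMPLE_LOG = """\
2003-03-01T09:00:00 ws-17 outlook.exe tcp 198.51.100.5:25
2003-03-01T09:00:05 ws-17 svchost.exe udp 203.0.113.9:31337
2003-03-01T09:01:00 ws-42 pccontrol.exe tcp 203.0.113.50:5631
2003-03-01T09:02:00 ws-42 pccontrol.exe tcp 203.0.113.50:5631
2003-03-01T09:03:00 ws-42 pccontrol.exe tcp 203.0.113.50:5631
2003-03-01T09:00:00 ws-88 winupd.exe tcp 203.0.113.77:443
2003-03-01T09:05:00 ws-88 winupd.exe tcp 203.0.113.77:443
2003-03-01T09:10:01 ws-88 winupd.exe tcp 203.0.113.77:443
2003-03-01T09:14:59 ws-88 winupd.exe tcp 203.0.113.77:443
2003-03-01T09:03:00 ws-17 iexplore.exe tcp 192.168.1.10:80
"""


def parse_log(text):
    """Turn the one-line-per-connection log into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, proto, dst = line.split()
        ip, port = dst.rsplit(":", 1)
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "proc": proc.lower(), "proto": proto.lower(),
                        "ip": ip, "port": int(port)})
    return records


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_alerts(records):
    """Return (kind, host, process, dst_ip, detail) tuples for suspect traffic."""
    alerts = []
    series = defaultdict(list)   # (host, proc, ip, port) -> connection times
    for r in records:
        if is_internal(r["ip"]):
            continue
        sig = KNOWN_RAT_PORTS.get((r["port"], r["proto"]))
        if sig:
            alerts.append(("signature", r["host"], r["proc"], r["ip"], sig))
            continue
        if r["proc"] in SANCTIONED_PROCESSES:
            continue        # sanctioned tool: allowed through, not blocked
        series[(r["host"], r["proc"], r["ip"], r["port"])].append(r["ts"])

    for (host, proc, ip, port), times in series.items():
        times.sort()
        if len(times) < BEACON_MIN_HITS:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= BEACON_MAX_JITTER:
            alerts.append(("beacon", host, proc, ip,
                           f"{len(times)} connections about every {avg:.0f}s to port {port}"))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(*alert)
```

On the sample data the signature rule fires on the UDP 31337 connection, the sanctioned `pccontrol.exe` traffic (which is itself perfectly periodic) is left alone, and `winupd.exe` on ws-88 is flagged because it calls the same outside address every five minutes on a port the signature file knows nothing about. Real RATs add jitter, so the threshold is a tuning knob, not a constant.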
However, attackers sometimes use legitimate programs to stay under the radar. British citizen Gary McKinnon was indicted last November for hacking into dozens of U.S. military systems and installing the legitimate remote-control program RemotelyAnywhere on them in order to gain access. While antivirus scanners ignored the program, investigators were able to trace McKinnon from information he entered when downloading it from its Milwaukee-based distributor.