How to detect and mitigate Poison Ivy RAT malware-style attacks

Learn how to prevent malcode like the Poison Ivy RAT malware, sophisticated malware that has been crafted especially for an enterprise take-down.

Can enterprises do anything to mitigate the effects of remote administration toolkits (RATs) like Poison Ivy, which...

allow unsophisticated attackers to craft their own malware attacks?

Ask the expert!

Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)

Enterprises have some options for mitigating the effects of remote administration toolkits (RATs) impact on their networks. But first, let's examine why these RATs, not unlike the actual rodent, are such a nuisance.

Remote administration toolkits are essentially malware packages created by attackers to plant on target machines and take control of them remotely under the guise of a legitimate remote support tool. Unsophisticated attackers crafting their own RATs, such as Poison Ivy RAT malware, are a relatively recent development, although RATs for Windows have been around since 1998. Probably the best-known early RAT is Back Orifice (BO) from the hacker group Cult of the Dead Cow. Back Orifice is a more general RAT and could be used for legitimate remote support, but many of the modern RATs have been designed solely to evade firewalls and other perimeter network defenses, and to circumvent the security of the local system.

However, there are legitimate RATs or remote support tools that are used regularly to support remote workers. The distinction between legitimate and malicious RATs is that a malicious RAT is designed to hide itself from detection, but legitimate RATs typically have notifications sent to the local user indicating usage and to ensure the end user knows it is installed.

Enterprises may want to assume that endpoints are at risk of compromised by RATs and implement network controls to compensate for compromised endpoints. The least appealing option for blocking RATs is to not allow Internet access, but this would most likely not be reasonable in most environments. Enterprises could force all Internet traffic through a proxy server, but a RAT could work through a proxy server depending on the functionality of the RAT. The RAT may look like legitimate HTTP traffic and not be detected, but using an IDS, SEIM, and analysis of the logs, you might be able to detect the traffic. An antimalware device may be implemented that includes RAT monitoring and management in the functionality. An enterprise could also just ensure that it has minimal detections in place through an existing IDS and updated signatures.

This was last published in May 2012

Dig Deeper on Malware, virus, Trojan and spyware protection and removal