A remote access Trojan variant called "njRAT" has re-emerged, and it's written in .NET 4.0 rather than C/C++. How does this help malware evade detection? Are there any controls that should be implemented to detect malware written in different code like .NET?
Most malware is developed so that it requires a minimal set of dependencies to execute, in order to have the highest probability of success. This is because the malware author doesn't know whether an external dependency is present on the target system or not. The external dependency could, for example, be a software library or even the Java JRE. Malware authors have avoided including external dependencies in their malware, both to keep the malware small and to avoid changes that might increase its chances of being detected on the target system.
For this reason, malware authors are starting to adopt different external dependencies. Macro-viruses are one type of malware that won't operate without the macro-environment installed. This brings us to njRAT. Malware written using .NET has some similarities with macro-viruses in that the .NET malware won't run without the .NET environment installed on the endpoint. Fortunately for malware authors -- and unfortunately for enterprises -- .NET has many software development benefits, so it has been widely installed in enterprise networks.
Tools like Detekt, along with other standard antimalware tools, can be used to identify the njRAT malware, with the one caveat that malware used by state-sponsored attackers does not necessarily show up in standard antimalware tool definitions. However, many antimalware providers have stated they do not ignore certain malware at the request of state-sponsored attackers.
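Because .NET malware cannot hide the fact that it needs the CLR, one control an enterprise can build itself is an inventory check that flags which executables are .NET assemblies and which runtime version string they declare, so that unexpected .NET binaries (in download folders, user profiles, or submissions queued for sandboxing) stand out for the investigation the answer describes. The following Python script is an added example, not code from the article or from Nick Lewis; it relies only on the public PE and ECMA-335 layouts (the CLR data directory, the IMAGE_COR20_HEADER and the metadata root). The minimal PE image it builds is constructed for the test and is not an executable program.

```python
import struct

# Added example (not from the original article): a dependency-free check that
# tells whether a Windows PE file is a .NET assembly and which runtime version
# string it declares. The sample PE built below is constructed, not a program.

CLR_DIRECTORY_INDEX = 14          # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
COMIMAGE_FLAGS_ILONLY = 0x1       # flag bit in IMAGE_COR20_HEADER.Flags


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return None


def inspect_pe(data):
    """Describe whether `data` is a PE image and whether it targets the CLR."""
    info = {"is_pe": False, "is_dotnet": False, "runtime_version": None, "il_only": None}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    pe = _u32(data, 0x3C)                      # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return info
    info["is_pe"] = True
    coff = pe + 4
    num_sections = _u16(data, coff + 2)
    opt_size = _u16(data, coff + 16)
    opt = coff + 20
    magic = _u16(data, opt)
    if magic == 0x10B:                         # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                       # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        return info
    if _u32(data, opt + ndirs_off) <= CLR_DIRECTORY_INDEX:
        return info
    clr_rva, clr_size = struct.unpack_from("<II", data, opt + dirs_off + CLR_DIRECTORY_INDEX * 8)
    if clr_rva == 0 or clr_size == 0:
        return info                            # native image: no CLR header
    info["is_dotnet"] = True

    sections = []
    for i in range(num_sections):
        entry = opt + opt_size + i * 40
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, entry + 8)
        sections.append((va, vsize, raw_ptr, raw_size))

    clr_off = _rva_to_offset(sections, clr_rva)
    if clr_off is None or clr_off + 20 > len(data):
        return info                            # header points outside the file: malformed
    _cb, _major, _minor, md_rva, _md_size, flags = struct.unpack_from("<IHHIII", data, clr_off)
    info["il_only"] = bool(flags & COMIMAGE_FLAGS_ILONLY)

    md_off = _rva_to_offset(sections, md_rva)  # metadata root starts with "BSJB"
    if md_off is not None and data[md_off:md_off + 4] == b"BSJB":
        vlen = _u32(data, md_off + 12)
        raw = data[md_off + 16:md_off + 16 + vlen].split(b"\0", 1)[0]
        info["runtime_version"] = raw.decode("ascii", "replace")
    return info


def build_sample_pe(dotnet=True):
    """Constructed minimal PE32 image (not runnable code) for exercising the parser."""
    version = b"v4.0.30319\0"                  # version string of the CLR 4 runtime
    vlen = (len(version) + 3) & ~3
    metadata = (b"BSJB" + struct.pack("<HHII", 1, 1, 0, vlen)
                + version.ljust(vlen, b"\0") + struct.pack("<HH", 0, 0))
    sec_rva, raw_ptr = 0x2000, 0x200
    clr_hdr = struct.pack("<IHHIII", 72, 2, 5, sec_rva + 72, len(metadata),
                          COMIMAGE_FLAGS_ILONLY).ljust(72, b"\0")
    section = clr_hdr + metadata
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)        # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, sec_rva, 72)
    sec_hdr = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section), sec_rva, len(section), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sec_hdr
    return headers.ljust(raw_ptr, b"\0") + section


if __name__ == "__main__":
    print(inspect_pe(build_sample_pe(dotnet=True)))
    print(inspect_pe(build_sample_pe(dotnet=False)))
```

Run against a directory of files, the output is an inventory signal rather than a verdict: a .NET binary is not malicious because it is .NET, but a .NET executable where the software inventory expects none is a cheap lead for the antimalware and network checks described here.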
Analysis of network connections for anomalous connections could also identify potentially compromised endpoints that require further investigation.
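A remote access Trojan has to keep a connection back to its operator, so one anomaly worth looking for in flow or proxy logs is a host that contacts the same external address and port at near-constant intervals, which is what a check-in timer looks like from the network. The script below is an added example, not code from the article or from Nick Lewis: it parses a constructed flow log (timestamp, source, destination, port, bytes), groups connections per source/destination/port, and reports groups whose inter-connection intervals are both frequent enough and regular enough. The log lines, addresses (from documentation ranges), port number and thresholds are all constructed or assumed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Added example (not from the original article). Constructed sample flow log:
# "timestamp src_ip dst_ip dst_port bytes". Host 10.1.2.33 checks in with
# 203.0.113.7 roughly every five minutes; the rest is ordinary, irregular traffic.
SAMPLE_LOG = """\
2015-01-05T09:00:00 10.1.2.33 203.0.113.7 6677 412
2015-01-05T09:00:12 10.1.2.40 93.184.216.34 443 18322
2015-01-05T09:00:15 10.1.2.40 93.184.216.34 443 2201
2015-01-05T09:01:03 10.1.2.33 93.184.216.34 443 9120
2015-01-05T09:03:40 10.1.2.40 93.184.216.34 443 40011
2015-01-05T09:05:01 10.1.2.33 203.0.113.7 6677 398
2015-01-05T09:09:59 10.1.2.33 203.0.113.7 6677 405
2015-01-05T09:12:30 10.1.2.51 198.51.100.9 443 3300
2015-01-05T09:14:02 10.1.2.40 93.184.216.34 443 1200
2015-01-05T09:14:05 10.1.2.40 93.184.216.34 443 77000
2015-01-05T09:15:00 10.1.2.33 203.0.113.7 6677 410
2015-01-05T09:20:02 10.1.2.33 203.0.113.7 6677 401
2015-01-05T09:24:58 10.1.2.33 203.0.113.7 6677 399
2015-01-05T09:30:00 10.1.2.33 203.0.113.7 6677 415
2015-01-05T09:31:10 10.1.2.40 93.184.216.34 443 5400
2015-01-05T09:33:20 10.1.2.33 93.184.216.34 443 800
2015-01-05T09:45:00 10.1.2.40 93.184.216.34 443 2500
2015-01-05T09:50:12 10.1.2.51 198.51.100.9 443 3100
"""


def parse_log(text):
    """Parse the constructed log format into a list of records."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return records


def find_beacons(records, min_conns=6, max_cv=0.1):
    """Report (src, dst, port) groups with frequent, evenly spaced connections.

    min_conns: minimum connections before a group is considered (assumed threshold).
    max_cv: maximum coefficient of variation of the gaps between connections;
            a low value means the timing is regular, like a timer, not a person.
    """
    flows = defaultdict(list)
    sources_per_dst = defaultdict(set)
    for r in records:
        flows[(r["src"], r["dst"], r["dport"])].append(r["ts"])
        sources_per_dst[(r["dst"], r["dport"])].add(r["src"])

    findings = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue                            # duplicate timestamps; nothing to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "dport": dport, "count": len(stamps),
                "mean_interval": mean, "cv": cv,
                # how many internal hosts talk to this destination at all;
                # a destination seen from a single host is a weaker but useful signal
                "sources_to_dst": len(sources_per_dst[(dst, dport)]),
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} every ~{f['mean_interval']:.0f}s "
              f"({f['count']} connections, cv={f['cv']:.3f}, "
              f"{f['sources_to_dst']} internal host(s) use this destination)")
```

The thresholds are deliberately conservative; in a real deployment they are tuned against the network's own baseline, and hits are treated as endpoints needing further investigation, exactly as the answer says, because legitimate software (update checks, monitoring agents) also polls on timers.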
The standard steps to secure an endpoint -- such as patch management, configuration management and least privilege -- are necessary to prevent malware infections. And while not installing the .NET runtime would make it more difficult for the njRAT malware to attack a system, it is probably not feasible in many enterprise scenarios.
Ask the Expert:
Want to ask Nick Lewis a question about enterprise threats? Submit your question now via email. (All questions are anonymous.)