
njRAT: How can .NET malware be detected and mitigated?

A Trojan called njRAT has emerged that is written in .NET rather than the traditional C/C++. Expert Nick Lewis explains how to detect and avoid the threat.

A remote access Trojan variant called "njRAT" has re-emerged, and it's written in .NET 4.0 rather than C/C++. How does this help malware evade detection? Are there any controls that should be implemented to detect malware written in different code like .NET?

Most malware is developed to require a minimal set of dependencies in order to have the highest probability of executing successfully: the malware author doesn't know whether an external dependency, which could be a software library or even the Java JRE, is present on the target system. Malware authors have traditionally avoided including external dependencies, both to keep the malware small and to avoid making changes on the target system that might increase its chances of being detected.

Despite this, malware authors are starting to adopt different external dependencies. Macro viruses are one type of malware that won't operate without the macro environment installed. This brings us to njRAT: malware written in .NET is similar to a macro virus in that it won't run without the .NET runtime installed on the endpoint. Fortunately for malware authors -- and unfortunately for enterprises -- .NET offers many software development benefits, so it is widely installed across enterprise networks.
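Because a .NET program is a managed PE file, the runtime dependency the article describes is visible in the file itself: a managed assembly carries a CLR header, referenced by data directory 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) of the PE optional header. The following added example, which is not code from the article or from any tool it mentions, parses just enough of a PE image to tell managed from native executables so that .NET binaries in unexpected places (user profiles, temp folders) can be singled out for closer inspection. The PE images it checks are constructed in-line for the demonstration; they are header-only stubs, not runnable programs.

```python
import struct
from pathlib import Path

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero only for managed (.NET) images


def pe_summary(data: bytes) -> dict:
    """Parse the PE headers far enough to read the CLR data directory entry.

    Raises ValueError (or struct.error on a truncated buffer) when the bytes are
    not a well-formed PE image.
    """
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                          # IMAGE_FILE_HEADER (20 bytes)
    machine, _nsec, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                              # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        ndirs_off, dirs_off = 92, 96                             # PE32 layout
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = 108, 112                           # PE32+ (64-bit) layout
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)
    clr_rva = clr_size = 0
    # Only read directory 14 if the header actually declares that many entries.
    if ndirs > CLR_DIRECTORY_INDEX and opt_size >= dirs_off + 8 * (CLR_DIRECTORY_INDEX + 1):
        clr_rva, clr_size = struct.unpack_from("<II", data, opt + dirs_off + 8 * CLR_DIRECTORY_INDEX)
    return {
        "machine": machine,
        "magic": magic,
        "clr_rva": clr_rva,
        "clr_size": clr_size,
        "is_managed": clr_rva != 0 and clr_size != 0,
    }


def is_dotnet_assembly(data: bytes) -> bool:
    """True only for a well-formed PE image whose CLR directory entry is populated."""
    try:
        return pe_summary(data)["is_managed"]
    except (ValueError, struct.error):
        return False


def scan_paths(paths) -> list:
    """Return the paths of managed executables; only the first 4 KiB of each file is read."""
    managed = []
    for p in map(Path, paths):
        with p.open("rb") as fh:
            if is_dotnet_assembly(fh.read(4096)):
                managed.append(str(p))
    return managed


def build_minimal_pe(managed: bool, pe32plus: bool = False) -> bytes:
    """Constructed test fixture: a header-only PE stub with or without a CLR directory entry."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    ndirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    opt_size = dirs_off + 16 * 8                                 # 16 data directories of 8 bytes
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, ndirs_off, 16)
    if managed:
        # Placeholder RVA/size for the CLR header; values are arbitrary for the stub.
        struct.pack_into("<II", opt, dirs_off + 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt)


if __name__ == "__main__":
    for label, image in (("managed PE32", build_minimal_pe(True)),
                         ("native PE32", build_minimal_pe(False)),
                         ("managed PE32+", build_minimal_pe(True, pe32plus=True))):
        print(label, pe_summary(image))
```

The check is a triage signal, not a verdict: a managed binary is only interesting when its location, signer or parent process is unusual, and the result should be fed to whatever inventory or EDR process already exists rather than acted on alone.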

Tools like Detekt can be used to identify njRAT, alongside standard antimalware tools, with one caveat: malware used by state-sponsored attackers does not necessarily appear in standard antimalware definitions. However, many antimalware providers have stated that they do not ignore particular malware at the request of state-sponsored attackers.

Analyzing network connections for anomalous traffic could also identify potentially compromised endpoints that warrant further investigation.
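One concrete form of that analysis is looking for machine-like regularity: a remote access Trojan typically polls its controller on a fixed schedule, which shows up as a stream of connections from one endpoint to one external host with nearly identical gaps between them, regardless of the port used. The example below is added here and is not from the article; it runs that heuristic over a small, constructed set of flow-export style log lines (timestamp, source, destination, port, bytes) and reports flows whose inter-connection jitter is low, together with how many internal hosts talk to the same destination, since a destination contacted by only one host is more suspicious than one the whole subnet uses. The thresholds are assumptions to be tuned per environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime

MIN_CONNECTIONS = 5       # below this, interval statistics say nothing useful
MAX_JITTER_RATIO = 0.2    # pstdev/mean of the gaps between connections; low means scheduled

# Constructed sample log (not real traffic). Format: "timestamp src_ip dst_ip dst_port bytes".
# 10.0.0.5 polls 203.0.113.7 every 30 s; 10.0.0.9 polls 198.51.100.20 roughly once a minute
# with some jitter; 10.0.0.8 talks to 198.51.100.20 at irregular, human-like intervals.
SAMPLE_LOG = """\
2015-09-01T10:00:00 10.0.0.5 203.0.113.7 443 312
2015-09-01T10:00:30 10.0.0.5 203.0.113.7 443 298
2015-09-01T10:01:00 10.0.0.5 203.0.113.7 443 305
2015-09-01T10:01:30 10.0.0.5 203.0.113.7 443 301
2015-09-01T10:02:00 10.0.0.5 203.0.113.7 443 310
2015-09-01T10:02:30 10.0.0.5 203.0.113.7 443 299
2015-09-01T10:00:40 10.0.0.5 198.51.100.20 443 4120
2015-09-01T10:00:05 10.0.0.8 198.51.100.20 443 8810
2015-09-01T10:00:07 10.0.0.8 198.51.100.20 443 1290
2015-09-01T10:01:40 10.0.0.8 198.51.100.20 443 22040
2015-09-01T10:02:10 10.0.0.8 198.51.100.20 443 770
2015-09-01T10:02:11 10.0.0.8 198.51.100.20 443 15300
2015-09-01T10:05:00 10.0.0.8 198.51.100.20 443 3390
2015-09-01T10:00:00 10.0.0.9 198.51.100.20 443 410
2015-09-01T10:01:02 10.0.0.9 198.51.100.20 443 402
2015-09-01T10:01:58 10.0.0.9 198.51.100.20 443 415
2015-09-01T10:03:05 10.0.0.9 198.51.100.20 443 408
2015-09-01T10:04:00 10.0.0.9 198.51.100.20 443 411
"""


def parse_log(text: str) -> list:
    """Parse the simple whitespace-separated format above into tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return events


def detect_beacons(text: str, min_connections: int = MIN_CONNECTIONS,
                   max_jitter_ratio: float = MAX_JITTER_RATIO) -> list:
    """Return flows whose connection timing is regular enough to look scheduled."""
    flows = defaultdict(list)           # (src, dst, port) -> list of timestamps
    sources_per_dst = defaultdict(set)  # dst -> set of internal hosts contacting it
    for ts, src, dst, port, _ in parse_log(text):
        flows[(src, dst, port)].append(ts)
        sources_per_dst[dst].add(src)

    findings = []
    for (src, dst, port), times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue                    # duplicate timestamps; nothing to measure
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter_ratio:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(times),
                "mean_interval_s": round(mean_gap, 1),
                "jitter_ratio": round(jitter, 3),
                "hosts_talking_to_dst": len(sources_per_dst[dst]),
            })
    # Most regular first; ties broken by volume of connections.
    return sorted(findings, key=lambda f: (f["jitter_ratio"], -f["connections"]))


if __name__ == "__main__":
    for finding in detect_beacons(SAMPLE_LOG):
        print(finding)
```

Run on real exports, the same function needs a longer window (hours, not minutes) and an allow-list for known pollers such as update services and mail clients, which are also highly regular; the prevalence count is what separates a corporate update server contacted by every host from an external address contacted by one.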

The standard steps to secure an endpoint -- such as patch management, configuration management and least privilege -- are necessary to prevent malware infections. And while not installing the .NET runtime would make it harder for njRAT to attack a system, that is probably not feasible in many enterprise scenarios.


This was last published in September 2015
