What is Remote Access Trojan? Prevention, Detection & Removal
Remote Access Trojans (RATs) have always proved to be a big risk, whether used to hijack a computer or just to play a prank on a friend. A RAT is malicious software that lets its operator attack a computer and gain unauthorized remote access to it. RATs have been around for years, and they persist because detecting some of them is a difficult task even for modern antivirus software.
In this post, we will see what a Remote Access Trojan is and discuss the detection and removal techniques available. It also briefly explains some of the common RATs, such as CyberGate, DarkComet, Optix, Shark, Havex, ComRat, VorteX Rat, Sakula and KjW0rm.
What are Remote Access Trojans
Most Remote Access Trojans are downloaded through malicious emails, unauthorized programs and web links that take you nowhere. RATs are not as simple as keylogger programs; they provide the attacker with many capabilities, such as:
- Keylogging: Your keystrokes can be monitored, and usernames, passwords and other sensitive information recovered from them.
- Screen Capture: Screenshots can be taken to see what is going on on your computer.
- Hardware Media Capture: RATs can access your webcam and microphone to record you and your surroundings, completely violating your privacy.
- Administration Rights: The attacker may change any setting, modify registry values and do much more to your computer without your permission. A RAT can provide administrator-level privileges to the attacker.
- Overclocking: The attacker may increase processor speeds; overclocking the system can damage hardware components and eventually burn them out.
- Other system-specific capabilities: The attacker can access anything on your computer: your files, passwords, chats and more.
How do Remote Access Trojans work
Remote Access Trojans come in a server-client configuration: the server is covertly installed on the victim PC, and the client is used by the operator to access the victim PC through a GUI or a command interface. A connection between server and client is opened on a specific port, and communication between the two can be encrypted or in plain text. If the network and the packets sent and received are monitored properly, RATs can be identified and removed.
RAT attack Prevention
RATs make their way onto computers through spam emails, maliciously programmed software, or packed as part of some other software or application. You must always have a good antivirus program installed on your computer that can detect and eliminate RATs. Detecting RATs is quite difficult, as they are installed under a random name that may look like any other common application, so you need a really good antivirus program for that.
Monitoring your network can also be a good way to detect any Trojan sending your personal data over the internet.
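The server-client model above has a network signature a defender can look for: the implanted server checks in with the operator's client on a fixed port at regular intervals. The following added example (not code from the original post) scans a constructed connection log and flags process/destination pairs whose connection intervals are nearly constant; the log format, the `beaconing` thresholds and the sample addresses are all assumptions made for the illustration.

```python
"""Flag RAT-style beaconing in outbound connection logs (constructed sample data)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample outbound connection log, one flow per line:
# timestamp  process  destination:port  bytes_out  (addresses are documentation ranges)
SAMPLE_LOG = """\
2024-05-01T10:00:00 chrome.exe 198.51.100.20:443 5120
2024-05-01T10:00:05 svchost.exe 203.0.113.9:4444 312
2024-05-01T10:00:35 svchost.exe 203.0.113.9:4444 298
2024-05-01T10:01:05 svchost.exe 203.0.113.9:4444 305
2024-05-01T10:01:35 svchost.exe 203.0.113.9:4444 301
2024-05-01T10:02:05 svchost.exe 203.0.113.9:4444 310
2024-05-01T10:00:47 chrome.exe 198.51.100.20:443 8801
2024-05-01T10:03:12 chrome.exe 198.51.100.20:443 2200
2024-05-01T10:03:20 chrome.exe 198.51.100.20:443 1170
"""

def parse_log(text):
    """Return a list of (datetime, process, dst_ip, dst_port, bytes_out) tuples."""
    flows = []
    for line in text.splitlines():
        ts, proc, dst, nbytes = line.split()
        ip, port = dst.rsplit(":", 1)
        flows.append((datetime.fromisoformat(ts), proc, ip, int(port), int(nbytes)))
    return flows

def find_beacons(flows, min_connections=4, max_jitter=0.2):
    """Group flows by (process, dst_ip, dst_port) and flag groups whose
    inter-connection gaps are nearly constant (coefficient of variation
    <= max_jitter), the periodic check-in of a RAT server to its client.
    Returns {(process, dst_ip, dst_port): mean_gap_seconds}."""
    groups = defaultdict(list)
    for ts, proc, ip, port, _ in flows:
        groups[(proc, ip, port)].append(ts)
    beacons = {}
    for key, times in groups.items():
        if len(times) < min_connections:   # too few samples to judge periodicity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = mean
    return beacons

if __name__ == "__main__":
    for (proc, ip, port), gap in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {proc} -> {ip}:{port} every {gap:.0f}s")
```

Regular browsing to the same host is not flagged because its gaps are irregular; a real deployment would feed this from firewall or EDR connection logs rather than the embedded sample.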
If you don’t use Remote Administration Tools, disable Remote Assistance connections to your computer. You will find the setting under System Properties > Remote tab; uncheck the Allow Remote Assistance connections to this computer option.
Keep your operating system, installed software and particularly your security programs updated at all times. Also, try not to click on emails you don’t trust or that come from an unknown source. Do not download any software from sources other than its official website or a mirror.
After the RAT attack
Once you know you’ve been attacked, the first step is to disconnect your system from the Internet and the network, if connected. Using another, clean computer, change all your passwords and other sensitive credentials and check whether any of your accounts has been compromised. Check your bank accounts for any fraudulent transactions and immediately inform your bank about the Trojan on your computer. Then scan the computer for issues and seek professional help to remove the RAT. Consider closing Port 80. Use a firewall port scanner to check all your ports.
You can even try to trace back who was behind the attack, but you’ll need professional help for that. RATs can usually be removed once they are detected, or you can do a fresh installation of Windows to remove them completely.
Common Remote Access Trojans
Many Remote Access Trojans are currently active and infecting millions of devices. The most notorious ones are discussed here:
- Sub7: ‘Sub7’, whose name derives from spelling NetBus (an older RAT) backwards, is a free remote administration tool that lets you control the host PC. The tool has been categorized as a Trojan by security experts, and it can be risky to have it on your computer.
- Back Orifice: Back Orifice and its successor Back Orifice 2000 are free tools originally meant for remote administration, but it did not take long for the tool to be turned into a Remote Access Trojan. There has been controversy over whether this tool is a Trojan, but the developers maintain that it is a legitimate tool providing remote administration access. The program is now identified as malware by most antivirus programs.
- DarkComet: A very extensible remote administration tool with many features that could be used for spying. The tool also has links with the Syrian Civil War, where the government is reported to have used it to spy on civilians. The tool has been misused a lot, and the developers have stopped its further development.
- sharK: An advanced remote administration tool, not meant for beginners or amateur hackers. It is said to be a tool for security professionals and advanced users.
- Havex: This Trojan has been used extensively against the industrial sector. It collects information, including the presence of any Industrial Control System, and then passes that information on to remote websites.
- Sakula: A remote access Trojan that comes bundled in an installer of your choice. It appears to be installing some tool on your computer but installs the malware along with it.
- KjW0rm: This Trojan comes packed with many capabilities and is already flagged as a threat by many antivirus tools.
These Remote Access Trojans have helped many hackers compromise millions of computers. Protection against these tools is a must, and a good security program together with an alert user is all it takes to prevent these Trojans from compromising your computer.
This post was meant to be an informative article about RATs and does not in any way promote their usage. In any case, there may be laws about the usage of such tools in your country.
Read more about Remote Administration Tools here.