Deterring and exterminating RATs

There is no easy way to stop installation of back doors in software. Because the back door code is passive, just waiting to be activated, it does nothing in particular while its carrier program is installed. The rules for preventing infestation are the same for RATs as they are for other cybervermin; here's a short list that you can give your users that will also reduce damage from viruses, worms, spyware and scumware:

* To prevent known RATs from installing, use up-to-date antivirus software. Such tools include recognition lists for some of the RATs in circulation and treat them like any other malicious code.

* Don't install software that anyone else has sent you by e-mail or otherwise. Always go to the originating site rather than relying on code that may have been modified in transit.

* Don't "Hide file extensions for known file types" in Windows Explorer - you need to be able to see the complete name of every file.

* Delete all unsolicited _executable_ attachments that you receive via e-mail, even if you know the sender.

* Reject executable archives (e.g., a self-extracting .EXE file created with WinZIP and similar tools) and request retransmission using nonexecutable formats such as a simple .ZIP data file.

* Don't open e-mail attachments, no matter how attractive the description, unless you personally know that the sender wrote or otherwise created them and unless you have explicitly agreed in advance to receive such a file. Call the sender up by phone rather than using the e-mail address reported in the suspicious package. Validate the message's digital signature block, if there is one.

* Don't install software yourself; consult your technical support service for authorized software installation.
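As an added illustration (not code from the original column), here is a small Python attachment-triage routine that applies the rules above: it rejects executables whether the name says so (including a second extension that "hide extensions" would conceal) or the content does (self-extracting archives start like any other Windows program), and it accepts plain .ZIP data files after checking their members. The extension list is an assumed policy and the sample attachments are constructed.

```python
import io
import zipfile
from dataclasses import dataclass

# Extensions Windows executes directly. Assumed policy list; extend to taste.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "msi", "hta"}


@dataclass(frozen=True)
class Verdict:
    accept: bool
    reason: str


def triage(filename: str, data: bytes) -> Verdict:
    """Apply the list above: reject executables whether the name or the
    content says so (self-extracting archives included); accept plain ZIP."""
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        # With "hide extensions" on, "invoice.pdf.exe" displays as "invoice.pdf".
        how = "double extension hides it" if len(exts) > 1 else "executable extension"
        return Verdict(False, f"executable attachment ({how})")
    if data[:2] == b"MZ":
        # Every Windows PE image starts with "MZ". A self-extracting archive is
        # a PE with a payload appended, so renaming it .zip changes nothing.
        return Verdict(False, f"executable content despite name '{filename}'")
    if data[:4] == b"PK\x03\x04":
        # Plain ZIP data is a container, not a program, but its members count.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = [n for n in zf.namelist()
                   if n.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTS]
        if bad:
            return Verdict(False, "archive contains executables: " + ", ".join(bad))
        return Verdict(True, "plain ZIP data file")
    return Verdict(True, "non-executable attachment")


def build_zip(members: dict[str, bytes]) -> bytes:
    """Constructed sample data: an in-memory ZIP holding the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":  # constructed attachments, not real files
    for name, blob in {"invoice.pdf.exe": b"MZ\x90\x00",
                       "tools.zip": build_zip({"setup.exe": b"MZ\x90\x00"})}.items():
        print(name, triage(name, blob))
```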

If your corporate policy authorizes it, you can add a word about nonantivirus scanners that identify and remove RATs:

* Scan your PC regularly with updated anti-RAT tools and remove RATs and other malicious software.

For more advanced users who are allowed to install software themselves and who will understand suggestions about using firewalls:

* Download software only from reputable sites, not from warez and other hacker-oriented sites.

* Read the end-user license agreement carefully for all software.

* Don't install stolen software of any kind.

* Enable your PC's personal firewall or another firewall (e.g., ZoneAlarm) to detect attempts to initiate outbound connections.

* In general, if your firewall signals that a product that should not be using the Internet is in fact trying to do so, block the communication until you find out more.

* Before approving such unexpected connections, be sure that you know which program's component is attempting to communicate and find out with whom; if available, follow the reverse IP lookup to identify where a communication is supposed to go and to judge whether you want to approve it.

Finally, as system and network administrators, be sure you close the most obvious back doors: canonical passwords. Any device, software, user ID or account that uses the original, out-of-the-box standard access code is a back door waiting to be opened by a technically savvy attacker.

For example, door locks that use numerical buttons or keypads often come with a default code. Change it before you use the lock.

Databases, voice-mail systems, operating systems - all of them can be installed with standard passwords that are known to thousands or even millions of other people. Change them before you put them into production.

For an extensive list of antimalware programs (not antivirus tools), see the section of a white paper by my friends at PestPatrol in which they report their study of such tools, "A Comparison of Pest Detecting Tools," at:

I have known some of the principals at PestPatrol for over a decade and have recently been paid to write a white paper for them; however, I have no financial interest in their company or products. My references to PestPatrol should not be construed as an endorsement of its products.
