Remote Administration Trojans (RATs)
Remote Administration Trojans (RATs) are malicious pieces of code often embedded in legitimate programs through RAT-ification procedures. They are stealthily planted and help attackers gain access to victim machines through patches, games, e-mail attachments, or even legitimate-looking binaries. Once installed, RATs perform unexpected or outright unauthorized operations and use an array of techniques to hide their traces, remain invisible, and stay on victim systems for the long haul. For instance, RAT-ified versions of the UNIX ps and Windows taskmgr.exe programs keep RATs from appearing in the list of active processes; moreover, by modifying system configuration including boot scripts and the Registry database, RAT binaries often survive system reboots or crashes. A typical RAT consists of a server component running on a victim machine and a client program acting as the interface between the server and the attacker. The client establishes communications with its corresponding server as soon as the IP address and port of the latter become available through feedback channels such as e-mail, instant messaging, and/or Web access. While interacting with a RAT server, an attacker can record keystrokes, intercept passwords, manipulate file systems, and usurp resources of victim systems. By continually changing their name, location, size, and behavior, or by employing encryption, port hopping, and message tunneling for their communications, RATs may elude detection by security protection systems such as firewalls, anti-virus systems (AVs), and intrusion detection/prevention systems (IDSs/IPSs).

∗Correspondence to: Zhongqiang Chen. Contract/grant sponsor: European Social Funds and National Resources Pythagoras Grant & Univ. of Athens Research Foundation; contract/grant number: -

Zhongqiang Chen, Peter Wei and Alex Delis
Once bound to legitimate programs, RATs in execution inherit the victim's privileges and wreak havoc; moreover, they launch attacks against other systems while posing as superusers. RATs provide an ideal mechanism for propagating malware including viruses, worms, backdoors, and spyware. The number of RATs has been steadily increasing from in to in, and their update rates are also impressive; Sub Seven alone delivered versions in alone. The number of RAT-infected machines is staggering: in % of security incidents in Korea were Trojan-inflicted, mostly by Back Orifice (BO), and in % of intrusions in Israel were due to NetBus and BO. Pest Patrol reports that roughly % of all incidents are attributed to RATs. Compromised machines are often used as springboards for distributed denial-of-service attacks, further exacerbating the problem. The best option for avoiding RATs is to verify every piece of software before installation against a priori known program signatures. This, however, becomes impractical as no comprehensive database of known program signatures is available and RATs are frequently delivered via multiple channels such as patches, attachments, file sharing, or simply Web-site access. The polymorphic nature and parasitic mechanisms of RATs make their identification a challenge even when we seek specific, known types of Trojans. Host- and network-based techniques have been widely employed by firewalls, AVs, and IDSs/IPSs to detect and block RATs. Static fingerprinting is the predominant host-based RAT detection method: unique facets of Trojans are extracted to establish a Trojan database that records file names, sizes, locations, checksums, and special byte patterns found in RATs. By periodically scanning every file in a system and matching its fingerprint against those in the established database, RATs can be revealed.
In addition, monitoring access to files in the startup folder, Registry entries, auto-start files, and configuration scripts of a system is another popular host-based technique that helps identify suspicious activities. Network-based methods follow a different philosophy: they examine both the status of and activity on TCP/UDP ports to determine any deviation from expected network usage. Abnormal behavior and/or malformed network messages can be detected by monitoring port access patterns and/or analyzing the protocol headers of packets exchanged among systems. Similar to host-based methods, unique RAT-manifested telltale patterns in network communications are exploited as signatures to distinguish malicious traffic. Clearly, the RAT detection accuracy of host- and network-based methods depends on the quality of the Trojan database and signatures used, and the latter can be easily obfuscated by attackers using an array of evasion techniques. In this paper, we propose a comprehensive framework for detecting and dealing with known RATs which employs network-based detection methods and operates in inline mode to inspect and manipulate every passing packet in real time. Our objective is to enhance the reliability and accuracy of the detection process in comparison with existing anti-Trojan options. To track suspicious RAT activities, our framework monitors network sessions established by both potential Trojans and normal applications, and records and maintains state information for their entire lifetime; furthermore, this information is archived even after a session has terminated in order to conduct stateful inspection, intra-session data fusion, and inter-session correlation.
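As an added illustration of the stateful, inter-session approach just described (example code written for this page, not the paper's framework), the tracker below keeps per-session state, archives sessions at teardown instead of forgetting them, and raises an alert when an outside host connects to a non-service port on an internal machine shortly after that machine contacted a feedback channel (e-mail, IM or Web). The internal address prefix, the feedback and service port sets, the time window, and all traffic are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

INTERNAL = "10."                       # assumed: victim-side address prefix
FEEDBACK_PORTS = {25, 80, 443, 5190}   # assumed: SMTP, HTTP, HTTPS, AIM as feedback channels
SERVICE_PORTS = {22, 25, 53, 80, 443}  # assumed: ports an internal host may legitimately serve
WINDOW = 300.0                         # seconds a feedback session stays relevant for correlation

@dataclass
class Session:
    src: str; sport: int; dst: str; dport: int; start: float
    end: Optional[float] = None        # set at teardown; the record is archived, not dropped

class Tracker:
    def __init__(self):
        self.active = {}    # (src, sport, dst, dport) -> Session
        self.archive = []   # terminated sessions, kept for inter-session correlation
        self.alerts = []    # (victim, victim_port, remote, feedback_ports)

    def packet(self, ts, src, sport, dst, dport, flags=""):
        # Either direction of a known session matches; an unknown tuple opens a session.
        key, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        s = self.active.get(key) or self.active.get(rev)
        if s is None:
            s = self.active[key] = Session(src, sport, dst, dport, ts)
            self._correlate(s)
        if "F" in flags or "R" in flags:  # stateful: archive on FIN/RST instead of forgetting
            s.end = ts
            self.archive.append(self.active.pop((s.src, s.sport, s.dst, s.dport)))

    def _correlate(self, s):
        # Inbound session from outside to a non-service port on an internal host, shortly after
        # that host contacted a feedback channel (active or archived session): the pattern of a
        # RAT client connecting to a server whose address and port it has just been told.
        if s.dst.startswith(INTERNAL) and not s.src.startswith(INTERNAL) and s.dport not in SERVICE_PORTS:
            fb = sorted({f.dport for f in list(self.active.values()) + self.archive
                         if f.src == s.dst and f.dport in FEEDBACK_PORTS and s.start - f.start <= WINDOW})
            if fb:
                self.alerts.append((s.dst, s.dport, s.src, fb))

def run_sample():
    t = Tracker()   # constructed traffic; every address and port below is made up
    t.packet(0.0, "10.0.0.5", 40001, "192.0.2.10", 25, "S")         # victim sends mail (feedback)
    t.packet(1.0, "10.0.0.5", 40001, "192.0.2.10", 25, "F")         # torn down, kept in archive
    t.packet(30.0, "10.0.0.5", 40002, "192.0.2.20", 443, "S")       # ordinary web session, still active
    t.packet(45.0, "198.51.100.7", 51234, "10.0.0.5", 45678, "S")   # outsider to an odd port: alert
    t.packet(46.0, "10.0.0.5", 45678, "198.51.100.7", 51234, "SA")  # reply matched via reversed tuple
    t.packet(50.0, "203.0.113.9", 5000, "10.0.0.5", 22, "S")        # inbound to a service port: no alert
    return t
```

Because the archived mail session still counts, the alert lists both feedback ports the victim used within the window; the later connection to a service port produces none.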