How to smell a RAT - remote administration tools vs backdoor Trojans

Jakub Kaminski Computer Associates Pty Ltd
Hamish O'Dea Computer Associates Pty Ltd

One of the trends we have been observing for some time now is the blurring of divisional lines between different types of malware. Classifying a newly discovered `creature' as a virus, a worm, a Trojan or a security exploit becomes more difficult and anti-virus researchers spend a significant amount of their time discussing the proper classification of new viruses and Trojans.

However, the real problems start when the most important division line dissolves - the one between intentionally malicious programs and the legitimate clean programs.

Detecting an innocent package as a virus or a Trojan or dismissing a malicious program as a clean one might have very serious repercussions. A whole range of damage, from data loss and loss of reputation, to legal action might be at stake.

The best example of an area causing the anti-virus researchers problems is the Trojans.

Anyone responsible for malware analysis knows how true the saying is: ` A Trojan to one user is just a utility to another (and vice versa) .'

This statement is particularly applicable to one type of Trojan - the backdoors.

Depending on the point of view, very often, the same program may be perceived as a Remote Administration Tool (RAT) or as a Remote Access Trojan (RAT) allowing a potentially malicious user to remotely control the system.

The paper will explore and analyse the problem further. It will present the development of backdoors, their operating principles, implemented techniques and installation modes. This will include Windows as well as a few examples of Unix/Linux malware. The development of remote access utilities will also be presented, highlighting the similarities and differences between legitimate tools and backdoor Trojans.

The discussion will focus on fine details that make a particular program a backdoor Trojan. It will also try to prove that ` frequently what really matters is not what you do but how you do it `. Some questionable techniques implemented by writers of legitimate utilities will be described and the reasons why they could be triggering false alarms will be discussed.

Similarly a case when a Trojan backdoor has become a legitimate commercial product will be shown and discussed.

Also, it will be explained what producers of remote administration tools can do in order to help computer users and minimize some of the potential confusion and misunderstandings.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.