How To Simply and Effectively Deal With Remote Access Trojans

We often write about malware here at MakeUseOf. One of the most perniciously evil types of malware is the “Remote Access Trojan”, or RAT. What separates them from the rest of the malware pack is that once installed, they allow an attacker to remotely control the infected computer from anywhere in the world. This week, Matthew Hughes explains what to do when you’ve been infected with one:

A Reader Writes:

For the past month my computer has been acting strangely. From what I’ve read, I’m pretty sure it’s been infected with a Remote Access Trojan. Obviously, I’m really concerned.

Can you tell me how to remove them, and how I can avoid getting infected in the future?

Matthew’s Reply:

Ouch. Remote Access Trojans are nasty, simply because they allow an attacker to do just that – remotely access your machine from anywhere in the world.

Getting infected with a RAT is just like getting infected with any other piece of malware. The user either downloads the malware by accident, or a vulnerability in an already-installed piece of software allows the attacker to launch a drive-by download. This means the malware can be installed without the user even knowing.

So far, so familiar. But what makes RATs different is what they allow the attacker to do.

A RAT can allow an attacker to watch your screen as you browse the Internet, and take control of your keyboard and mouse. They can launch (and close) applications as they see fit, and download additional malware. They can even open and shut your DVD drive, and surveil you through your own microphone and webcam.

Although they’re perhaps one of the lesser-known, and more exotic forms of malware, they’ve been around for a really long time. One of the oldest is Sub7 (or SubSeven), which was first released in the late 90s, and even allowed an attacker to “talk” to the victim through Microsoft’s Text-To-Speech program.

(For the sake of accuracy it’s worth noting that while Sub7 is often – and most notoriously – weaponized as a hacking tool, it can also be legitimately used as a remote administration tool.)

The driving motivations behind why people use RATs range from the financial, to the voyeuristic. They’re as sinister as they sound, but they’re easy to defeat when you know how.

Knowing When You’re Infected

So, how do you know when you’ve been infected? Well, a good clue is when your computer is acting strangely.

Does your keyboard or mouse act as though it has a mind of its own? Are words showing up on your screen without you typing them? Is your trackpad or mouse moving on its own accord? In many cases, this could simply be due to those peripherals being damaged. But if it looks deliberate, it could also be the result of a RAT.

RAT programs often allow the attacker to use the infected computer’s webcam to capture photos and video of the user. Most webcams have an LED “On” light that indicates when the peripheral is being used. If your webcam is spontaneously – or persistently – turned on, you might have cause for concern. Finally, run a scan of your anti-malware program. If it’s fully up-to-date, odds are good it’ll be able to identify and quarantine the infection.

Regardless of the operating system you use, you absolutely should have anti-malware software installed. There are lots of dependable options for Windows users and OS X aficionados. Linux has a number of really great options, too.

Let’s move on. What can you do if you are infected?

Turn Off the Internet

The first step is, obviously, to disconnect your computer from the Internet.

Turning off the Wi-Fi or unplugging the Ethernet cord is the most immediate and effective way to wrest control of your computer back. It’s the only way you can guarantee they won’t be able to surveil you, or take control of your machine. The moment you disconnect your PC you disempower the attacker. It also means the attacker can’t interfere with your attempt to remove the RAT.

Of course, this comes with some pretty key disadvantages – namely you’ll struggle to update any anti-malware definitions if you haven’t already.

Fire Up Your Anti-Malware Software

If you’re sensible, you’ve likely already got some anti-malware already installed and updated. Now it’s just a matter of running it, and hoping that it catches whatever’s installed.

If you’re running old definitions, you’re going to need to install updates through another medium. The easiest way is through a USB stick. Most of the major anti-malware packages allow offline updates this way, including Avast, Malwarebytes, Panda, and BitDefender.

Alternatively, you can cleanse your system from a special Linux anti-malware Live CD, or through a portable app. One of the best free examples of the latter is ClamWin.

Wipe Your System

One of the biggest problems with RAT malware is that it gives the attacker complete control of your system. If they want, they can easily install additional malware. There’s also the risk that your chosen anti-malware won’t recognize the RAT on your system. With that in mind, you might be tempted to just wipe your machine and start afresh.

If you’re on Windows 10, that’s pretty simple. Just press Start > Settings > Update & Security > Recovery > Reset This PC.

Alternatively, you could revert from an earlier system restore point, or reinstall your OS from the original install media.

Prevention is Better Than the Cure

The most effective way to deal with RATs is to not get infected in the first place. I know, it’s easier said than done, but by adopting a few strategies, you drastically improve your odds.

Firstly, ensure you’re running an operating system (OS) that’s fully patched and updated, and continues to receive updates. Make sure all your installed software is similarly current. This includes things like browsers, Flash, Java, Office, and Adobe Reader.

You should also consider installing Faronics Deep Freeze, which can be bought for around $40 online, although it is marketed more to enterprises than to individuals. This takes a snapshot of your computer and reverts to it every time the machine is restarted. That means that even if you get infected with a RAT, you need only power cycle to get rid of it. There are a number of free and paid alternatives, too.


  1. Mumu
    May 14, 2019 at 7:58 am

    None of these “methods” will actually help. Applied to a case of RAT infestation these methods are completely useless and will only result in losing a lot of time and nerves.

    Crucial part of the infestation process is creation of a bunch of Virtual Disk Images, a few of which contain a system rebuild template, complete with all necessary files and controlled externally by a remote user, or internally by a bot (when network unavailable).
    Volumes have custom permissions set as read only and are inaccessible for admin or even “root user”, as the real root is the remote user/bot.
    System integrity protection doesn’t apply to these volumes, as they have custom root permissions and have all required certificates. So, even with the SIP disabled, access to Remote Volume will be denied.
    Another one of the images is a wrapper containing a base version copy of the installed operating system, with an altered system files map enforcing custom system preferences and permissions.
    It forces the machine to boot OS from this volume instead of the OS which was originally installed by the user, on a selected boot drive.
    It also contains a custom built copy of system recovery mode, which overrides the default system recovery mode on the boot drive and uses an altered version of the installer to copy all malicious content back again.
    It starts rebuilding the database as soon as any of the files go missing by being deleted or renamed.
    It also immediately starts enforcing aggressive defense tactics, changing user passwords, blocking access to file search, controlling power management, etc.

    Sorry, formatting your drives will not help.

    RAT easily takes over any anti-virus / anti-malware installed, so this kind of software is not very useful at all. I need to read on this some more, but having super user control over machine, it somehow integrates with anti-virus software, fooling it that there are no issues present.
    I tested it on multiple programs including Intego, BitDefender, Norton, Sophos, Avast, Malwarebytes and a few others; none of them detect anything unusual, with the system being totally infected.

    Sorry, anti-virus, anti-malware - not in this case.

    Turning WiFi off helps, as there is no remote access from outside anymore, but there still is a bot with super user permissions, “sitting” inside the machine acting as an admin.
    With this bot having control of all the machine’s preferences and, what’s more important, controlling all the passwords and certificates, it is impossible to just delete it, as after the first try the bot will attempt to change the user password, succeeding most of the time, locking the user out.

    So no, WiFi strategy is not very useful either.

  2. Stijn Velleman
    January 6, 2018 at 11:59 pm

    I have accidentally taken someone's photos from his server. (Due to the lack of knowledge; now I understand what I did wrong.) How do I know who I have to contact?

  3. Stijn Velleman
    January 6, 2018 at 11:56 pm

    How do I know who I have to contact if I have a problem because I accidentally took somebody's pictures from their server (my fault by doing something I didn't know anything about; now I understand that I was indeed making a big mistake by exercising on a public domain)

  4. anon
    December 30, 2015 at 11:08 am

    God, that was hard to sit through. I've given you guys the benefit of the doubt but this has to be my last article I read by this website. I could literally hear even the boredom in your tone, it's the same shallow material that's been written already, and I'm pretty sure I've got some kind of adware virus after visiting this advertisement-riddled site. Hopefully writing isn't your day job, maybe I'll check back in a year.