We often write about malware here at MakeUseOf. One of the most perniciously evil types of malware is the “Remote Access Trojan”, or RAT. What separates them from the rest of the malware pack is that once installed, they allow an attacker to remotely control the infected computer from anywhere in the world. This week, Matthew Hughes explains what to do when you’ve been infected with one:
A Reader Writes:
For the past month my computer has been acting strangely. From what I’ve read, I’m pretty sure it’s been infected with a Remote Access Trojan. Obviously, I’m really concerned.
Can you tell me how to remove them, and how I can avoid getting infected in the future?
Ouch. Remote Access Trojans are nasty, simply because they allow an attacker to do just that – remotely access your machine from anywhere in the world.
Getting infected with a RAT is just like getting infected with any other piece of malware. The user either downloads the malware by accident, or a vulnerability in an already-installed piece of software allows the attacker to launch a drive-by download. This means the malware can be installed without the user even knowing.
So far, so familiar. But what makes RATs different is what they allow the attacker to do.
A RAT Trojan can allow an attacker watch your screen as you browse through the Internet, and take control of your keyboard and mouse. They can launch (and close) applications as they see fit, and download additional malware. They can even open-and-shut your DVD drive, and surveil you through your own microphone and webcam.
Although they’re perhaps one of the lesser-known, and more exotic forms of malware, they’ve been around for a really long time. One of the oldest is Sub7 (or SubSeven), which was first released in the late 90s, and even allowed an attacker to “talk” to the victim through Microsoft’s Text-To-Speech program.
(For the sake of accuracy it’s worth noting that while Sub7 is often – and most notoroiusly – weaponized as a hacking tool, it can also be legitimately used as a remote administration tool.)
The driving motivations behind why people use RATs range from the financial, to the voyeuristic. They’re as sinister as they sound, but they’re easy to defeat when you know how.
Knowing When You’re Infected
So, how do you know when you’ve been infected? Well, a good clue is when your computer is acting strangely.
Does your keyboard or mouse act as though it has a mind of its own? Are words showing up on your screen without you typing them? Is your trackpad or mouse moving on its own accord? In many cases, this could simply be due to those peripherals being damaged. But if it looks deliberate, it could also be the result of a RAT.
RAT programs often allow the attacker to use the infected computer’s webcam to capture photos and video of the user. Most webcams have an LED “On” light that indicates when the peripheral is being used. If your webcam is spontaneously – or persistently – turned on, you might have cause for concern. Finally, run a scan of your anti-malware program. If it’s fully up-to-date, odds are good it’ll be able to identify and quarantine the infection.
Regardless of the operating system you use, you absolutely should have anti-malware software installed. There are lots of dependable options for Windows users and OS X aficionados. Linux has a number of really great options, too.
Let’s move on. What can you do if you are infected?
Turn Off the Internet
The first step is, obviously, to disconnect your computer from the Internet.
Turning off the Wi-Fi or unplugging the Ethernet cord is the most immediate and effective way to wrest control of your computer back. It’s the only way you can guarantee they won’t be able to surveil you, or take control of your machine. The moment you disconnect your PC you dis-empower the attacker. It also means the attacker can’t interfere with your attempt to remove the RAT.
Of course, this comes with some pretty key disadvantages – namely you’ll struggle to update any anti-malware definitions if you haven’t already.
Fire Up Your Anti-Malware Software
If you’re sensible, you’ve likely already got some anti-malware already installed and updated. Now it’s just a matter of running it, and hoping that it catches whatever’s installed.
If you’re running old definitions, you’re going to need to install updates through another medium. The easiest way is through a USB stick. Most of the major anti-malware packages allow offline updates this way, including Avast, Malwarebyes, Panda, and BitDefender.
Wipe Your System
One of the biggest problems with RAT malware is that it gives the attacker complete control of your system. If they want, they can easily install additional malware. There’s also the risk that your chosen anti-malware won’t recognize the RAT on your system. With that in mind, you might be tempted to just wipe your machine and start afresh.
If you’re on Windows 10, that’s pretty simple. Just press Start > Settings > Update & Security > Recovery > Reset This PC.
Alternatively, you could revert from an earlier system restore point, or reinstall your OS from the original install media.
Prevention is Better Than the Cure
The most effective way to deal with RATs is to not get infected in the first place. I know, it’s easier said than done, but by adopting a few strategies, you drastically improve your odds.
Firstly, ensure you’re running an operating system (OS) that’s fully patched and updated, and continues to receive updates. Make sure all your installed software is similarly current. This includes things like browsers, Flash, Java, Office, and Adobe Reader.
You should also consider installing Faronics Deep Freeze, which can be bought for around $40 online, although is marketed more to enterprises more than individuals. This takes a snapshot of your computer and reverts to it every time the machine is restarted. That means that even if you get infected with a RAT, you need only power cycle to get rid of it. There are a number of free and paid alternatives, too.