Catching Remote Administration Trojans (RATs)

Zhongqiang Chen, Peter Wei, Alex Delis

Research output: Contribution to journalArticlepeer-review

Abstract

A Remote Administration Trojan (RAT) allows an attacker to remotely control a computing system and typically consists of a server invisibly running and listening to specific TCP/UDP ports on a victim machine as well as a client acting as the interface between the server and the attacker. The accuracy of host and/or network-based methods often employed to identify RATs highly depends on the quality of Trojan signatures derived from static patterns appearing in RAT programs and/or their communications. Attackers may also obfuscate such patterns by having RATs use dynamic ports, encrypted messages, and even changing Trojan banners. In this paper, we propose a comprehensive framework termed RAT Catcher, which reliably detects and ultimately blocks RAT malicious activities even when Trojans use multiple evasion techniques. Employing network-based methods and functioning in inline mode to inspect passing packets in real time, our RAT Catcher collects and maintains status information for every connection and conducts session correlation to greatly improve detection accuracy. The RAT Catcher re-assembles packets in each data stream and dissects the resulting aggregation according to known Trojan communication protocols, further enhancing its traffic classification. By scanning not only protocol headers but also payloads, RAT Catcher is a truly application-layer inspector that performs a range of corrective actions on identified traffic including alerting, packet dropping, and connection termination. We show the effectiveness and efficiency of RAT Catcher with experimentation in both laboratory and real-world settings.

Original languageEnglish (US)
Pages (from-to)667-703
Number of pages37
JournalSoftware - Practice and Experience
Volume38
Issue number7
DOIs
StatePublished - Jun 2008

Keywords

  • Application-layer inspection
  • Remote administration trojans
  • Session and event correlation
  • Trojan detection accuracy

ASJC Scopus subject areas

  • Software

Fingerprint Dive into the research topics of 'Catching Remote Administration Trojans (RATs)'. Together they form a unique fingerprint.

Cite this