TY - JOUR
T1 - Catching Remote Administration Trojans (RATs)
AU - Chen, Zhongqiang
AU - Wei, Peter
AU - Delis, Alex
N1 - Copyright:
Copyright 2008 Elsevier B.V., All rights reserved.
PY - 2008/6
Y1 - 2008/6
N2 - A Remote Administration Trojan (RAT) allows an attacker to remotely control a computing system and typically consists of a server invisibly running and listening to specific TCP/UDP ports on a victim machine as well as a client acting as the interface between the server and the attacker. The accuracy of host and/or network-based methods often employed to identify RATs highly depends on the quality of Trojan signatures derived from static patterns appearing in RAT programs and/or their communications. Attackers may also obfuscate such patterns by having RATs use dynamic ports, encrypted messages, and even changing Trojan banners. In this paper, we propose a comprehensive framework termed RAT Catcher, which reliably detects and ultimately blocks RAT malicious activities even when Trojans use multiple evasion techniques. Employing network-based methods and functioning in inline mode to inspect passing packets in real time, our RAT Catcher collects and maintains status information for every connection and conducts session correlation to greatly improve detection accuracy. The RAT Catcher re-assembles packets in each data stream and dissects the resulting aggregation according to known Trojan communication protocols, further enhancing its traffic classification. By scanning not only protocol headers but also payloads, RAT Catcher is a truly application-layer inspector that performs a range of corrective actions on identified traffic including alerting, packet dropping, and connection termination. We show the effectiveness and efficiency of RAT Catcher with experimentation in both laboratory and real-world settings.
AB - A Remote Administration Trojan (RAT) allows an attacker to remotely control a computing system and typically consists of a server invisibly running and listening to specific TCP/UDP ports on a victim machine as well as a client acting as the interface between the server and the attacker. The accuracy of host and/or network-based methods often employed to identify RATs highly depends on the quality of Trojan signatures derived from static patterns appearing in RAT programs and/or their communications. Attackers may also obfuscate such patterns by having RATs use dynamic ports, encrypted messages, and even changing Trojan banners. In this paper, we propose a comprehensive framework termed RAT Catcher, which reliably detects and ultimately blocks RAT malicious activities even when Trojans use multiple evasion techniques. Employing network-based methods and functioning in inline mode to inspect passing packets in real time, our RAT Catcher collects and maintains status information for every connection and conducts session correlation to greatly improve detection accuracy. The RAT Catcher re-assembles packets in each data stream and dissects the resulting aggregation according to known Trojan communication protocols, further enhancing its traffic classification. By scanning not only protocol headers but also payloads, RAT Catcher is a truly application-layer inspector that performs a range of corrective actions on identified traffic including alerting, packet dropping, and connection termination. We show the effectiveness and efficiency of RAT Catcher with experimentation in both laboratory and real-world settings.
KW - Application-layer inspection
KW - Remote administration trojans
KW - Session and event correlation
KW - Trojan detection accuracy
UR - http://www.scopus.com/inward/record.url?scp=43949141223&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=43949141223&partnerID=8YFLogxK
U2 - 10.1002/spe.837
DO - 10.1002/spe.837
M3 - Article
AN - SCOPUS:43949141223
SN - 0038-0644
VL - 38
SP - 667
EP - 703
JO - Software - Practice and Experience
JF - Software - Practice and Experience
IS - 7
ER -