How to Kill a RAT: Remote Access Trojan removal and security info
It does not take much skill to become a "hacker" these days. With the advent of remote access trojans, anyone, whatever their skill level, can quite easily take control of a remote computer and "hack" it. It's actually scary the kind of control that people can achieve using a remote access trojan. Most people do not realise the capabilities of some of these programs.
Most remote access trojans are made up of two parts, a client and a server. The client is similar to your boss at work or a headmaster at a school: the client gives the instructions and the server obeys the orders. The hacker uses the client part to control the computers that have been infected with the server part. Not all remote access trojans have clients as such, but they all have servers.
Other methods of controlling remote access trojan servers include:
IRC: the trojan servers can all be controlled from commands issued in an IRC channel. This method is common among the Distributed Denial of Service (DDoS) trojans.
Telnet: simple command-line trojans can be controlled using the Windows telnet client (if you do not know what telnet is, go to Start, then Run, type telnet.exe and hit Enter).
FTP: many trojans simply install an FTP server on the infected computer, allowing full read/write access; any computer that has a web browser or FTP client installed can connect to these computers and delete, upload, and download any data they want to.
Here are the features of just one trojan, called SubSeven; this is one of the more common trojans and is considered a threat:
App redirect
AIM, ICQ, MSN and Yahoo spy
Caps lock on/off
Change resolution
Change/view date and time
Change volume settings
Change Windows colours
Clipboard manager
Control mouse
Disable/enable Alt-Ctrl-Del
Disable/enable keys
File manager
Find files
Flip screen
FTP server
Get AIM password
Get cached passwords
Get home info
Get ICQ password
Get PC info
Get RAS passwords
Get screen saver password
Get screen shot
Hide/show clock
Hide/show desktop
Hide/show mouse cursor
Hide/show Start button
Hide/show task bar
ICQ takeover
Key logger
Log off, power off, reboot or shut down Windows
Monitor on/off
Network browser
Num lock on/off
Open/close CD-ROM
Packet sniffer
Play tic-tac-toe with server
Port redirect
Print manager
Process manager
Record from microphone
Registry manager
Scroll lock on/off
Send keys
Send message
Send to URL
Show matrix
Swap mouse buttons
Text-2-speech
View webcam
Window manager
You can see the list is long; I won't elaborate on each feature as most are self-explanatory, but if you become infected with a trojan like this, your computer is basically an open invitation for hackers.
Trojan hackers use a number of different techniques to find a victim; the most common way is to scan a range of IP numbers (the IP number is the individual address you are allocated by your ISP to allow your computer to communicate on the internet). The hacker can even use an infected computer to do the scanning for him/her; this way the trojan hacker will not take the blame, the victim will be blamed because the scan will look like it originated from that computer.
When a trojan hacker scans for infected computers, they use a simple method. Many freeware and shareware sites have port scanners available for download; these programs have many legitimate uses, but like many things in life they can also be used in a negative way. The hacker sets the program to ping (send a small amount of data as a test) a range of IP numbers, then sends a small data packet to a specific port. The port scanner program listens for replies from the computers; these replies tell the port scanning program that the remote computer has the specific port open that the hacker is looking for. When the hacker finds one that is open, he can connect with his trojan.
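The scan just described leaves a recognisable trace on the receiving side: one source address knocking on the same port across a run of neighbouring addresses within a few seconds, which is exactly what a firewall log records as blocked attempts. The script below, an added example written for this article and not code from the original page, reads such a log and flags sources that fit that pattern. The log format is a constructed, simplified one (timestamp, action, source IP, destination IP, destination port); real firewalls write their own formats, so the LINE_RE regular expression is the part to adapt. Port 1234 and all addresses in the sample are made up.

```python
"""Spot the trojan-scan pattern in a (simplified, constructed) firewall log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "YYYY-MM-DD HH:MM:SS ACTION SRC DST DPORT". Adapt for
# your own firewall's format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>ALLOW|DROP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<dport>\d{1,5})$"
)

# Constructed sample: 203.0.113.9 walks seven neighbouring addresses looking
# for one port within a few seconds (the scan pattern the article describes);
# 198.51.100.7 touches the same port three times over a quarter of an hour,
# which is not scan-like. Port 1234 is a made-up stand-in for a trojan port.
SAMPLE_LOG = """\
2001-03-04 21:15:01 DROP 203.0.113.9 192.0.2.10 1234
2001-03-04 21:15:01 DROP 203.0.113.9 192.0.2.11 1234
2001-03-04 21:15:02 DROP 203.0.113.9 192.0.2.12 1234
2001-03-04 21:15:02 DROP 203.0.113.9 192.0.2.13 1234
2001-03-04 21:15:03 DROP 203.0.113.9 192.0.2.14 1234
2001-03-04 21:15:03 DROP 203.0.113.9 192.0.2.15 1234
2001-03-04 21:15:04 DROP 203.0.113.9 192.0.2.16 1234
2001-03-04 21:16:40 DROP 198.51.100.7 192.0.2.10 1234
2001-03-04 21:20:00 DROP 198.51.100.7 192.0.2.11 1234
2001-03-04 21:30:00 DROP 198.51.100.7 192.0.2.12 1234
2001-03-04 21:31:00 ALLOW 198.51.100.7 192.0.2.10 80
this line is not in the expected format
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_scanners(lines, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: [(dport, hosts_probed), ...]} for every source whose blocked
    probes hit the same port on at least min_targets distinct hosts within any
    stretch of time no longer than `window`."""
    probes = defaultdict(list)          # (src, dport) -> [(ts, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP":
            continue                    # skip unparsable lines and allowed traffic
        probes[(rec["src"], rec["dport"])].append((rec["ts"], rec["dst"]))

    hits = defaultdict(list)
    for (src, dport), events in probes.items():
        events.sort()                   # time order, so a sliding window works
        best = 0
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1              # drop events that fell out of the window
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= min_targets:
            hits[src].append((dport, best))
    return dict(hits)


if __name__ == "__main__":
    for src, probed in find_scanners(SAMPLE_LOG.splitlines()).items():
        for dport, hosts in probed:
            print(f"{src} probed port {dport} on {hosts} hosts: looks like a trojan scan")
```

Only blocked (DROP) entries are counted, so a source that is allowed to connect to a service you actually run is not mistaken for a scanner, and the time window keeps slow, unrelated retries from adding up into a false alarm. Tune min_targets and window to the amount of background noise your own connection sees.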
Other ways for a trojan hacker to find an infected computer include:
IP notification: most remote access trojans have the ability to send an ICQ pager message to the hacker informing them that the victim has come online. The pager message will normally include the victim's IP number, the port that the trojan is running on and any password details needed to access the server.
IRC notification: many trojans have the ability to log into an IRC channel and advertise the details in a similar way to the ICQ pager messages.
CGI scripts: some trojans even have the ability to log the infected computer onto a web page, typically a guestbook, and the message left on the guestbook will include the time, date and the victim's IP number (plus any other relevant details).
Protecting your computer from remote access trojans
1) Always run a very good virus scanner. You don't need to shell out big bucks for one; you can find very good freeware ones on the internet. I suggest http://www.free-av.com. This product is very good and you cannot beat it as far as price is concerned.
2) Run a firewall at all times. Firewalls are not as hard to use as they look, and once you become accustomed to using one you will be a lot safer than before. You will be amazed at all the hack attempts a firewall will pick up; all these attempts you would have missed if you did not have one running.
3) Don't run anything you're not sure about. Even if your closest friend sends you an email with a nice file attached, don't run it unless you are really sure that it's safe. Scan it first with a virus scanner. Trojans will only be hidden in executables, but there are ways to make executables look like files that are safe. If you are unsure then do not open the file.
4) Never choose the option to save your passwords in your browser etc. Most trojans can read these passwords from your computer's cache, and it makes it a lot easier for a hacker to access your email accounts or even hack your website (if you have your website passwords saved).
5) Warn your children about the dangers of downloading or accepting files from others. You may know it's not safe, but when your son or daughter gets online while you're not looking they can pretty much wreck your PC in a few minutes! This is a bit of an exaggeration, but make sure everyone in the family knows the dangers, not just yourself.
6) Use a registry monitor. You can download a simple registry monitor here; this program will monitor the start-up locations in your registry, and when any new start-up value has been added you will be notified; you can choose to allow this registry entry to be created or to delete it.
Removing remote access trojans
Most trojans can be removed using the following formula:
1) Remove the start-up entry. Remote access trojans will always have some sort of registry or ini entry that will allow them to restart when the computer has rebooted.
2) Reboot, then delete the trojan server file. After removing the start-up entry, the server file cannot run on reboot, so you will find it can be deleted. If you try to delete the server before you reboot, your computer will display a message saying that Windows cannot delete this file as it is in use.
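The registry monitor recommended under protection tip 6 and step 1 of the removal formula both come down to the same job: know what is in the start-up locations, notice when something new appears, and take the entry out so the server cannot restart. The script below is an added example written for this article, not code from the page or from the monitor it links to. It snapshots the usual Run/RunOnce keys (an assumption: the article's own tool may watch other locations such as win.ini or the Startup folder), saves a baseline, reports anything new or changed on the next run, and offers to delete the entry. Reading and editing the registry needs Windows (the winreg module); the snapshot/diff logic is plain Python, so off Windows the script demonstrates itself on two constructed snapshots whose "winldr32.exe" entry is a made-up name, not a real indicator.

```python
"""Watch the registry start-up locations and help with removal step 1."""
import json
import os
import sys

# Locations watched. Assumption: the usual Run/RunOnce keys; the article's
# own tool may cover more (win.ini, the Startup folder, ...).
RUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# Constructed snapshots for the offline demo. The second has one new HKCU
# value; "winldr32.exe" is a made-up name, not a real indicator.
BASELINE = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SystemTray": r"C:\WINDOWS\SYSTEM\SysTray.Exe",
    },
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {},
}
CURRENT = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SystemTray": r"C:\WINDOWS\SYSTEM\SysTray.Exe",
    },
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "WinLoader": r"C:\WINDOWS\SYSTEM\winldr32.exe",
    },
}


def _hive(name):
    import winreg  # Windows only
    return {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[name]


def read_startup_entries():
    """Return {location: {value_name: command}} for every key in RUN_KEYS (Windows)."""
    import winreg
    snapshot = {}
    for hive_name, path in RUN_KEYS:
        entries = {}
        try:
            with winreg.OpenKey(_hive(hive_name), path) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:          # no more values under this key
                        break
                    entries[name] = str(data)
                    i += 1
        except FileNotFoundError:            # RunOnce is often absent
            pass
        snapshot[hive_name + "\\" + path] = entries
    return snapshot


def diff_snapshots(baseline, current):
    """Return {location: {name: command}} for values that are new since the
    baseline or whose command changed (a trojan may hijack an existing one)."""
    changed = {}
    for location, entries in current.items():
        base = baseline.get(location, {})
        new = {n: c for n, c in entries.items() if base.get(n) != c}
        if new:
            changed[location] = new
    return changed


def remove_startup_entry(location, name):
    """Removal step 1: delete the value so the server cannot restart on reboot.
    The file it points at is deleted after the reboot (step 2)."""
    import winreg
    hive_name, path = location.split("\\", 1)
    with winreg.OpenKey(_hive(hive_name), path, 0, winreg.KEY_SET_VALUE) as key:
        winreg.DeleteValue(key, name)


def report(changes):
    for location, entries in changes.items():
        for name, command in entries.items():
            print(f"NEW start-up entry in {location}: {name} = {command}")


if __name__ == "__main__":
    if sys.platform != "win32":
        print("Not on Windows: comparing the constructed snapshots instead")
        report(diff_snapshots(BASELINE, CURRENT))
        sys.exit(0)
    baseline_file = "startup_baseline.json"
    if "--baseline" in sys.argv or not os.path.exists(baseline_file):
        with open(baseline_file, "w") as f:
            json.dump(read_startup_entries(), f, indent=2)
        print(f"Baseline written to {baseline_file}; run again later to compare")
        sys.exit(0)
    with open(baseline_file) as f:
        changes = diff_snapshots(json.load(f), read_startup_entries())
    report(changes)
    for location, entries in changes.items():
        for name in entries:
            if input(f"Delete {name}? [y/N] ").strip().lower() == "y":
                remove_startup_entry(location, name)
                print("Removed. Reboot, then delete the file it pointed at.")
```

Take the baseline on a machine you trust (right after a clean install or a clean scan), because an entry that is already present when the baseline is written will never be reported. The diff also reports an existing name whose command has changed, which a plain "new value added" check would miss.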