- Does your mouse cursor move without your consent?
- DVD tray spontaneously open?
- Have you noticed aberrant behavior such as slow performance and obscure error messages that don’t resemble anything you’ve ever seen before?
If so, it’s possible that you have a Remote Access Trojan (RAT) living on your computer that is clandestinely providing remote access to a hacker.
RATs aren’t just for squalid homes and subway tracks anymore; in fact, they have recently reared their ugly heads in the news. Blackshades is a notorious RAT but there are many others.
Most RATs provide a veritable buffet of tools for voracious hackers to snoop around your system. For example, it’s not uncommon for RATs to come replete with:
- Keyloggers
- Webcam Hijackers
- Registry Modifiers
- Password Stealers
In my experience, downloading pirated software from peer-to-peer file sharing applications such as Bittorrent or from underground software distribution forums is the most common way to get infected. The unsuspecting victim thinks he’s downloading the full season of Game of Thrones, not realizing there’s a RAT lurking in the .RAR file.
Once the Trojan is executed, it opens a TCP port on the client machine, which allows the attacker to furtively send commands to the victim’s computer.
Finding RATs
The easiest way to make sure you’re not infected is to open a command prompt and use a tool named Netstat (the abridged form of Network Statistics) to see all the active and listening ports on your system.
In Windows 8, you can open a command prompt with Administrator rights (Windows Key + x + a) and type:
netstat -ab
The a after the dash tells Netstat to show all current connections and listening ports on your computer. The b option displays the executable (binary) that created each connection; in other words, the actual application name.
The netstat output above probably looks disorganized but there are actually four columns:
- Protocol
- Local Address
- Foreign Address
- State
Netstat will take several minutes to complete; when it finishes, pay close attention to the Local and Foreign Address columns and, amid the melee of connections, zero in on any IP addresses that seem suspicious.
How can you distinguish the unsavory connections from the good guys?
Looking for culprits
In my netstat results you’ll see an application name in brackets. For example, I’ve placed my cursor on [googledrivesync.exe], but there are others present here including [spoolsv.exe] and [Dropbox.exe].
If you see a process named something general like [process.exe] then your ears should perk up. It doesn’t mean you have a Trojan but it should give you pause.
Throw the process name in Google and see what results come back. If it seems deleterious, axe it with a good antivirus program, change your passwords and monitor your credit card statements.
Incidentally, you should definitely request a free credit report especially if you suspect the attacker made fraudulent charges against your card. I also suggest filing a complaint and immediately notifying your card issuer.
Important Ports
In addition to the process name, zero in on the Local and Foreign addresses. The local address is the IP address and port of the computer you executed the netstat command from; it’s your address, thus it’s aptly called local.
Conversely, the Foreign Address is the IP address and port of the computer connected to you. Most of the IP address and port combos you see here, known as sockets, are innocuous; however, if you’re infected with RATs the TCP or UDP ports will tell you for sure.
Each IPv4 address is a collection of four decimal numbers separated by dots. After the last number, there’s a colon and then another number. That number following the colon is the port.
In the screenshot above, you can see the local IP address following [googledrivesync.exe] is 10.255.77.167. The port is a little harder to see since my cursor is occluding part of it so I’ll just tell you that it’s 51025.
In the world of networking, ports are integral for communication. Without ports, it would be impossible to run multiple applications on a single computer. Ports allow one computer to have many networked programs such as Skype, Dropbox and Chrome all on a single network connection. The bad guys don’t connect using well-known or registered ports; on the contrary, they use non-standard ports that are known for being malicious.
So I would compare the port number against a list of malicious ports. If nothing comes back, toss it in Google and see what you can find.
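To make the column-reading and triage steps above concrete, here is an added Python example (not from the original post) that parses constructed netstat -ab output into the four columns plus the bracketed process name, then flags rows with a generic or unknown process name, a port on a watchlist, or an external peer. The sample output, the watchlist ports, the generic-name set and the local-network ranges are assumptions for illustration, not authoritative lists.

```python
import ipaddress
from collections import namedtuple
Conn = namedtuple("Conn", "proto local foreign state process")
# Constructed sample of `netstat -ab` output (not a real capture; peers use documentation
# ranges). The owning executable follows each row in brackets, or netstat says it is unknown.
SAMPLE = """
  TCP    10.255.77.167:51025    203.0.113.10:443       ESTABLISHED
 [googledrivesync.exe]
  TCP    10.255.77.167:49876    198.51.100.7:27374     ESTABLISHED
 [process.exe]
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING
  Can not obtain ownership information
  UDP    0.0.0.0:5355           *:*
 [svchost.exe]
"""
# Illustrative lists, not authoritative ones: 27374 was SubSeven's default port, 6667 is IRC.
WATCHLIST_PORTS = {"27374", "6667"}
GENERIC_NAMES = {"process.exe", "server.exe", "client.exe", "update.exe"}
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_netstat(text):  # netstat -ab text -> Conn records tagged with the owning process
    conns, pending = [], []
    for line in (l.strip() for l in text.splitlines()):
        parts = line.split()
        if parts and parts[0] in ("TCP", "UDP"):
            state = parts[3] if len(parts) > 3 else ""  # UDP rows have no State column
            pending.append(parts[:3] + [state])
        elif line.startswith("[") or line.startswith("Can not obtain"):
            name = line[1:-1] if line.startswith("[") else "<unknown>"
            conns += [Conn(*p, process=name) for p in pending]
            pending = []
    return conns
def is_external(host):  # '*' is the UDP wildcard; private, loopback and 0.0.0.0 are not external
    return host != "*" and not any(ipaddress.ip_address(host.strip("[]")) in n for n in LOCAL_NETS)
def triage(conns):  # (conn, reasons) for rows that fail the post's checks
    findings = []
    for c in conns:
        host, _, fport = c.foreign.rpartition(":")  # split on the last colon (IPv6-safe)
        reasons = []
        if c.process == "<unknown>" or c.process.lower() in GENERIC_NAMES:
            reasons.append("generic or unknown process name")
        if {c.local.rpartition(":")[2], fport} & WATCHLIST_PORTS:
            reasons.append("port on watchlist")
        if reasons and is_external(host):
            reasons.append("peer is an external address")
        if reasons:
            findings.append((c, reasons))
    return findings
```

Running triage(parse_netstat(SAMPLE)) flags only the [process.exe] row and the listening port whose owner netstat could not identify; the Google Drive connection passes because its name is recognisable and its port is not on the watchlist.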
Ultimately, the best way to avoid rats is to keep your house clean. In the same way, you should keep your PC clean by running regular virus scans and refusing to install software from questionable sources.
The terror of Trojans
Being infected with RATs is an unnerving experience.
I know it first hand because about two decades ago, I was a victim of the infamous SubSeven exploit. I was still in high school and deep into the underground scene. Someone tricked me into downloading something enticing (probably the picture of a hot girl) but for the first week or so my computer showed zero signs of infection.
Initially, there were no anomalies; however, as the days moved forward I noticed little things that seemed insignificant but were still alarming.
For example, new text randomly inserted itself into documents and icons moved to different places. These were the nascent indications of a Trojan but I still was completely clueless and ignored it.
I didn’t get freaked out until I got a weird pop-up telling me the password of my AOL Instant Messenger account. That’s when I panicked and scoured the internet amassing all the knowledge I could about how to eradicate the Trojan.
I eventually removed the malware, but the experience left an indelible mark. Pay attention to what you download.
The Bottom Line
Remote Access Trojans are so appealing because they’re so easy to use.
You don’t need to be a programmer to own someone’s computer. With a little guile and some patience you can trick people into downloading tools that give you carte blanche access to their systems.
We need to think like hackers when we defend our computers.
Stay alert because there are covert circles of unscrupulous hackers just waiting to see a new victim pop into their administration consoles. Don’t let that PC be you.
Netstat is one way to check for threats, but the best offense is a healthy dose of common sense.
Have you ever been infected with a RAT? Have any stories to share? Let me know in the comments!