Matthew Gardiner

Finding & Eradicating RATs

Blog Post created by Matthew Gardiner Employee on Aug 7, 2014

RATs are hard to deal with in part because they are small, scamper around generally unseen, and take your stuff without your knowledge.  Of course anyone in this product community who is reading this knows that I am talking about Remote Access Trojans and not the small mammals with small noses and big tails.  Computer RATs and the people that develop and use them are just as cunning as their furry namesakes, but are perhaps more dangerous.  There are many varieties of RATs out there (Hydraq, LURK, Sogu, Poison Ivy etc..), but in general they share many characteristics, such as they tend to be small and downloaded invisibly, delivered via an email attachment to an unsuspecting and sufficiently socially engineered user, typically enable user monitoring via keyloggers to steal the user’s credentials and other information, take screen shots of the host system for delivery to their master, install/delete software or reformat drives, not to mention “recruit” their hosts and others on the network into botnet armies.  In short, RATs can be extremely valuable to the bad guys and extremely annoying to you and your organization.  But how to detect and get rid of them? If you want to learn more about RATs and how to find and eradicate them from your environment, I encourage you to come and take part in our upcoming (early September in Washington DC) user conference, the RSA Global Summit.  There are two sessions that focus specifically on how to detect RATs, one by using RSA Security Analytics and its network-based visibility (Blind Spot Analysis – Finding RAT Communications Through Entropy and Analytics) and the other how to do it by leveraging RSA ECAT and its endpoint-level visibility (Catching the RAT with ECAT).  Both delivered by off-the-charts experts on the topic. Check out these sessions as well as dozens of others on the Summit registration site.