Q&A Question about RAT detection

Tutman

Level 10
Verified
Apr 17, 2020
465
I have a question. Are RATs that elusive that they are not detected by AV security software like AVG, Kaspersky, etc.?

And if you thought you might be infiltrated by a RAT, doesn't it require the Windows operating system to work correctly if you are using, say, Windows 10 and think you have an infection? I am curious as to how the remote control works. If, say, you run an Android emulator on your desktop, would the programs IN the emulator be safe from tampering or hacking by the RAT, since it is a virtual Android operating system per se and NOT Windows OS? I am trying to get more insight and understand the nature of these horrible trojans.
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
419
Hi Tutman.

Are RATs that elusive that they are not detected by AV security software like AVG, Kaspersky, etc.?

RATs are not different from malware per se in that regard.

Malware gets onto your system either because
1) it is very new and not yet detected by an antivirus program, OR
2) parts of your antivirus program are not configured correctly or are disabled.

What is rather RAT specific: Once the attacker gains control of your system, they can do anything they like. That includes setting scan exceptions for the RAT executable in your antivirus, or disabling updates of the antivirus or the antivirus itself. This will prevent future detections by your antivirus software and ensures that the RAT stays on the system for as long as possible.

Usually, if malware is entirely new and evades antivirus, it takes a few hours or up to a few days until antivirus picks up on it. RATs often circumvent this by the behaviour mentioned above.

And if you thought you might be infiltrated by a RAT, doesn't it require the Windows operating system to work correctly if you are using, say, Windows 10 and think you have an infection? I am curious as to how the remote control works. If, say, you run an Android emulator on your desktop, would the programs IN the emulator be safe from tampering or hacking by the RAT, since it is a virtual Android operating system per se and NOT Windows OS? I am trying to get more insight and understand the nature of these horrible trojans.

If the RAT is working on the host, the RAT operator also has full control of anything that happens inside an emulator or sandbox within the host system.
The other way around is usually not possible unless there are exploits that allow the malware to break out.

Scenario 1: If you have a Windows host system and an Android emulator running in the host, a RAT infecting the Android system will usually not be able to do anything to the host.

Scenario 2: Same as above, but the RAT infects the Windows host. The RAT itself will usually not spread to the Android system. That would require the RAT to work on both operating systems which is very uncommon. However, the operator of the RAT can do anything they like to the Android system because the host has control of it. They can infect the Android system with a different malware if they wish.

The worst thing about RATs is that the actions of the operator are unpredictable. For any other malware, if I (or any other malware analyst) get my hands on the executable, I can tell you exactly what it is capable of and what it won't do to the system.
A RAT gives a human full control, so we never know what is being done to the system and cannot exclude anything.

Because of that, we always recommend repaving the operating system after a RAT infection; that means reformatting the HDD and reinstalling the operating system.
A system that was infected by a RAT cannot be trusted again.
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
419
Thanks much for the education and very detailed response! So it should still be flagged by an AV unless it is basically new or zero-day, or the RAT has crippled your AV?

Another possibility I did not mention is installing a legitimate remote access tool without your consent. Those are not technically malware, but can be abused. Oftentimes AVs will flag remote access tools with silent install options as riskware, but not everyone enables PUP and riskware detection in their AV product.

It's a red flag if you find a remote access tool installed onto your system and you don't remember installing it.

Apart from that, yes, your AV should pick things up after a while unless it has been partially or fully disabled, had new exclusions added, had updates disabled, or was otherwise damaged.
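A self-audit for the two things struppigel describes in this thread (an AV that was disabled, crippled or given scan exceptions, and a remote access tool you don't remember installing), as an added example that is not from the thread. It assumes a Windows 10 machine using Microsoft Defender (AVG, Kaspersky and others expose different interfaces) and an elevated PowerShell prompt; it only reports, it changes nothing.

```powershell
# Added example: audit Microsoft Defender state and list installed programs.
# Assumption: Defender is the active AV; run as Administrator.

$findings = @()

# 1) Engine switched off, updates stale, or tamper protection off: the
#    "disable the antivirus or its updates" behaviour from the first reply.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) { $findings += "Real-time protection is OFF" }
if ($status.AntivirusSignatureAge -gt 3)    { $findings += "Signatures are $($status.AntivirusSignatureAge) days old" }
if (-not $status.IsTamperProtected)         { $findings += "Tamper Protection is OFF" }

# 2) Scan exclusions: an unexpected entry here is the "scan exception for the
#    RAT executable" case. Every exclusion is listed so the owner can judge it.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath))      { if ($p) { $findings += "Path exclusion: $p" } }
foreach ($p in @($pref.ExclusionProcess))   { if ($p) { $findings += "Process exclusion: $p" } }
foreach ($e in @($pref.ExclusionExtension)) { if ($e) { $findings += "Extension exclusion: $e" } }
if ($pref.DisableRealtimeMonitoring)        { $findings += "DisableRealtimeMonitoring is set" }
if ($pref.DisableBehaviorMonitoring)        { $findings += "DisableBehaviorMonitoring is set" }

# 3) Installed software, from the Uninstall registry keys, so the owner can
#    spot a remote access tool they never installed (the red flag in the
#    second reply). The script makes no judgement about which entries are bad.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher, InstallDate |
    Sort-Object DisplayName -Unique

"== Defender tampering findings =="
if ($findings) { $findings | ForEach-Object { " [!] $_" } } else { " none" }
"== Installed programs (review for remote access tools you did not install) =="
$installed | Format-Table -AutoSize
```

If anything is reported under the first heading on a machine you never reconfigured yourself, the thread's advice applies: treat the system as untrusted rather than just removing the entry.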
 

Vitali Ortzi

Level 21
Verified
Dec 12, 2016
1,052
Hello,
I have an ingenuous question to ask.
What are the most effective AVs to stop RAT malware?
As long as it's set to default deny it's great, so any AV with default-deny sandboxing or HIPS/app control.
If the AV doesn't include such options, a policy can be set manually (assuming you have a supporting Windows version).
Or something like Hard_Configurator.

Basically any actually decent solution will have a lot of false positives for some users.

Use it only if you don't install software frequently and know how to manage it to some degree.
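Vitali's "a policy can be set manually" remark, worked through as an added dry run that is not from the thread: build a default-deny AppLocker policy from what is already in trusted locations, then test it against user-writable folders to see the false positives he warns about before anything is enforced. It assumes a Windows edition that ships AppLocker (Enterprise/Education) and an elevated prompt; the policy is only written to a file and tested, never applied.

```powershell
# Added example: dry run of a default-deny application control policy.
# Assumption: AppLocker cmdlets are available; nothing here enforces the policy.

# 1) Allow what already lives in trusted locations. Publisher rules cover signed
#    binaries; unsigned ones fall back to a hash rule.
$dirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows\System32'
$trusted = foreach ($d in $dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe -ErrorAction SilentlyContinue
}
$policyPath = Join-Path $env:TEMP 'default-deny-dryrun.xml'
$trusted | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File $policyPath -Encoding utf8

# 2) Anything without an allow rule is denied once enforced. Check what that
#    would mean for executables in user-writable locations.
$candidates = Get-ChildItem "$env:USERPROFILE\Downloads", $env:LOCALAPPDATA -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

if (-not $candidates) {
    "No executables found in the tested user-writable folders."
} else {
    $result = Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates -User Everyone

    "== Decision summary =="
    $result | Group-Object PolicyDecision | Select-Object Name, Count | Format-Table -AutoSize

    # 3) Denied rows that are programs you actually use are the false positives
    #    Vitali mentions; each needs its own allow rule before enforcing.
    "== Would be blocked =="
    $result | Where-Object PolicyDecision -eq 'Denied' | Select-Object FilePath, MatchingRule | Format-Table -AutoSize
}
```

The length of the "Would be blocked" list on your own machine is a fair measure of how much ongoing management a default-deny setup would cost you, which is the trade-off the post is pointing at.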
 

JB007

Level 23
Verified
May 19, 2016
1,293
As long as it's set to default deny it's great, so any AV with default-deny sandboxing or HIPS/app control.
If the AV doesn't include such options, a policy can be set manually (assuming you have a supporting Windows version).
Or something like Hard_Configurator.

Basically any actually decent solution will have a lot of false positives for some users.

Use it only if you don't install software frequently and know how to manage it to some degree.
Thanks @Vitali Ortzi
So if my understanding is right, a basic user like me cannot protect his PC with an antivirus that is not tweaked, and even if the AV is tweaked well, it is very difficult for me to tell the difference between an FP and a RAT? :unsure:
 