Question about RAT detection
<blockquote data-quote="struppigel" data-source="post: 938205" data-attributes="member: 86910"><p>Hi Tutman.</p><p></p><p>RATs are not different to malware per se in that regard.</p><p></p><p>Malware either gets onto your system because</p><p>1) It is very new and not yet detected by an antivirus program. OR</p><p>2) Parts of your antivirus program are not configured correctly or disabled.</p><p></p><p>What is rather RAT-specific: Once the attacker gains control of your system, they can do anything they like. That includes setting scan exceptions for the RAT executable in your antivirus, or disabling updates of the antivirus or the antivirus itself. This will prevent future detections by your antivirus software and ensures that the RAT stays on the system for as long as possible.</p><p></p><p>Usually, if malware is entirely new and evades antivirus, it takes a few hours or up to a few days until antivirus picks up on the malware. RATs often circumvent this by the behaviour mentioned above.</p><p></p><p>If the RAT is working on the host, the RAT operator also has full control of anything that happens inside an emulator or sandbox within the host system.</p><p>The other way around is usually not possible unless there are exploits that allow the malware to break out.</p><p></p><p><span style="color: rgb(61, 142, 185)"><strong>Scenario 1:</strong></span> If you have a Windows host system and an Android emulator running in the host, a <span style="color: rgb(184, 49, 47)"><strong>RAT infecting the Android system</strong></span> will usually not be able to do anything to the host.</p><p></p><p><span style="color: rgb(61, 142, 185)"><strong>Scenario 2:</strong></span> Same as above, but the <span style="color: rgb(184, 49, 47)"><strong>RAT infects the Windows host</strong></span>. The RAT itself will usually not spread to the Android system. That would require the RAT to work on both operating systems, which is very uncommon. However, the operator of the RAT can do anything they like to the Android system because the host has control of it. They can infect the Android system with a different malware if they wish.</p><p></p><p>The worst thing about RATs is that the actions by the operator are unpredictable. For any other malware, if I (or any other malware analyst) get my hands on the executable, I can tell you exactly what it is capable of and what it won't do to the system.</p><p>A RAT allows full control to a human, so we never know what is being done to the system and cannot exclude anything.</p><p></p><p>Due to that, we always recommend <strong>repaving</strong> the operating system after a RAT infection; that means reformatting the HDD and reinstalling the operating system.</p><p>A system that was infected by a RAT cannot be trusted again.</p></blockquote>
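The post above describes what a RAT operator typically does to the host's antivirus once they have control: add scan exclusions for the RAT, switch off real-time protection, and stop the AV or its updates. The script below is an added example (not part of struppigel's post or any project's code) that audits a Windows host running Microsoft Defender for exactly those tampering indicators. It uses only the built-in Defender cmdlets (`Get-MpPreference`, `Get-MpComputerStatus`), the service list, the Defender policy registry key and the Defender operational event log. The list of "user-writable" folder names, the 3-day signature-age threshold and the choice of services to check are assumptions made for illustration; adjust them to your environment.

```powershell
# Added example: audit Microsoft Defender for the tampering a RAT operator
# commonly performs. Run from an elevated PowerShell prompt on the Windows host.
# Heuristics marked "assumed" below are illustrative choices, not Defender defaults.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Exclusions: operators usually exclude the RAT's file, folder or process name.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath))      { if ($p) { $findings.Add("Path exclusion: $p") } }
foreach ($p in @($pref.ExclusionProcess))   { if ($p) { $findings.Add("Process exclusion: $p") } }
foreach ($e in @($pref.ExclusionExtension)) { if ($e) { $findings.Add("Extension exclusion: $e") } }

# Exclusions inside user-writable locations are the most suspicious (assumed heuristic:
# legitimate software rarely needs them, RATs dropped into %APPDATA% or %TEMP% do).
$userWritable = 'AppData', 'Temp', 'ProgramData', 'Public', 'Downloads'
foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
    foreach ($marker in $userWritable) {
        if ($p -and $p -like "*\$marker\*") { $findings.Add("Exclusion in user-writable location: $p") }
    }
}

# 2. Protection features switched off through the preference store.
if ($pref.DisableRealtimeMonitoring) { $findings.Add("Real-time monitoring disabled in preferences") }
if ($pref.DisableBehaviorMonitoring) { $findings.Add("Behavior monitoring disabled") }
if ($pref.DisableIOAVProtection)     { $findings.Add("Download/attachment (IOAV) scanning disabled") }
if ($pref.MAPSReporting -eq 0)       { $findings.Add("Cloud-delivered protection (MAPS) disabled") }

# 3. Live engine status: is it actually running, protected against tampering, and updated?
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled)          { $findings.Add("Antivirus engine reported disabled") }
if (-not $status.RealTimeProtectionEnabled) { $findings.Add("Real-time protection reported OFF") }
if (-not $status.IsTamperProtected)         { $findings.Add("Tamper Protection is OFF") }
if ($status.AntivirusSignatureAge -gt 3) {   # 3-day threshold is an assumption
    $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old (updates may be blocked)")
}

# 4. Policy keys an attacker with admin rights can set to turn Defender off entirely.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if (Test-Path $policy) {
    $v = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    if ($v.DisableAntiSpyware -eq 1) { $findings.Add("Policy DisableAntiSpyware=1 set under $policy") }
    if ($v.DisableAntiVirus -eq 1)   { $findings.Add("Policy DisableAntiVirus=1 set under $policy") }
}

# 5. Services the operator may stop or disable so the AV cannot run or update
#    (Defender, Security Center, Windows Update; this selection is an assumption).
foreach ($svc in 'WinDefend', 'wscsvc', 'wuauserv') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) { $findings.Add("Service $svc not found"); continue }
    if ($s.StartType -eq 'Disabled') { $findings.Add("Service $svc start type is Disabled") }
    if ($s.Status -ne 'Running')     { $findings.Add("Service $svc is $($s.Status)") }
}

# 6. Defender event ID 5007 records every configuration change, so the timeline of
#    exclusions and disabled features is visible here even if settings were restored later.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Config change at $($_.TimeCreated): $($_.Message -replace '\s+', ' ')") }

if ($findings.Count -eq 0) { "No Defender tampering indicators found." } else { $findings }
```

Two caveats follow from the post itself. First, this only audits Microsoft Defender; a third-party AV keeps its exclusions and update settings in its own store, so the same checks have to be repeated with that product's tooling. Second, a host under an operator's control can lie to these queries (a hidden process or a patched cmdlet can report a clean state), so a clean result is not proof of a clean system. The audit is useful for confirming or timelining an infection and for catching misconfigurations before one, but it does not replace the repaving the post recommends once a RAT is confirmed.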