Trojan and RATs – SY0-601 CompTIA Security+ : 1.2

Malware can often find its way onto your system through misdirection. In this video, you’ll learn about Trojan horses, potentially unwanted programs (PUPs), backdoors, RATs, and more.

In history, a Trojan horse was a large wooden horse that was used by the Greeks to capture Troy from the Trojans. In our computers, there is a digital version of this Trojan horse that attackers use to sneak their software onto your system. Trojan horse software pretends to be something else; it looks like software that is perfectly normal.

You may think you’re installing a spreadsheet, an image editing program, or a game. But in reality, you’re installing malware that’s only pretending to be that software. Trojan horse software is not only designed to look innocuous to you, it’s also designed to look non-threatening to your antivirus software. And very commonly, Trojan horse software can get onto your system, disable all your security tools, and then have free rein of your computer.

Now that the Trojan horse is running, it can configure back doors or download additional malware to install on your system. One type of software that’s commonly downloaded by this Trojan horse software is a PUP. This is a potentially unwanted program. This may not be malicious software, but it could be undesirable and may cause performance problems on your computer.

For example, it might install a browser toolbar that becomes very difficult to uninstall or remove from your browser. Or it may be a backup utility that constantly shows advertising even when it’s not backing up. Or it might be software that hijacks your browser, and every time you try to search something in Google, it redirects you to a different search engine.

Here’s a list of potentially unwanted programs that I found on one of my very infected Windows systems. It’s a mixture of software that’s designed for backups, what looks like a download process, and a toolbar that’s installed. And these potentially unwanted programs, with names like Conduit, MyPC Backup, Spigot, and Mobo Genie, were very easily found by my anti-malware software.

We mentioned earlier that when malware finds a way to run on your computer, one of the things that it tends to do is to open up a back door on your system. That’s because it’s very, very difficult to find vulnerabilities and to get users to click on these links. And once malware is running, it wants to find a way to easily reconnect to your system later on without having to go through that very difficult process again.

To be able to do that, it starts up some new software on your computer that opens a back door. This would be very similar to the back door of your house. The malware simply creates a new way to get into your system without having to go through the front door. What’s interesting about some of these back doors is that the same backdoor process can be used by multiple types of malware. So once one type of malware gets onto your system, other types of malware are able to get into and infect your computer through that same back door that was created originally.

You might even find that software or hardware that you thought was secure may also include a backdoor in its code. For example, very old versions of Linux had a back door that was built into the kernel. And you might also find that applications and other equipment that’s connected to your network might inadvertently include back doors as part of the software that’s running on those systems.

A type of software that attackers might install as part of the back door is a Remote Access Trojan, or a RAT. You might also hear this referred to as a Remote Administration Tool. This is remote access software that gives a third party nearly complete control over your computer’s operating system. The malware that gets installed onto a computer might install this Remote Access Trojan. And from that point on, the third party is able to access your computer remotely and control many aspects of what the operating system is doing.

It can collect a log of all the keys you press, including your usernames and passwords. It might record the screen or take screenshots and transfer those back to the attacker. It can copy files, either from your computer or to your computer. And of course, it can then run and embed more malware on your system.

This is a screenshot from the perspective of an attacker who’s taking advantage of a system that’s infected with the DarkComet RAT. And you can see this graphical administration frontend allows the attacker to perform many different functions. They can change the configuration of the registry. They can run scripts. They can transfer files or even restart the computer, all from this graphical administration frontend.

The process of preventing a Trojan or RAT from running on your system is very similar to preventing any other type of malware. You don’t want to click any unknown links or links inside of your emails. You always want to be sure that your antivirus software is running and that you have the latest signatures installed for that software. It’s always good to have a backup so that if a system does become infected and you’re not able to remove that software, you can easily restore your system from that known good backup.