What Is It Good For?
Identifying and blocking remote access Trojans.
Perhaps the most common way to break into a home computer and gain control of it is by using a remote access Trojan (RAT). (It is sometimes called a "backdoor Trojan" or "backdoor program". Many people simply call it a "Trojan horse", although the term "Trojan horse" is much more generic.) A Trojan horse is a program that claims to do something really innocent, but in fact does something much less innocent. The name goes back to the days when the Greek soldiers succeeded in entering through the gates of Troy by building a big wooden horse and giving it as a present to the king of Troy. The soldiers of Troy allowed the sculpture to enter through their gates, and then at night, when the soldiers were busy guarding against an outside attack, many Greek soldiers who were hiding inside the horse came out and attacked Troy from the inside. This story, which may or may not be true, is an example of something that looks innocent and is used for a less innocent purpose.
The same thing happens in computers. You may sometimes get some program, via ICQ, Usenet or IRC, and believe it to be something good, while in fact running it will do something less nice to your computer. Such programs are called Trojan horses. It is generally accepted that the difference between a Trojan horse and a virus is that a virus has the ability to self-replicate and distribute itself, while a Trojan horse lacks this ability.
A special type of Trojan horse is the RAT (remote access Trojan; some say "remote admin Trojan"). Once executed on the victim's computer, these Trojans start listening for incoming communication from a matching remote program that the attacker uses. When they get instructions from the remote program, they act accordingly, and thus let the user of the remote program execute commands on the victim's computer. To name a few famous RATs, the most common are Netbus, Back-Orifice, and SubSeven (which is also known as Backdoor-G). In order for the attacker to use this method, your computer must first be infected by a RAT.
Preventing infection by RATs is no different from preventing infection by viruses. Antivirus programs can identify and remove most of the more common RATs. Personal firewalls can identify and block remote attempts to communicate with the more common RATs, thereby both blocking the attacker and identifying the RAT.
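Because a RAT has to sit and listen for its controlling program, a listening socket on one of its default ports is something a defender can look for. The following is an added example, not part of the original article: it parses `netstat -an` style output and flags listeners on the well-known default ports of the three RATs named above. The port table, the function name and the sample output are assumptions of this example, and the sample is constructed rather than captured from a real machine.

```python
import re

# Well-known default ports of the RATs named in the article. An attacker can
# reconfigure the port, so a match is a lead and a clean result proves nothing.
DEFAULT_RAT_PORTS = {
    ("TCP", 12345): "NetBus",
    ("TCP", 12346): "NetBus",
    ("UDP", 31337): "Back Orifice",
    ("TCP", 27374): "SubSeven",
}

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1039      203.0.113.5:27374      ESTABLISHED
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:137            *:*
"""

# proto, local address, local port, foreign address, optional state (TCP only)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def find_suspect_listeners(netstat_text):
    """Return (proto, local_addr, port, rat_name) for each suspicious listener."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, addr, port, _foreign, state = m.groups()
        # Only sockets waiting for inbound traffic matter here: TCP rows must
        # be LISTENING; UDP rows have no state column and are always bound.
        if proto == "TCP" and state != "LISTENING":
            continue
        name = DEFAULT_RAT_PORTS.get((proto, int(port)))
        if name:
            findings.append((proto, addr, int(port), name))
    return findings


if __name__ == "__main__":
    for proto, addr, port, name in find_suspect_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {addr}:{port} is a default {name} port")
```

The ESTABLISHED row in the sample is skipped even though its foreign port is 27374, because the check concerns what the local machine is listening on, which is how the article describes a RAT behaving.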