How to smell a RAT - remote administration tools vs backdoor Trojans (presented at Virus Bulletin 2002)

by Jakub Kaminski (Computer Associates Pty Ltd)

Summary: One of the trends we have been observing for some time now is the
blurring of the dividing lines between different types of malware.
Classifying a newly discovered 'creature' as a virus, a worm, a Trojan
or a security exploit becomes more difficult, and anti-virus
researchers spend a significant amount of their time discussing the
proper classification of new viruses and Trojans.

However, the real problems start when the most important dividing line
dissolves - the one between intentionally malicious programs and
legitimate, clean programs.

Detecting an innocent package as a virus or a Trojan, or dismissing a
malicious program as a clean one, might have very serious
repercussions. Damage ranging from data loss and loss of reputation
to legal action might be at stake.

The best example of an area causing anti-virus researchers problems is
Trojans.

Anyone responsible for malware analysis knows how true the saying is:
'A Trojan to one user is just a utility to another (and vice versa).'

This statement is particularly applicable to one type of Trojan - the

Depending on the point of view, the very same program may often be
perceived either as a Remote Administration Tool (RAT) or as a Remote
Access Trojan (RAT) that allows a potentially malicious user to remotely
control the system.

The paper will explore and analyse the problem further. It will
present the development of backdoors, their operating principles, the
techniques they implement and their installation modes. This will cover
Windows as well as a few examples of Unix/Linux malware.
The development of remote access utilities will also be presented,
highlighting the similarities and differences between legitimate tools
and backdoor Trojans.

The discussion will focus on the fine details that make a particular
program a backdoor Trojan. It will also try to prove that 'frequently
what really matters is not what you do but how you do it'.
Some questionable techniques implemented by the writers of legitimate
utilities will be described, along with the reasons why they could
trigger false alarms.

Similarly, a case in which a backdoor Trojan has become a legitimate
commercial product will be shown and discussed.

Finally, it will be explained what producers of remote administration
tools can do to help computer users and minimize some of the
potential confusion and misunderstandings.