
Researcher Finds Key to Detecting Poison Ivy RAT and Similar Concealed Malware Threats

Posted: May 16, 2013

Modifying malicious code to avoid detection has long been a way for attackers to build advanced malware infections that slip past defense mechanisms and everyday antispyware/antivirus applications. What has been discovered about these concealed malware threats, most of them technically described as Remote Administration/Access Tools (RATs), is that they leave tracks in network traffic that can be discovered much as earlier malware did.

When a computer is infected with a concealed or hidden malware threat, the infection typically connects to a command and control server, where it may download new code or obtain additional instructions. This set of instructions tells the malware what steps to take next, much like a botnet. Matt Norris, senior engineer at Mischel Kwon & Associates, found that malware performing this function leaves a trail in network traffic, and that analysis of that traffic can be used to detect the threat.

Through additional analysis, Norris used the Poison Ivy RAT to demonstrate this weakness: the malware leaves virtual bread crumbs that we can pick up for detection purposes. These bread crumbs, figuratively speaking, are indicators of malicious activity in network traffic.

Already knowing the makeup of the Poison Ivy RAT, which has been around since 2005, Norris was able to track down the specific gateway it used: port 80, the port also used by HTTP traffic. Traffic of a type other than HTTP being sent over port 80 gave a clear indication of Poison Ivy making its network connections, which can lead to detection.
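The port-80 indicator described above can be turned into a simple protocol-mismatch check. The following is an added example written for this article, not Norris's tooling or any Poison Ivy signature: it looks at the first bytes each side of a TCP/80 flow sends and flags flows that do not carry HTTP/1.x framing. The `Flow` records and payload bytes are constructed samples (RFC 5737 documentation addresses), and the 256-byte opaque blob is a stand-in for "something that is not HTTP", not a captured Poison Ivy exchange.

```python
import re
from dataclasses import dataclass

# Added example: flag TCP/80 flows whose first bytes do not look like HTTP.
# Method list follows RFC 7231 plus CONNECT/PATCH; HTTP/2 and TLS on port 80
# are deliberately out of scope for this heuristic and would also be flagged.
HTTP_METHODS = rb"GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH"
HTTP_REQUEST_LINE = re.compile(rb"^(?:" + HTTP_METHODS + rb") \S+ HTTP/1\.[01]\r\n")
HTTP_STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3}[ \r]")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    client_bytes: bytes = b""   # first bytes the client sent
    server_bytes: bytes = b""   # first bytes the server sent


def classify_port80_flow(flow: Flow) -> str:
    """Return 'http' when both directions look like HTTP/1.x, else a reason."""
    if flow.dport != 80:
        return "not-port-80"
    if not flow.client_bytes and not flow.server_bytes:
        return "no-data-yet"
    if flow.server_bytes and not flow.client_bytes:
        # HTTP is client-speaks-first; a server banner on port 80 is unusual.
        return "server-spoke-first"
    if not HTTP_REQUEST_LINE.match(flow.client_bytes):
        return "non-http-client-data"
    if flow.server_bytes and not HTTP_STATUS_LINE.match(flow.server_bytes):
        return "non-http-server-data"
    return "http"


def find_suspicious(flows):
    """Return (src, dst, reason) for port-80 flows carrying something other than HTTP."""
    hits = []
    for f in flows:
        verdict = classify_port80_flow(f)
        if verdict not in ("http", "not-port-80", "no-data-yet"):
            hits.append((f.src, f.dst, verdict))
    return hits


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80,
         b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
         b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    # 256 opaque bytes sent immediately on connect, no HTTP framing at all.
    Flow("10.0.0.7", "198.51.100.23", 80,
         bytes(range(256)), b"\x9a\x1f\x00\x42"),
    # TLS ClientHello on 443: not port 80, so outside this check.
    Flow("10.0.0.9", "203.0.113.10", 443, b"\x16\x03\x01\x02\x00"),
    # Server sends first on port 80: not how HTTP behaves.
    Flow("10.0.0.11", "198.51.100.77", 80, b"", b"220 banner\r\n"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_FLOWS):
        print("ALERT", *hit)
```

In practice the check runs on the first packet or two of each flow from a sensor or packet capture; flows in the `no-data-yet` state are simply re-examined once payload arrives rather than alerted on.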

In no way is the discovery and termination of RAT threats an easy feat. Spotting the malware is the first step. Using a passive DNS tool is one avenue Norris explored in his study to detect RATs. The relationships between addresses and domain names can also be revealed across large amounts of transmitted data.
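To show what the passive DNS avenue looks like in practice, here is an added example, written for this article rather than taken from Norris's study or any passive DNS product. It builds a small address-to-name and name-to-address index from passive DNS style observations, so that an address flagged by traffic analysis can be pivoted to the domain names that resolved to it, the other addresses those names used, and which of those names are newly seen. All records below are constructed (RFC 5737 addresses, `example.*` names); the record shape `(first_seen, rrname, rrtype, rdata)` is an assumption about the sensor's output, not a specific tool's format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example: a tiny passive-DNS index for pivoting between addresses and names.
# Constructed observations, as a passive DNS sensor might record them.
PDNS_RECORDS = [
    ("2013-04-01T10:00:00", "mail.example.com", "A", "203.0.113.10"),
    ("2013-05-10T22:41:00", "update-check.example.net", "A", "198.51.100.23"),
    ("2013-05-12T03:05:00", "cdn-static.example.org", "A", "198.51.100.23"),
    ("2013-05-14T19:20:00", "update-check.example.net", "A", "198.51.100.24"),
    ("2013-05-14T19:25:00", "update-check.example.net", "TXT", "v=spf1 -all"),
]


def build_pdns_index(records):
    """Return (by_ip, by_name, first_seen) built from A-record observations."""
    by_ip = defaultdict(set)
    by_name = defaultdict(set)
    first_seen = {}
    for ts, name, rrtype, rdata in records:
        if rrtype != "A":          # only address records feed the IP<->name graph
            continue
        by_ip[rdata].add(name)
        by_name[name].add(rdata)
        seen = datetime.fromisoformat(ts)
        if name not in first_seen or seen < first_seen[name]:
            first_seen[name] = seen
    return by_ip, by_name, first_seen


def pivot_from_ip(ip, by_ip, by_name):
    """Names that resolved to ip, plus the other addresses those names have used."""
    names = set(by_ip.get(ip, ()))
    related = set()
    for n in names:
        related |= by_name[n]
    related.discard(ip)
    return sorted(names), sorted(related)


def recently_seen_names(names, first_seen, as_of_iso, max_age_days=30):
    """Subset of names first observed within max_age_days before as_of_iso.

    Young names on an address already flagged by traffic analysis deserve a
    closer look; long-established names are more likely shared hosting noise.
    """
    cutoff = datetime.fromisoformat(as_of_iso) - timedelta(days=max_age_days)
    return sorted(n for n in names if n in first_seen and first_seen[n] >= cutoff)


if __name__ == "__main__":
    by_ip, by_name, first_seen = build_pdns_index(PDNS_RECORDS)
    # Suppose 198.51.100.23 was the peer in a flagged port-80 flow.
    names, related = pivot_from_ip("198.51.100.23", by_ip, by_name)
    print("names:", names)
    print("other addresses used by those names:", related)
    print("recently first seen:", recently_seen_names(names, first_seen, "2013-05-16T00:00:00"))
```

The pivot is what turns a single flagged address into a set of related indicators: every name that resolved to it, and every other address those names have pointed at, which is the address-to-domain relationship the article refers to.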

To really put RAT threats and other similar network-hogging concealed malware to their demise, one would require tools that can examine network traffic clearly enough to identify patterns. These patterns can be triggered not only by simple network traffic on a certain port, but by the typical users, applications, addresses and protocols in use. Once suspicious activity is detected, it could raise a red flag warning the user of an infiltration. Basically, the right tool to combat a RAT or other highly sophisticated concealed malware threat that transmits data to and from a control server would be the ultimate second line of defense in most RAT infection situations.
