Last week, stories littered the news about how people, including Facebook founder Mark Zuckerberg, are disabling their computer's microphone and Web cam as a security measure.
While this may seem far-fetched, it's actually not, says Uri Rivner, head of Cyber Strategy at BioCatch. "The taped-over camera and microphone is a very basic way to protect against remote-access trojans (RATs), a growing problem and one that all the device-centric security solutions in the world can't protect against."
He says this mechanism prevents just one exposure. Once an attacker manages to install a RAT, they can covertly use the computer's camera and microphone to spy on the user. Although this is not the main capability of RATs, these features could be harmful to high-profile individuals for obvious reasons.
How RATs work
According to Rivner, there are four main methods through which RAT infections work. "Firstly, through vishing using good old social engineering. The user gets a phone call from the 'help desk' of their ISP, mobile provider, bank, or any third party they trust. There's a problem in their router, their phone, or their bank account. The friendly help desk says you can send them the computer or phone for fixing, or they can try to assist you right now with the help of a remote assistance tool."
He says many people choose to install a commercially available remote access tool such as TeamViewer or LogmeIn and just let the attacker in.
"Next, there is spear phishing, a method of targeting specific employees or high-net individuals are via e-mail or other communication means with a highly tailored message that is relevant to their ongoing work, or appears to come from someone they know.
"The e-mail includes a file that might have a zero-day vulnerability (if the attacker is a state-sponsored operator or someone with access to really advanced vulnerabilities) or a regular vulnerability that the PC is still exposed to if it wasn't fully patched."
Then there are drive by downloads, he explains. "With this sort of attack, the user's PC is automatically infected with malware that includes RAT capabilities, as the user visits a compromised Web site. As long as they don't have all Web components (Adobe Flash, PDF Reader, Java, browser) fully patched, the infection is automatic and does not require any interaction from the user."
Finally, he cites links to infection sites. "In this instance, the user receives a message that tricks them into clicking a link to an infection site. The message can appear on the wall of your Facebook friend, or it can be sent as a direct message, a private message, an SMS, and suchlike. An example would be: here are some cool videos, but you need to upgrade your Flash or video player to see them. Once the user clicks on the link they will be asked to download the malware (of course, it will have a completely innocent name)."
Rivner says for cyber criminals, the beauty of RATs is that there are no signs of infection. "RATs operate in the background, and unless the attacker wants the user to know - they won't, or they'll discover it after the damage has been done.
"The best way to protect yourself is not to fall for the infection to begin with. Patch your Web components regularly, and don't fall for any "please download this" tricks, and you''' be 95% safe."
Preventing RATs
He says BioCatch has developed technology that collects over 500 parameters related to the way users interact with their devices and the applications. "For example, the way a device is held or touched, or used to handle specific tasks. Also, the way the keyboard, mouse and trackpad are used, as well as the user's general behaviour."
These parameters are used to create a unique baseline of the user's regular behavioural patterns and habits, so if at a later stage an intruder or a RAT tries to access the application, the system immediately spots it. "RATs in particular leave specific patterns in the interaction that the system can effectively detect."
According to him, this is the only remedy that helps. "RATs are designed to defeat device recognition, which everyone uses to establish whether the activity is coming from a trusted device. However, with a RAT installed on the trusted device, it's basically game over. RATs also defeat dynamic malware detection since they don't behave like malware - they just allow a remote control of the PC from afar, which in itself isn't malicious - that's how help desks actually provide remote assistance."
If an application wants to protect itself against unlawful remote use, observing human behaviour is the only way it can detect a RAT, he concludes.
Share