Sloppy Remote-Access Trojan Operators Show Up in Internet Scans

Researchers use Internet scans to find hundreds of home computers managing remote-access Trojans, potentially revealing the software operators' IP addresses.

detecting remote access Trojans

Cyber-criminals who misconfigure their management nodes for commodity remote-access Trojans (RATs)—software used to monitor and control other computers—can be detected by simple Internet scans, possibly revealing the operator's location, according to research published on Sept. 29 by data-analysis firm Recorded Future.

The company used automated scanning service Shodan to search the Internet for default communication ports left open by six different families of Trojans, finding more than 600 likely installations of the RATs in a week, the company stated in its report.

The cyber-criminals and digital Peeping Toms who frequently use commodity remote-access Trojans, and who do not change the default port on the software, have made it easy to identify the systems and their IP addresses, Levi Gundert, vice president of threat intelligence for Recorded Future, told eWEEK.

"They are installing these remote-access Trojans, and as soon as they install it, there is an open port on their system that we can scan for," he said. "And when the system responds, it sends a unique text string, so it is highly unlikely that you are looking at a false positive."

While more sophisticated attackers will change the port number or, more likely, host the management console on a remote system, the study shows that some less technical criminals could be identified by law enforcement. Many of the Internet addresses appear to come from residential networks, Gundert said.

"A significant portion of RAT operators are installing them at home; it is not every instance, but we see that happens quite a bit," he said.

The study sought out signs of six popular commodity RATs: BlackShades, DarkComet, NetBus, Poison Ivy, XtremeRAT and njRAT. Those remote-access Trojans continue to be popular choices of cyber-criminals, espionage agents and other malicious online actors, Recorded Future said. By scanning the Internet, businesses and security firms can create a list of Internet addresses that can then be investigated or blocked.

Less than a quarter of the IP addresses linked to the software had been previously discovered by security researchers and added to VirusTotal, an online database of malicious code and IP addresses run by Google.

Interestingly, a significant number of RAT management consoles, or clients, are located in the Middle East, the report stated. While attribution remains tricky, operators in Algeria, Syria, the United Arab Emirates and other Middle Eastern nations have little to worry about prosecution, Gundert said.

"They don't care about the effects of attribution," he said. "There is one host that is running Dark Comet in Syria."

XtremeRAT and njRAT are popular in the Middle East while Poison Ivy has traditionally been used by Chinese cyber-spies. Overall, Dark Comet is the most popular RAT, the study found.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...