What is a Remote Access Trojan or RAT

Remote Access Trojans (RATs) are a type of malware that lets a hacker take control of your computer. Once the RAT is installed, the spying activities the hacker can carry out range from exploring your file system and watching activity on the screen to harvesting login credentials.

The hacker might also use your internet address as a front for illegal activities, impersonating you and attacking other computers. Viruses downloaded through the RAT will infect other computers while also damaging your system by erasing or encrypting essential software. RATs should not be confused with Remote Administration Tools, which share the same acronym.

Here is our list of the best intrusion detection tools for RAT software, scanners & detection tools:

  1. SolarWinds Security Event Manager EDITOR’S CHOICE Goes beyond RAT detection with automated remediation tasks that help you block RAT activities and review suspicious behavior on your entire network. Download a 30-day free trial.
  2. Snort Industry stalwart in NIDS first launched by Cisco.
  3. OSSEC Open-source HIDS gaining a following for data gathering capabilities.
  4. Zeek Free network-based intrusion detection system for Unix, Linux, and Mac OS.
  5. Suricata Monitors IP, TLS, TCP, and UDP protocol activity.
  6. Sagan Not a standalone intrusion detection system, good for automating scripts.
  7. Security Onion Open-source amalgamation of other open-source tools on this list.
  8. AIDE Specializes in rootkit detection and file signature comparisons.
  9. OpenWIPS-NG Preferred for wireless packet sniffing.
  10. Samhain Great for setting alerts, but no real troubleshooting capabilities.
  11. Fail2ban Scans log files and bans IPs that show malicious activity.

RAT software tools and APTs

RATs are tools that are usually used in a stealth type of hacker attack, which is called an Advanced Persistent Threat, or APT. This type of intrusion is not focused on damaging information or raiding computers quickly for data.

Instead, APTs consist of regular visits to your network that can last for years. RATs can also be used to reroute traffic through your company network to mask illegal activities.

Did You Know…

Some hacker groups, predominantly in China, have even created a hacker network that runs through the corporate networks of the world and they rent out access to this cybercrime highway to other hackers. This is called the “terracotta VPN” and it is facilitated by RATs.

Early invasions

RATs have quietly been around for more than a decade. The technology was discovered to have played a part in the extensive looting of US technology by Chinese hackers back in 2003. The Pentagon launched an investigation, called Titan Rain, which discovered data theft from US defense contractors, with development and classified testing data being transferred to locations in China.

You may recall the US East Coast power grid shutdowns of 2003 and 2008. These were also traced back to China and were also facilitated by RATs. In short, a hacker who can get a RAT onto a system can activate all of the software that the users of those computers have at their disposal.

Hybrid warfare

A hacker with a RAT can command power stations, telephone networks, nuclear facilities, or gas pipelines. RATs not only represent a corporate network security risk, but they can also enable belligerent nations to cripple an enemy country.

The original users of RATs for industrial espionage and sabotage were Chinese hackers. Over the years, Russia has come to appreciate the power of RATs and has integrated them into its military arsenal. APTs are now officially part of the Russian offense strategy that is known as “hybrid warfare.”

When Russia seized territory from Georgia in 2008 it employed DDoS attacks to block internet services and APTs using RATs to gather intelligence, control, and disrupt Georgian military hardware and essential utilities. Russia’s use of RATs to destabilize Ukraine and the Baltic States continues to this day.

Russia employs semi-official hacker groups, such as APT28. Another hacker group, known as APT15 is regularly used by the Chinese government. The names of these groups explain their main strategy, the “advanced persistent threat,” which is facilitated by RATs.

The rise in trade tariff tensions in 2018 has seen a new spurt in Chinese hacker activity, particularly the semi-military APT15 group. The troubles between the USA and North Korea that have been rumbling on since 2015 have also caused a rise in RAT-assisted APT activity originating in North Korea.

So, while threat actors & hackers around the world use RATs to spy on companies and steal their data and money, the RAT problem has now become an issue of national security for many countries, particularly the USA. We have included some examples of RAT tools below.

Defense against Remote Access Trojan software

Antivirus systems don’t do very well against RATs. Often the infection of a computer or network goes undetected for years. The obfuscation methods that accompanying programs use to cloak the RAT’s processes make them very difficult to spot, and persistence modules that use rootkit techniques make RATs very difficult to get rid of. Sometimes the only way to rid your computer of a RAT is to wipe out all of your software and reinstall the operating system.

RAT prevention systems are rare because the RAT software can only be identified once it is operating on your system. The best way to manage the RAT problem is to use an intrusion detection system. Comparitech has a guide on intrusion detection systems, which gives you a full explanation of how these systems work and a rundown of recommended tools.

The best intrusion detection tools for RAT software, scanners & detection tools

Our methodology for selecting remote access Trojan protection systems

We reviewed the market for remote access Trojan scanners and analyzed the options based on the following criteria:

  • Options for network and host-based RAT scanning
  • Threat mitigation services to get rid of detected RATs
  • Options for scanning wireless networks
  • Alerts to draw attention to RATs and guide removal
  • Detection and removal logging for data protection standards compliance
  • A free tool or a free trial period for assessment
  • A good mix of tools at a fair price that represents value for money

Features Comparison Table

Feature                        | SolarWinds SEM | Snort | OSSEC | Zeek | Suricata | Sagan | Security Onion | AIDE | OpenWIPS-NG | Samhain | Fail2ban
-------------------------------+----------------+-------+-------+------+----------+-------+----------------+------+-------------+---------+---------
Network-Based IDS              | Yes            | Yes   | No    | Yes  | Yes      | Yes   | Yes            | No   | Yes         | No      | No
Host-Based IDS                 | No             | No    | Yes   | No   | No       | No    | No             | Yes  | No          | Yes     | Yes
Real-Time Monitoring           | Yes            | Yes   | Yes   | Yes  | Yes      | Yes   | Yes            | No   | Yes         | Yes     | Yes
Signature-Based Detection      | Yes            | Yes   | Yes   | No   | Yes      | Yes   | Yes            | No   | Yes         | Yes     | No
Anomaly-Based Detection        | Yes            | No    | Yes   | Yes  | Yes      | No    | Yes            | Yes  | No          | Yes     | No
Open Source                    | No             | Yes   | Yes   | Yes  | Yes      | Yes   | Yes            | Yes  | Yes         | Yes     | Yes
Integration with Other Systems | Yes            | Yes   | Yes   | Yes  | Yes      | Yes   | Yes            | No   | No          | No      | Yes
Customizable Rules             | Yes            | Yes   | Yes   | Yes  | Yes      | Yes   | Yes            | No   | No          | No      | Yes
Support and Community          | Yes            | Yes   | Yes   | Yes  | Yes      | Yes   | Yes            | Yes  | Yes         | Yes     | Yes

1. SolarWinds Security Event Manager (FREE TRIAL)

Tested on: Windows Server, Cloud/SaaS (Hypervisor, AWS and MS Azure)

SolarWinds SEM dashboard
I find the Critical Node Health summaries indispensable

Intrusion detection systems are important tools for blocking software intrusion that can evade detection by antivirus software and firewall utilities. The SolarWinds Security Event Manager is a Host-based Intrusion Detection System. However, there is a section of the tool that works as a Network-based Intrusion Detection System. This is the Snort Log Analyzer. You can read more about Snort below, however, you should know here that it is a widely used packet sniffer. By employing Snort as a data collector to feed into the Snort Log Analyzer, you get both real-time and historic data analysis out of the Security Event Manager.

Key Features:

  • Log file searches for intrusion
  • Live data monitoring for anomalies
  • Automated remediation
  • Compliant with PCI DSS, HIPAA and SOX

Why do we recommend it?

SolarWinds Security Event Manager identifies suspicious activity whether it is human driven or software based. Like all forms of malware, RATs need to be spotted quickly and removed. This tool offers good value for money because it identifies and removes a range of threats, not just RATs.

This dual capability gives you a full Security Information and Event Management (SIEM) service. This means that you can watch Snort-captured events live and also examine cross-packet intrusion signatures identified through log file records.

SolarWinds SEM - Events view
I added filters to the top PCI Events for a live view

The Security Event Manager goes beyond RAT detection because it includes automated remediation tasks that help you block RAT activities. The tool is compliant with a range of data security standards, including PCI DSS, HIPAA, SOX, and DISA STIG.

Who is it recommended for?

Although businesses of all sizes need cybersecurity protection, the SolarWinds Security Event Manager is aimed more at large enterprises. This is because it is a large software package that needs to be installed and maintained. Its pricing structure is also more attractive for large businesses than for small companies.

Pros:

  • Designed specifically to detect and immediately stop RATs, malware, worms, and insider threats
  • Supports tools such as Snort, allowing SEM to be part of a larger security strategy
  • Over 700 pre-configured alerts, correlation rules, and detection templates provide instant insights upon install
  • Threat response rules are easy to build and use intelligent reporting to reduce false positives
  • Built-in reporting and dashboard features help reduce the number of multi-vendor tools needed for your cybersecurity strategy

Cons:

  • Feature dense – requires time to fully explore all features

SolarWinds SEM Version Download Selection
During download, you will be prompted to select the download version for HyperV, VMWare or Azure

The SolarWinds Security Event Manager can be installed on Windows Server. The utility isn’t free to use, but you can get it on a 30-day free trial.

EDITOR'S CHOICE

SolarWinds Security Event Manager is our Editor’s Choice because it has hundreds of out-of-the-box correlation rules which can alert you to suspicious behaviors in real-time. You can also set up new rules thanks to the normalization of log data. The dashboard gives you a powerful command center for identifying potential network vulnerabilities.

Official Site: solarwinds.com/security-event-manager

OS: Windows 10 and later, Windows Server 2012 and later, Cloud-based: Hypervisor, AWS and MS Azure

2. Snort

Snort screenshot

Snort is free to use and is the industry leader in Network Intrusion Detection Systems (NIDS).

Key Features:

  • The world’s leading NIDS
  • Packet sniffer
  • Intrusion detection mode
  • Data analysis
  • Free to use

Why do we recommend it?

Snort is both an open source system and a property of Cisco Systems. This combination creates a sweet spot that means you are getting a very widely-used network traffic analyzer that is supported by the world’s leading network device producer.

This system was created by Cisco Systems and it can be installed on Windows, Linux, and Unix. Snort can implement defense strategies, which makes it an intrusion prevention system. It has three modes:

  • Sniffer mode – a live packet sniffer
  • Packet logger – records data packets to a file
  • Intrusion detection mode – includes an analysis module

The IDS mode of Snort applies “base policies” to the data. These are alert rules that provide intrusion detection. Policies can be acquired for free from the Snort website, sourced from the user community, or you can write your own. Suspicious events that Snort can highlight include stealth port scanning, buffer overflow attacks, CGI attacks, SMB probes, and OS fingerprinting. Snort is capable of both signature-based detection methods and anomaly-based systems.

The front-end of Snort isn’t very good, and most users feed data from Snort into better consoles and analysis tools, such as Snorby, BASE, Sguil, and Anaval.

Snort on Github
I love the straightforward download and install instructions direct on their front page

Who is it recommended for?

Snort is a sophisticated tool for network specialists – it isn’t an out-of-the-box package. For this reason, although it is free to use, it isn’t a solution that small businesses that don’t have technicians on staff could use.

Pros:

  • Completely free and open source
  • Large community shares new rule sets and configurations for sysadmins to discover new RATs and evolving threats
  • Supports packet sniffing for live traffic analysis in conjunction with log scanning

Cons:

  • Reliant on the community for support
  • Has a steeper learning curve than other products with dedicated support
  • Would like to see more out of the box features

3. OSSEC

OSSEC screenshot
I enhanced the visualizations using filters

OSSEC stands for Open Source HIDS Security. A HIDS is a Host Intrusion Detection System, which examines events on the computers in a network rather than trying to spot anomalies in the network traffic, which is what network intrusion detection systems do. OSSEC is the current HIDS leader and it can be installed on Unix, Linux, and macOS operating systems. Although it can’t run on Windows computers, it can accept data from them. OSSEC examines event logs to look for RAT activities. This software is an open-source project that is owned by the cybersecurity firm Trend Micro.

When we tested OSSEC we found the following key features.

Key Features:

  • Log file-based IDS
  • Adaptable detection rules
  • Free to use

Why do we recommend it?

Like Snort, OSSEC is a free, open source project that is supported by a major corporation – Trend Micro in this case. Trend Micro is a leading anti-malware provider and OSSEC ties in well with that business’s strengths because it examines events on endpoints. The utility spots unexpected behavior, which will spot attempts to install RATs as well as other malware.

This is a data-gathering tool, which doesn’t have a very user-friendly front-end. Generally, the front end for this system is supplied by other tools, such as Splunk, Kibana, or Graylog. The detection engine of OSSEC is based on policies, which are alert conditions that might arise in the data. You can acquire pre-written packages of policies from other OSSEC users who make their packages available for free on the OSSEC user community forum. You can also write your own policies.

OSSEC Installation
Make sure to consult the docs for a seamless installation using a shell script

Who is it recommended for?

Also like Snort, OSSEC is a tool for use by specialists. You need to be able to understand how cybersecurity tools work in order to get this package working effectively to identify threats and remove them automatically.

Pros:

  • Can be used on a wide range of operating systems, Linux, Windows, Unix, and Mac
  • Can function as a combination SIEM and HIDS
  • The interface is easy to customize and highly visual

Cons:

  • Requires secondary tools like Graylog and Kibana for further analysis
  • The open-source version lacks paid support

Get started with the installation using a shell script.

4. Zeek

Tested on: Unix, Linux, and MacOS

Zeek on Kibana
Getting Zeek working on a Kibana graphic interface

Zeek is a very well-established network-based intrusion detection system. This free tool is better known by its old name: Bro. The tool changed its name to Zeek in 2018. Zeek is an open-source project that is supported financially by some very big names, including the Mozilla Foundation and the International Computer Science Institute.

Key Features:

  • Application Layer detection
  • Anomaly-driven and signature-based searches
  • Free to use

Why do we recommend it?

Zeek is an excellent alternative to Snort. While not quite as highly respected as Snort, this tool is a close competitor. The Zeek system is easier to set up than Snort but it performs a competent scan of network traffic, looking for chains of activity that indicate malicious actions. The service will also identify manual intrusion.

Despite being a network-based system, Zeek doesn’t operate on live data. This is because packet analysis doesn’t spot many types of attacks that are implemented in stages, across packets, and from different sources. So, Zeek captures data packets and then stores them in files. This makes it an application-level NIDS.

The packet files are analyzed by the Zeek Event Engine. This is a semantic analyzer that looks for unusual patterns that break out of standard activity behavior. The detection techniques used by the analyzer are therefore anomaly-based. However, the analyzer also does a sweep for well-known malicious intruder behavior, so it deploys signature-based analysis as well.

Zeek runs on Unix, Linux, and MacOS. The system includes a scripting language that enables technicians to write their own capture routines and anomaly scans. This technical aspect might put many people off using the system. However, the monitor has a large following, so there is a big user community out there to advise newbies. A big problem with Zeek is that it doesn’t have its own front end, so it needs to be paired up with other interfaces. Kibana is probably the most regularly used interface for Zeek.
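The anomaly search the Zeek paragraphs above describe works on stored connection records rather than on individual packets. Here is an added example (my code, not Zeek’s) of one such check that matters for RATs: a beacon detector that reads conn.log-style records, groups connections by source, destination and port, and flags pairs that connect repeatedly at an almost constant interval, which is how a RAT on a fixed check-in timer looks in the logs. The field names follow Zeek’s conn.log; the hosts, ports and timestamps are constructed for the demo.

```python
"""Beacon detection over stored connection records (added example, not Zeek code).

A RAT that checks in with its controller on a timer leaves a pattern that no
single packet shows: the same host talks to the same destination at almost the
same interval, over and over. Working from conn.log-style records rather than
live packets, we group connections by (source, destination, port), compute the
gaps between successive connections, and flag pairs whose gaps are numerous and
unusually regular. Field names follow Zeek's conn.log; the hosts, ports and
timestamps below are constructed for the demo.
"""
from collections import defaultdict
from statistics import mean, pstdev

BASE_TS = 1_700_000_000.0  # constructed epoch start for the sample records


def _sample_conn_log():
    """Build constructed (ts, id.orig_h, id.resp_h, id.resp_p) records."""
    records = []
    # A beacon: 10.0.0.5 -> 203.0.113.10:443 every 60 s with sub-second jitter.
    jitter = [0.0, 0.4, -0.3, 0.2, -0.1, 0.5, -0.4, 0.1, 0.3, -0.2]
    for i, j in enumerate(jitter):
        records.append((BASE_TS + 60 * i + j, "10.0.0.5", "203.0.113.10", 443))
    # Bursty, human-driven browsing: 10.0.0.7 -> 198.51.100.20:443 at irregular gaps.
    for offset in (0, 7, 9, 130, 131, 400, 402, 900):
        records.append((BASE_TS + offset, "10.0.0.7", "198.51.100.20", 443))
    # A one-off DNS lookup: too few connections to judge either way.
    records.append((BASE_TS + 5, "10.0.0.7", "10.0.0.1", 53))
    return records


SAMPLE_CONN_LOG = _sample_conn_log()


def find_beacons(records, min_connections=6, max_cv=0.1):
    """Return candidate beacons as (orig_h, resp_h, resp_p, mean_gap, cv).

    cv is the coefficient of variation of the inter-arrival times
    (population stdev / mean). A fixed-timer check-in gives a cv near zero,
    while interactive traffic is bursty and scores far higher.
    """
    by_pair = defaultdict(list)
    for ts, orig_h, resp_h, resp_p in records:
        by_pair[(orig_h, resp_h, resp_p)].append(ts)

    beacons = []
    for (orig_h, resp_h, resp_p), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # not enough samples to call the pattern periodic
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append((orig_h, resp_h, resp_p, round(avg, 1), round(cv, 3)))
    return beacons


if __name__ == "__main__":
    for orig_h, resp_h, resp_p, avg, cv in find_beacons(SAMPLE_CONN_LOG):
        print(f"possible beacon: {orig_h} -> {resp_h}:{resp_p} every ~{avg}s (cv={cv})")
```

The thresholds (at least six connections, coefficient of variation at or below 0.1) are starting points, not tuned values: legitimate software updaters and monitoring agents also beacon, so in practice the output is a list for an analyst to triage rather than an alert on its own.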

Installing Zeek on Kali Linux
Installing Zeek on Kali Linux

Who is it recommended for?

Zeek is a little easier to operate and understand than Snort because it applies automated searches on traffic that you can just treat as a black box. Nevertheless, the need to pair this system with a third-party front end means there is a learning curve involved just to get the system running. If you can hire a technician to set the service up for you, you would be able to operate Zeek without technical skills.

Pros:

  • Highly customizable, designed for security professionals using nix operating systems
  • Utilizes signature detection and anomalous behavior scanning to detect known and unknown threats
  • Supports automation through scripting, allowing admins to script different actions easily

Cons:

  • Only available for Unix, Linux, and Mac
  • Not as user friendly, requires deep knowledge in cybersecurity
  • Better suited for researchers and specialists

5. Suricata

Suricata running on Logstash Templates
We got it running on Logstash templates with Kibana

Suricata is a NIDS that can be installed on Windows, Linux, Mac OS, and Unix. This is a free system that applies application layer analysis, so it will detect signatures that are spread across data packets. Suricata monitors IP, TLS, TCP, and UDP protocol activity and focuses on key network applications, such as FTP, HTTP, ICMP, and SMB. It can also examine TLS certificates and focus on HTTP requests and DNS calls. There is also a file extraction facility that enables the analysis of virus-infected files.

Key Features:

  • Application Layer analysis
  • Great data visualizations
  • Analyzes network traffic

Why do we recommend it?

Suricata is another free network traffic analyzer that implements system defense. The package runs on-premises and it can monitor internet traffic to and from cloud services as well as LAN activity. Suricata is able to block the malicious activities that it spots.

Suricata has a built-in scripting module that enables you to combine rules and get a more precise detection profile. This IDS uses both signature-based and anomaly-based detection methods. VRT rules files written for Snort can also be imported into Suricata because this intrusion detection system is compatible with the Snort platform. This also means that Snorby, BASE, Sguil, and Anaval can serve as front ends to Suricata. However, the Suricata GUI is very sophisticated and includes graphical representations of data, so you might not need to use any other tool to view and analyze data.

Who is it recommended for?

Anyone can use Suricata. The system is easy to set up and use because it has a very good user interface and runs on all of the major operating systems. As Suricata is free to use, it is suitable for businesses of any size. The frontend isn’t the best you can get and if you have technical skills, you can feed data into other analysis tools. The Suricata system also includes a scripting language, which enables those who have technical skills to really expand the intrusion prevention features in this tool.

Pros:

  • Collects data at the application layers, giving it unique visibility into the behavior of RATs
  • Analyzes and reassembles protocol packets very efficiently
  • Can monitor multiple protocols and check the integrity of certificates in TLS, HTTP, and SSL

Cons:

  • Built-in scripting could be easier to use
  • Is free, but doesn’t have as large of a community as tools like Snort or Zeek
  • Could use better-looking visualizations on the live dashboard

6. Sagan

Sagan screenshot
It’s free to download, but I could only install on Linux

Sagan is a free host-based intrusion detection system that can be installed on Unix, Linux, and Mac OS. You can’t run Sagan on Windows but you can feed Windows event logs into it. Data gathered by Snort, Suricata, or Bro can be imported into Sagan, which gives the data analysis tool of this utility a NIDS perspective as well as its native HIDS capabilities. Sagan is also compatible with other Snort-type systems, such as Snorby, BASE, Sguil, and Anaval, which could all provide a front end for data analysis.

Why do we recommend it?

Sagan is a free log analysis tool that is good for malware and intrusion detection. This service can also centralize data gathered from many of the other tools on this list. Look upon Sagan as a free alternative to SolarWinds Security Event Manager.

Sagan is a log analysis tool and it needs to be used in conjunction with other data gathering systems in order to create a full intrusion detection system. The utility includes an IP locator, so you can trace the sources of suspicious activities to a location. It can also group together the activities of suspicious IP addresses to identify team or distributed attacks. The analysis module works with both signature and anomaly detection methodologies.

Sagan can automatically execute scripts to lock down the network when it detects specific events. It performs these prevention tasks through interaction with firewall tables. So, this is an intrusion prevention system.

Who is it recommended for?

If you have the money and you want to install a SIEM tool to spot RATs, you should really go for the SolarWinds tool. However, if you don’t want to pay anything and you are prepared to put in a little work, you should consider using Sagan. Creating rules to automatically shut down threats takes a bit of learning, but you will save a lot of money for the time that you invest.

Pros:

  • A free log analysis tool
  • Is compatible with other open-source tools like Zeek and Snort
  • Does a good job at offering automated remediation of threats

Cons:

  • Not available for Windows operating systems
  • Isn’t a standalone solution to RAT removal/prevention
  • Has a fairly sharp learning curve for new users

7. Security Onion

Security Onion Customizable Dashboard
I made personal touches to the customizable dashboard

Security Onion was developed by splicing together the code for Snort, Suricata, OSSEC, Bro, Snorby, Sguil, Squert, Kibana, ELSA, Xplico, and NetworkMiner, which are all open-source projects. This powerful tool is a free Linux-based NIDS that includes HIDS functionality. It was written to run specifically on Ubuntu.

Why do we recommend it?

Security Onion was created to address the problem that we have flagged a number of times in the reviews above. The problem is that all of the systems on this list would work a little better if they are combined into a suite. Security Onion links together the best free intrusion detection systems so you don’t have to learn how best to fit these utilities together into an impressive intrusion prevention system to block RATs and other malicious activities.

Host-based analysis checks for file changes and network analysis is conducted by a packet sniffer, which can display passing data on a screen and also write to a file. The analysis engine of Security Onion is complicated because it combines the procedures of so many different tools. It includes device status monitoring as well as network traffic analysis.

There are both signature-based and anomaly-based alert rules included in this system. The interface of Kibana provides the dashboard for Security Onion and it includes graphs and charts to ease data analysis.

Setting Alerts in Security Onion
I filtered the alerts according to the rule name, event module and event severity

Who is it recommended for?

As it involves so many packages, Security Onion takes time to download and install. However, the setup process is guided and that makes this tool easy to use by anyone. The one problem that some businesses will face is that Security Onion only runs on Ubuntu Linux. So, if your enterprise only has Windows PCs, you will have to convert one of them to Linux to use Security Onion.

Pros:

  • Free open-source software
  • Designed for security professionals
  • Features built-in packet sniffer for live traffic analysis – ideal for highlighting RAT communication

Cons:

  • Only available for Linux
  • Uses Kibana for visualization, would like to see builtin visualizations
  • The interface is fairly complicated, could be more user friendly

8. AIDE

Tested on: Linux

AIDE screenshot
Some prefer simple command line tools

AIDE stands for “Advanced Intrusion Detection Environment.” This is a free HIDS that runs on Mac OS, Unix, and Linux. This IDS focuses on rootkit detection and file signature comparisons. The data gathering module populates a database of characteristics that are gleaned from log files. This database is a system status snapshot and any changes in device configuration trigger alerts. Those changes can be canceled by reference to the database or the database can be updated to reflect authorized configuration alterations.

Why do we recommend it?

As it is a free, open-source host-based intrusion detection system, AIDE competes with OSSEC, Suricata, and Samhain. This is worth a try. However, its command-line interface makes the AIDE utility difficult to use. If you have the time and the skills, you can forward AIDE data files and display them in another tool.

System activity checks are performed on demand rather than continuously, but they can be scheduled as a cron job. The rules base of AIDE uses both signature-based and anomaly-based monitoring methods.
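The snapshot database that the AIDE section describes is easy to misunderstand until you see it in code. The following added example (my code, not AIDE’s) records a fingerprint of every file under a directory, saves it as a JSON baseline, and later compares a fresh walk against it so that added, removed and changed files are reported; re-saving the baseline is how an authorised configuration change would be accepted. The file names and contents in `demo()` are constructed inside a temporary directory.

```python
"""Snapshot-and-compare file integrity check (added example, not AIDE's code).

Record a fingerprint (size, permission bits, SHA-256) for every regular file
under a directory, store it, and later compare a fresh walk against the stored
baseline. Anything added, removed or changed is reported; the operator either
investigates or re-saves the baseline to accept an authorised change. All paths
and file contents in demo() are constructed inside a temporary directory.
"""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Size, permission bits and SHA-256 digest of one regular file."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "sha256": digest.hexdigest()}


def take_snapshot(root):
    """Map each regular file (path relative to root) to its fingerprint."""
    snapshot = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are skipped in this example
            snapshot[os.path.relpath(full, root)] = fingerprint(full)
    return snapshot


def save_snapshot(snapshot, db_path):
    with open(db_path, "w") as f:
        json.dump(snapshot, f, sort_keys=True, indent=1)


def load_snapshot(db_path):
    with open(db_path) as f:
        return json.load(f)


def compare_snapshots(baseline, current):
    """Report files added, removed or changed relative to the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "changed": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo():
    """Build a tiny tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        watched = os.path.join(root, "etc")
        os.makedirs(watched)
        with open(os.path.join(watched, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(watched, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        # The baseline lives outside the watched tree so it is not its own entry.
        db_path = os.path.join(root, "integrity.db.json")
        save_snapshot(take_snapshot(watched), db_path)

        # Simulated tampering after the baseline was taken: an extra account
        # line appended to passwd and an unexpected new file dropped in.
        with open(os.path.join(watched, "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        with open(os.path.join(watched, "unknown.so"), "w") as f:
            f.write("not really a shared object\n")

        return compare_snapshots(load_snapshot(db_path), take_snapshot(watched))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

One caveat the example makes visible: the baseline is only as trustworthy as the place it is stored. Keep the database (and the checker itself) somewhere the monitored host cannot modify, or an intruder who has already changed a file simply updates the baseline to match.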

Who is it recommended for?

AIDE isn’t available for Windows, so if you only have PCs, you won’t be able to use this tool. This is a system that will appeal to technical experts who like to tinker.

Pros:

  • Free open-source software
  • Designed for security professionals
  • Extremely lightweight deployment – can run in legacy environments to detect RATs

Cons:

  • Only available for Linux and Unix operating systems
  • Not beginner-friendly
  • Utilizes command-line interface for most actions

9. OpenWIPS-NG

OpenWIPS-NG screenshot

OpenWIPS-NG comes from the developers of Aircrack-NG. In fact, it integrates Aircrack-NG as its wireless packet sniffer. Aircrack-NG is a well-known hacker tool, so this association may make you a little wary. WIPS stands for “Wireless Intrusion Prevention System” and it runs on Linux. This is a free utility that includes three elements:

  • Sensor – the packet sniffer
  • Server – data storage and analysis rule-base
  • Interface – user-facing front end.

Why do we recommend it?

OpenWIPS-NG is unique on this list because it operates on wireless networks. It can be used to extract packets and analyze them and also to inject traffic back into the wireless networks. A great feature of this tool is that it is free to use. However, don’t think that it will be able to crack transmission encryption, so you won’t be able to spy on WiFi users.

The sensor is also a transmitter, so it can implement intrusion prevention actions and cripple unwanted transmissions. The server performs analysis and also launches intervention policies to block detected intrusions. The interface module displays events and alerts to the systems administrator. This is also where settings can be tweaked and defensive actions can be adjusted or overridden.

Who is it recommended for?

Like its stablemate, Aircrack-NG, OpenWIPS-NG is good for hackers. However, the ability to respond to detected malicious activities makes it very useful. You would need to be a competent network engineer to use this tool.

Pros:

  • Highly flexible tool, developed by the hacking community to secure WiFi networks
  • Lightweight command-line interface
  • Easy to memorize syntax

Cons:

  • Designed primarily for security specialists
  • Relies on other tools to expand the functionality
  • Not ideal for those looking for an all in one solution

10. Samhain

Samhain screenshot

Samhain, produced by Samhain Design Labs in Germany, is a free host-based intrusion detection system that installs on Unix, Linux, and Mac OS. It uses agents running at different points on the network, which report back to a central analysis module. Each agent performs file integrity checking, log file monitoring, and port monitoring. The processes look for rootkit viruses, rogue SUIDs (user access rights), and hidden processes.

Why do we recommend it?

Samhain is a host-based intrusion detection system, so it competes with the other HIDS on this list. It is a free, open source project, so you can alter the code if you want to. Features that no other IDS on this list has include the ability to mask its running processes and its strong protection of log files.

Network communication between agents and the console is protected by encryption. Connections for the delivery of log file data include authentication requirements, which prevent intruders from hijacking or replacing the monitoring process.

Samhain will highlight warning signs of intrusion but it doesn’t have any resolution processes. You will need to keep backups of your configuration files and user identities in order to take action to resolve the problems that the Samhain monitor reveals. Samhain keeps its processes hidden by stealth technology, called “steganography” in order to prevent intruders from manipulating or killing the IDS. Central log files and configuration backups are signed with a PGP key to prevent tampering by intruders.
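The protection of central log files described above is a tamper-evidence problem, and the technique is easier to see in a small working model. This added example is my code, not Samhain’s, and it substitutes a keyed HMAC chain for the PGP signature Samhain uses so that it runs without gnupg: each entry’s tag covers the previous tag plus the message, so editing or dropping a line breaks every tag after it, and recording the final tag somewhere the host cannot reach also exposes a file that has been truncated at the end. The key and the log messages are constructed for the demo.

```python
"""Tamper-evident central log (added example, not Samhain's code).

Samhain signs its central logs with PGP; this example stands in a keyed HMAC
chain for that signature so it runs without gnupg. Each entry's tag covers the
previous tag plus the message, so editing or dropping a line breaks every tag
after it, and keeping the last tag somewhere the intruder cannot reach (the
console, a printout) also exposes truncation of the file's tail. The key and
log lines are constructed for the demo.
"""
import hashlib
import hmac

GENESIS = "0" * 64  # tag assumed for "the entry before the first one"


def _tag(key, prev_tag, message):
    return hmac.new(key, (prev_tag + "\n" + message).encode(), hashlib.sha256).hexdigest()


def append_entry(entries, message, key):
    """Append (message, tag) to the in-memory log; return the new tag."""
    prev_tag = entries[-1][1] if entries else GENESIS
    tag = _tag(key, prev_tag, message)
    entries.append((message, tag))
    return tag


def verify_log(entries, key, expected_last_tag=None):
    """Return (True, None) if intact, else (False, index_of_first_bad_entry).

    If expected_last_tag is given (the tag the console recorded after the last
    write) it is checked too, so silently deleting trailing entries is caught;
    the index reported in that case is len(entries).
    """
    prev_tag = GENESIS
    for index, (message, tag) in enumerate(entries):
        if not hmac.compare_digest(_tag(key, prev_tag, message), tag):
            return False, index
        prev_tag = tag
    if expected_last_tag is not None and not hmac.compare_digest(prev_tag, expected_last_tag):
        return False, len(entries)
    return True, None


def serialize(entries):
    """One line per entry: message, tab, tag (messages must not contain tabs or newlines)."""
    return "".join(f"{message}\t{tag}\n" for message, tag in entries)


def parse(text):
    entries = []
    for line in text.splitlines():
        message, tag = line.rsplit("\t", 1)
        entries.append((message, tag))
    return entries


def demo():
    """Write three agent reports, then show what each kind of tampering looks like."""
    key = b"constructed-demo-key-do-not-use"  # would be a secret held by the console
    log = []
    for msg in ("agent web1: started",
                "agent web1: /etc/passwd changed",
                "agent web1: new SUID file /tmp/x"):
        last_tag = append_entry(log, msg, key)

    intact = parse(serialize(log))
    edited = parse(serialize(log))
    edited[1] = ("agent web1: nothing to report", edited[1][1])  # message rewritten, tag kept
    truncated = parse(serialize(log))[:-1]                        # last report deleted

    return {
        "intact": verify_log(intact, key, last_tag),
        "edited": verify_log(edited, key, last_tag),
        "truncated": verify_log(truncated, key, last_tag),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The HMAC variant needs the verification key to stay secret, which is why Samhain’s asymmetric PGP signature is the better fit for a central console: anyone with the public key can check the log, while only the holder of the private key can extend it.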

Who is it recommended for?

Samhain can be used as a log management tool and it provides a log viewer. The system is useful to have if only for those services and it would be useful for businesses of any size. This is yet another tool that won’t run on Windows.

Pros:

  • Free open-source tool
  • Can detect rogue processes, intrusions, and malicious connections from log files
  • Can monitor user access rights to detect privilege escalation, a common RAT behavior

Cons:

  • No paid support options
  • Not available for Windows operating systems
  • The interface feels outdated and isn’t particularly easy to use

11. Fail2Ban

Fail2ban screenshot

Fail2Ban is a free host-based intrusion prevention system that runs on Unix, Linux, and Mac OS X. The IDS analyses log files and imposes bans on IP addresses that display suspicious behavior. Automatic lockouts occur in Netfilter/IPtables or PF firewall rules and the hosts.deny table of TCP Wrapper. These blocks usually only last a few minutes, but that can be enough to disrupt a standard automated brute-force password-cracking scenario. Alert situations include excessive failed login attempts. A problem with Fail2Ban is that it focuses on repeated actions from one address. This doesn’t give it the ability to cope with distributed password cracking campaigns or DDoS attacks.

Why do we recommend it?

Fail2Ban is a host-based intrusion prevention system that scans application log activity for suspicious behavior. For example, it will set up a monitor to focus on mail servers and another to watch an Apache Web server. You set up playbooks that tell Fail2Ban what to do when it detects suspicious activity.

The monitoring scope of the system is defined by a series of “filters.” These instruct the IPS on which services to monitor. These include Postfix, Apache, Courier Mail Server, Lighttpd, sshd, vsftpd, and qmail. Each filter is combined with an action to perform in the event of an alert condition being detected. The combination of a filter and an action is called a “jail.”
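The filter-plus-action mechanism described above, and the single-address limitation noted earlier, can be seen in a small re-implementation. The following is an added example written for this article, not code from the Fail2ban project: the sshd log lines are constructed, the `FAILED_RE` filter and the `run_jail` counting logic mimic a jail with `maxretry` and `findtime` settings, and the hypothetical `distributed_suspects` function shows the kind of per-account check that a per-IP jail does not perform.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log excerpt (not taken from the article or from a real host).
# 203.0.113.5 hammers one account; 198.51.100.20-22 share the work on "root".
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 50001 ssh2
Mar  1 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 50002 ssh2
Mar  1 10:00:05 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 50003 ssh2
Mar  1 10:00:07 host sshd[1004]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Mar  1 10:00:09 host sshd[1005]: Failed password for root from 198.51.100.20 port 52000 ssh2
Mar  1 10:00:11 host sshd[1006]: Failed password for root from 198.51.100.21 port 52001 ssh2
Mar  1 10:00:13 host sshd[1007]: Failed password for root from 198.51.100.22 port 52002 ssh2
Mar  1 10:20:00 host sshd[1008]: Failed password for root from 203.0.113.5 port 50004 ssh2
"""

# The "filter": a regex that recognises one kind of alert condition in sshd output.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_events(log_text):
    """Apply the filter to every line; return (seconds, ip, user) for each match."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        # Syslog timestamps carry no year; only time differences matter here.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        secs = (ts - datetime(1900, 1, 1)).total_seconds()
        events.append((secs, m.group("ip"), m.group("user")))
    return events


def run_jail(events, maxretry=3, findtime=600):
    """Per-IP jail: ban an address with >= maxretry failures inside findtime seconds."""
    recent = defaultdict(deque)
    bans = []
    for ts, ip, _ in events:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:   # slide the window forward
            q.popleft()
        if len(q) >= maxretry:
            bans.append(ip)
            q.clear()                        # start counting afresh after the ban
    return bans


def ban_action(ip):
    """The "action" half of a jail: the firewall rule the ban would insert."""
    return f"iptables -I INPUT -s {ip} -j REJECT"


def distributed_suspects(events, min_sources=3, findtime=600):
    """Hypothetical per-account check: flag a username attacked from many addresses.
    A per-IP jail never fires on this pattern because each source stays under maxretry."""
    recent = defaultdict(deque)
    flagged = []
    for ts, ip, user in events:
        q = recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > findtime:
            q.popleft()
        if len({src for _, src in q}) >= min_sources and user not in flagged:
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for ip in run_jail(evts):
        print("jail fired:", ban_action(ip))
    print("accounts under distributed attack:", distributed_suspects(evts))
```

With the sample input, the per-IP jail bans only 203.0.113.5 (three failures within seconds), and its later attempt at 10:20 does not count because it falls outside the 600-second window. The three 198.51.100.x addresses never reach `maxretry`, which is exactly the blind spot the article describes; the per-account view catches them because the same username is hit from three or more sources in the same window.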

Who is it recommended for?

Fail2Ban runs on Unix, Linux, and macOS but not on Windows. Although there are some interesting features in this system, it operates at the command line and so small business owners and other non-technical users will struggle to get the best out of Fail2Ban. However, it is open source and free to use, so anyone can give it a try.

Pros:

  • Completely free tool
  • Automatically bans attacking IP addresses – great for stopping RAT C&C servers
  • Acts as a combination IDS and HIDS

Cons:

  • No paid support
  • Lacks more preventive features found in our top choices
  • Available for Unix, Linux, and Mac only

RAT programs and examples

There are a number of remote access systems that could have legitimate applications, but are well-known as tools that are mainly used by hackers as part of a Trojan; these are categorized as Remote Access Trojans. The details of the best-known RATs are explained below.

Back Orifice

Back Orifice, which is also referred to as BO is an American-made RAT that has been around since 1998. This is the granddaddy of RATs and has been refined and adapted by other hacker groups to produce newer RAT systems. The original system exploited a weakness in Windows 98. Later versions that ran on newer Windows operating systems were Back Orifice 2000 and Deep Back Orifice.

This RAT is able to hide within the operating system, which initially makes it difficult to detect. However, nowadays, most antivirus systems have the Back Orifice executable files and concealment behavior logged in their databases as signatures to look out for. A nice feature of this software is that it has an easy-to-use console that the intruder can use to navigate around the infected system. The remote element can be slipped into a target computer through a Trojan. Once installed, this server program communicates with the client console using standard networking procedures. Back Orifice is known to use port number 21337.

Beast

The Beast RAT attacks Windows systems from Windows 95 up to Windows 10. This uses the same client-server architecture that Back Orifice pioneered with the server part of the system being the malware that gets installed surreptitiously on the target computer. Once the server element is operational, the hacker can access the victim computer at will through the client program. The client connects to the target computer at port number 6666. The server is also able to open connections back to the client and that uses port number 9999. Beast was written in 2002 and is still widely in use.

Bifrost

This Trojan begins its infection with the installation of a server builder program. Initially, this program just makes contact with a Command and Control server and waits for instructions. The Trojan infects Windows systems from Windows 95 to Windows 11. However, its capabilities are reduced on Windows versions XP and later.

Once it is triggered, the server builder will set up a server program on the target computer. This enables the hacker, using a corresponding client program, to get access to the compromised machine and execute commands at will. The server software is stored in C:\Windows\Bifrost\server.exe or C:\Program Files\Bifrost\server.exe. This directory and file are hidden and so some anti-virus system checks fail to detect Bifrost.

The server builder does not end its operations once the server has been created. Instead, it operates as a persistence system and will recreate the server in a different location and with a different name if the original server installation is spotted and removed. The server builder also employs rootkit methods to mask server processes and make the running intrusion system very difficult to detect.

Since Windows Vista, the full destructive capabilities of Bifrost have been slowed down because many of the services that the malware uses require system privileges. However, if a legitimate user is tricked into installing the disguised server builder with system privileges, the Bifrost system can become fully operational and will be very difficult to remove.
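The port numbers and file locations given for Back Orifice, Beast, and Bifrost above are the kind of indicator a defender can sweep for. The following is an added example, not code from the article or from any detection product: it scans a constructed connection log and constructed per-host file listings for those indicators and ranks hosts for triage. The host names, IP addresses, and log format are invented for the example; the port numbers and Bifrost paths are taken as the article states them. A port match on its own is weak evidence, since ports such as 6666 and 9999 are used by legitimate software too, so the triage step weights a file-path hit more heavily and accepts a `known_good` allowlist of peers.

```python
import re
from collections import defaultdict

# Indicator values as described in the article text above.
RAT_PORTS = {
    21337: "Back Orifice server port",
    6666: "Beast client-to-server port",
    9999: "Beast server-to-client reverse connection",
}
BIFROST_PATHS = {
    r"c:\windows\bifrost\server.exe",
    r"c:\program files\bifrost\server.exe",
}

# Constructed connection-log format for this example: one flow per line.
CONN_RE = re.compile(
    r"host=(?P<host>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) dir=(?P<dir>in|out)"
)

SAMPLE_CONNS = """\
host=ws01 src=203.0.113.77 dst=192.0.2.10 dport=6666 dir=in
host=ws01 src=192.0.2.10 dst=198.51.100.9 dport=9999 dir=out
host=ws02 src=192.0.2.11 dst=192.0.2.50 dport=443 dir=out
host=ws03 src=192.0.2.12 dst=198.51.100.9 dport=21337 dir=out
"""

# Constructed file listings per host (e.g. from an inventory agent).
SAMPLE_FILES = {
    "ws01": [r"C:\Windows\System32\svchost.exe"],
    "ws02": [r"C:\Windows\Bifrost\server.exe", r"C:\Windows\explorer.exe"],
    "ws03": [r"C:\Program Files\Git\bin\git.exe"],
}


def scan_connections(log_text, known_good=frozenset()):
    """Return {host: [finding, ...]} for flows on ports the article associates with RATs."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        port = int(m.group("dport"))
        # The remote peer is the source for inbound flows, the destination for outbound.
        peer = m.group("src") if m.group("dir") == "in" else m.group("dst")
        if port in RAT_PORTS and peer not in known_good:
            findings[m.group("host")].append(
                f"port {port} {m.group('dir')} with {peer}: {RAT_PORTS[port]}"
            )
    return dict(findings)


def scan_files(file_lists):
    """Return {host: [finding, ...]} for files at the Bifrost server locations.
    Windows paths are compared case-insensitively."""
    findings = defaultdict(list)
    for host, paths in file_lists.items():
        for path in paths:
            if path.lower() in BIFROST_PATHS:
                findings[host].append(f"file {path}: Bifrost server location")
    return dict(findings)


def triage(conn_findings, file_findings):
    """Rank hosts: a file-path hit counts double because ports alone are weak evidence."""
    severity = {}
    for host in set(conn_findings) | set(file_findings):
        score = len(conn_findings.get(host, [])) + 2 * len(file_findings.get(host, []))
        severity[host] = "high" if score >= 2 else "low"
    return severity


if __name__ == "__main__":
    conns = scan_connections(SAMPLE_CONNS)
    files = scan_files(SAMPLE_FILES)
    for host, level in sorted(triage(conns, files).items()):
        print(host, level, conns.get(host, []) + files.get(host, []))
```

In the sample data ws01 shows both Beast directions (an inbound connection to port 6666 and an outbound reverse connection on 9999) and is ranked high; ws02 has the Bifrost server file and is ranked high on that alone; ws03 has only a single port match and stays low until corroborated. Adding a peer to `known_good` removes its flows from the findings, which is how a known internal service on one of these ports would be excluded.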


Blackshades

Blackshades is an off-the-peg hacking tool that was sold to hackers by its developers for $40 a pop. The FBI estimated that its producers earned a total of $340,000 selling this software. The developers were shut down and arrested in 2012 and a second wave of arrests in 2014 captured more than 100 users of Blackshades. However, there are still copies of the Blackshades system in circulation and it is still in active use. Blackshades targets Microsoft Windows from Windows 95 to Windows 11.

The toolkit includes methods of infection, such as malicious code to embed in websites that trigger installation routines. Other elements propagate the RAT by sending out links to infected web pages. These are sent to the social media contacts of an infected user.

The malware enables a hacker to get access to the target computer’s files system and download and execute files. Uses of the program include botnet functions that get the target computer to launch denial of service attacks. The infected computer can also be used as a proxy server to route hacker traffic and provide identity cover for other hacker activities.

The Blackshades toolkit is very easy to use and enables those who lack technical skills to become hackers. The system can also be used to create ransomware attacks. A second obfuscation program sold alongside Blackshades keeps the program hidden, enables it to relaunch when killed, and evades detection by anti-virus software.

Among the attacks and events that have been traced to Blackshades is a 2012 campaign of disruption that targeted Syrian opposition forces.


DarkComet

French hacker Jean-Pierre Lesueur developed DarkComet in 2008, but the system didn’t really proliferate until 2012. This is another hacker system that targets the Windows operating system from Windows 95 up to Windows 11. It has a very easy-to-use interface and enables those without technical skills to perform hacker attacks.

The software enables spying through keylogging, screen capture, and password harvesting. The controlling hacker can also operate the power functions of a remote computer, allowing a computer to be turned on or off remotely. The network functions of an infected computer can also be harnessed to use the computer as a proxy server to channel traffic and mask the hacker’s identity during raids on other computers.

DarkComet came to the cybersecurity community’s attention in 2012 when it was discovered that an African hacker unit was using the system to target the US government and military. At the same time, DarkComet attacks originating in Africa were launched against online gamers.

Lesueur abandoned the project in 2014 when it was discovered that DarkComet was in use by the Syrian government to spy on its citizens. The general populace had taken to employing VPNs and secure chat apps to block government surveillance, so the spyware features of DarkComet enabled the Syrian government to circumvent those security measures.

Mirage

Mirage is the key RAT used by the state-sponsored Chinese hacker group known as APT15. After a very active spying campaign from 2009 to 2015, APT15 suddenly went quiet. Mirage itself was in use by the group from 2012. The detection of a Mirage variant in 2018 signaled that the group was back in action. This new RAT, known as MirageFox, was used to spy on UK government contractors and was discovered in March 2018. Mirage and MirageFox each act as an agent on the infected computer. The Trojan part of the intrusion suite polls a Command and Control address for instructions. Those instructions are then implemented on the victim computer.

The original Mirage RAT was used for attacks on an oil company in the Philippines, the Taiwanese military, a Canadian energy company, and other targets in Brazil, Israel, Nigeria, and Egypt. Mirage and MirageFox get onto target systems through spear-phishing campaigns. These are usually targeted at the executives of a victim company. The Trojan is delivered embedded in a PDF. Opening the PDF causes scripts to execute and they install the RAT. The RAT’s first action is to report back to the Command and Control system with an audit of the infected system’s capabilities. This information includes the CPU speed, memory capacity and utilization, system name and username.

The initial system report makes it seem as though the designers of Mirage made the RAT in order to steal system resources rather than access data on the target system. There is no typical Mirage attack because it seems that each intrusion is tailored towards specific targets. The RAT installation can be presaged by a fact-finding campaign and system checks. For example, the 2018 attack on British military contractor NCC gained access to the system via the company’s authorized VPN service.

The fact that each attack is highly targeted means that a Mirage infection entails a lot of expense. This high cost shows that Mirage attacks usually only aim at high-value targets that the Chinese government wishes to undermine or from which it wants to steal technology.

Dealing with Remote Access Trojan threats

Although much RAT activity appears to be government-directed, the existence of RAT tool-kits makes network intrusion a task that anyone can perform. So, RAT and APT activities are not going to be limited to attacks on the military or high-tech companies, and security awareness is key to stopping any security breaches of your networks.

RATs combine with other malware to keep themselves hidden, which means that installing antivirus software on your computers isn’t enough to prevent hackers from controlling your system with these methods. Investigate intrusion detection systems in order to defeat this hacker strategy.

Have you experienced a network intrusion that resulted in damage or loss of data? Have you implemented an intrusion prevention strategy to head off the RAT problem? Leave a message in the Comments section below to share your experiences.

Remote Access Trojans FAQs

Can a Remote Access Trojan be installed to BIOS?

Access to the BIOS has been known to the world’s hackers since 2015. Many believe that the NSA was planting RATs and trackers on BIOS even earlier.

How is a Remote Access Trojan RAT different from a regular Trojan?

A Trojan is a virus that gets onto a victim computer by passing itself off as a legitimate piece of software. A RAT is a Trojan that the hacker can use to gain regular access to the target system.

What is the Sakula Remote Access Trojan RAT?

Sakula is a RAT that is used to intrude on IT systems serving government departments and agencies, healthcare facilities, and other large organizations. Sakula acts as a hacker platform and can facilitate a range of malicious activities, including ransomware attacks.