An Incident where a RAT was Found on a Corporate Network
Grimes (2002) reports a case he encountered while working as a forensic investigator. His client's PC had been showing some very strange symptoms: inverted screen images, a CD-ROM tray that opened and closed at random, a slowdown in performance, and many unexpected and odd error messages. He had to work through his malware-hunting steps, severing his client's internet connection, to identify the culprits: two RATs, the lesser-known The Thing and Back Orifice. Even though the intruders appeared to be kids whose only interests were trading pornography and causing trouble online, the case is a clear indication that those operating corporate networks must take care to ensure that their networks are safe (Grimes, 2002).
One Method of Identifying a Potential RAT Program
According to Grimes (2002), one of the best methods a forensic investigator can use to identify a potential RAT program is simply to type the key words, in this case "Remote Access Trojan", into an internet search engine. This turns up many hundreds of Remote Access Trojans, with Back Orifice and SubSeven being the most popular. Other methods include technologies such as Cerberus, the malware triage component integrated into FTK 4 (AccessData Group, 2012).
Items to Consider when Creating a Malware Analysis Environment
With advances in technology, antivirus companies are increasingly unable to keep up with the volume of malware samples submitted to them. It is therefore crucial that every organization develops its own capability to analyze malware (Kirk, 2010). This can be done by considering two items: the operating system and network isolation. According to Sanders (2011), the choice of operating system matters because malware behaves differently depending on the operating system on which it runs. Additionally, some malware only functions on particular Linux versions, while other malware only works on Windows Server based operating systems (Rouse, 2012).
That is, a given piece of malware, when installed on Windows Vista, may completely crash the system, while on a Windows 7 system it might instead join the system to a botnet's command-and-control. It is thus best to have a variety of operating systems available when analyzing malware. Equally, it is wise to have access to the major Windows operating systems and the best-known modern Linux distributions to serve as the infected hosts during the process. These hosts carry the analysis tools and code that help execute and examine the malware (Sanders, 2012).
Another item to consider when creating a malware analysis environment is network isolation. That is, one should take extra care over where the malware analysis hosts sit within one's network. Besides isolating one's malware analysis hosts from other people's computers, one should keep them away from the internet too (Constantin, 2012). This prevents the author of the malware from learning of one's existence, and so keeps the analysis safe from any attacker's attempt to disable it. Malware analysis hosts should thus be isolated completely from the network. The best way of achieving this is an air gap: lab systems are not plugged into any network at all (Sanders, 2012).
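The isolation requirement above is something an analyst can verify before a sample is ever executed. The script below is an added example written for this page; it is not from Sanders, Constantin or any other cited source. It parses the kind of text collected from a Linux lab VM (the routing table as printed by `ip route`, the contents of `/etc/resolv.conf`, and the list of interfaces that are UP) and reports every path that would let a sample reach the internet or other hosts. The policy it enforces (only loopback up, no default route, no gateway route, no resolver) is an assumption matching an air-gapped lab, and all host states are constructed.

```python
"""Pre-flight isolation check for a malware analysis host.

Added example (not from Sanders, Constantin or any cited source). The policy
enforced here is an assumption matching an air-gapped lab: only loopback is up,
there is no default route, no route via a gateway, and no resolver configured.
All host states below are constructed.
"""
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class HostNetworkState:
    routes: List[str]           # lines as printed by `ip route`
    resolv_conf: str            # contents of /etc/resolv.conf
    interfaces_up: List[str]    # interface names reported as UP


def check_isolation(state: HostNetworkState,
                    allowed_ifaces: Sequence[str] = ("lo",)) -> List[str]:
    """Return a list of findings; an empty list means the host meets the policy."""
    findings: List[str] = []

    for raw in state.routes:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("default"):
            # A default route means the sample can reach the internet.
            findings.append("default route present: " + line)
        elif " via " in line:
            # A gateway route means other networks are reachable even without a default.
            findings.append("gateway route present: " + line)

    for iface in state.interfaces_up:
        if iface not in allowed_ifaces:
            # Any interface that is up and not on the allow list is a path off the host.
            findings.append("interface up but not allowed by lab policy: " + iface)

    for raw in state.resolv_conf.splitlines():
        line = raw.strip()
        if line.startswith("nameserver"):
            # A configured resolver is an egress path (DNS is a common C2 channel)
            # and reveals the lab's existence to whoever operates that resolver.
            findings.append("resolver configured: " + line)

    return findings


# Constructed: a normal corporate workstation that must NOT be used as a lab host.
CONNECTED_WORKSTATION = HostNetworkState(
    routes=[
        "default via 192.0.2.1 dev eth0 proto dhcp metric 100",
        "192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50",
        "10.0.0.0/8 via 192.0.2.254 dev eth0",
    ],
    resolv_conf="nameserver 192.0.2.1\nsearch corp.example\n",
    interfaces_up=["lo", "eth0"],
)

# Constructed: an air-gapped lab VM with only loopback up and no resolver.
ISOLATED_LAB_HOST = HostNetworkState(
    routes=[],
    resolv_conf="# intentionally empty: lab host has no resolver\n",
    interfaces_up=["lo"],
)


if __name__ == "__main__":
    for name, state in (("workstation", CONNECTED_WORKSTATION),
                        ("lab host", ISOLATED_LAB_HOST)):
        problems = check_isolation(state)
        verdict = "OK to run samples" if not problems else "NOT isolated"
        print(f"{name}: {verdict}")
        for p in problems:
            print("  - " + p)
```

Run as-is, the workstation produces four findings (default route, gateway route, `eth0` up, resolver) and the lab host none. If the lab uses a closed internal segment with a simulated-internet service rather than a strict air gap, pass that segment's interface in `allowed_ifaces`; a link-scope route on it carries neither `default` nor `via` and so is not flagged.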
Yes. If a given piece of malware detects a potential analysis environment, it reacts differently. This can be established through such analysis methods as behavioural analysis and code analysis. Central to behavioural analysis is the premise that, if malware is executed in an environment which is not controlled, it is likely to take more time to run. Because code analysis involves disassembling the malware's code, if this is not done in a proper static manner the malware will detect and react to a potential analysis environment, indicating that another analysis type is preferable (Sanders, 2012).
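One practical way to act on the behavioural premise above is to run the same sample once in the controlled (instrumented VM) environment and once on an uncontrolled host, then compare the two runs. The code below is an added example and is not from Sanders (2012) or any other cited source. It reduces each run to how long the sample stayed alive and the coarse actions observed, and flags a sample that exits quickly and does little under instrumentation but runs long and is busy elsewhere as a candidate for environment-aware behaviour worth sending to static code analysis. The thresholds and both run summaries are constructed assumptions.

```python
"""Flag samples whose behaviour diverges between a controlled and an uncontrolled run.

Added example; not from Sanders (2012) or any cited source. The thresholds and
the run summaries below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class RunSummary:
    label: str
    seconds_alive: float        # wall-clock time before the sample exited or was killed
    actions: FrozenSet[str]     # coarse behaviours observed, e.g. "net_connect"


def divergence(a: RunSummary, b: RunSummary) -> float:
    """Jaccard distance between the two action sets: 0.0 identical, 1.0 disjoint."""
    union = a.actions | b.actions
    if not union:
        return 0.0
    return 1.0 - len(a.actions & b.actions) / len(union)


def looks_environment_aware(controlled: RunSummary, uncontrolled: RunSummary,
                            min_time_ratio: float = 3.0,
                            min_divergence: float = 0.5) -> bool:
    """True when the sample lived much longer outside the controlled environment
    AND its observed actions differed substantially between the two runs."""
    # Guard against a zero-length controlled run producing a division by zero.
    ratio = uncontrolled.seconds_alive / max(controlled.seconds_alive, 0.001)
    return ratio >= min_time_ratio and divergence(controlled, uncontrolled) >= min_divergence


# Constructed: a sample that exits almost immediately inside the analysis VM...
EVASIVE_VM_RUN = RunSummary("vm", 2.0, frozenset({"file_read", "process_exit"}))
# ...but on bare metal runs for minutes, sets up persistence and opens a connection.
EVASIVE_METAL_RUN = RunSummary("bare-metal", 180.0, frozenset({
    "file_read", "file_write", "registry_write", "net_connect", "persist"}))

# Constructed: a sample that behaves the same in both environments.
CONSISTENT_VM_RUN = RunSummary("vm", 120.0,
                               frozenset({"file_read", "file_write", "net_connect"}))
CONSISTENT_METAL_RUN = RunSummary("bare-metal", 130.0,
                                  frozenset({"file_read", "file_write", "net_connect"}))


if __name__ == "__main__":
    for name, vm, metal in (("sample A", EVASIVE_VM_RUN, EVASIVE_METAL_RUN),
                            ("sample B", CONSISTENT_VM_RUN, CONSISTENT_METAL_RUN)):
        flag = looks_environment_aware(vm, metal)
        print(f"{name}: divergence={divergence(vm, metal):.2f} "
              f"environment-aware={'yes' if flag else 'no'}")
```

Both conditions are required on purpose: a sample that merely runs longer on bare metal may just be waiting on slower I/O, and a sample whose actions differ but whose lifetime is similar may simply be taking a data-dependent branch. Only the combination points to the sample having recognised the controlled environment.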