Backdoors, RATs, and Information Stealers

Backdoors
As their name implies, backdoors let hackers gain sneak attack access to an infected system, bypassing security "through the use of undocumented OS and network functions," Elisan writes. As an example, a backdoor was used to hack into RSA's systems in 2011, a large information security company. This was a targeted attack, gaining a foothold in RSA's network by sending innocent-looking phishing e-mails to workers. The e-mail had a subject line of "2011 Recruitment Plan" and contained an Excel file with an embedded Adobe Flash file that installed the backdoor:

Launching the attachment in Outlook led to the Flash object being executed by Microsoft Excel. By targeting a vulnerability allowing the execution of code, the object dropped a variant of the so-called "Poison Ivy" backdoor onto the RSA computer. Poison Ivy connects back to servers operated by malicious users. "Once the connection is made, the attacker has full remote access to the infected workstation," F-Secure wrote in 2011. "Even worse, it has full access to network drives that the user can access."

Remote Access Trojans
"A remote access Trojan (RAT) is a malicious administrative tool that has backdoor capabilities, enabling an attacker to gain root access to the compromised machine," Elisan writes. "The main difference between a RAT and a traditional backdoor is that the RAT has a user interface, the client component, which the attacker can use to issue commands to the server component residing in the compromised machine." Thousands of compromised computers can be controlled with remote access Trojans, letting attackers do "almost anything" they want. They can install programs on the infected PC, steal information, or just flat-out destroy the computer.

Information Stealers
Diving deeper into malware designed to steal information, Elisan describes keyloggers, desktop recorders, and memory scrapers, which can steal passwords, financial credentials, proprietary data, "or anything that the attackers can use to their advantage or monetize." A keylogger records the user's keystrokes and "stores them locally for later retrieval, or sends them to a remote server that the attacker has access to." Desktop recorders take periodic screenshots of the desktop, while memory scrapers take information out of a computer's memory while it's being processed. "Data that is processed in memory is unencrypted. This is why this is the best place to grab data," Elisan writes.

Resources
arstechnica.com

Security tips are brought to you by the CTS SOC. The mission of the CTS SOC is to provide centralized information sharing, monitoring, and analysis of Washington State security posture. Contact us at: soc@cts.wa.gov.