As the use of computing devices, software, and the Internet expands, threats from malicious software, also referred to as “malware,” increase as well. Such malware can be used, for example, to take control of some or all of a computing device's functionality, to collect sensitive or private information, and to spread to other devices. Malware has been used in conjunction with criminal activities such as fraud (e.g., identity theft), corporate espionage, and other illicit activities.
Remote Access Trojans (or RATs) are one such form of malware. A RAT opens a hidden channel that allows an attacker to remotely control a victim's system for a variety of illicit purposes, ranging from spying on a spouse to stealing corporate information. Remote-control components are often bundled into the most popular malware kits, allowing criminals to bypass modern defenses, particularly where stolen credentials alone are not sufficient to gain access to a system.
Various attempts to defend against malware include adding more restrictive authentication factors, such as machine identification or Internet Protocol (IP) address whitelisting, but malware typically evolves to defeat such defenses. Some institutions implement authentication processes that require a session to be started from a known machine and that also verify the presence of specialized software or devices, such as smart cards or pen drives. Some security mechanisms are configured to reject transactions coming from unknown IP addresses.
RATs, however, provide criminals with the capability to bypass these diverse authentication controls by acting as the legitimate user on the legitimate machine. With a RAT, the attack is performed from the very same machine the legitimate user operates, often within a session the user has already authenticated, so the attacker's actions carry the expected device identity, network address and token-backed credentials. This effectively circumvents protections based on device identification, environment profiling and hardware-based authentication tokens such as smart cards or pen drives.
On the one hand, RATs pose a severe security threat to many institutions, but on the other hand desktop sharing and remote administration are widely used for a variety of legitimate purposes. At least some embodiments disclosed herein help detect and address illicit remote-access events while allowing valid remote-access events to function as intended, as well as addressing other issues.