RATS Vs. TROJANS

Strictly speaking, a "trojan" is a program that appears to do one thing but does something else, or something else as well. It does not propagate or automatically install, it requires some user intervention.

"Remote Access" means a backdoor. These can be the payload of a virus, worm or trojan and can even be installed manually if physical access is possible.

So, a "Remote Access Trojan" is a trojan program with a backdoor as its payload. I have noticed some literature that seems to imply that the backdoor is the trojan. I guess the general media don't understand the difference between the carrier and the payload.

The same is true of "viruses", which must infect to be true viruses. The media frequently describe worms as viruses.

Quote:

---

how the hell else are you gonna access a trojan!

---

Actually Nokia the victim accesses the trojan, usually via their mail client or web browser or running something they downloaded.

The payload (back door) is what is accessed remotely, although some could be accessed directly with physical access to the machine.

:)

Nokia

Quote:

---

Remote - Access - Trojan.....how the hell else are you gonna access a trojan!

---

EXXXACTLY my point!!!! Majority of the articles I have read about RATs refer to it as a remote access trojan.

What Nokia meant by that quote, was how else was the person crafting the trojan going to access the server aspect of it. But Nihil is right in saying that it could be accessed locally.
And yes, definitions about trojans do say that it poses on one thing and performs another. So TECHNICALLY, it might not actually be a backdoor in.
I think that the majority of people out there would automatically assume though that the common usage of the word "trojan" implies the Client Server/Backdoor application.
oooor.... an extremely good night with a significant other.

Yikes... how did I let that stupid article on MSN set me off like this. I got pretty P.O'ed when they tried to sell everyone the idea that Trojans were a new threat.

Quote:

---

Actually Nokia the victim accesses the trojan, usually via their mail client or web browser or running something they downloaded.

---

Hi Nihil,

I meant how else is the person who "installed" the trojan going to access it - it has to be remotley. So a Remote Access Trojan - is just a Trojan!

If your accessing it localy, your already on the machine, so you dont need a trojan, if you follow what I mean?

I believe MsMittens had it down quite nice.. a RAT (Remote Administration Tool) can be thought of as what is typically used to legally access a PC using a client/server software application. For example, PCAnywhere could be a RAT. Those applications are usually used to access other PC's for legit reasons/purposes. A trojan, however, deals with the same concept (client/server) but is usually used for malicious purposes and isn't usually authorized by the other PC user. It is typically used to control another PC from afar without knowledge of the other PC user and/or without permission.

So, to simplify it.. RAT (Remote Administration Tool) = A "legal" trojan, usually involving the user to have permission on the client machine and server machine. This user usually owns both machines anyways.. Whilist a Trojan is typically used in an illegal sense.. the user generally doesn't have permission and doesn't legally own the other machine.

I really hope I explained it better for some people, although I think I was repetitive.. :D

Hmmm,

I think that we are missing the point here?

A "trojan" is a program that does something unexpected or unintended by the person who runs it. Trojans have to be run by the victim, or they are not trojans

That leaves us with what the "payload" of the trojan is?

In this case we are talking about a program that allows remote access, which is a "back door" It is not a "trojan". I could load the thing physically, or send it as the payload of a virus or internet worm................no trojan would be involved.

Or, I could take the same "back door" and write a bit of malware to attach it to a "fun new game", "smilies for your IM application", "real funny animation" and so on. I give this to my victim on a floppy, CD, or e-mail, and they run it. OK, it does what they expect so they are not suspicious; but at the same time it loads the back door .

Now, in that example you can see that the "trojan" is the software I socially engineered the victim to run, and the payload is the back door. The payload is an application in its own right, quite independent of the method of delivery, and it is that application that I access remotely.

The trojan is only ever accessed by the victim, it is the payload that is accessed by the attacker.

Just as I have demonstrated that the backdoor is an independent application, so is the trojan. I could use the same program to deliver all sorts of payloads...........birthday greetings pop-up?, practical joke, or another malicious program.

My final complaint about "RAT" is why don't we have RAW (remote access worm) or RAV (remote access virus)? It is inconsistent to include the payload in the description of the malware, and it does not make sense, as the payload can vary whilst the carrier remains the same.

Just my thoughts on it :)

Hey Hey,

Everyone's thrown their opinions in here, so I'll do the same..

RAT = Remote Acccess Trojan / Remote Access Tool / Remote Admin Tool / Really Anything Trojan-Like (I just created this one)..

The problem is that it's not just Trojan remember... It's Trojan Horse... and I'm sure we all know the history of where that comes..

Regardless of if RAT means Remote Access Trojan or something else... the key is remembering that Trojan is a shortened version of Trojan Horse.

Generally when you're refering to a RAT you're looking at, as mentioned, a legit program... netcat told to execute cmd.exe or /bin/bash could be considered a simple RAT... however it's not a Trojan Horse.. patch.exe from BO or the whack-a-mole game that masked it that came later.. those are considered Trojan Horses... they disguise themselves, throw off the user and hide as best they can.

Now you also have Root Kits... which are really no different than Trojan Horses and RATs, except that generally you leave it behind yourself (or did in the past).

Let's look at Hacker Defender or Golden (it's seen it called either or both) by Holy Father -- http://hxdef.czweb.org/

Is it a Root Kit, a Trojan or a RAT... It doesn't really matter... They're all the same thing..

Even if the RAT isn't remote access.... For example... if it's a phone home trojan.. you aren't technically remotely accessing it, not initially.. it's accessing you..
There are Trojan's that take commands through IRC you aren't remotely accessing that.. It's not always remote access... so it doesn't make sense... but it doesn't really need to... You understand it.. It's multiple terms for the same item... It happens a lot..

Just keep in your mind that all three mean the same thing in the end.. a way to remotely control or manipulate another computer.

Now for origins:

RAT -- I believe this came first... You had Remote Administration Tools.. SMS, Remote Desktop, Terminal Services, Telnet, SSH, etc.

Trojan Horse -- derived from the story of the Trojan War.... Sneaky and malicious... just like original Trojan Horse software...so the name made sense... Also most people knew the term and they knew it wasn't a good term...

RAT V2 -- Remote Access Trojan... someone combined the two at some point... and we had this version of the term.... It stuck because people just accepted it.

Trojan -- People dropped Horse... it was too long to say and we're lazy... Just like Voice over IP became VoiP we tend to shorten things... and TH doesn't roll off the tongue or seem to work... dropping a word does..

Root Kit -- Originally a self installed Trojan Horse... instead of deceiving the user into infecting themselves... you, after cracking/hacking/violating their system, installed it to provide simple access at a later date..

Root Kit V2 -- A Trojan with a new name... Designed to scare people now that they know they can simply clean a Trojan.. Root Kits are "harder" to deal with.. time to buy new software to protect yourself

You have to remember that half the time these terms go into use because of marketing (just like Vonage did with VoiP (which by the way I hate.. it sounds wrong)... Marketing takes these known computer terms and twists them ever so slighly to portray a threat to the end user...

That's my take anyways.

Peace,
HT

Here's my point of view: -

Well starting with Trojan, as HTRegz said initially we used to call it Trojan Horse, people started calling trojan just to shorten the length.

What Trojan/Trojan Horse is a program consist of two parts a client and a server, from its original definition we can see that its a backdoor, now from where that backdoor comes is the SERVER part. This server leaves that backdoor for the client to access it, and normally it is Remote accessing.

So a Trojan/Torjan Horse/Backdoor Trojan (I have heard people using this name too) can be called as Remote Access Tool (RAT).

If you take RAT as Remote Admin Tool, a Trojan can still be a RAT, as i know administrators running Trojans on clients to keep an eye on there activities (I was among those :-) ), obviously thats not the right way but still its a way of doing it.

So Initially it was Trojan Horse, than named as Trojan now Remote Access Trojan. Its just changing the name and making the fuzz.

I haven't even heard of them and I work for tech support of an AV company

tbh it sounds like another unnecessary acronym to me. Acronyms are just a way for people to try and sound knowledgeable. They seem to be popular in techie circles, and also in the military - just read a military-related book like Bravo Two Zero and you'll see what I mean

there may be a genuine distinction between 'RAT's' and trojans but it isn't obvious to me. :-/

*head starts spinning - grabs a glass of Sharkleberry Fin kool aid*

Ahhhh

HT- you said it best:

Quote:

---

You have to remember that half the time these terms go into use because of marketing (just like Vonage did with VoiP (which by the way I hate.. it sounds wrong)... Marketing takes these known computer terms and twists them ever so slighly to portray a threat to the end user...

---