Big or Little brother?

Matt Tett

Matt Tett is the Managing Director of Enex TestLab, an independent testing laboratory with over 22 years' history and a heritage stemming from RMIT University. Matt holds the following security certifications in good standing: CISSP, CISM, CSEPS and CISA. He is a long-standing committee member of the Australian Information Security Association (AISA), Melbourne branch, and is also a member of the Information Systems Audit and Control Association (ISACA). Enex TestLab can be found at blog at and can be found on Twitter as @enextestlab.

It used to be the fear of 1984 and Big Brother—watching and controlling citizens’ every move. These days the writing is on the wall: while Big Brother is watching via the CCTV networks, little brother is insidiously infiltrating our computers and smart devices to build a cache of information—and it is no longer simply making off with corporate/personal data/information. Enter the RAT.

In reality, RATs have been with us since the inception of computer networking systems. Essentially they are a bastardisation of Remote Assistance Tools and Remote Administration Tools (umm, RATs, and err, RATs). Good RATs enable legitimate remote access and administration of a computer so that a helpdesk can work out the issue without having to despatch a technician from their dark basement to tinker with the machine. They also enable administrators to remotely log in to servers in Data Centres from the comfort of their sofa to perform routine tasks.

Bad RATs (Remote Access Trojans) are installed without the owner or operator being aware of them, and allow the same tasks to be performed as the good RATs, without the owner's or operator's knowledge.

Recent media attention has shone a spotlight on the prospect of others taking control of a device’s camera using a bad RAT to take images or video of the user and transmit it in real-time (or store it for later retrieval and review).

The majority of paranoid security practitioners have a creative solution for this… a piece of insulation tape across the lens—coming soon to a security-vendor near you.

Of greater concern, however, is that once a malicious RAT has been installed on a system (and don't forget smart-phones are computers too), the remote operator essentially has command and control capabilities over most features on the device. This ranges from the camera and the microphone to all the information stored on the device and any peripherals connected to it, including network resources, printers, scanners and more. It grants them exactly the same access as if they were seated at that computer or had the device in the palm of their hand.

So ultimately, an image or a video would be the least of an owner’s concerns. Imagine, for example, the conversations that take place within earshot of your mobile device or computer. Boardroom meetings, tender evaluations, contract negotiations and let’s not forget private chats in a bar. A lot of this could cause significant personal, corporate and financial damage if it falls into the wrong hands.

A significant number of our gadgets also have integrated GPS capabilities. So once a device is compromised, the bad guys can turn it on and track the owner's movements too. You can imagine how this might be used: monitoring the home owner in order to rob their house while they’re out, or tracking them to a dark alley where they are vulnerable.

I personally like the idea it poses as a new form of social engineering and information gathering—a six-step tool-kit for the professional crook to drive legitimate sales.

• Step one: insert a bad RAT into a target's mobile device.
• Step two: use the audio information collected from eavesdropping on the device to develop a convincing and customised “sales” pitch.
• Step three: use the camera or images stored on the device and from their social media to get to know the target, what they look like, friends etc.
• Step four: use GPS location data to build a profile of the target's movements.
• Step five: create a chance meeting, “bump” into the target.
• Step six: deliver the perfect pitch/conversation, including the exact solution to their problems.

And if that doesn't convince them to buy, simply resort to blackmail or sell the stolen secrets.

Kids, don't try this at home.

Tags: rats
