RAT-catching: Smooth cyber-criminals give themselves away during banking transactions
Thu 5 Mar 2015
A security company claims that attackers operating Remote Administration Tool (RAT) malware during a victim's online banking session can be identified by their hesitations and cursor movement. An article by Dr. Itai Novick of Biocatch outlines a behavioural-analysis system which is claimed to pick out the small deviations from normal keyboard-and-mouse behaviour that distinguish a remote operator from the legitimate user.
“Simply put,” says Dr. Novick, “a RAT’s keyboard typing or cursor movement will often cause delayed visual feedback which in turn results in delayed response time; the data is simply not as fluent as would be expected from standard human behavior data.”
The graph below plots three factors recorded in two genuine cases of RAT-driven online banking fraud: movement fluency, typing fluency and clicking fluency.
Israeli company Biocatch, formed in 2011 by a group of neural research scientists, uses a Cognitive Behavioural Analysis technique which presents the suspected RAT session with challenges that trigger the hesitations and 'deviant' input behaviour.
The company's commercial product claims to engage only with genuine RAT sessions. It identifies them by the latency introduced by the relay the attack necessarily runs through: the operator sees the victim's screen only after a round trip through the malware, so the delayed screen refresh is a signature of RAT interception.
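To make the latency-and-fluency idea concrete, here is an added example (not Biocatch's code, and not a description of its product) that scores constructed pointer telemetry. It measures how long the pointer takes to react to a challenge shown at an assumed time, and how bursty the sample timing is, since a relayed session arrives as bursts of samples separated by round-trip stalls. The thresholds, the synthetic sessions and the "two of three signals" rule are assumptions chosen for illustration.

```python
"""Constructed example: fluency and challenge-latency scoring of pointer
telemetry to flag a session driven through a RAT relay.  Not Biocatch code;
the thresholds and the synthetic sessions below are assumptions."""
import math
import statistics
from dataclasses import dataclass

CHALLENGE_T_MS = 1000.0      # assumed moment the page shows the challenge
TARGET = (300.0, 200.0)      # assumed position the user has to move to


@dataclass(frozen=True)
class Sample:
    t_ms: float
    x: float
    y: float


def movement_fluency(samples, stall_ms=120.0):
    """Stall ratio and coefficient of variation of inter-sample gaps.
    A relayed session shows bursts of samples separated by round-trip stalls."""
    gaps = [b.t_ms - a.t_ms for a, b in zip(samples, samples[1:])]
    if not gaps:
        return 0.0, 0.0
    stall_ratio = sum(g > stall_ms for g in gaps) / len(gaps)
    mean = statistics.fmean(gaps)
    gap_cv = statistics.pstdev(gaps) / mean if mean else 0.0
    return stall_ratio, gap_cv


def challenge_latency_ms(samples, challenge_t_ms=CHALLENGE_T_MS, move_px=5.0):
    """Time from the challenge until the pointer first leaves its resting spot.
    Returns None if the pointer never moves after the challenge."""
    before = [s for s in samples if s.t_ms < challenge_t_ms]
    rest = (before[-1].x, before[-1].y) if before else (samples[0].x, samples[0].y)
    for s in samples:
        if s.t_ms >= challenge_t_ms and math.dist((s.x, s.y), rest) > move_px:
            return s.t_ms - challenge_t_ms
    return None


def classify(samples, max_latency_ms=600.0, max_stall_ratio=0.05, max_gap_cv=1.0):
    """Two of three tripped signals -> suspected RAT relay.  A single natural
    pause by a human trips only the CV signal and is therefore not flagged."""
    latency = challenge_latency_ms(samples)
    after = [s for s in samples if s.t_ms >= CHALLENGE_T_MS]
    stall_ratio, gap_cv = movement_fluency(after)
    signals = {
        "slow_reaction": latency is None or latency > max_latency_ms,
        "stalls": stall_ratio > max_stall_ratio,
        "jittery_gaps": gap_cv > max_gap_cv,
    }
    return {"latency_ms": latency, "stall_ratio": stall_ratio, "gap_cv": gap_cv,
            "signals": signals, "rat_suspected": sum(signals.values()) >= 2}


def synth_session(reaction_ms, extra_after=None, n=40, step_ms=16.0):
    """Constructed telemetry: the pointer rests at (0,0), then moves in a
    straight line to TARGET starting reaction_ms after the challenge, one
    sample every step_ms; extra_after inserts a delay after a sample index."""
    extra_after = extra_after or {}
    samples = [Sample(CHALLENGE_T_MS - step_ms * k, 0.0, 0.0) for k in (3, 2, 1)]
    t = CHALLENGE_T_MS + reaction_ms
    for i in range(n):
        frac = i / (n - 1)
        samples.append(Sample(t, TARGET[0] * frac, TARGET[1] * frac))
        t += step_ms + extra_after.get(i, 0.0)
    return samples


# Constructed sessions: a smooth human, a human who pauses once for 500 ms,
# and an operator working through a relay (slow reaction, 300 ms stall
# after every fifth sample).
HUMAN = synth_session(reaction_ms=250)
HESITANT_HUMAN = synth_session(reaction_ms=250, extra_after={20: 500})
RAT_RELAY = synth_session(reaction_ms=900,
                          extra_after={i: 300 for i in range(4, 39, 5)})

if __name__ == "__main__":
    for name, s in [("human", HUMAN), ("hesitant human", HESITANT_HUMAN),
                    ("rat relay", RAT_RELAY)]:
        print(name, classify(s))
```

The hesitant human is the edge case worth keeping in mind: one long pause makes the gap distribution look wildly irregular, so a detector that keys on a single timing statistic would generate false positives on ordinary users, which is why the example demands two independent signals before raising a verdict.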
The anomalies identified by Biocatch are based on datasets of regular and genuine equivalent online banking activity.
RAT malware, whose name ironically sprang from business-like roots in remote helpdesk software, is typically distributed through indiscriminate drive-by-download attacks, in which a compromised web page exploits out-of-date software on the visitor's machine. Infections can also be targeted, using spear-phishing emails or 'watering-hole' sites that the intended victims are likely to visit.
Among the most famous RAT trojans was Back Orifice, released in 1998 by the hacker group Cult of the Dead Cow; its name is a pun on Microsoft's BackOffice server product, and its stated purpose was to demonstrate the lack of security in Windows 9x.
A successful RAT operator gains effectively full interactive control of the infected machine, at whatever privilege level the malware obtained: registry edits, screenshotting, file operations, mouse and keyboard takeover and process control, among other capabilities.