Is Popular Remote Admin Tool Actually a Remote Access Trojan


Security expert and leading investigative journalist Brian Krebs, in collaboration with security professional Daniel Gallagher, has recently discovered that a popular remote administration tool known as “Orcus RAT” is actually exhibiting the sort of behavior which is generally associated with a remote access trojan – a nasty piece of malware. [RAT: Wikipedia]

Brian tells the story of suspicions surrounding the Orcus RAT software and how he uncovered the identity of the developer –  trust me, it is an enlightening read:

krebs on security

Far too many otherwise intelligent and talented software developers these days apparently think they can get away with writing, selling and supporting malicious software and then couching their commerce as a purely legitimate enterprise. Here’s the story of how I learned the real-life identity of Canadian man who’s laboring under that same illusion as proprietor of one of the most popular and affordable tools for hacking into someone else’s computer.

Earlier this week I heard from Daniel Gallagher, a security professional who occasionally enjoys analyzing new malicious software samples found in the wild. Gallagher said he and members of @malwrhunterteam and @MalwareTechBlog recently got into a Twitter fight with the author of Orcus RAT, a tool they say was explicitly designed to help users remotely compromise and control computers that don’t belong to them.

The author of Orcus — a person going by the nickname “Ciriis Mcgraw” a.k.a. “Armada” on Twitter and other social networks — claimed that his RAT was in fact a benign “remote administration tool” designed for use by network administrators and not a “remote access Trojan” as critics charged. Gallagher and others took issue with that claim, pointing out that they were increasingly encountering computers that had been infected with Orcus unbeknownst to the legitimate owners of those machines.

Posted in:
About the Author

Brian Krebs

Brian became a world renowned security researcher while working for The Washington Post from 1995 to 2009 as the author of The Security Fix column. Since leaving The Washington Post in 2009 Brian has continued his research at Krebs on Security where he continues to investigate cyber criminal gangs, skimmers, software exploits, and the dark underbelly of the web .

There are no comments

Your email address will not be published. Required fields are marked *