Defending against RATs
Depending on how complex their implementation is, how many stealth features they have and how they communicate with the outside, some remote access Trojans may be detected by ordinary antivirus solutions. However, a better way to detect them is to look for the backdoor they open. This door is essential to the functionality of the RAT, so using it as the primary means of detection grants adequate accuracy, better than that offered by antivirus engines.

In essence, running port scans against internet-facing machines, or even machines inside the DMZ, would yield the best results. Since some RATs may not keep their ports open persistently, running such scans often, on a schedule, increases the chances of detection. For best results, you need a tool that can scan for open ports regularly, detect the applications and services listening on those ports, and point out the ports used by unsafe applications or unknown services.

Once suspicious ports are identified, they can be closed at the firewall, the executable opening them can be quarantined, and a new port scan can be triggered to confirm that the backdoor is gone.
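The scan, compare and re-scan loop described above can be sketched in a few functions. This is an added example, not code from the original article: the baseline of approved ports, the port numbers and the function names are assumptions, it covers only the port comparison (not service identification), and it is meant for machines you administer.

```python
import socket
from collections import Counter

# Assumed baseline: the ports each host is approved to expose (constructed values).
BASELINE = {"127.0.0.1": {22, 443}}

def scan_host(host, ports, timeout=0.3):
    """TCP connect scan: return the set of ports on `host` that accept a connection."""
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:  # 0 means the handshake completed
                open_ports.add(port)
    return open_ports

def unexpected_ports(host, open_ports, baseline=BASELINE):
    """Ports that are open but not approved for this host, sorted."""
    return sorted(set(open_ports) - baseline.get(host, set()))

def review_history(host, snapshots, baseline=BASELINE):
    """Classify unapproved ports across scheduled scans (oldest first).

    A port present in every snapshot is 'persistent'. A port present in
    only some of them is 'intermittent': the case a one-off scan can miss,
    which is why the scans are repeated on a schedule.
    """
    seen = Counter()
    for snap in snapshots:
        seen.update(unexpected_ports(host, snap, baseline))
    return {port: "persistent" if count == len(snapshots) else "intermittent"
            for port, count in sorted(seen.items())}

def confirm_closed(host, port):
    """Re-scan one port after remediation; True means it no longer answers."""
    return port not in scan_host(host, [port])

if __name__ == "__main__":
    # Constructed results of three scheduled scans of the same host.
    history = [{22, 443, 50001}, {22, 443, 50001, 50002}, {22, 443, 50001}]
    print(review_history("127.0.0.1", history))
```

In practice each snapshot would come from `scan_host` run by a scheduler, and `confirm_closed` would be called after the firewall rule and quarantine are in place.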