Is there a way to detect whether visitors to a website are using Remote Desktop Connection (RDP) or have been compromised via a type of Remote Access Trojan (Tool)/RAT-in-the-Browser (RitB)? In other words, a 3rd party has gained access to a PC and is using those resources (such as the installed browser) to navigate to a target website.
For this to be useful in a real-world solution, the test methods must not be intrusive or require the client to install or allow any special add-ons (such as Flash or ActiveX), so they must be compatible with most modern browsers. It would therefore likely need to happen in JavaScript but could use some server-side assistance.
I suspect that multiple tests will need to be run to try to build a possible score on whether the user is using a remote connection on a PC to browse the target website. I also understand there's unlikely to be a sure way of identifying this, but hopefully it can be used as supporting data in building an overall picture.
Some of the possible tests that could be done:
- Resolution - Usually the resolution is low during remote connections. However, will any variables take into account the remote connection's resolution? Or would it just use the compromised PC's resolution, meaning this is a pointless test?
- Mouse Cursor Latency - There might be quite a bit of cursor latency, or perhaps odd movements, due to the remote connection. Is there a way to measure cursor latency in a meaningful way?
- Biometrics - Potentially you could build up a profile on how a user normally interacts with a website, and use that to determine unusual behaviour. However, it can only be used where the user has been compromised after visiting the website a few times and could be an issue when there are multiple users using the same PC.
What other methods/tests could be used to build a better picture? Are any of the above useful in determining this kind of web visitor?
I understand this might be more theoretical, but hopefully, there is some kind of practical application that can be applied.
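The profile idea behind the Mouse Cursor Latency and Biometrics points above, as an added sketch that is not part of the original question: it reduces pointer events to timing features and scores a session against the same account's earlier sessions. The feature set, the `CAP` value, the function names and all sample tracks are assumptions constructed for illustration.

```javascript
// Added sketch: feature choice, CAP and all sample data are assumptions to tune.
// In a browser, samples would come from mousemove events (timeStamp, clientX, clientY).
const mean = (a) => a.reduce((s, v) => s + v, 0) / a.length;
const std = (a) => { const m = mean(a); return Math.sqrt(mean(a.map((v) => (v - m) ** 2))); };

// Reduce pointer samples {t: ms, x, y} to timing and speed features.
function pointerFeatures(samples) {
  const gaps = [], speeds = [];
  for (let i = 1; i < samples.length; i++) {
    const dt = samples[i].t - samples[i - 1].t;
    if (dt <= 0) continue; // ignore duplicate or out-of-order timestamps
    gaps.push(dt);
    speeds.push(Math.hypot(samples[i].x - samples[i - 1].x, samples[i].y - samples[i - 1].y) / dt);
  }
  if (gaps.length < 5) return null; // too little movement to judge
  return { gapMean: mean(gaps), gapStd: std(gaps), speedMean: mean(speeds) };
}

// Per-account baseline: mean and spread of each feature over earlier sessions.
function buildBaseline(sessions) {
  const out = {};
  for (const k of Object.keys(sessions[0])) {
    const vals = sessions.map((s) => s[k]);
    out[k] = { mean: mean(vals), std: Math.max(std(vals), 1e-6) };
  }
  return out;
}

// 0 = matches the baseline; 1 = every feature is CAP or more deviations away.
const CAP = 4;
function deviationScore(features, baseline) {
  if (!features) return null; // no verdict without data
  return mean(Object.keys(baseline).map((k) =>
    Math.min(Math.abs(features[k] - baseline[k].mean) / baseline[k].std, CAP) / CAP));
}

// Constructed data: build a pointer track from a list of inter-event gaps (ms).
function track(gaps) {
  let t = 0;
  return [{ t: 0, x: 0, y: 0 }].concat(gaps.map((g, i) => ({ t: (t += g), x: 8 * (i + 1), y: 3 * (i + 1) })));
}
const earlier = [[16, 17, 16, 15, 16, 17], [15, 16, 16, 17, 18, 16], [16, 16, 17, 15, 16, 16]];
const baseline = buildBaseline(earlier.map((g) => pointerFeatures(track(g))));
const usualScore = deviationScore(pointerFeatures(track([16, 15, 17, 16, 16, 17])), baseline);
const delayedScore = deviationScore(pointerFeatures(track([40, 120, 35, 90, 150, 45])), baseline);
console.log({ usualScore, delayedScore });
```

A high score only says the session differs from the account's history; a different person on the same PC or a new input device shifts it too, so it belongs alongside other signals rather than as a verdict.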