0

Is there a guaranteed way to:

  1. Know there is a Remote Access Trojan in my PC?

  2. Remove it completely and successfully from my PC?

Note: Assume that the hacker doesn't leave any hint of their activity (like moving the cursor).

  1. If there is no way to detect or remove RAT with 100% guarantee, what other ways could guarantee that my computer is out of danger (is not compromised)?
schroeder
  • 123,438
  • 55
  • 284
  • 319
Jay Shah
  • 339
  • 2
  • 4
  • 10
  • 2
    A 100% does not exist in security. You could scan for known RATs, and you could try and actively found the type of bugs RATs exploit, that’s about it. – LvB Nov 09 '20 at 14:07
  • I've heard about formatting , or other things like re-*something* the OS. Not a tech-savvy person. Any idea what these things are and do they help in a 100% guarantee in being safe from RAT? – Jay Shah Nov 09 '20 at 14:13
  • If you want to "100%" be completely safe you'll have to design and manufacture your own processor, write your own OS for it, write your own compiler (though I guess you could just make your OS in machine code), etc. If you use preexisting solutions there is some non-zero amount of trust you need to have, which makes it impossible to be 100% sure that there's no rootkit/RAT/malware that people inserted into their software. I'm not sure if anyone on the planet has read through every line of code in Linux or similar. – user Nov 09 '20 at 14:18
  • Oh, that just scared me..I am not tech-savvy haha.. But I see what you mean. – Jay Shah Nov 09 '20 at 14:24
  • The [linked question](https://security.stackexchange.com/questions/138606/help-my-home-pc-has-been-infected-by-a-virus-what-do-i-do-now) is *not* a duplicate. It starts with “Let's say that I have determined beyond doubt that my home PC is infected by a virus.” That is, it does not cover detection. This question asks about both detection and removal. It’s lucky someone slipped an answer in just before the question was closed. – Brian Drake Nov 10 '20 at 11:40

1 Answers1

2

There are no 100% guarantees.

Proving a negative is basically impossible. It's like saying "How can I prove that nobody owns a key to my apartment?" - you simply can't.

However, you can detect certain remote access kits through a variety of techniques. Keep in mind that these techniques require some level of expertise. People often say "Look at your network traffic", and then they go buy a tap, have a look in Wireshark and see lots of network traffic to various domains and IP addresses they cannot explain and then end up believing they must have been compromised. I personally label this the "Wireshark Syndrome". However, the underlying idea is correct - look for suspicious traffic and investigate further. This requires you to be able to tell suspicious traffic apart from benign traffic, which is very difficult.

Another possibility is to use a ready-made tool for RAT detection. These tools look for traces of know RATs and give you a warning should it find some. The upside of these is that they are a lot more user-friendly, but with the downside that they also cannot 100% detect every RAT out there. "I couldn't find anything" does not mean "There is nothing", after all.

How can it be removed from my PC?

The question Help! My home PC has been infected by a virus! What do I do now? goes into detail on how to deal with a compromised home machine.

tl;dr: Nuke it from orbit!

How can I make sure my PC is safe?

As mentioned above, you can't. What you can is follow best practices, that are repeated over and over again by security experts:

  • Keep your system up-to-date
  • Don't install software from untrustworthy sources
  • Use a password manager
  • Make backups on an external device
  • Don't click on links in phishing emails and don't answer them.

Of course, this list isn't exhaustive, but if you follow these guidelines, you will likely not be "low-hanging fruit", and that already gets you out of a lot of trouble.

  • So Nuke It From orbit IS the only way to make sure that a compromised PC is no longer compromised anymore? – Jay Shah Nov 09 '20 at 14:57
  • @JayShah If an attacker can stick a malicious firmware on your device then trying to format all your storage could potentially not be good enough. Additionally, it may be possible for a sophisticated enough attacker to block firmware updates that would clear out the malicious firmware. – user Nov 09 '20 at 15:19
  • @JayShah Even worse, nuking it from orbit isn't even 100% guaranteed to eliminate the problem. It is the most effective method that doesn't involve replacing everything. –  Nov 09 '20 at 16:23