The Remote Administration Tool is the revolver of the Internet's Wild West.
http://arstechnica.com/tech-policy/2013 ... r-webcams/"See! That shit keeps popping up on my f***ing computer!" says a blond woman as she leans back on a couch, bottle-feeding a baby on her lap.
The woman is visible from thousands of miles away on a hacker's computer. The hacker has infected her machine with a remote administration tool (RAT) that gives him access to the woman's screen, to her webcam, to her files, to her microphone. He watches her and the baby through a small control window open on his Windows PC, then he decides to have a little fun. He enters a series of shock and pornographic websites and watches them appear on the woman's computer.
The woman is startled. "Did it scare you?" she asks someone off camera. A young man steps into the webcam frame. "Yes," he says. Both stare at the computer in horrified fascination. A picture of old naked men appears in their Web browser, then vanishes as a McAfee security product blocks a "dangerous site."
"I think someone hacked into our computer," says the young man.
Far away, the hacker opens his "Fun Manager" control panel, which provides a host of tools for messing with his RAT victims. He can hide their Windows "Start" button or the taskbar or the clock or the desktop, badly confusing many casual Windows users. He can have their computer speak to them. Instead, he settles for popping open the remote computer's optical drive.
Even over the webcam, the sound of shock is clear. "Stay right here," says the woman.
"Whoa!... the DVD thing just opened," says the young man.
The hacker sends the pair a message that reads "achoo!" and the young man laughs in astonishment. "Disconnect from the Internet," he says. "Your laptop's going to go kaboom next."
The video freezes, the mayhem lasting for slightly more than one minute. Copies of the incident aren't hard to find. They're on YouTube, along with thousands of other videos showing RAT controller (or "ratters," as they will be called here) taunting, pranking, or toying with victims. But, of course, the kinds of people who watch others through their own webcams aren't likely to limit themselves to these sorts of mere hijinks—not when computers store and webcams record far more intimate material.
Using a RAT to scare victims.
“i enjoy messing with my girl slaves”
"Man I feel dirty looking at these pics," wrote one forum poster at Hack Forums, one of the top "aboveground" hacking discussion sites on the Internet (it now has more than 23 million total posts). The poster was referencing a 134+ page thread filled with the images of female "slaves" surreptitiously snapped by hackers using the women's own webcams. "Poor people think they are alone in their private homes, but have no idea they are the laughing stock on HackForums," he continued. "It would be funny if one of these slaves venture into learning how to hack and comes across this thread."
Whether this would in fact be "funny" is unlikely. RAT operators have nearly complete control over the computers they infect; they can (and do) browse people's private pictures in search of erotic images to share with each other online. They even have strategies for watching where women store the photos most likely to be compromising.
"I just use the file manager feature of my RAT in whatever one im using and in [a RAT called] cybergate I use the search feature to find those jpgs [JPEG image files] that are 'hidden' unless u dig and dig and dig," wrote one poster. "A lot of times the slave will download pics from their phone or digital camera and I watch on the remote desktop to see where they save em to and that's usually where you'll find the jackpot!"
Women who have this done to them, especially when the spying escalates into blackmail, report feeling paranoia. One woman targeted by the California "sextortionist" Luis Mijangos wouldn't leave her dorm room for a week after Mijangos turned her laptop into a sophisticated bugging device. Mijangos began taunting her with information gleaned from offline conversations.
Watching a young girl in Malaysia. Note RAT control center running in background.
For many ratters, though, the spying remains little more than a game. It might be an odd hobby, but it's apparently no big deal to invade someone's machine, rifle through the personal files, and watch them silently from behind their own screens. "Most of my slaves are boring," wrote one aspiring ratter. "Wish I could get some more girls with webcams. It makes it more exciting when you can literally spy on someone. Even if they aren't getting undressed!"
One poster said he had already archived 200GB of webcam material from his slaves. "Mostly I pick up the best bits (funny parts, the 'good' [sexual] stuff) and categorize them (name, address, passwords etc.), just for funsake," he wrote. "For me I don't have the feeling of doing something perverted, it's more or less a game, cat and mouse game, with all the bonuses included. The weirdest thing is, when I see the person you've been spying on in real life, I've had that a couple of times, it just makes me giggle, especially if it's someone with an uber-weird-nasty habit."
By finding their way to forums filled with other ratters, these men—and they appear to be almost exclusively men—gain community validation for their actions. "lol I have some good news for u guys we will all die sometime, really glad to know that there are other people like me who do this shit," one poster wrote. "Always thought it was some kind of wierd sick fetish because i enjoy messing with my girl slaves."
As another poster put it in a thread called ☆ ShowCase ☆ Girl Slaves On Your RAT, "We are all going to hell for this..." But he followed it with a smiley face.
Welcome to the weird world of the ratters. They operate quite openly online, sharing the best techniques for picking up new female slaves (and avoiding that most unwanted of creatures, "old perverted men") in public forums. Even when their activities trip a victim's webcam light and the unsettled victim reaches forward to put a piece of tape over the webcam, the basic attitude is humorous—Ha! You got us! On to the next slave!
And there are plenty of slaves.
A woman unknowingly captured by her own webcam.
How it’s done
RAT tools aren't new; the hacker group Cult of the Dead Cow famously released an early one called BackOrifice at the Defcon hacker convention in 1998. The lead author, who went by the alias Sir Dystic, called BackOrifice a tool designed for "remote tech support aid and employee monitoring and administering [of a Windows network]." But the Cult of the Dead Cow press release made clear that BackOrifice was meant to expose "Microsoft's Swiss cheese approach to security." Compared to today's tools, BackOrifice was primitive. It could handle the basics, though: logging keystrokes, restarting the target machine, transferring files between computers, and snapping screenshots of the target computer.
Today, a cottage industry exists to build sophisticated RAT tools with names like DarkComet and BlackShades and to install and administer them on dozens or even hundreds of remote computers. When anti-malware vendors began to detect and clean these programs from infected computers, the RAT community built "crypters" to disguise the target code further. Today, serious ratters seek software that is currently "FUD"—fully undetectable.
Enlarge
Enlarge
Enlarge
Building an army of slaves isn't particularly complicated; ratters simply need to trick their targets into running a file. This is commonly done by seeding file-sharing networks with infected files and naming them after popular songs or movies, or through even more creative methods. "I seem to get a lot of female slaves by spreading Sims 3 with a [RAT] server on torrent sites," wrote one poster. Another turned to social media, where "I've been able to message random hot girls on facebook (0 mutual friends) and infect (usually become friends with them too); with the right words anything is possible."
For those who can't even manage this on their own, RAT experts hawk their slave-infecting expertise in e-books such as Rusty_v's Spreading Guide v 7.0, a 22-page tome that goes for $14.95 (and which claims to be the best-selling book on Hack Forums). "Ever faced a situation where you have FUD server but cannot get victims?" goes the sales pitch. "Or maybe you're getting a lot less installs compared to the amount of work you are putting in?" Followers of Rusty_v's methods are told they can pick up 500-3,000 slaves per day. The book is "noob friendly" and features "many screenshots."
And if even this handholding isn't enough, more successful ratters sometimes rent out slaves they have already infected. In other cases, they simply hand them off to others in a "Free Girl Slave Giveaway."
Calling most of these guys "hackers" does a real disservice to hackers everywhere; only minimal technical skill is now required to deploy a RAT and acquire slaves. Once infected, all the common RAT software provides a control panel view in which one can see all current slaves, their locations, and the status of their machines. With a few clicks, the operator can start watching the screen or webcam of any slave currently online.
The process is now simple enough that some ratters engage in it without knowing how RATs really work or even how vulnerable they are to being caught. Back in 2010, one Hack Forums member entered the RAT subforum worried about going to jail. He had hacked a Danish family's computer in order to get a child's Steam account credentials, but the Danish kid realized that something was wrong and called in his mother and older brother. The hacker included a picture of all three of them looking down at the computer, the younger kid crying, the mother stern.
"They told me they would call the cops, etc and im going to jail?!" said the hacker. "WHAT DO I DO!? DO I GIVE THEM THE SHIT BACK OR UNINSTALL THEM FROM MY RAT!?"
Then, a few minutes later, when the hacker saw the mother with a phone in her hand, he returned to say, "im shaking irl [in real life]... I hope I won't get caught... hes mom & dad was at the phone calling the cops, while him & his brother was MAD crying, i already laughed for 30mins+ until it got serious about his mom & dad."
"LOL, don't worry you ain't going to jail," another member responded.
This is probably true; few such ratters are ever found.
That pesky light
One of the biggest problems ratters face is the increasing prevalence of webcam lights that indicate when the camera is in use. Entire threads are devoted to bypassing the lights, which routinely worry RAT victims and often lead to the loss of slaves.
"Unfortunately she asked her boyfriend why the light on her cam kept coming on," one RAT controller wrote. "And he knew, she never came back
"
Another described testing DarkComet on a male slave and activating the man's webcam. "A man came up and saw that his webcam was on, he then put the middle finger up to me lmao [laughing my ass off]," wrote the hacker. "I then went to remote desktop and he had lots of pr0nz [pornography] up, but he was also freaking out and scanning his computer with two different anti-virus [programs]. It was pretty funny, but he actually managed to remove the infected server from his PC, he used some 'ad-ware' software which managed to remove it."
Others trade pictures of victims taking action to secure their computers. "ive had this girl since i started ratting but she has a light on her cam," wrote one RAT user, "shame coz shes really pretty with her hair down. see her busting me lol."
To combat detection, the RAT controllers have devised various workarounds. One involves compiling lists of laptop models which don't have webcam lights and then taking special pains to verify the make and model of slave laptops to see if they are on the list.
"You may need to do some remote desktop action when you're pretty certain they're not looking and find an OEM tag in system properties but the surest way is to look for OEM bloatware like wireless utilities and such," wrote one RAT users. "Once you figure that out, if it's an Acer, you're golden. Some other laptops are good too and using specs and some other information you can often determine a model."
Others rely on a little bit of social engineering. "The first time I use a slaves cam tho I send a fake message saying something like the cams software is updating and the light may come on and go off periodicially ," wrote a RAT user, "but obviously in a more windows-like way of saying it!"
But no solution has been foolproof—and not for lack of a market. As one eager user wrote, "If someone release[s] soft[ware] which will disable the led cam light he will be the richest man in HF [Hack Forums]!!!"
A young woman covers her webcam as someone watches her with a RAT.
“Damn morals”
RAT forum denizens aren't wholly lacking in moral reflection, though most is of a peculiar kind. "Imagine your sister is being posted right here, how would you feel?" wrote one poster, which sounds like an exhortation to stop ratting. But the poster immediately concluded that the only real rule is not to hack "nice gurls." And even if one does hack "nice gurls," just "dont post them online, Keep em for yourself."
Posters do show up once in a while to rage against the fairly shocking privacy violations casually shared in these forums. "Everyone who is spying on girls does deserve the jail!" one wrote. "Most of you have no girlfriend or are perverts or are 12 years old. Man get older and don't do this.... I hope all of you die... It is the worst thing a Hacker could do ! THE WORST ! Learn something more complictaed then Ratting."
But to the regulars this is just the talk of "some jelous peeps out there who probably cant find any girls to take there servers. its nothing compared to people stealing accounts and shit like that and its doing no harm as long as there not aware of it what the problem? if you dont like dont look."
The actual moral discussions in the forums tend to accept ratting as a bit of legitimate fun, but one that may have its own rules of "fair play." These rules are few, however, and even bringing them up irritates those who just want to see pictures of female slaves. "Here is not an ethical forum... and everyone does what he wants," wrote one poster. More often, the concerns are simply pragmatic ones about jail, lawsuits, and retaliation. Consider the following bizarre exchange:
POSTER 1:
Can't wait to get my RAT setup, some pretty hot chicks in here
Also, do you all think it would be wrong to RAT chicks you know? I know some VERY hot ones that would be easy as shit to infect. Damn morals.
POSTER 2:
well the moral part is one thing
but infecting a known person can be a risk
if they found out you infected them, you can loose the friendship, be marked as a pervert in your friendships and even worse she could sue you
i did it once and found some lucky things (so i want to du it again like the perv am i ^^ )
I rat one of the hottest classmate i had and was lucky
i found some topless pics and even some blowjob picture
too bad the girl died by an illness :'(
i'm sad for 2 reasons
first i liked her, she was not a best friend, but a classmate i often speak with...
second, i did not get all the stuff she had, her damn internet was slow like hell .... i get about a dozen pictures from her external harddrive (well hidden)
i saw her online in the RAT a couple of times, but never with the external harddrive and i never found something on her desktop...
Then i never saw her online again, i throught : shit i loose her, need to find a way to install a new FUD version ...
but about 2-3 month later i learned she died by a illness
Other ratters have a soft spot for certain scenarios. Taking over other people's computers might not be bad, spying on them might be OK, but making young children cry might cross a line. "Give him back his account," wrote one poster in reference to the Danish kid who had his Steam account hacked (see above). "Christ the kid is in tears."
But morals generally take a back seat to mockery. One popular thread, running for more than a year, with 59 pages of comments, asks people to "Post your ugly slaves here." One of the most popular responses involves people caught picking their noses.
All Most information is good information
Regardless of legality—and online forums are strongly protected by Section 230 of the Communications Decency Act for all manner of offensive user-posted material—why would anyone want to host such content? I put the question to Jesse LaBrocca, the Las Vegas-based creator and operator of Hack Forums.
He responded with a strong defense of the idea that information should be open to all and he pointed to the Wikipedia entry on keyloggers to illustrate his point. "It's a fair amount of information including functions in Windows you would hook into to use a keylogger," he told me by e-mail. "At what point does Wikipedia and the Internet community decide it's too much information? And is there actually such a thing as 'too much information?'"
Possibly not, but my question wasn't about the existence of a forum devoted to RATs or to technical discussion about them. It was about the fact that the RAT subforum is filled with posts in which people explicitly show that they have illegally invaded other people's computers, that they are spying on them—sometimes while naked—and that they buy, sell, and trade slaves openly.
Enlarge / No doubt this is intended for entirely lawful purposes.
"My personal morals and ethics I try not to ram down the throats of members," LaBrocca responded when I followed up. "No doubt I've seen and read some very appalling posts over the years. Things I would never participate in or encourage. But I'm not the moral compass for complete strangers and I won't put myself into that position."
And yet he has, with remarkable specificity. Hack Forums is one of the largest public hacker-focused sites anywhere. (Serious criminals, of course, prefer private forums that require vetting to enter—which is one reason that law enforcement creates such sites when it wants to catch them.) It has its own 18-point code of behavior that prohibits even discussion of remarkably specific "blackhat hacking activities" like phishing, eBay partnerships, e-mail dumps, credit card fraud, identity theft, conversations about two specific botnets (Zeus and SpyEye), extortion, the "deepweb" (sites available only through services like Tor), keygens, warez, the sale of Apple products—even unauthorized movie torrents.
But the list is quite idiosyncratic. Hack Forums warns that members are often hack targets themselves, "whether by an outsider or a rogue member." A member who hacks another member will be "warned or banned" from the site. On the other hand, members who sell botnet access or who buy slaves or who "need an e-mail account hacked" can apparently remain in good standing.
Which brought me back to my original question. The site enforces all sorts of behavior codes, so why is apparently illegal and invasive conduct—not simply "information" or "discussion"—accepted? LaBrocca politely declined to respond further. Instead, he pointed me to a site statement announcing, "We don't explain the logic behind each forbidden activity, but it's somewhere between morality, ethics, and legality for each one."
Too often, he said, those with questions about the site "find a thread you don't like and use it to throw the site under the bus. I can give you countless examples how HF has positively changed people's lives."
I fought the law
Enlarge / On finding a photo called "me.jpg," one ratter discovers that he has infected a cop's computer.
RATs can be entirely legitimate. Security companies have used them to help find and retrieve stolen laptops, for instance, and no one objects to similar remote login software such as LogMeIn. The developers behind RAT software generally describe their products as nothing more than tools which can be used for good and ill. And yet some tools have features that make them look a lot like they're built with lawlessness in mind.
Adam Kujawa, a researcher at security firm MalwareBytes, compiled a list last summer of everything that popular RAT DarkComet could do. It included:
Find out all system information, including hardware being used and the exact version of your operating system, including security patches
Control all the processes currently running on your system
View and modify your registry
Modify your Hosts file
Control your computer from a remote shell
Modify your startup processes and services, including adding a few of its own
Execute various types of scripts on your system
Modify/View/Steal your files
Put files of its own on your system
Steal your stored password
Listen to your microphone
Log your keystrokes (duh)
Scan your network
View your network shares
Mess with your MSN Messenger / Steal your contacts / Add new contacts!
Steal from your clipboard (things you’ve copied)
Control your printer
Lock/Restart/Shutdown your computer
Update the implant with a new address to beacon to or new functionality
Watch your webcam
Use your computer in a denial of service (DOS) attack
And that's not all. DarkComet includes a "Fun Manager" that can perform all sorts of tricks on the target system, including:
Hiding the Desktop—Hiding all the icons and making it impossible to right click on the desktop.
Hide the Clock—Self Explanatory
Hide Task Icons—In the little box on the right side of your start bar
Hide Sys Tray Icons—Hide icons and open application buttons on the taskbar
Hide Taskbar—Self Explanatory
Hide the Start Button—Only works in Win XP
Disable the Start Button (XP Only)—Gray out the start button, disabling it.
Disable TaskMgr—Disables the Windows Task Manager (When you hit Ctrl+Alt+Del)
Open/Close CD Tray—Self Explanatory
Even that isn't all. The RAT can also activate Microsoft's text-to-speech software on the remote system so that it reads strings of text out loud—an effective startle tactic. It can open a chat window. And it can play notes from a piano or a specific frequency for as long as desired. (As Kujawa notes, "The purpose of this feature [as far as I can tell] is just to annoy people.")
Enlarge / The DarkComet "Fun Manager."
Malwarebytes
Enlarge / DarkComet's piano player.
Malwarebytes
Does such software cross the line into illegality? Perhaps. In June 2012, the FBI arrested Michael "xVisceral" Hogue at his home in Tucson, Arizona and charged him with selling "malware that allows cybercriminals to take over and control, remotely, the operations of an infected computer." Hogue had created Blackshades, which the government described as "a sophisticated piece of malware."
Blackshades went beyond DarkComet in its support for features that were likely to result in illegality, such as the "File Hijacker" that could encrypt a victim's key files and then pop up a "ransomware" message demanding payment into a remote bank account in order to free the files. (A note attached to this feature said: "However, one thing to put in mind: This feature was made for educational purposes only.")
In June 2010, Hogue allegedly joined a private "carder" website catering to online criminals dealing in the theft, sale, and malicious use of credit card numbers. The site was actually a honeypot run by the FBI, however; the government says that Hogue sought admin approval to sell Blackshades there and ended up chatting with an FBI Special Agent. According to the complaint against Hogue, he then showed the FBI his personal RAT dashboard. An agent described the moment this way:
When I logged into the Blackshades Net service (that is, the interface that is a component of the RAT), I was able to see the names of nine computers that had been infected with the malware component of the RAT. Those computers were located in Germany, the United States, Denmark, Poland, and Canada. (The FBI has taken steps to identify and locate these victims.) By clicking on the name of an infected computer, I was presented with a menu of options including the ability to initiate key logging on the infected computer—that is, I was able to remotely turn on a service that would record every keystroke of the user of the infected computer. So, for instance, if the victim visited a banking website and entered his or her username and password, the key logging program could record that information, which could then be used to access the victim's bank account.
In further MSN chats with the FBI, the person alleged to be Hogue answered a question about whether the Blackshades software would automatically conduct key logging or whether it had to be initiated manually. "It auto does, and you can download from all at once, or scan for keywords or digits," came the reply. "And if it detects a credit card is being entered, it can send screenshots to FTP and you can scan for digits that are 16 in a row
"
A man awakened by the sounds of "screaming" porn a ratter has played through his computer.
This isn't the sort of thing that legitimate security firms generally tell potential clients, and the description of the software on the Blackshades website didn't help matters. It advertised the program's ability to "automatically map your ports, seed your torrent for you, and spread through AIM, MSN, ICQ, and USB devices." The software, sold for $50 per copy, does not appear to have netted its creator that much cash. According to a court filing from January 2013, the government is seeking forfeiture of only about $40,000 from Hogue. (The Blackshades software remains available for sale, the codebase apparently administered by at least one other person. The sales site currently suggests that Blackshades be used by those who have "ever questioned what your spouse, kids or employees have been doing on the computer" or anyone who want to know, "Are your employees mailing your business data to your competitors?")
A few weeks after Hogue's arrest, another prominent RAT author announced his retirement from such work. Jean-Pierre Lesueur shut down DarkComet with a message blaming his users. "I have devoted years with a nonprofit philosophy for you to enjoy without asking anything in return other than respect of the rules, unfortunately some of you couldn't respect the terms," he wrote. "Why did I take such a decision? Like it was said above because of the misuse of the tool, and unlike so many of you seem to believe, I can be held responsible of your actions, and if there is something I will not tolerate it is having to pay the consequences for your mistakes and I will not cover for you." He then added, "Without mentioning what happened in Syria..."
The last line is a reference to the fact that the Syrian government used tools like Blackshades and DarkComet in 2012 as part of its war with Syrian rebels. The conclusion drawn by the researchers at Malwarebytes was that RAT creators had unwittingly become low-cost arms dealers to repressive regimes that couldn't afford to develop such tools themselves.
"Over the past few weeks," Malwarebytes concluded in mid-2012, "we have seen the most intricate piece of spy malware ever developed (Flame) and being used for cyber espionage purposes against the infrastructure of developed countries, and then we look at the poverty stricken government of Syria and see over-the-counter RATs being used. It is clear that even in cyber war, the more developed countries have better weapons while the poorer countries use whatever they can get their hands on."
RAT control
RATs aren't going away, despite the occasional intervention of the authorities. Too many exist, plenty of them are entirely legal, and source code is in the wild (a version of the Blackshades source leaked in 2010). Those who don't want to end up being toyed with in a YouTube video are advised to take the same precautions that apply to most malware: use a solid anti-malware program, keep your operating system updated, and make sure plugins (especially Flash and Java) aren't out of date. Don't visit dodgy forums or buy dodgy items, don't click dodgy attachments in e-mail, and don't download dodgy torrents. Such steps won't stop every attack, but they will foil many casual users looking to add a few more slaves to their collections.
If you are unlucky enough to have your computer infected with a RAT, prepare to be sold or traded to the kind of person who enters forums to ask, "Can I get some slaves for my rat please? I got 2 bucks lol I will give it to you :b" At that point, the indignities you will suffer—and the horrific website images you may see—will be limited only by the imagination of that most terrifying person: a 14-year-old boy with an unsupervised Internet connection.
by Wayne » Tue Mar 12, 2013 2:06 am 
