Malicious software known as Remote Administration Tools (RATs) can be used by hackers to switch on your webcam and control your machine without your knowledge. Andrew McMillen reports.
The 14-year-old couldn’t believe his eyes. The virtual currency he’d worked so hard to amass in the online role-playing game Runescape had vanished. He’d lost the equivalent of $700 in the blink of an eye, after investing his pocket money into the game’s economy for months. All that remained was an instant message dialogue box: “Haha, you got RATted!”
Sitting in his bedroom in Wauchope, on the mid-north coast of NSW, the teenager wrote back: “What does that mean?” He didn’t know at the time that his machine had been compromised by a Remote Administration Tool (RAT), an aggressive form of malware that allows hackers to access a victim’s entire computer. It was too late. The thief had disappeared. “He ran away with my money, like a girl,” laments Alex (not his real name).
Within a few clicks, the teenager had access to a stranger’s entire computer, without their knowledge. “I was the happiest kid in the whole entire world,” he says. “I could see their desktop, what they typed, the history of what they’d typed, stored passwords, files – everything.”
His victim didn’t have a webcam, so Alex wasn’t sure of their gender or their appearance, although he assumes they were male. But he knew that they played Runescape, so he got straight to work on what mattered: looting their gold, just as he’d recently experienced himself.
After emptying the stranger’s account, the teenager watched, intrigued, as his mark realised that he’d been hacked, and began trying to close the connection. Fifteen minutes later, Alex’s first “slave” – hacker shorthand for a compromised user – had disconnected himself.
The RATted had become the RATter. “I felt unstoppable,” says Alex, now 17 and studying Year 11. “I was really insecure about myself at the time. I felt like the most powerful person on Runescape.”
The senior security manager at antivirus software company Trend Micro has another name for RAT: Remote Access Trojan. “It’s a piece of software loaded onto somebody’s computer that allows it to be controlled or accessed from a third-party location,” says Adam Biviano in Sydney.
“They often arrive on a computer masquerading as something else,” he says. “Just like the mythological story, you open your gates up and you allow it inside your protected walls. All of a sudden, you think you’re getting one thing, but in reality you’re getting what they call a ‘RAT’. You’re giving access to your computer to … who knows who.”
A 14-year-old boy motivated by revenge is probably one of the last people you’d want to have unmitigated access to your computer. Especially if you’re female, given that one of the most commonly exploited features of RAT software is the ability to spy on a user’s webcam. Many modern laptops will display a green light when the webcam is in use; however, RAT developers have long since worked out how to disable that tell-tale sign on some computers.
The cumulative effect is a gross breach of privacy, often without the user’s knowledge. Think of where your computer’s webcam is positioned, and what someone might see if they watched you constantly: your bedroom antics, perhaps, or your daily nude stroll around the house. They might even see you take your laptop to the toilet with you.
Discussion threads in the Remote Administration Tools section of HackForums.net overflow with webcam screenshots, to celebrate both “hot female slaves” and “ugly slaves”.
Alex goes by a pseudonym on HackForums that Fairfax Media has chosen to keep secret in order to conceal his identity. He’s been a particularly active community member over the past 12 months, clocking more than 6000 posts – about 17 a day – while establishing himself as a helpful source of information for those new to RATs.
“When I started, it was hard to learn,” he says. “I was confused. I helped others because I wanted them to feel how I felt when I first started RATting – that feeling of excitement. I wanted to empower them.”
The teenager says he’s never had a job, yet he’s drawn a respectable income from his RAT activities for more than two years. His parents began asking questions when he connected his PayPal to his bank account, and sums of up to $500 at a time would flow in: profit from his Runescape thefts. “I sat down with them and told them what was going on,” says Alex.
“They understood. They said, ‘If you get caught, you’re in serious shit.’ My parents are laidback about it, because they knew I was smart with computers when I was younger. I’ve gotten way smarter since then.” Their son may not have been completely honest about the precise source of income, though: “They don’t really know what happens behind the scenes when I’m on the computer,” he admits.
Trend Micro’s Adam Biviano isn’t surprised by Alex’s exploits, nor his age. “I’ve been in the anti-malware industry for about 15 years,” he says. “A lot of these attacks start off with people who are quite young. It’s that younger element that probably doesn’t understand the legal implications of what they’re doing. They think that because it’s online, it’s simply a bit of harmless fun.
“We also see that those skills are put to far more malicious use these days, by moving on to target businesses, to target individuals by stealing their identities, even cross-border espionage using RATs,” he says, referring to a malware outbreak in the fractured state of Syria last year. “[Virtual goods theft] is one of the more benign uses of RATs, but it can certainly get nastier from there.”
The Attorney-General’s Department responded to questions with this statement: “The Commonwealth Criminal Code contains a range of offences that apply to the unauthorised access to or modification of data, as well as offences that relate to the possession, control or supply of data with an intent to commit a computer offence.”
Federal penalties for these offences range from two to 10 years’ imprisonment; the states and territories also have laws prohibiting the installation and use of surveillance devices, including listening, optical, tracking and data surveillance devices, which may also apply to those caught using RATs for malicious purposes.
The Department of Broadband, Communications and the Digital Economy says it does not have a position statement on the use of RATs among private citizens.
Remote access technology is not new – Windows has had this functionality in-built for many years – but the malware form of delivery is a constant headache for security companies such as Trend Micro, especially since some of these products are marketed as “FUD”: fully undetectable, by either software or user.
“That’s the unfortunate part of the business we’re in,” says Biviano. “For a malware writer, we’re part of their quality assurance process. A piece of malware will be sold for far more money than a competing product if it’s undetectable by current anti-malware products. That’s the sad reality of life right now.”
Trend Micro’s labs deal with RAT infections on a daily basis, not just on personal computers, but increasingly, mobile devices. “This year alone, we’re anticipating that we’ll see nearly one million forms of malware just on [the] Android [mobile operating system]. A lot of these will have RAT built in. It’s very rare these days that we see malware that doesn’t have some sort of remote access capabilities.”
RATs have a long history of legitimate, non-malicious uses: IT departments throughout the world benefit daily from the ability to view their colleagues’ screens when troubleshooting, as do workers who wish to access files on their home computer from the office.
Chris Gatford, director of Sydney security consultancy HackLabs, uses this type of software when performing penetration testing for clients on four continents. “We’re engaged by our customers to compromise their environment,” says Gatford. “We use social engineering as the mechanism to gain access to the organisation, using ‘RAT-like’ functionality in commercial security testing tools to perform our work.
“In our experience, when performing this testing, we’re very rarely detected, and therefore most organisations aren’t able to detect it,” he says. “I would say the majority of Australian organisations certainly wouldn’t have the capability to detect whether they were infected by RATs, if [the software] was being used by attackers correctly.”
Using freely available RATs with names such as DarkComet and BlackShades, Alex was able to gain control of up to 1000 computers simultaneously. The dual monitors in his Wauchope bedroom became a window to the world. “I’ve had a guy in Vietnam working in a store,” he says of his “slaves”. “I’ve had a whole Asian family looking at the computer at once. I’ve had a lot of ugly people; one guy in his nineties or something, who looked like Santa Claus,” he says, laughing.
He has clicked onto people masturbating to child pornography. He didn’t like that one bit. “I basically destroy their computer if I see them looking at that shit, because that’s just wrong.” With a few commands, he’d delete their computer’s “system32” folder; without those files, Windows operating systems won’t function.
But those days are behind Alex now. In mid-March, he posted a thread on HackForums saying goodbye to using Remote Administration Tools. The 17-year-old feels he’s learned all there is to know about RATs. He’s had some fun, made some money. Now he’s setting his sights on learning to code, while balancing his Year 11 workload. He’s fond of software design, IPT and English, but hates maths. He’s looking forward to studying at university – something to do with computers, naturally – and building a career in penetration and vulnerability testing.
The only thing that’s stopped the teenager from accessing strangers’ computers without their knowledge is boredom. That initial buzz – that feeling of being “the happiest kid in the world” – has long since worn off. Gross invasions of privacy have lost their lustre. Alex maintains that he never touched any bank accounts while RATting: “That shit’s lame,” he says. “I know people do it, but it’s a dog act.”
If he got caught by the police – not that he ever came close – he’d have justified his behaviour thus: “I know it was wrong to steal virtual goods, but I didn’t do it for bad reasons.
“I did it for educational purposes. Hacking isn’t just about ‘bad’ things. Most people hack to learn.”
Asked whether he’s proud of what he did, he laughs. “I kind of am! I felt bad when I got my stuff stolen, though.” But it was okay when you did it to others?
He pauses. “Now I’m confused … How do I say it? RATting is bad, and good. People do it for knowledge; people do it to steal shit; people do it to mess around. It’s a thing that hackers these days need to learn, before they move on.”