Blackshades and its RAT Relatives: The Most Dangerous Malware on the Planet

RAT: Remote Access Tool, Remote Administration Tool, Remote Access Trojan; whatever you call them, all RATs are basically the same. They all allow a user to control one or more computers remotely.

Sometimes this is important. Programs like StaffCop allow administrators to keep an eye on everything employees do on their computers. It allows administrators to capture keystrokes, watch employee internet activity, and even look at their email. Now, I’m not sure how popular this would be with employees. I’ve had some experience with being monitored at work. When I was working in Korea, there were cameras everywhere and you could be, and were, watched at all times. For some reason, this didn’t bother the Koreans, but the foreign staff found it intrusive. We eventually learned where the blind spots were. The use of StaffCop may produce similar problems. Besides, it doesn’t really stop employees from doing anything. If they are caught playing solitaire, for example, the administrator can warn them and that’s about it. The other problem is the legal one. The maker of StaffCop warns those who want to use it to tell employees up front about it and even have them sign off on this monitoring. Any secret monitoring would not hold up if the company was taken to court. However, StaffCop says there is no need for such precautions if one wants to do such monitoring privately, like, for example, monitoring your teenager’s use of the internet. Still, it seems a little creepy.

And that’s the thing about most of these RAT programs. They may present themselves as being honest software, but they always seem to have a darker side. Galileo is such a program. As the makers note on their web site, “… encryption is widely employed to protect users from eavesdropping. Unfortunately, encryption also prevents law enforcement and intelligence agencies from being able to monitor and prevent crimes and threats to the country security.” So they’re trying to prevent bad guys from undermining the government, right? Well, in theory, yes. However, what if the government is the bad guy? The University of Toronto’s Citizen Lab found that the software “was reportedly used against a group of citizen journalists who are critical of Morocco’s government, as well as against a pro-democracy activist in the United Arab Emirates. More recently, journalists in the U.S. and Europe have reportedly been targeted, possibly by the Ethiopian government.” HackingTeam, the makers of the software, have a disclaimer that they only sell their software to acceptable governments. However, when I watch the video on their homepage, I can’t help feeling uneasy. But don’t take my word for it, watch the video and come to your own conclusions.

Many RATs try to position themselves as legitimate software. Darkcomet is one of these. But you have to be suspicious of any web site that opens with a disclaimer. In fact, you have to be pretty resourceful just to navigate the site. Honestly, I can’t see a lot of difference between Darkcomet and its more newsworthy RAT cohort, Blackshades. Both were apparently used by the ‘sextortionist’, Jared James Abrahams, to take nude photos of Miss Teen America and 150 other women. So what exactly does Darkcomet do? Here’s the list, and it applies to most evil RATs:

  • Find out all system information, including hardware being used and the exact version of the operating system, including security patches
  • Control all the processes currently running on the system
  • View and modify the registry
  • Modify the Hosts file
  • Control a computer from a remote shell
  • Modify startup processes and services, including adding a few of its own
  • Execute various types of scripts
  • Modify, view, or steal files
  • Put files of its own on other computers
  • Steal stored passwords
  • Listen to the microphone / control the web cam
  • Log keystrokes
  • Scan the computer’s network
  • View network shares
  • Steal MSN Messenger contacts, and add new contacts
  • Steal anything on a clipboard (anything being copied)
  • Control a printer
  • Lock/Restart/Shutdown a computer
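Two items in the list above, modifying the Hosts file and tampering with the machine so that security software stops working, leave traces a defender can look for. The script below is an added example written for this post (it is not code from the original article or from any of the tools discussed): it audits the contents of a Windows-style hosts file and flags entries that redirect `localhost` away from a loopback address or that pin security-vendor update domains to a fixed address. The vendor domain list and the sample hosts content are constructed for illustration and would be replaced with your own.

```python
"""Audit a hosts file for entries typical of RAT tampering.

Added example for this post; not code from the original article.
The protected-domain list and the sample hosts text are constructed.
"""
import ipaddress
from typing import List, Tuple

# Hypothetical list of security-update domains a defender wants to protect.
# Constructed for this example; extend it with the vendors you actually run.
PROTECTED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "kaspersky.com",
    "symantec.com",
    "mcafee.com",
)

# Names that should only ever resolve to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample hosts file (not taken from any real machine).
HOSTS_SAMPLE = """\
# Constructed sample hosts file for this example
127.0.0.1       localhost
::1             localhost
# entries below are the kind of tampering the post describes
127.0.0.1       update.microsoft.com
0.0.0.0         downloads.kaspersky.com   # block AV updates
10.0.0.5        localhost                 # redirect loopback name elsewhere
192.0.2.10      intranet.example.test
"""


def is_protected(name: str) -> bool:
    """True if name is one of the protected domains or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, reason, line) for every suspicious entry.

    Reasons:
      malformed               - line cannot be parsed as "<ip> <name...>"
      localhost-redirect      - localhost mapped to a non-loopback address
      security-domain-pinned  - a protected vendor domain is hard-coded
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            findings.append((n, "malformed", line))
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((n, "malformed", line))
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in LOOPBACK_NAMES and not ip.is_loopback:
                findings.append((n, "localhost-redirect", line))
            elif is_protected(name):
                findings.append((n, "security-domain-pinned", line))
    return findings


if __name__ == "__main__":
    for line_no, reason, line in audit_hosts(HOSTS_SAMPLE):
        print(f"line {line_no}: {reason}: {line}")
```

To run it against a real machine, read the file at `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`) and pass its contents to `audit_hosts`. A pinned security domain is not proof of infection by itself, since some administrators deliberately block update traffic, so treat each finding as something to verify against your own change records.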

Darkcomet also has the ability to launch a DDoS (Distributed Denial of Service) attack. Why? Well, that’s a good question. Why would you want to bring down a server as a network administrator?

Believe it or not, Blackshades also once marketed itself as legitimate software. It also has a DDoS function. However, it offers some additional features that probably attracted a little too much attention and likely led to it and its users getting busted. For one thing, it offered a ransomware program. That’s right, you could send the following message to someone whose computer you controlled. “Your computer has basically been hijacked, and your private files stored on your computer has now been encrypted, which means that they are impossible to access, and can only be decrypted/restored by us.” In other words, if those attacked agreed to send the RAT Master money, he/she would release their files. Now, why would administrators need such a function? Are they going to hold their employee files for ransom? Blackshades said that this function was only for “educational purposes”. They hoped such a disclaimer would protect them from prosecution. It didn’t. If you go to their web site now, you’ll see this:

[Image: FBI notice displayed on the Blackshades web site]

Another function Blackshades has is something called Facebook Controller. This functionality was likely used by Abrahams to install the malware on his victim’s computers. Basically, it allows the user to post a message or link on a victim’s wall. Messages of a status change will then be sent to all the user’s friends. Obviously, these links could be used to install malware on an unsuspecting victim’s computer.

Blackshades has a number of other questionable functions which finally pushed it into the illegal zone and into the arms of the FBI. Many users of the program reported, on deep web bulletin boards, that they were surprised to find police at their doors. They wondered how their purchase of the program could have been traced. Many claimed that they had, indeed, purchased the software, but had never put it to use. Could they be arrested for only owning the software? Didn’t it have legal uses? Others speculated that those traced probably paid using PayPal or credit cards. They claimed that these people would have been safe if they had used bitcoins. Some buyers of Blackshades just had their computers and mobile devices seized without knowing when, or if, they would be returned. The purpose behind all of this seemed to be to create nervousness about purchasing any RATs. The FBI is well aware of how dangerous these programs can be.

Yet, there is one more RAT that the FBI itself may use. This is a Super RAT known as Flame. As those who discovered it in 2012 stated, Flame was “the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found.” According to the Budapest University of Technology and Economics, one of those who discovered it, Flame most likely was “developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities.” Kaspersky Labs, another one of the discoverers of Flame, stated that, “due to the size and complexity of the program (described as ‘twenty times’ more complicated than Stuxnet) … a full analysis could require as long as ten years.” Its similarity to the Stuxnet virus and the fact that it seemed to target Middle Eastern sites, especially in Iran, leads some investigators to conclude that Israel and the U.S. were behind its development. In action, it does everything that any RAT can do but with more sophistication. “Flame can spread to other systems over a local network (LAN) or via USB stick. It can record audio, screenshots, keyboard activity and network traffic. The program also records Skype conversations and can turn infected computers into Bluetooth beacons.” This Bluetooth functionality allows it to control other devices in the area. In addition, “the operators have the ability to send a kill module to it if needed. The kill module, named browse32, searches for every trace of the malware on the system, including stored files full of screenshots and data stolen by the malware, and eliminates them, picking up any breadcrumbs that might be left behind.” Flame existed for 3 to 4 years before it was detected. Flame has not, however, truly been extinguished. It is suspected that there are other varieties of it operating, undiscovered, somewhere in the world.

The good news for the average user is that they are unlikely to be infected by Flame. The bad news is that there are plenty of other RATs waiting to pounce. RATs are easily detected by most anti-malware programs. This is why the first thing a RAT will do is disable the antivirus program, but to do this, a RAT must trick you into installing it. How is this done? Normally, by getting the unsuspecting user to click on some link. Abrahams probably got women hooked by using Facebook. He even asked someone to help him with a social engineering attack. That’s another bit of good news for average users. The people who use such programs either lack social skills or are non-native English speakers. Look at the ransom note in Blackshades and you can see that its grammatical errors should make you suspicious. The bad news is that Blackshades allows you to send your own written message.

In my opinion, the destructive potential of RATs has not been fully exploited. Their use has, so far, been limited by the imagination of their users. But there is no way of knowing this for sure. A good RAT will gather the information it needs and leave before it is ever detected. Nonetheless, if such attacks begin to be more sophisticated, especially in their spear phishing techniques, they could be devastating in their severity. RATs will always be with us. They are difficult to exterminate completely. The best advice is to be vigilant to avoid being caught in the traps the RATs will set to catch you.

______________________________________________________

One infected computer, smartphone, or tablet can bring down your entire network. To avoid this, contact InZero Systems to construct a hardware-based security system for you that will not allow even the most RAT infested computer to gain access to your corporate data.

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technology. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator. I also do some work as a test developer for Michigan State University.