Meet the men who spy on women through their webcams | Ars Technica

Some of the problems with your PC might have something to do with a real ghost in the shell who is watching everything you do. It isn’t “Big Brother” though, it’s more like “Little Brother.” The next time your PC starts showing any of these behaviors, just imagine that there is someone at a control panel like this, taking snapshots of your “Technology is Fucking with Me” face.

For many ratters, though, the spying remains little more than a game. It might be an odd hobby, but it’s apparently no big deal to invade someone’s machine, rifle through the personal files, and watch them silently from behind their own screens. “Most of my slaves are boring,” wrote one aspiring ratter. “Wish I could get some more girls with webcams. It makes it more exciting when you can literally spy on someone. Even if they aren’t getting undressed!”

One poster said he had already archived 200GB of webcam material from his slaves. “Mostly I pick up the best bits (funny parts, the ‘good’ [sexual] stuff) and categorize them (name, address, passwords etc.), just for funsake,” he wrote. “For me I don’t have the feeling of doing something perverted, it’s more or less a game, cat and mouse game, with all the bonuses included. The weirdest thing is, when I see the person you’ve been spying on in real life, I’ve had that a couple of times, it just makes me giggle, especially if it’s someone with an uber-weird-nasty habit.”

By finding their way to forums filled with other ratters, these men—and they appear to be almost exclusively men—gain community validation for their actions. “lol I have some good news for u guys we will all die sometime, really glad to know that there are other people like me who do this shit,” one poster wrote. “Always thought it was some kind of wierd sick fetish because i enjoy messing with my girl slaves.”

How it’s done

RAT tools aren’t new; the hacker group Cult of the Dead Cow famously released an early one called BackOrifice at the Defcon hacker convention in 1998. The lead author, who went by the alias Sir Dystic, called BackOrifice a tool designed for “remote tech support aid and employee monitoring and administering [of a Windows network].” But the Cult of the Dead Cow press release made clear that BackOrifice was meant to expose “Microsoft’s Swiss cheese approach to security.” Compared to today’s tools, BackOrifice was primitive. It could handle the basics, though: logging keystrokes, restarting the target machine, transferring files between computers, and snapping screenshots of the target computer.

Today, a cottage industry exists to build sophisticated RAT tools with names like DarkComet and BlackShades and to install and administer them on dozens or even hundreds of remote computers. When anti-malware vendors began to detect and clean these programs from infected computers, the RAT community built “crypters” to disguise the target code further. Today, serious ratters seek software that is currently “FUD”—fully undetectable.

Building an army of slaves isn’t particularly complicated; ratters simply need to trick their targets into running a file. This is commonly done by seeding file-sharing networks with infected files and naming them after popular songs or movies, or through even more creative methods. “I seem to get a lot of female slaves by spreading Sims 3 with a [RAT] server on torrent sites,” wrote one poster. Another turned to social media, where “I’ve been able to message random hot girls on facebook (0 mutual friends) and infect (usually become friends with them too); with the right words anything is possible.”

Calling most of these guys “hackers” does a real disservice to hackers everywhere; only minimal technical skill is now required to deploy a RAT and acquire slaves. Once infected, all the common RAT software provides a control panel view in which one can see all current slaves, their locations, and the status of their machines. With a few clicks, the operator can start watching the screen or webcam of any slave currently online.

The process is now simple enough that some ratters engage in it without knowing how RATs really work or even how vulnerable they are to being caught. Back in 2010, one Hack Forums member entered the RAT subforum worried about going to jail. He had hacked a Danish family’s computer in order to get a child’s Steam account credentials, but the Danish kid realized that something was wrong and called in his mother and older brother. The hacker included a picture of all three of them looking down at the computer, the younger kid crying, the mother stern.

Another described testing DarkComet on a male slave and activating the man’s webcam. “A man came up and saw that his webcam was on, he then put the middle finger up to me lmao [laughing my ass off],” wrote the hacker. “I then went to remote desktop and he had lots of pr0nz [pornography] up, but he was also freaking out and scanning his computer with two different anti-virus [programs]. It was pretty funny, but he actually managed to remove the infected server from his PC, he used some ‘ad-ware’ software which managed to remove it.”

Others trade pictures of victims taking action to secure their computers. “ive had this girl since i started ratting but she has a light on her cam,” wrote one RAT user, “shame coz shes really pretty with her hair down. see her busting me lol.”

To combat detection, the RAT controllers have devised various workarounds. One involves compiling lists of laptop models which don’t have webcam lights and then taking special pains to verify the make and model of slave laptops to see if they are on the list.

“You may need to do some remote desktop action when you’re pretty certain they’re not looking and find an OEM tag in system properties but the surest way is to look for OEM bloatware like wireless utilities and such,” wrote one RAT user. “Once you figure that out, if it’s an Acer, you’re golden. Some other laptops are good too and using specs and some other information you can often determine a model.”

Others rely on a little bit of social engineering. “The first time I use a slaves cam tho I send a fake message saying something like the cams software is updating and the light may come on and go off periodicially ,” wrote a RAT user, “but obviously in a more windows-like way of saying it!”

But morals generally take a back seat to mockery. One popular thread, running for more than a year, with 59 pages of comments, asks people to “Post your ugly slaves here.” One of the most popular responses involves people caught picking their noses.

RATs can be entirely legitimate. Security companies have used them to help find and retrieve stolen laptops, for instance, and no one objects to similar remote login software such as LogMeIn. The developers behind RAT software generally describe their products as nothing more than tools which can be used for good and ill. And yet some tools have features that make them look a lot like they’re built with lawlessness in mind.

Adam Kujawa, a researcher at security firm MalwareBytes, compiled a list last summer of everything that popular RAT DarkComet could do. It included:

  • Find out all system information, including hardware being used and the exact version of your operating system, including security patches
  • Control all the processes currently running on your system
  • View and modify your registry
  • Modify your Hosts file
  • Control your computer from a remote shell
  • Modify your startup processes and services, including adding a few of its own
  • Execute various types of scripts on your system
  • Modify/View/Steal your files
  • Put files of its own on your system
  • Steal your stored password
  • Listen to your microphone
  • Log your keystrokes (duh)
  • Scan your network
  • View your network shares
  • Mess with your MSN Messenger / Steal your contacts / Add new contacts!
  • Steal from your clipboard (things you’ve copied)
  • Control your printer
  • Lock/Restart/Shutdown your computer
  • Update the implant with a new address to beacon to or new functionality
  • Watch your webcam
  • Use your computer in a denial of service (DOS) attack

And that’s not all. DarkComet includes a “Fun Manager” that can perform all sorts of tricks on the target system, including:

  • Hiding the Desktop—Hiding all the icons and making it impossible to right click on the desktop.
  • Hide the Clock—Self Explanatory
  • Hide Task Icons—In the little box on the right side of your start bar
  • Hide Sys Tray Icons—Hide icons and open application buttons on the taskbar
  • Hide Taskbar—Self Explanatory
  • Hide the Start Button—Only works in Win XP
  • Disable the Start Button (XP Only)—Gray out the start button, disabling it.
  • Disable TaskMgr—Disables the Windows Task Manager (When you hit Ctrl+Alt+Del)
  • Open/Close CD Tray—Self Explanatory

Even that isn’t all. The RAT can also activate Microsoft’s text-to-speech software on the remote system so that it reads strings of text out loud—an effective startle tactic. It can open a chat window. And it can play notes from a piano or a specific frequency for as long as desired. (As Kujawa notes, “The purpose of this feature [as far as I can tell] is just to annoy people.”)

Does such software cross the line into illegality? Perhaps. In June 2012, the FBI arrested Michael “xVisceral” Hogue at his home in Tucson, Arizona and charged him with selling “malware that allows cybercriminals to take over and control, remotely, the operations of an infected computer.” Hogue had created Blackshades, which the government described as “a sophisticated piece of malware.”

Blackshades went beyond DarkComet in its support for features that were likely to result in illegality, such as the “File Hijacker” that could encrypt a victim’s key files and then pop up a “ransomware” message demanding payment into a remote bank account in order to free the files. (A note attached to this feature said: “However, one thing to put in mind: This feature was made for educational purposes only.”)

In further MSN chats with the FBI, the person alleged to be Hogue answered a question about whether the Blackshades software would automatically conduct key logging or whether it had to be initiated manually. “It auto does, and you can download from all at once, or scan for keywords or digits,” came the reply. “And if it detects a credit card is being entered, it can send screenshots to FTP and you can scan for digits that are 16 in a row 😛”

via Meet the men who spy on women through their webcams | Ars Technica.

