RATs Allow Hackers to Spy on Victims Through Webcams and Access All Computer Files

Ratters are people who use RATs — remote access tools — to take over people’s computers and spy on them through webcams. This screenshot shows what one ratter is seeing in his or her own spying activity. (Image: YouTube screenshot)

We’ve reported about webcam hacking and spying in the past, but a recent report by Ars Technica is giving an even more in-depth look into the scary world of people who can take control of a person’s computer, peering into his or her life via webcam all in the name of an unsettling game.

Ars Technica’s Nate Anderson begins his story about RATs (remote administration tools) with an eerie scene: a woman sits in front of her computer with a baby on her lap, voicing her frustration over unwanted content popping up to a man who is in the room but offscreen. The man presumes that someone has hacked their computer. But little do they know the extent of the hack. As Anderson wrote, the hacker has access to their screens, webcam, microphone, files and all other content on the device.

At one point, the hacker messing with the family pops up a message on their computer screen that reads “achoo!”

Anderson writes that these “ratters,” as they’re called, might only be playing what they consider a game with their victims but others hope to spy on intimate moments or search computer files for erotic photos.

Here’s what Anderson reports a couple ratters saying about their activities online:

“Man I feel dirty looking at these pics,” wrote one forum poster at Hack Forums, one of the top “aboveground” hacking discussion sites on the Internet (it now has more than 23 million total posts). The poster was referencing a 134+ page thread filled with the images of female “slaves” surreptitiously snapped by hackers using the women’s own webcams. “Poor people think they are alone in their private homes, but have no idea they are the laughing stock on HackForums,” he continued. “It would be funny if one of these slaves venture into learning how to hack and comes across this thread.”

[...]

“I just use the file manager feature of my RAT in whatever one im using and in [a RAT called] cybergate I use the search feature to find those jpgs [JPEG image files] that are ‘hidden’ unless u dig and dig and dig,” wrote one poster. “A lot of times the slave will download pics from their phone or digital camera and I watch on the remote desktop to see where they save em to and that’s usually where you’ll find the jackpot!”

Here’s one example of a ratter spying and “playing” with their victim, who is working on her computer, by popping up sites that are shocking and confusing to her (Note: Some strong language):

What started as a hacking group’s exposure of Microsoft’s poor security in 1998 has become a small-scale industry for RATs that are as undetectable by protection software as possible. Anderson explains that people simply have to run a file from the ratter to become infected. Some victims (slaves) are tricked through Facebook messages, others on file-sharing networks.

Anderson reports about several “handholding” tools that are available for aspiring ratters to pick up hundreds to thousands of slaves. Anderson also noted that many of them are coming up with methods to get around the webcam light that turns on with most computers when it’s in use.

“Calling most of these guys ‘hackers’ does a real disservice to hackers everywhere; only minimal technical skill is now required to deploy a RAT and acquire slaves,” Anderson wrote. “Once infected, all the common RAT software provides a control panel view in which one can see all current slaves, their locations, and the status of their machines. With a few clicks, the operator can start watching the screen or webcam of any slave currently online.”

Although many ratters are engaging in illegal activity, Anderson said they are rarely caught. He also wrote that there are some legal uses for RATs as well, like security companies using the technique to find stolen laptops.

Still, what is to be done to prevent such pervasive spying from happening to you? Anderson suggests people use an anti-malware program and keep operating systems and plug-ins (like Flash) up to date. Other common sense tips include avoiding questionable forums and not clicking on attachments in emails that seem off-base.

“If you are unlucky enough to have your computer infected with a RAT, prepare to be sold or traded to the kind of person who enters forums to ask, ‘Can I get some slaves for my rat please? I got 2 bucks lol I will give it to you :b,’” Anderson wrote. “At that point, the indignities you will suffer—and the horrific website images you may see—will be limited only by the imagination of that most terrifying person: a 14-year-old boy with an unsupervised Internet connection.”

As for removing a RAT from an infected computer, users on the forum Hack This Site suggest wiping the hard drive completely clean and restoring the computer to its factory settings (the condition it was in when you received it).

Hack This Site’s users also pointed to Microsoft’s TechNet post on RATs. Here’s a portion regarding next steps:

After you detect and eradicate RATs, a larger question looms: Did the remote intruder collect information that could harm you in the future? Answering that question in the confines of this article is difficult, but consider the following information to determine risk. How long has the RAT been around? Although you can’t always rely on file-creation dates, use Windows Explorer to see when the RAT executables were created or last accessed. If the executable was created in the distant past and the last access was recent, an intruder could have been using the RAT over a long period. What type of activity did the intruder perform on the compromised machine? Did the intruder access confidential databases, send email, or access other remote networks or directory shares? Did the intruder have administrator rights? Look on the compromised machine for clues, such as files and programs with access dates and times outside the end user’s usual business hours. In low-risk environments, most end users eradicate the RAT and work hard to prevent the remote intruder from returning. Compromised users might want to consider changing all passwords and other potentially revealed information (e.g., credit card numbers, PIN).
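The timestamp checks described in the quoted TechNet passage can be scripted. The following is an added example, not code from TechNet or Ars Technica; the extension list, the 09:00 to 17:00 weekday business hours, the 30-day threshold and the sample records are assumptions.

```python
import os
from datetime import datetime, timedelta

EXEC_EXT = {".exe", ".dll", ".scr", ".bat", ".vbs"}  # assumption: types worth reviewing

def collect(root):
    """Return (path, created, last_accessed) for executable-type files under root."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXEC_EXT:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # file locked or removed during the walk
            # Windows reports creation time (st_birthtime on Python 3.12+, else
            # st_ctime); on Linux st_ctime is inode-change time, so it is approximate.
            created = getattr(st, "st_birthtime", st.st_ctime)
            rows.append((path, datetime.fromtimestamp(created),
                         datetime.fromtimestamp(st.st_atime)))
    return rows

def assess(rows, work_start=9, work_end=17, long_use=timedelta(days=30)):
    """Apply the passage's two questions (how long, and when) to each record."""
    findings = []
    for path, created, accessed in rows:
        span = accessed - created
        off_hours = (accessed.weekday() >= 5
                     or not work_start <= accessed.hour < work_end)
        findings.append({"path": path,
                         "days_between_create_and_access": max(span.days, 0),
                         "long_running": span >= long_use,
                         "accessed_off_hours": off_hours})
    # Longest create-to-access span first: the likeliest long-term footholds.
    findings.sort(key=lambda f: f["days_between_create_and_access"], reverse=True)
    return findings

# Constructed sample records (not taken from any real incident).
SAMPLE = [
    (r"C:\Program Files\App\app.exe",
     datetime(2013, 3, 1, 10, 0), datetime(2013, 3, 11, 10, 15)),
    (r"C:\Users\a\AppData\Roaming\svhost.exe",
     datetime(2013, 1, 5, 14, 0), datetime(2013, 3, 11, 2, 30)),
]

if __name__ == "__main__":
    for finding in assess(SAMPLE):  # swap SAMPLE for collect(r"C:\Users") on a live host
        print(finding)
```

Last-access updates can be disabled on NTFS volumes, so an old access time does not prove a file went unused.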

Be sure to read Anderson’s full post on Ars Technica for more details about the nefarious activities of ratters and how the technology works.
