Inside the awful world of RATters - the men who spy on people through their computers with "remote administration tools"


83 Responses to “Inside the awful world of RATters - the men who spy on people through their computers with "remote administration tools"”

  1. Sarge Misfit says:

    I commented there on how this activity violates wire-tapping laws and the Right to Privacy (which got down-voted 5 to 2, btw)

    Not only is this activity illegal on those grounds, but it is also a cyber-crime. They are gathering your personal information, passwords, changing your files, everything that constitutes cyber-crime.

    It's disheartening to see how many people have such an accepting attitude to this, an attitude of “there’s nothing you can do, so stick a bit of tape over the cam and carry on”.

    • blearghhh says:

      I was interested in the downvoting you mentioned, since that seemed out of character for Ars, so I checked on the site. You were probably downvoted more because you said something about hoping the people who did it deserve to be tortured/abused in jail than because people don’t agree that it’s illegal.

      In fact, the tone of the comments on there is pretty emphatic about it being illegal and that the RATters were scum, and discussing about how to combat it. So your comment didn’t add any new information, but did add some unnecessary vitriol.

      Just thought I’d clarify that for you, since you seemed upset.

      • C W says:

        Yeesh, yes. Expect downvoting, not people slapping you on the back and telling you “good job!” if you’re advocating prison rape.

      • Sarge Misfit says:

        I’m not overly disturbed by the down-voting since I realize that it's about the “Bubba” part that led to it. Heck, I’m not even sure why I mentioned it.

        If it came across as angry, then I succeeded. I can handle a lot of the crap that Life hands us, but there are some things that make me truly angry, and violating privacy is one of those things.

        • Tess says:

          Well, and even there, there are some unfortunate but mostly harmless ways that privacy gets violated. It’s still bad and it needs to be corrected, but it’s not like this. This is people being deliberately evil to other people, and it genuinely makes me sick to my stomach.

    • C W says:

      “an attitude of “there’s nothing you can do, so stick a bit of tape over the cam and carry on”.”

      I’ve also noticed the Google Glass fanboys (and they certainly are boys) yelling at anyone who doesn’t want to be in the same room as them.

      • Ronald Pottol says:

        I’d say you should read Brin’s The Transparent Society. The cameras are inevitable, what we do as a result is our choice.

        • wysinwyg says:

          Like break the cameras?

          The whole point of not wanting cameras everywhere is exactly that “what we do as a result is our choice.”  The ubiquity of surveillance forces us to change our behaviors and that is the very fucking problem with ubiquitous surveillance.

          Sounds like you don’t mind living in that world but be careful of the choices you make on behalf of your children.  They might just grow up not really knowing or caring what is that “liberty” stuff they talk about so much in history class.

          • Ronald Pottol says:

            You are assuming you can see and blind all of them. Brin's point is that it is going to get harder and harder; you can do it now, but not for much longer.

            That fight cannot be won, how do we have a society we want to live in given that we are living in a panopticon?

          • wysinwyg says:

            I’m not actually assuming that I “can see and blind all of them”. My initial sentence was a one-off glib reply to your comment.

            If you’re willing to give up so easily then you’re right: the fight cannot be won.

        • Exactly.  Today any consumer with a couple hundred dollars can buy tiny HD-resolution cameras with apertures the size of a pinprick.  In other words, we can still see the aperture with the naked eye.  I don’t like to make grand predictions, but I’d bet that within 10 years there will be consumer-grade “spycams” (for lack of a better term) with apertures too small to see with the naked eye.  I’ll even go full-Herzog and eat my shoe (Adidas) if I’m wrong.  Any takers?

          To your point, we currently have the luxury of being able to spot a camera.  Let’s have sober discussion before we get to the point of “out of sight, out of mind.”

          • spejic says:

            I’m a taker. There are limits to how small you can make the hole because of the wave behavior of light. Beyond certain size apertures you get noticeable diffraction effects.

          • Game on!  The underlying assumption being that we are talking about the traditional camera concept.  There are lots of tricky things to try.

            I think the key will be found in small, independent photosensing arrays coupled with fast, low-current processing.  Lytro’s camera uses a single CCD array covered with many microlenses, covered by a main lens.  With a distributed array of tiny PFCAs, a high enough sampling rate, and a really powerful ASIC crunching everything, we might replace the single aperture with lots and lots of tiny ones.  

            But I could be horribly wrong and end up eating a shoe.  Mark this day on your calendar.

    • shay simmons says:

      The ability of the US justice system to find/prosecute these individuals is discouraging — and acting as one’s own vigilante is not legal/feasible, which leaves protective measures as the only resort of the wary.

      Which is why I refuse to get a webcam (or a personal Facebook account).

      • Sarge Misfit says:

        One of the problems is that the System usually cannot act on its own. It takes individuals to take the first steps. And not necessarily by hiring a lawyer. Letter writing actually does work. Write every elected representative. Every watchdog group. Every civil rights organization. Hell, start a White House petition (I can’t, I’m not American and I can’t find anything similar in Canada)

      • merreborn says:

        It might be wise for webcam owners to take some tips from the gun-owner community.

        “Always treat the gun as loaded. Always keep the gun pointed in a safe direction”.

        Similarly, always treat your webcam as if it’s on.

        • awjt says:

          I don’t know why people don’t click on the safety on their webcam… i.e. put a piece of tape over it.

          • bcsizemo says:

            When my wife bought her laptop I asked her if she’d ever use the webcam, probably not.  Well no drivers for that then.  (She added the tape for extra security.)

          • I’m a UX guy, so I see this as a UX problem.  If you have a hammer, everything looks like a nail, etc.

            What is the difference between users who cover their webcams and users who don’t?  IMO, the coverers are more accurately appraising the threat of the uncovered webcam and feel threatened enough to protect themselves.  I’m not saying that one group is smarter than the other or lazier or anything like that.  Superficially this looks like a user failure, but I think that users aren’t being given meaningful indicators or signs of the threat.

            If we focus on appraisal of threat, what are the factors that cause someone to feel threatened by a camera, and what are the factors that make someone less fearful or more dismissive of the threat?

            Humans use all sort of heuristics or rules of thumb to make judgments, and mostly without conscious awareness of doing so.  A little circle of glass in the top of your screen isn’t something that stands out as a threat – it isn’t jagged, large, moving, making sound, etc.  It is, by design, nondescript. Even though a user knows that it is a camera and that it takes pictures, it’s inert.  The only way of knowing whether it is active or inactive is if we are given some additional indicator, like an ON light.  

            Another heuristic involves control.  The only time that I’ve seen my webcam turn on is when I have commanded it to do so.  Pretty soon you start to believe that you are in control of its operation, since you’ve never experienced a situation where those two don’t go together.

            I don’t have a prescription for fixing this problem.  I just want people to understand that there’s more to this issue than user education or intelligence. 

          • I don’t have a prescription for fixing this problem.

            How about we start with secure operating systems?

          • awjt says:

            wtf, dude. All I’m advocating is a piece of scotch tape if you’re uncomfortable. You can peel it off when you need to use the cam.

          • chgoliz says:

            We use a small Post-It note… easier to take off when the camera is actually wanted.

  2. KevinRaposo says:

    This is sooo creepy!  I remember this happening to me one time, eventually I hid under the bed waiting for it to stop. It never did!

    • peregrinus says:

      What happened?

      • KevinRaposo says:

        They hid my start button and task bar. Kept opening and closing the CD/DVD tray and displaying these strange messages on my desktop!  I now have post it notes on my camera!

        • Ummm. Why not just:
          1) Yank the Ethernet cable…
          2) Try a system restore
          3) If that fails, wipe the system and restore user files from a backup.
          Yes, a bit of work, but it sure beats hiding under a bed!

          • KevinRaposo says:

            Agreed! This happened 2 years ago and I didn’t have that knowledge. Now I know, because knowledge is power!

  3. Dlo Burns says:

    so will using an anti-virus stop this kind of thing?

    /edit: I mean what steps would you guys recommend to prevent/solve this? (inb4 buy a mac)

    • foobar says:

      I drove my car into a tree. What product can I buy to prevent this in the future?

    • wysinwyg says:

      Unix up whether or not it’s a mac.  There are reasons to believe Windows simply cannot be made secure and not just “security through obscurity”.  Back up your own files, preferably to an external hard drive so you can do a fresh OS reinstall if you have any reason to believe anything is screwy without losing anything.  Use a good root password and change it occasionally.  Don’t save internet form information — especially passwords — in your browser even though they so kindly offer to take care of that stuff for you.  (These last three bits apply even if you’re not ready to move on from Windows.)

      If you’re not already a techie/power user then that would probably be a good start.  There’s a lot of stuff you can do in unix-likes to flag user behavior that doesn’t look like your own (and thus is probably someone trying to crack your machine remotely) but it takes some know-how.

      edit: fuzzyfuzzyfungus basically made the same reply to ethicalcannibal a few comments down but in much more detail. Very worth reading.

      • Dlo Burns says:

        I dual boot with ubuntu, I’m not sure I could ever get my relatives to do the same.

      • Thanks for the tips for users who are not techies. Any time I ask how to protect myself I either get unintelligible (to me) instructions or get put down for not being as tech-savvy as others. Also, I’d be embarrassed if I had to buy one of those “For Dummies” books.

    • I run linux. My wife uses a mac.

    • Rod Sullivan says:

      One suggestion that someone else made in an earlier thread a while ago that I think is quite practical is this: disable your laptop (or desktop’s) built-in webcam in the BIOS, so that your operating system doesn’t even know it’s there. (You can then go ahead and cover the lens with a piece of black electrical tape if you want to go full paranoid.)

      Then, if a webcam is still a must for you, purchase an external USB-connected one so that when you’re not using the webcam, you can (a) angle the camera away from you [an okay solution], or (b) drape or otherwise cover the camera and microphone with a black cloth [better], or (c) unplug the camera from the USB connection [best].

      The reason an external webcam works better for this situation rather than a built-in one is the ease of disabling and enabling it.

      1. A built-in one cannot be angled away from you, as most of them are embedded in the monitor. 

      2. Nor can a built-in one be draped or otherwise quickly covered with an easily removable cover without usually affecting your visibility of your monitor (I prefer draping rather than taping over your webcam because with sticky tape it’s a nuisance to remove and reapply it, and sooner than later you’ll have to clean the glue’s film from off of your webcam lens.)

      3. And to software disable a built-in one, you’ll either have to reboot to get to the BIOS, or go into Windows device management and disable the device (which is a step that’s easily reversible by someone who already has remote administrative access to your machine.)

  4. Nadreck says:

    Most computer security features were thrown out in the 80s and 90s to get cheap mass produced computers sitting on people’s desks.  Memory used to be protected at the hardware level but that was an expense so the Wintel duopoly just got rid of memory protection.  Later it was feebly put back in in software: which runs in memory LOL!  Operating systems (eg. VMS) used to have fantastic security but that wasn’t “Ad friendly” so MicroSoft just got rid of security: it wouldn’t have fitted in the desktops of the day with all the rest of the bloatware anyway.  Security was originally not a design criterion for UNIX either.

    So now your computer does things without your knowledge or consent: partially through negligence and partially by design.

  5. Preston Sturges says:

    So often, peeping toms end up in a downward spiral of compulsive low level crime. They literally end up living in their parent’s basement because they have a bunch of arrests and complaints against them. 

  6. ando bobando says:

    This thing reads so perfectly creepy that I just want it to be fabricated/embellished. In fact, in order to continue living as a productive member of society, I think I will have to believe that it is. :(

  7. ethicalcannibal says:

    How do you check your computer for this kind of thing?

    • fuzzyfuzzyfungus says:

      I’m being honest here, not flippant, so please take this as sincere advice:

      If you have to ask, your best bet is probably reinstalling your OS from known-good media. It’s tedious; but far more effective per unit knowledge than any attempt at more sophisticated hunting. Take off and nuke the site from orbit and all that.

      If the attacker screws up, they may use an outdated control program that hasn’t been properly tested against your AV software, or they might trip up on a physical webcam LED indicator (and if you do see something like the webcam LED thing, assume the worst Right Now). If you care about your data, you should have backups in place to allow this anyway (in case your HDD dies or such); but it is also among the more reliable ways of cleaning a system.

      Any attempt to clean an infected, or possibly infected, system from within that system is analogous to trying to determine if one of your spies is actually a double agent by asking him questions: not impossible; but neither easy nor especially reliable.

      If you are inclined to a less fatalistic view, your best bet is probably at the network level. The easiest, and most basic, tool would be a firewall that watches for, and reports, outbound traffic. ‘Little Snitch’ is the big name on OSX, not sure on Windows.

      Safer(because it’s essentially impossible for an attacker to disable); but more of a nuisance is a monitoring system running on a different host than the one being monitored. For 10/100 ethernet, a simple passive tap can allow a monitoring host(running Snort or similar) to completely silently watch all incoming and outgoing traffic from your computer. That doesn’t work on GbE, so you’d have to use a switch with port mirroring or a monitoring host using active passthrough.

      On the host side, something like tripwire is also very useful, since it allows you to detect changes in state on your filesystem. Unfortunately, common desktop use cases often generate huge amounts of legitimate state churn, making this a bit less useful than it would be on, say, a fairly stable webserver or other single-purpose box.

      Further inconvenient-but-secure measures would include things like using a liveCD environment to perform banking and other secure operations (so that even if your persistent OS has a keylogger, that OS will be fully out of the picture and you’ll start with a known-clean environment). Pain in the ass; but still.

      Performing potentially risky operations inside throwaway VMs, or using a fully airgapped system for high-risk operations like storing salacious pictures is also a huge nuisance; but makes things harder.
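The tripwire-style idea in the comment above (baseline the filesystem, then diff it later, while excluding directories that churn legitimately) as an added example; this is not code from the page or from Tripwire itself, and the exclusion globs and the constructed directory tree are assumptions for illustration:

```python
import fnmatch
import hashlib
import os
import tempfile
from pathlib import Path

# Illustrative exclusion globs for paths that churn constantly on a desktop
# (assumption: tune these to the machine being monitored).
DEFAULT_EXCLUDES = (".cache/*", "*/.cache/*", "tmp/*", "*.log")


def _file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, excludes=DEFAULT_EXCLUDES):
    """Walk root and record digest + permission bits for every regular file not excluded."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if any(fnmatch.fnmatch(rel, pat) for pat in excludes):
                continue  # legitimate churn, skip to keep the report readable
            if p.is_symlink() or not p.is_file():
                continue
            baseline[rel] = {
                "sha256": _file_digest(p),
                "mode": p.stat().st_mode & 0o7777,  # a chmod is a change too
            }
    return baseline


def compare(baseline, current):
    """Return added / removed / modified relative paths between two scans."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, simulate changes, re-scan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / ".cache").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho original\n")
        (root / "notes.txt").write_text("hello\n")
        (root / ".cache" / "thumb.db").write_bytes(b"x")
        baseline = build_baseline(root)

        # Simulated changes: a binary is replaced, a login hook appears,
        # the cache churns (should be ignored), and a document is deleted.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho replaced\n")
        (root / ".bash_profile").write_text("# new login hook\n")
        (root / ".cache" / "thumb.db").write_bytes(b"yy")
        (root / "notes.txt").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline must be stored off the monitored host (the comment's point about a separate monitoring machine applies here too), otherwise whoever has administrative access can simply rewrite it.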

      • ethicalcannibal says:

        Thank you for the reply. I appreciate the approach you took. I’m not computer savvy enough to do more than nuke and burn my OS. I hadn’t thought about it, but even if you told me how to detect anything today, two weeks from now when they update their methods, I’d be helpless WITH a false sense of security.

        Sounds like it’s just another reason to back up my data a lot. 

        I do have a question. If you use something like Mac’s time machine, won’t that just reinstall all your spy’s crap all over again? With only a short blip in service, as you reinstall? Or would it be better to pick and choose your files off of there, leaving the bulk of the OS behind? 

        • fuzzyfuzzyfungus says:

          I don’t know the details of how Time Machine works, or how granular you can be in setting exclusions; but a backup that is capable of restoring your entire system will likely include the malware(this is why so much of the Windows malware would embed itself quite merrily in the ‘System Restore’ feature, so any attempt to roll back would be useless).

          A backup that does not include executable files(and, ideally, specifically excludes things like login hooks, which are all kinds of potentially dangerous despite looking pretty mundane) is less dangerous.

          You still have to worry about booby-trapped files(the classic ‘bugged flash object embedded in a Word or Excel document’ is a nasty one); and there have even been exploits against (seemingly) safe formats like TIFF images; but a backup consisting of ‘all my movies, music, pictures, and documents’ is still safer than a full-system backup.

        • foobar says:

          Your assumption is correct. Back up data, not executables.

        • chgoliz says:

          I am not an IT person…

          Mac’s Time Machine hangs onto as many prior backups as space allows.  You can perform a restore from a time prior to the problem — if you know when it is — and/or restore just docs, photos, etc.

          “Sounds like it’s just another reason to back up my data a lot.”

          OMG….please tell me your Time Machine is backing up to an external drive!!

          • ethicalcannibal says:

            Yes, absolutely a separate drive. I backup between once a week to once a month. Depending on how lazy I am. 

          • chgoliz says:

            Set Time Machine to do it every few hours, or at least every day.  You don’t have to do it manually.

      • On the subject of LED indicators I wonder if you would even see the light come on if the camera is powered up once a second to grab a frame.

        • Which is why the indicator LED shouldn’t be software-controllable.  It should have a discrete controller that detects current flow and activates for some minimum period of time.

          It’s not foolproof, but it would require physical access to the machine to disable or modify.

  8. Sarge Misfit says:

    I got these links from the Ars comments, 4th page or so and post them here with the caveat that I do NOT know if they work or are reliable, so use your own discretion …

    http://jeff1down.blogspot.ca/2010/06/how-to-remove-remote-administrator-tool.html

    http://www.2-spyware.com/remote-administration-tools-removal

  9. Zhasu says:

    One guy says “I’ve had that a couple of times, it just makes me giggle, especially if it’s someone with an uber-weird-nasty habit.”
    Seems like they think their own habit is not weird or nasty, just perfectly normal. I always wondered how it would feel to turn the tables around a bit. If someone providing those tools actually put a back-door in to spy on these pervs. And then blackmail them. Probably they would think “Why me? I was just joking, wasn’t being serious.”

    • Sekino says:

      People who lack empathy really think that all of their own characteristics are human and unique and awesome while other people are just gross and/or disposable accessories.

  10. chadmulligan says:

    Perhaps someone should create a suite of tools to track down and stop abuse of remote administration tools. It could be named Kill Access Tools Suite (or KATS).

    Seriously though, shouldn’t there be some software solution to help targeted users?

  11. knoxblox says:

    I was considering giving my laptop to my mom once I put a new computer together, but now this worries me, because she’s an avid “cut animal video” clicker and loves to shop online.

    If I understand this correctly, someone potentially could use these programs to turn on remote access to the computer when I have turned it off? Also, could a hardwired wi-fi access toggle switch be compromised (as I suspect it is still ultimately controlled by the operating system)?

    • Jardine says:

      There is such a thing as wake on LAN, which is designed to allow you to turn a computer on remotely by sending a special packet at it. Thankfully, it usually requires some kind of sacrifice to the Elder Gods if you want it to work, so I wouldn’t be too concerned about that. You can also check if it’s enabled in the BIOS. It’ll be called Wake-On-LAN or WOL or something similar.

      • fuzzyfuzzyfungus says:

        Not a major concern on consumer systems; but may the gods of a dozen dead pantheons save you if a black hat were able to provision a recent Intel AMT module out from under you, though…

        As for the wifi switch, it generally isn’t a true hard switch(there is often a BIOS option to enable or disable it from having any effect); but whether it is a mere cosmetic convenience that the OS can override at any time, or whether it yanks power to the RF side at a firmware level seems to vary by vendor and phase of moon.

    • I was a little confused about the “cut animal video” but I’m hoping you meant to type “cute”.  Really hoping.

    • Dlo Burns says:

      Do you think you could force your mom to use ubuntu or zorin?

      • knoxblox says:

        No way in hell.

        She’s allowed to use mine here at home, but still avoids it. Hardly even touches the Kindle she was given. I think she’d rather use the one at work because it’s right there in front of her.

        Also, the word “maintenance” doesn’t exist in her vocabulary. She knows how to use a computer, drive a car, or use a cellphone, but don’t ask her to look under the hood.

  12. chris jimson says:

    “Everything we do today involves computers and everything we do tomorrow will require computers.”

    Call me a Luddite, but I disagree.  I’ve become weirdly nostalgic for the days before constant online connectivity.  People take vacations from their computers, I can envision taking a permanent vacation from them if need be.

    Food, clothing and shelter.  It’s all we really need.

  13. blueelm says:

    “Always thought it was some kind of wierd sick fetish because i enjoy messing with my girl slaves.”
    It is.

  14. Sigmund_Jung says:

    There’s a great movie script in this story. It just needs to be unearthed.

    • Dlo Burns says:

      Sounds like a bad Lifetime movie to me though.

    • EeyoreX says:

      Didn’t they already shoot this in the 1990s and call it “Sliver”?

      • Sigmund_Jung says:

        Ugh, THAT is a bad movie — this one could be more elaborate. First thing in my mind is: what if one of these guys sees a crime? That’s cliché, but could be well developed. Instead of going to the police (for many reasons, one being these guys are not the good guys and I wouldn’t want to see any kind of redemption in their acts…), maybe he tracks the killer down and messes with the killer's head. Still needs a hero somewhere.
        I see an Oscar in the future. The Mayer type. Sausage anyone?

  15. tlwest says:

    It’s articles like these that make me appreciate that the Internet’s ability to connect us with the entire world is very much a two-edged sword.  Pre-internet, many people were protected from somewhat sociopathic 14-year-olds (either physically or emotionally) by the simple expedient of lack of physical proximity.

    Now, as many people (especially the elderly) are finding to their displeasure, they’re living next door to the entire world, which also includes criminals who have very little compulsion about exploiting them in almost perfect safety for everything they can get away with.  A rather big shock for those used to living a fairly comfortable, safe, middle-class existence.

    • fuzzyfuzzyfungus says:

      At least for old people, phone-based hucksters and TV or radio televangelists arguably had them covered back when Arpanet was still something that you needed to live in academia to know about.

      The internet has certainly upped the game; but its real innovation seems to be bringing non-commercial sociopaths to the mix. Phone scamming is a lousy job, unless it pays really well, and Ma Bell doesn’t give those minutes away, so that keeps the people not running a profitable con (mostly) out of the picture.

      The internet, though, brings out the defective personalities who are willing to put a significant amount of effort into being awful people without any explicit payoff…

  16. James Penrose says:

    Long past time to require built-in cameras on monitors and laptops to have a manual shutter to close them.

    If yours lacks one and most do, a sticky tab like those used to flag a page in a book will do nicely and the greatest hacker in the world can’t do squat about it.

  17. Samuel Vanderwaal says:

    It sounds like most of these hack exploits are due to security problems in Windows. Wouldn’t the best solution to be to switch to something like Ubuntu? It wouldn’t be a guarantee of protection, but would cut out a lot of the security risks.

    The tape solution isn’t really a solution. Yes, it will stop them from seeing you, but if they can control your webcam they already have access to your computer files. It’s like:

    “Hahaha you can’t see me now, hacker.”
    “Yes, but I have stolen all your passwords and usernames, oh and that nude picture of your wife in the folder you thought was hidden.”

  18. Memmmmorieeeeees.  First year at uni, 1998, living in the dorms.  The fun we had with Back Orifice.  Oh man.  

    Of course, none of us had webcams or microphones.  I don’t think we really grokked the power and possibilities that this tool afforded us.  It never occurred to us, for example, to infect people who didn’t live on our rez floor.  After all, why would you bother opening and closing someone’s CD-ROM drive if you weren’t close enough to hear them yell profanity at you?  Such a simple time.

  19. Heevee Lister says:

    A few years ago, I ran a scan and found files from a Windows exploit on my computer.  It was my first malware infection ever.  Seriously. 

    Fortunately, the exploit was for Win XP, and the computer was running Win98 at the time.  “Keep your system fully updated” isn’t always the best advice. :)

    Today that computer runs Linux.  I suppose that someday the “minority OS” strategy won’t work any more, but Linux is likely to remain relatively secure as long as (1) it’s open source, and (2) there are many more millions of easily cracked computers running Windows.  Thank you Bill Gates!

    Maybe I’m naive, but it seems to me that that one way you can help older or less sophisticated friends and relatives is to give them, or sell them very cheaply, what they need to be reasonably secure.  Buy an old IBM or Toshiba P3 or P4 laptop (no built in webcam) cheaply on eBay, re-cell the battery (check Youtube for help), drop in a new disk drive for stability and speed, load a copy of Linux Lite or Puppy, tweak a few settings, maybe add ClamAV, and hand it to your friend.  You might have to spend an evening showing him or her the slight differences.

    If your relative or friend really needs Windows programs, have a look at Wine.  It’s improved by leaps and bounds in the last year or two.  Be careful what you load and how you load it, of course.  Programs that need security risks like IE should be loaded in their own Wine prefixes. 

    I’m not a security expert, but it seems to me that you’re pretty safe if you set up risky programs to start with shell scripts that shut down the WiFi, or simply redirect everything to 127.0.0.1 as long as those programs are loaded.  Don’t load Java at all unless programs need it, and in that case, make sure it’s disabled in the browser.  Noscript is a good idea, but can be annoying to unsophisticated users.

    Some folks will say “my MIL would never use Linux,” but I’ve been surprised at how easily low-power users who do mostly email and web browsing can be switched from Windows to a thoughtfully configured Linux system.
