Inside the awful world of RATters - the men who spy on people through their computers with "remote administration tools"

Nate Anderson's long Ars Technica piece on RATters -- men who use "Remote Administration Tools" to spy on others, mostly women, via their laptop cameras, and to plunder their computers for files and passwords -- is a must-read. Anderson lays out the way that online communities like Hack Forums provide expertise, tools, and, most importantly, validation for the men who participate in this "game." Anderson explains the power of software like DarkComet, which allows for near-total control of compromised computers (everything from opening the CD trays to disabling the Start menu in Windows); the dehumanizing language used by Ratters (they call their victims "slaves"); and the way that these tools have found their way into the arsenals of totalitarian governments, like the Assad regime in Syria, which used these tools to spy on rebels.

For many ratters, though, the spying remains little more than a game. It might be an odd hobby, but it's apparently no big deal to invade someone's machine, rifle through the personal files, and watch them silently from behind their own screens. "Most of my slaves are boring," wrote one aspiring ratter. "Wish I could get some more girls with webcams. It makes it more exciting when you can literally spy on someone. Even if they aren't getting undressed!"

One poster said he had already archived 200GB of webcam material from his slaves. "Mostly I pick up the best bits (funny parts, the 'good' [sexual] stuff) and categorize them (name, address, passwords etc.), just for funsake," he wrote. "For me I don't have the feeling of doing something perverted, it's more or less a game, cat and mouse game, with all the bonuses included. The weirdest thing is, when I see the person you've been spying on in real life, I've had that a couple of times, it just makes me giggle, especially if it's someone with an uber-weird-nasty habit."

By finding their way to forums filled with other ratters, these men—and they appear to be almost exclusively men—gain community validation for their actions. "lol I have some good news for u guys we will all die sometime, really glad to know that there are other people like me who do this shit," one poster wrote. "Always thought it was some kind of wierd sick fetish because i enjoy messing with my girl slaves."

Everything we do today involves computers and everything we do tomorrow will require computers. It's imperative that computers be designed to reveal themselves to their users and owners -- every program and process accessible to users and owners by design. But we continue to erode this fundamental through bans on jailbreaking and unlocking, and through the governmental trade in "zero-day" exploits intended for use in so-called cyberwar.

Meet the men who spy on women through their webcams [Nate Anderson/Ars Technica]


  1. I commented there on how this activity violates wire-tapping laws and the Right to Privacy (which got down-voted 5 to 2, btw)

    Not only is this activity illegal on those grounds, but it is also a cyber-crime. They are gathering your personal information, passwords, changing your files, everything that constitutes cyber-crime.

    Its disheartening to see how many people have such an accepting attitude to this, an attitude of “there’s nothing you can do, so stick a bit of tape over the cam and carry on”.

    1. I was interested in the downvoting you mentioned, since that seemed out of character for Ars, so I checked on the site. You were probably downvoted more because you said something about hoping the people who did it deserve to be tortured/abused in jail than because people don’t agree that it’s illegal.

      In fact, the tone of the comments on there is pretty emphatic about it being  illegal and that the RATters were scum, and discussing about how to combat it. So your comment didn’t add any new information, but did add some unnecessary vitriol. 

      Just thought I’d clarify that for you, since you seemed upset.

      1. Yeesh, yes. Expect downvoting, not people slapping you on the back and telling you “good job!” if you’re advocating prison rape.

      2. I’m not overly disturbed by the down-voting since I realize that its about the “Bubba” part that led to it. Heck, I’m not even sure why I mentioned it.

        If it came across as angry, then I succeeded. I can handle a lot of the crap that Life hands us, but there are some things that make me truly angry, and violating privacy is one of those things.

        1. Well, and even there, there are some unfortunate but mostly harmless ways that privacy gets violated. It’s still bad and it needs to be corrected, but it’s not like this. This is people being deliberately evil to other people, and it genuinely makes me sick to my stomach.

    2. “an attitude of “there’s nothing you can do, so stick a bit of tape over the cam and carry on”.”

      I’ve also noticed the Google Glass fanboys (and they certainly are boys) yelling at anyone who doesn’t want to be in the same room as them.

      1. I’d say you should read Brin’s The Transparent Society. The cameras are inevitable, what we do as a result is our choice.

        1.  Like break the cameras?

          The whole point of not wanting cameras everywhere is exactly that “what we do as a result is our choice.”  The ubiquity of surveillance forces us to change our behaviors and that is the very fucking problem with ubiquitous surveillance.

          Sounds like you don’t mind living in that world but be careful of the choices you make on behalf of your children.  They might just grow up not really knowing or caring what is that “liberty” stuff they talk about so much in history class.

          1. You are assuming you can see and blind all of them. Brins point is that is going to get harder and harder, you can do it now, but not for much longer. 

            That fight cannot be won, how do we have a society we want to live in given that we are living in a panopticon?

          2.  I’m not actually assuming that I “can see and blind all of them”.  My initial sentence was a one-off glib reply to your comment. 

            If you’re willing to give up so easily then you’re right: the fight cannot be won.

        2. Exactly.  Today any consumer with a couple hundred dollars can buy tiny HD-resolution cameras with apertures the size of a pinprick.  In other words, we can still see the aperture with the naked eye.  I don’t like to make grand predictions, but I’d bet that within 10 years there will be consumer-grade “spycams” (for lack of a better term) with apertures too small to see with the naked eye.  I’ll even go full-Herzog and eat my shoe (Adidas) if I’m wrong.  Any takers?

          To your point, we currently have the luxury of being able to spot a camera.  Let’s have sober discussion before we get to the point of “out of sight, out of mind.”

          1. I’m a taker. There are limits to how small you can make the hole because of the wave behavior of light. Beyond certain size apertures you get noticeable diffraction effects.

          2. Game on!  The underlying assumption being that we are talking about the traditional camera concept.  There are lots of tricky things to try.

            I think the key will be found in small, independent photosensing arrays coupled with fast, low-current processing.  Lytro’s camera uses a single CCD array covered with many microlenses, covered by a main lens.  With a distributed array of tiny PFCAs, a high enough sampling rate, and a really powerful ASIC crunching everything, we might replace the single aperture with lots and lots of tiny ones.  

            But I could be horribly wrong and end up eating a shoe.  Mark this day on your calendar.

    3. The ability of the US justice system to find/prosecute these individuals is discouraging — and acting as one’s own vigilante is not legal/feasible, which leaves protective measures as the only resort of the wary.

      Which is why I refuse to get a webcam (or a personal Facebook account).

      1. One of the problems is that the System usually cannot act on its own. It takes individuals to take the first steps. And not necessarily by hiring a lawyer. Letter writing actually does work. Write every elected representative. Every watchdog group. Every civil rights organization. Hell, start a White House petition (I can’t, I’m not American and I can’t find anything similar in Canada)

      2. It might be wise for webcam owners to take some tips from the gun-owner community.

        “Always treat the gun as loaded. Always keep the gun pointed in a safe direction”.

        Similarly, always treat your webcam as if it’s on.

        1.  I don’t know why people don’t click on the safety on their webcam… i.e. put a piece of tape over it.

          1. When my wife bought her laptop I asked her if she’d ever use the webcam, probably not.  Well no drivers for that then.  (She added the tape for extra security.)

          2. I’m a UX guy, so I see this as a UX problem.  If you have a hammer, everything looks like a nail, etc.

            What is the difference between users who cover their webcams and users who don’t?  IMO, the coverers are more accurately appraising the threat of the uncovered webcam and feel threatened enough to protect themselves.  I’m not saying that one group is smarter than the other or lazier or anything like that.  Superficially this looks like a user failure, but I think that users aren’t being given meaningful indicators or signs of the threat.

            If we focus on appraisal of threat, what are the factors that cause someone to feel threatened by a camera, and what are the factors that make someone less fearful or more dismissive of the threat?

            Humans use all sort of heuristics or rules of thumb to make judgments, and mostly without conscious awareness of doing so.  A little circle of glass in the top of your screen isn’t something that stands out as a threat – it isn’t jagged, large, moving, making sound, etc.  It is, by design, nondescript. Even though a user knows that it is a camera and that it takes pictures, it’s inert.  The only way of knowing whether it is active or inactive is if we are given some additional indicator, like an ON light.  

            Another heuristic involves control.  The only time that I’ve seen my webcam turn on is when I have commanded it to do so.  Pretty soon you start to believe that you are in control of its operation, since you’ve never experienced a situation where those two don’t go together.

            I don’t have a prescription for fixing this problem.  I just want people to understand that there’s more to this issue than user education or intelligence. 

          3.  wtf, dude.  All I’m advocating is a piece of scotch tape if you’re uncomfortable.  You can peel it off when you need to use the cam.

  2. This is sooo creepy!  I remember this happening to me one time, eventually I hid under the bed waiting for it to stop. It never did!

      1. They hid my start button and task bar. Kept opening and closing the CD/DVD tray and displaying these strange messages on my desktop!  I now have post it notes on my camera!

        1.  Ummm.  Wny not just:
          1) Yank the Ethernet cable…
          2) Try a system restore
          3) If that fails, wipe the system and restore user files from a backup.
          Yes, a bit of work, but it sure beats hiding under a bed!

          1. Agreed! This happened 2 years ago and I didn’t have that knowledge. Now I know, because knowledge is power!

  3. so will using an anti-virus stop this kind of thing?

    /edit: I mean what steps would you guys recommend to prevent/solve this? (inb4 buy a mac)

      1. Since you’re already brain-damaged, there’s really nothing you can do to prevent this.  

    1. Unix up whether or not it’s a mac.  There are reasons to believe Windows simply cannot be made secure and not just “security through obscurity”.  Back up your own files, preferably to an external hard drive so you can do a fresh OS reinstall if you have any reason to believe anything is screwy without losing anything.  Use a good root password and change it occasionally.  Don’t save internet form information — especially passwords — in your browser even though they so kindly offer to take care of that stuff for you.  (These last three bits apply even if you’re not ready to move on from Windows.)

      If you’re not already a techie/power user then that would probably be a good start.  There’s a lot of stuff you can do in unix-likes to flag user behavior that doesn’t look like your own (and thus is probably someone trying to crack your machine remotely) but it takes some know-how.

      edit: fuzzyfuzzyfungus basically made the same reply to ethicalcannibal a few comments down but in much more detail. Very worth reading.

      1.  Thanks for the tips for users who are not techies. Any time I ask how to protect myself I either get unintelligible (to me) instructions or get put down for not being as tech-savvy as others. Also, I’d be embarrassed if I had to buy one of those ‘For Dummies” books.

    2. One suggestion that someone else made in an earlier thread a while ago that I think is quite practical is this: disable your laptop (or desktop’s) built-in webcam in the BIOS, so that your operating system doesn’t even know it’s there. (You can then go ahead and cover the lens with a piece of black electrical tape if you want to go full paranoid.)

      Then, if a webcam is still a must for you, purchase an external USB-connected one so that when you’re not using the webcam, you can (a) angle the camera away from you [an okay solution], or (b) drape or otherwise cover the camera and microphone with a black cloth [better], or (c) unplug the camera from the USB connection [best].

      The reason an external webcam works better for this situation rather than a built-in one is the ease of disabling and enabling it.

      1. A built-in one cannot be angled away from you, as most of them are embedded in the monitor. 

      2. Nor can a built-in one be draped or otherwise quickly covered with an easily removable cover without usually affecting your visibility of your monitor (I prefer draping rather than taping over your webcam because with sticky tape it’s a nuisance to remove and reapply it, and sooner than later you’ll have to clean the glue’s film from off of your webcam lens.)

      3. And to software disable a built-in one, you’ll either have to reboot to get to the BIOS, or go into Windows device management and disable the device (which is a step that’s easily reversible by someone who already has remote administrative access to your machine.)

      1. Also the external ones are typically higher resolution and you can put them at a better angle so you don’t look like a double chin monster.

  4. Most computer security features were thrown out in the 80s and 90s to get cheap mass produced computers sitting on people’s desks.  Memory used to be protected at the hardware level but that was an expense so the Wintel duopoly just got rid of memory protection.  Later it was feebly put back in in software: which runs in memory LOL!  Operating systems (eg. VMS) used to have fantastic security but that wasn’t “Ad friendly” so MicroSoft just got rid of security: it wouldn’t have fitted in the desktops of the day with all the rest of the bloatware anyway.  Security was originally not a design criterion for UNIX either.

    So now your computer does things without your knowledge or consent: partially through negligence and partially by design.

  5. So often, peeping toms end up in a downward spiral of compulsive low level crime. They literally end up living in their parent’s basement because they have a bunch of arrests and complaints against them. 

  6. This thing reads so perfectly creepy that I just want it to be fabricated/embellished. In fact, in order to continue living as a productive member of society, I think I will have to believe that it is. :(

    1. I’m being honest here, not flippant, so please take this as sincere advice:

      If you have to ask, your best bet is probably reinstalling your OS from known-good media. It’s tedious; but far more effective per unit knowledge than any attempt at more sophisticated hunting. Take off and nuke the site from orbit and all that.

       If the attacker screws up, they may use an outdated control program that hasn’t been properly tested against your AV software, or they might trip up on a physical webcam LED indicator(and if you do see something like the webcam LED thing, assume the worst Right Now). If you care about your data, you should have backups in place to allow this anyway(in case your HDD dies or such); but it is also among the more reliable ways of cleaning a system.

      Any attempt to clean an infected, or possibly infected, system from within that system is analogous to trying to determine if one of your spies is actually a double agent by asking him questions: not impossible; but neither easy nor especially reliable.

      If you are inclined to a less fatalistic view, your best bet is probably at the network level. The easiest, and most basic, tool would be a firewall that watches for, and reports, outbound traffic. ‘Little Snitch’ is the big name on OSX, not sure on Windows.

      Safer(because it’s essentially impossible for an attacker to disable); but more of a nuisance is a monitoring system running on a different host than the one being monitored. For 10/100 ethernet, a simple passive tap can allow a monitoring host(running Snort or similar) to completely silently watch all incoming and outgoing traffic from your computer. That doesn’t work on GbE, so you’d have to use a switch with port mirroring or a monitoring host using active passthrough.

      On the host side, something like tripwire is also very useful, since it allows you to detect changes in state on your filesystem. Unfortunately, common desktop use cases often generate huge amounts of legitimate state churn, making this a bit less useful than it would be on, say, a fairly stable webserver or other single-purpose box.

      Further inconvenient-but-secure measures would include things like using a liveCD environment to perform banking and other secure operations(so that even if your persistent OS has a keylogger, that OS will be fully out of the picture and you’ll start with a known-clean environment. Pain in the ass; but still.

      Performing potentially risky operations inside throwaway VMs, or using a fully airgapped system for high-risk operations like storing salacious pictures is also a huge nuisance; but makes things harder.

      1. Thank you for the reply. I appreciate the approach you took. I’m not computer savvy enough to do more than nuke and burn my OS. I hadn’t thought about it, but even if you told me how to detect anything today, two weeks from now when they update their methods, I’d be helpless WITH a false sense of security. 

        Sounds like it’s just another reason to back up my data a lot. 

        I do have a question. If you use something like Mac’s time machine, won’t that just reinstall all your spy’s crap all over again? With only a short blip in service, as you reinstall? Or would it be better to pick and choose your files off of there, leaving the bulk of the OS behind? 

        1. I don’t know the details of how Time Machine works, or how granular you can be in setting exclusions; but a backup that is capable of restoring your entire system will likely include the malware(this is why so much of the Windows malware would embed itself quite merrily in the ‘System Restore’ feature, so any attempt to roll back would be useless).

          A backup that does not include executable files(and, ideally, specifically excludes things like login hooks, which are all kinds of potentially dangerous despite looking pretty mundane) is less dangerous.

          You still have to worry about booby-trapped files(the classic ‘bugged flash object embedded in a Word or Excel document’ is a nasty one); and there have even been exploits against (seemingly) safe formats like TIFF images; but a backup consisting of ‘all my movies, music, pictures, and documents’ is still safer than a full-system backup.

        2.  I am not an IT person…..

          Mac’s Time Machine hangs onto as many prior backups as space allows.  You can perform a restore from a time prior to the problem — if you know when it is — and/or restore just docs, photos, etc.

          “Sounds like it’s just another reason to back up my data a lot.”

          OMG….please tell me your Time Machine is backing up to an external drive!!

          1. Yes, absolutely a separate drive. I backup between once a week to once a month. Depending on how lazy I am. 

          2. Set Time Machine to do it every few hours, or at least every day.  You don’t have to do it manually.

        1. Which is why the indicator LED shouldn’t be software-controllable.  It should have a discrete controller that detects current flow and activates for some minimum period of time.

          It’s not foolproof, but it would require physical access to the machine to disable or modify.

  7. One guy says “I’ve had that a couple of times, it just makes me giggle, especially if it’s someone with an uber-weird-nasty habit.”
    Seems like they think their own habit is not weird or nasty, just perfectly normal. I always wondered how would it feel like to turn the tables around a bit. If someone providing those tools actually put a back-door to spy on these pervs. And then blackmail them. Probably they would think “Why me? I was just joking, wasn’t being serious.” 

    1. People who lack empathy really think that all of their own characteristics are human and unique and awesome while other people are just gross and/or disposable accessories.

  8. Perhaps someone should create a suite of tools to track down and stop abuse of remote administration tools. It could be named Kill Access Tools Suite (or KATS).

    Seriously though, shouldn’t there be some software solution to help targeted users?

  9. I was considering giving my laptop to my mom once I put a new computer together, but now this worries me, because she’s an avid “cut animal video” clicker and loves to shop online.

    If I understand this correctly, someone potentially could use these programs to turn on remote access to the computer when I have turned it off? Also, could a hardwired wi-fi access toggle switch be compromised (as I suspect it is still ultimately controlled by the operating system)?

    1. There is such a thing as wake on LAN, which is designed to allow you to turn a computer on remotely by sending a special packet at it. Thankfully, it usually requires some kind of sacrifice to the Elder Gods if you want it to work, so I wouldn’t be too concerned about that. You can also check if it’s enabled in the BIOS. It’ll be called Wake-On-LAN or WOL or something similar.

      1. Not a major concern on consumer systems; but may the gods of a dozen dead pantheons save you if a black hat were able to provision a recent Intel AMT module out from under you, though…

        As for the wifi switch, it generally isn’t a true hard switch(there is often a BIOS option to enable or disable it from having any effect); but whether it is a mere cosmetic convenience that the OS can override at any time, or whether it yanks power to the RF side at a firmware level seems to vary by vendor and phase of moon.

        1.  I wouldnt be surprised if the black hats already have built the profile for each individual to build there own unique modile

      1.  No way in hell.

        She’s allowed to use mine here at home, but still avoids it. Hardly even touches the Kindle she was given. I think she’d rather use the one at work because it’s right there in front of her.

        Also, the word “maintenance” doesn’t exist in her vocabulary. She knows how to use a computer, drive a car, or use a cellphone, but don’t ask her to look under the hood.

  10. “Everything we do today involves computers and everything we do tomorrow will require computers.”

    Call me a Luddite, but I disagree.  I’ve become weirdly nostalgic for the days before constant online connectivity.  People take vacations from their computers, I can envision taking a permanent vacation from them if need be.

    Food, clothing and shelter.  It’s all we really need.

  11. “Always thought it was some kind of wierd sick fetish because i enjoy messing with my girl slaves.”
    It is.

      1. Ugh, THAT is a bad movie — this one could be more elaborated. First thing in my mind, is what if one of these guys sees a crime? That’s cliché, but could be well developed. Instead of going to the police (for many reasons, one being these guys are not the good guys and I wouldn’t want to see any kind of redemption in their acts…). Maybe he tracks the killer down and messes with the killers head. Still needs a hero somewhere.
        I see an Oscar in the future. The Mayer type. Sausage anyone?

  12. It’s articles like these that make me appreciate that the Internet’s ability to connect us with the entire world is very much a two-edged sword.  Pre-internet, many people were protected from somewhat sociopathic 14-year-olds (either physically or emotionally) by the simple expedient of lack of physical proximity.

    Now, as many people (especially the elderly) are finding to their displeasure, they’re living next door to the entire world, which also includes criminals who have very little compulsion about exploiting them in almost perfect safety for everything they can get away with.  A rather big shock for those used to living a fairly comfortable, safe, middle-class existence.

    1. At least for old people, phone-based hucksters and TV or radio televangelists arguably had them covered back when Arpanet was still something that you needed to live in academia to know about.

      The internet has certainly upped the game; but its real innovation seems to be bringing non-commercial sociopaths to the mix. Phone scamming is a lousy job, unless it pays really well, and Ma Bell doesn’t give those minutes away, so that keeps the people not running a profitable con (mostly) out of the picture.

      The internet, though, brings out the defective personalities who are willing to put a significant amount of effort into being awful people without any explicit payoff…

  13. Long past time to require built-in cameras on monitors and laptops to have a manual shutter to close them.

    If yours lacks one and most do, a sticky tab like those used to flag a page in a book will do nicely and the greatest hacker in the world can’t do squat about it.

  14. It sounds like most of these hack exploits are due to security problems in Windows. Wouldn’t the best solution to be to switch to something like Ubuntu? It wouldn’t be a guarantee of protection, but would cut out a lot of the security risks.

    The tape solution isn’t really a solution. Yes, it will stop them from seeing you, but if they can control your webcam they already have access to your computer files. It’s like:

    “Hahaha you can’t see me now, hacker.”
    “Yes, but I have stolen all your passwords and usernames, oh and that nude picture of your wife in the folder you thought was hidden.”

  15. Memmmmorieeeeees.  First year at uni, 1998, living in the dorms.  The fun we had with Back Orifice.  Oh man.  

    Of course, none of us had webcams or microphones.  I don’t think we really grokked the power and possibilities that this tool afforded us.  It never occurred to us, for example, to infect people who didn’t live on our rez floor.  After all, why would you bother opening and closing someone’s CD-ROM drive if you weren’t close enough to hear them yell profanity at you?  Such a simple time.

  16. A few years ago, I ran a scan and found files from a Windows exploit on my computer.  It was my first malware infection ever.  Seriously. 

    Fortunately, the exploit was for Win XP, and the computer was running Win98 at the time.  “Keep your system fully updated” isn’t always the best advice. :)

    Today that computer runs Linux.  I suppose that someday the “minority OS” strategy won’t work any more, but Linux is likely to remain relatively secure as long as (1) it’s open source, and (2) there are many more millions of easily cracked computers running Windows.  Thank you Bill Gates!

    Maybe I’m naive, but it seems to me that that one way you can help older or less sophisticated friends and relatives is to give them, or sell them very cheaply, what they need to be reasonably secure.  Buy an old IBM or Toshiba P3 or P4 laptop (no built in webcam) cheaply on eBay, re-cell the battery (check Youtube for help), drop in a new disk drive for stability and speed, load a copy of Linux Lite or Puppy, tweak a few settings, maybe add ClamAV, and hand it to your friend.  You might have to spend an evening showing him or her the slight differences.

    If your relative or friend really needs Windows programs, have a look at Wine.  It’s improved by leaps and bounds in the last year or two.  Be careful what you load and how you load it, of course.  Programs that need security risks like IE should be loaded in their own Wine prefixes. 

    I’m not a security expert, but it seems to me that you’re pretty safe if you set up risky programs to start with shell scripts that shut down the WiFi, or simply redirect everything to as long as those programs are loaded.  Don’t load Java at all unless programs need it, and in that case, make sure it’s disabled in the browser.  Noscript is a good idea, but can be annoying to unsophisticated users.

    Some folks will say “my MIL would never use Linux,” but I’ve been surprised at how easily low-power users who do mostly email and web browsing can be switched from Windows to a thoughtfully configured Linux system.

Comments are closed.