-Mouse/cursor moving without any input from the mouse
-Slow computer speed (web and offline)
-Losing accounts, mostly these:
  -Games (especially RuneScape, MapleStory, etc.)
  -Facebook (when you have many friends)
  -PayPal accounts/credit cards (if you're losing these, the hacker is either an idiot or knows his stuff)
-Webcam turning on/off
-Removal of programs without the victim's consent
  -Usually AVs and anti-malware programs
What a hacker with a RAT wants:
Money
This is almost always the case, or the hacker wouldn't have gone to the trouble of building/crypting/binding the RAT, unless it's a personal attack.
Hackers will look for game accounts to sell, credit cards and PayPal accounts for obvious reasons, etc.
Ways to combat this:
KeyScramblers
(This is for combating the keyloggers that are built into RATs.)
Don't click "remember password" anywhere.
(RATs can send these *saved* passwords directly to the hacker.)
RAT Control Info
Cursor Moving:
Non-RAT:
Although this is a very obvious symptom of RATs, it may also be that your touchpad driver or video drivers are having issues. You may want to either reload them or scan them for missing values. Or it may just be that your mouse is dirty around the rollers; this can cause the mouse to move on its own as well. Optical mice will also do this if the pad they use has reflective properties (e.g. metal, glass, etc.). Lastly, your mouse may just be old.
NOTE: A usual symptom of NON-RAT self cursor movement is that it will always move to the top left of the screen, or to the top and then slide to the left. If you are experiencing the cursor moving to the same place every time, then it is most likely not a RAT.
Solutions:
-Fix/Reload Drivers
-Clean Mouse
-Switch Pad/Surface
-Buy a new mouse (last resort)
Definite RAT Infection:
If your cursor is moving & clicking, it is a RAT. If your cursor closes AV warnings, error pop-ups, or permission pop-ups, then it's most likely a RAT or, less likely, a script virus.
Solutions:
-Get an AV if you don't have one
-IMO the best free ones:
-Avira
-Avast
(Usually the AV will NOT detect the RAT if it's crypted, but an AV is still useful. If the AV does detect it, then delete it.)
-Download ATF Cleaner or CCleaner (I recommend CCleaner) and clean the defaults for Registry and Temp Files
-Get MBAM and do a full scan
-Delete/quarantine everything that it says.
NOTE: If you yourself are a blackhat and have RAT/bot clients such as CyberGate/Spy-Net/Warbot, then please read what MBAM stops and cancel it if it's just your client. Also, with an AV, every time you open your client your AV will see it and try to delete it, so you will need to make an exception in your AV.
- Microsoft AntiSpyware Beta, Spyware Doctor, Ad-Aware SE, SpyHunter or eTrust PestPatrol are also good programs, as they have vast RAT databases. Harvey, I'll let you decide which one's the best, as I'm unsure.
Even after an AV has deleted the RAT, it may not have been fully removed. Use a registry cleaner and clean the registry for empty DWORD values, etc.
-ESET online scanner
-Avenger
-MBAM (as said above)
Also, please tell the victim in advance not to change any passwords or do any banking related activities on said computer until further notice.
Further RAT Control Information
4.0 - Remote Administration Trojans (RAT)
What is a Remote Administration Trojan?
A RAT, or Remote Administration/Access Trojan/Tool (otherwise known as a backdoor), is a form of malware used to gain control over someone's computer. This tool is most popular with black hats, and RATs are very common infections.
RATs are becoming extremely advanced these days, and they have the capability to completely destroy an unprotected computer. This is why it's important, as helpers, to know how to combat RATs.
RATs have features including keyloggers, the ability to steal passwords, open and close CD trays, disconnect external devices such as monitors, delete or edit files, turn on a webcam without the user knowing, edit and delete registry entries, disable security software, and much more. Basically, they're capable of doing anything - the same things you'd do as if you were sitting in a seat behind the computer.
For More Information On RATs
More information can be found on Remote Administration Trojans at these links.
Danger: Remote Access Trojans
What is Remote Access Trojan
What Is a RAT?
Remote Administration Tool
What is a Remote Access Trojan / Backdoor Software?
Remote Admin Tools
RAT: Remote Administration Trojan
QuickStudy: Remote Administration Trojans (RATs)
Remote Administration Trojans
Catching Remote Administration Trojans (RATs)
Compilation for RATs Section
HackForums RAT guide - Q&A. + Explained
4.1 - Remote Administration Trojan (RAT) Cleaning
In this section, we're going to look at the process of cleaning a system from a RAT infection. We'll look at how to identify a RAT and what distinguishes them from other infections. I'm also going to tell you about some malware scanners that are often used to clean RATs.
How To Recognize a RAT Infection
To recognize an infection, you'll need to analyze the symptoms the infected member is experiencing. With experience, you'll be able to apply your common sense and knowledge to determine, based on what has been said by the infected, whether or not the user has been infected by a RAT (or any other infection for that matter).
There are many things that you can look for to help determine whether or not you're dealing with a RAT, so I'm going to list some of them below. Before I do that, I'd like to alert you to some popular RAT names, just for quick reference.
Common RATs
Poison Ivy
Bifrost
ProRAT
Cerberus
Spy-Net
CyberGate
Turkojan
SubSeven
Albertino
Symptoms of RAT Infections
Unexplainable deletion of files.
Unexplainable editing of files.
CD Tray opening and closing, though not provoked.
Webcam randomly turning on.
Keylogging.
Cursor moving freely.
Blocked access to particular sites (usually security-based websites).
Random messages appearing.
Unknown files/documents being created.
Slow Internet speeds.
Unresponsive components (monitors being disabled).
Passwords being changed.
Please note that there are many more symptoms of RAT infection; these are just a few. It's important that you memorize these symptoms for when you're assisting members with their infections. If the infected member complains about experiencing one or several of these symptoms, you're going to have to know that it's most likely a RAT infection.
Because a RAT infection is, basically, someone controlling one's system from a remote location, common sense can tell you whether or not particular symptoms are going to be of relation to a RAT infection.
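Symptoms tell you that someone may be on the box; they do not tell you where the RAT lives. The script below is an added example for helpers (it is not part of this guide and not from any of the tools it names) that collects the two kinds of evidence a RAT has a hard time avoiding: a persistence entry (Run/RunOnce keys and scheduled tasks) and a live network session from the process that was started by it. It assumes Windows 8 / Server 2012 or newer, where Get-NetTCPConnection and Get-ScheduledTask exist, and an elevated PowerShell session; the "suspicious" heuristics (unsigned binary, user-writable folder, dangling entry) are flags for a human to review, not verdicts. It is read-only and deletes nothing.

```powershell
# Added triage example for helpers; not part of the original guide or of any tool it names.
# Assumes Windows 8 / Server 2012 or later (NetTCPIP and ScheduledTasks modules) and an
# elevated PowerShell session. Everything below only reads; cleanup stays a manual decision.

function Get-ExecutablePath {
    param([string]$Command)
    # Best effort: a quoted path, otherwise the first whitespace-delimited token.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function Get-AutorunEntries {
    # Run/RunOnce keys are the most common place a RAT stub registers itself to survive reboot.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $metaProps) { continue }   # skip PowerShell's own metadata properties
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Enabled scheduled tasks that launch a program are a second persistence channel.
    foreach ($task in (Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' })) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            [pscustomobject]@{
                Source  = "Task:$($task.TaskPath)$($task.TaskName)"
                Name    = $task.TaskName
                Command = ("$($action.Execute) $($action.Arguments)").Trim()
            }
        }
    }
}

function Test-SuspiciousAutorun {
    param([pscustomobject]$Entry)
    # Returns a list of reasons (possibly empty). Unsigned binaries in user-writable folders
    # are typical of a crypted RAT stub, but legitimate software can match too: review, don't auto-delete.
    $path = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $Entry.Command))
    $reasons = @()
    if (-not (Test-Path -LiteralPath $path)) {
        # A dangling entry is what an AV leaves behind after removing only the file (see "Cleaning").
        return @('target file missing (dangling entry, possibly a leftover from partial cleanup)')
    }
    if ($path -match '\\(AppData|Temp|ProgramData|Users\\Public)\\') {
        $reasons += 'runs from a user-writable location'
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
    return $reasons
}

function Get-RemoteConnections {
    # A RAT keeps a live channel to its controller, so an unknown process with an
    # established session to a non-local address deserves a second look.
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ProcessId = $_.OwningProcess
                Process   = if ($proc) { $proc.ProcessName } else { '?' }
                Path      = if ($proc) { $proc.Path } else { $null }   # null for protected processes
                Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
}

# --- Run the triage and print findings for the helper to cross-check against the symptoms ---
Write-Host '== Autorun entries with warning signs =='
foreach ($entry in Get-AutorunEntries) {
    $reasons = @(Test-SuspiciousAutorun -Entry $entry)
    if ($reasons.Count -gt 0) {
        Write-Host ("[{0}] {1}`n    {2}`n    -> {3}" -f $entry.Source, $entry.Name, $entry.Command, ($reasons -join '; '))
    }
}
Write-Host "`n== Established connections to non-local addresses =="
Get-RemoteConnections | Sort-Object Process | Format-Table -AutoSize
```

Run it before the scanners and again after: an autorun entry whose target file has vanished while the key survives is exactly the "not fully deleted" state described later in this guide. A RAT running as SYSTEM or with a rootkit component can hide from these listings, so an empty report is not a clean bill of health; the page's scanners (MBAM, SAS, ESET) still do the removal, and the script only tells you where to look and what to expect them to find.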
After Diagnosis - Cleaning
After you've confirmed that you're dealing with a RAT, you can go about removing it from the infected's computer. Now, there are many issues that can arise when removing RATs, and your recommendations won't always be right. This is why analyzing the symptoms is crucial.
General RAT Cleaning & Removal Tools
This section will address removing the basic, less advanced RAT. Obviously, you'll be able to get a sense of the ferocity of the infection, judging by what you've been told by the infected. If they reveal little more than the bare minimum necessary for you to deduce that they're infected by a RAT, you should do the following.
Ask the user for as much information as possible, including inquiring about all noticed symptoms. This will help you gain a better understanding of the infection.
Decide whether to offer the default removal recommendations or something more advanced. Once again, this will depend greatly on what you've been told. This is where assumptions are going to be necessary.
Default RAT Removal Instructions
The Default RAT Removal Instructions are used when dealing with a RAT, yet you don't know enough about it to offer more precise recommendations. These Instructions are as follows.
SUPERAntispyware
I like to recommend SUPERAntispyware as a default instruction for infected members. SUPERAntispyware is a tool used to target spyware (RATs) and remove them from one's system.
Malwarebytes' Anti-Malware
This tool is an anti-malware application and is used to remove all forms of malware. Though it's not specifically designed for spyware, it's still capable of finding and destroying many spyware infections. You'll find out more about MBAM, as it's commonly referred to, later on in the guide.
ESET Online Scanner
This tool is similar to MBAM and SAS in that it's a very powerful anti-malware utility, but it has its differences too.
The ESET Online Scanner is a web-based tool. It's recommended that you ask your victim to run this tool through the Internet Explorer Web Browser, as it'll require various plugins on Mozilla Firefox and on other browsers. You'll be given more information about this utility later on.
There are other tools that we can use for removing RATs, yet there really isn't a need for more than the above three. Spybot Search & Destroy is another commonly used tool for these types of infections. You'll find out about this tool later on.