RATs (Remote Access Tools)


Dean Ambrose

This post is copied from rsthrowaway99912, a Reddit user. If any moderator/admin feel that this post should be moved to Tech, then so be it.

EDIT: Moved to Tech & Computers by Lord Paul.

Copied from http://www.reddit.co...are_and_how_to/

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

HISTORY

My history with RATs is an unfortunate one. After being a victim of one myself (lost 300m), I took the terrible decision to acquire one. I had a few victims for a total of about 500m. It was a regrettable decision and a way to get back what I felt was unjustly lost. I don't have contact with the people I hacked, or honestly, I would give the money back. I've since quit runescape and gave the gold away to friends in my clan. I'm hoping this will help some avoid the same fate as me, and those I hacked.

WHAT IS A RAT?

A RAT (Remote Access Tool) is a virus that gives the hacker virtually unrestricted control of your computer. This includes (but is not limited to) screenshots, webcam, saved browser passwords, cmd prompt, keylogger, the ability to take over your screen (keyboard and mouse), shut down the computer, end processes, delete/steal files, download and execute files (can be used to add more malware), and much more.

The exact features vary depending on which RAT the hacker is using, but most of them include the basics above. Another feature some have (including mine) is a built-in Runescape pin grabber. If you are infected, the bot will take 4 screenshots, 1 for every time it recognizes you are clicking a number for your runescape pin. These screenshots are saved in a hidden folder on your computer, and sent to the hacker on their command. The hacker simply identifies the missing number from each screenshot (since hovering your mouse over the number you are about to click causes it to disappear) and has your pin.

HOW IT WORKS

The hacker uses his RAT to generate a server, which is produced as an executable ([Caution: Executable File]) file. These files are easily detected as viruses, but are then often crypted (using another program) to make them undetectable by anti-virus software. Crypters can also spoof the extension of a file to make it appear to be something like a .mp3 or .jpg (although if you select "properties" of the file it will still appear as a [Caution: Executable File]).

When a victim executes the file, they are infected and connected to the hacker's RAT.

COMMON SPREADING METHODS

Most Runescape hackers use a JDB (Java DriveBy). A JDB is a website that, when visited, will prompt you with a popup that asks for permission to "run" a plugin needed for the website. Most websites will be something along the lines of a live stream, rsps, or similar to justify the need for a Java plugin. If a victim presses run, a line of code is executed that downloads the RAT's server from a hosting website, and executes the file upon being downloaded. What's worse is that the victim does not see any of this happen, and the file does not appear in the victim's "downloads".

It's important to note that if you receive such a popup, DO NOT click ANYTHING. Use the "control+shift+escape" shortcut (ctrl+alt+delete on Windows XP) and end your browser's processes. Alternatively, power down your computer.

Other less common methods include simply getting you to download the file. This could be through YouTube videos, torrents, or SE (social engineering). NEVER download any third party programs or files from anyone.

Also, for people using epicbot or products from garyshood, both of these products are infected with RATs (although they usually only target players with very large banks).

WHAT TO DO IF YOU THINK YOU ARE INFECTED

The first indication that you might be infected is if your game crashes, or the browser/client you are playing in suddenly closes. Often, the hacker will end your Java or browser/client process to force you to log back in to the game, thus acquiring your username, password, and pin. If this happens, I would suggest doing the following:

Removing the RAT

A RAT's process will appear in your processes like any other, but can vary depending on the crypter the hacker is using. End any process you don't recognize (the one I used, which is common, gave a process of "vbc[Caution: Executable File]"). If you are not sure what a process is, google it. If you have a process for software you don't own (e.g. Adobe), remove it. This will temporarily remove you from the hacker's RAT.

Run a virus scan. Most RATs won't be detected, but there is a possibility one or two antivirus programs will be able to detect it. If your scan comes up clean, this does not necessarily mean your computer is clean!

(This is for Windows 7, may vary for other operating systems): In the start menu, type in "msconfig" and press enter. Click "startup". This lists all the programs that will start when you boot up your computer, and it is likely the RAT you are infected with will be in there somewhere. Any listing with a manufacturer of "unknown" should be treated as suspicious. The best thing to do is select "deselect all", then press apply and restart the computer. This will reduce your computer's boot-up time, and 99% of RATs will be rendered useless. Even if they are still on your computer, they will not work unless you execute the file manually.

To remove the listing from your msconfig startup list (so there is no chance of accidentally enabling it again), go to the start menu and type in "regedit" and press enter. Follow the path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig

Open all the folders that contain "startup". Delete the items you don't want to appear on the list.

Now, for removing the file itself. Most RATs will download into a hidden folder called "AppData". First, you will need to display your hidden folders. Go to Control Panel > Folder Options > View > Show hidden files and folders. Exit and go to your hard drive > Users > your account > AppData > Roaming. Delete every item that is not in a folder, or any folder that seems suspicious. If you see a loose [Caution: Executable File] file in the Roaming folder that you don't recognize, that is likely the RAT. Delete it and empty your recycle bin.

If for whatever reason you follow these steps and still think you are infected, you will need to format your hard drive. If you have a partition, use that. If not, restore your computer to its factory settings.

I hope this helps, and feel free to ask any questions. I'll try to respond to as many as possible.

PROTECTION

There are some antivirus programs (such as Bitdefender and McAfee) that offer key encryption, and will actually thwart some of the RATs' keyloggers. They are also very hard for the RAT to remove since the processes are persistent. Look into acquiring one of these.
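The manual msconfig/regedit/AppData walk-through above can be done in one read-only pass. This is an added example, not part of rsthrowaway99912's post: it assumes Windows PowerShell 5.1 or later, lists the Run keys, the msconfig "startupreg" entries, and loose executables in %APPDATA%\Roaming, and checks each binary's Authenticode signature so the "manufacturer: unknown" items stand out. It only reports; nothing is deleted.

```powershell
# Added example (not from the original post): read-only audit of the autostart
# locations and the Roaming folder the post tells you to inspect. Windows PowerShell 5.1+.

function Get-ExeFromCommand([string]$cmd) {
    # Strip surrounding quotes and arguments so we check the binary itself
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    return [Environment]::ExpandEnvironmentVariables(($cmd.Trim() -split '\s+')[0])
}

function New-Finding([string]$source, [string]$name, [string]$path) {
    # Unsigned or missing binaries are the "manufacturer: unknown" case from the post
    $status = 'FileMissing'
    if (Test-Path -LiteralPath $path) {
        $status = (Get-AuthenticodeSignature -FilePath $path).Status
    }
    [pscustomobject]@{ Source = $source; Name = $name; Path = $path; Signature = $status }
}

$findings = @()

# 1. Classic Run keys (per machine and per user)
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $findings += New-Finding $key $p.Name (Get-ExeFromCommand ([string]$p.Value))
    }
}

# 2. Entries parked by msconfig when you "deselect all" (the registry path in the post)
$msconfig = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
if (Test-Path $msconfig) {
    foreach ($sub in Get-ChildItem -Path $msconfig) {
        $cmd = (Get-ItemProperty -Path $sub.PSPath).command
        if ($cmd) { $findings += New-Finding 'msconfig/startupreg' $sub.PSChildName (Get-ExeFromCommand $cmd) }
    }
}

# 3. Loose executables dropped straight into %APPDATA% (Roaming), as the post describes
foreach ($f in Get-ChildItem -LiteralPath $env:APPDATA -File -ErrorAction SilentlyContinue) {
    if ($f.Extension -in '.exe', '.scr', '.com', '.bat', '.vbs') {
        $findings += New-Finding 'AppData\Roaming' $f.Name $f.FullName
    }
}

# Anything whose Signature is not 'Valid' deserves a look (name, publisher) before you remove it
$findings | Sort-Object Signature | Format-Table -AutoSize
```

Run it from an elevated PowerShell window so the HKLM keys are readable; a NotSigned entry is not proof of a RAT, only a reason to look the name up before deciding.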


Nice guide. The only time I got hacked many years ago was like you described. I visited a website that looked like a normal RS fansite, a pop-up asked to install a missing add-on... the rest is history. On the upside it taught me to never install add-ons when prompted.
