Tips for Sniffing Out the Blackshades RAT

Last week, one of the most aggressive international cybercrime crackdowns was conducted by law enforcement officials in over a dozen countries that snared more than 90 people.

The Blackshades Remote Access Tool or RAT was a $40 piece of software that the FBI estimates infected over 700,000 computers worldwide, many of them in the U.S.

Blackshades is one of the many malicious tools which target Internet connected computers that even a novice can use and once installed, allows a remote user total control of your system.

The high-profile ‘sextortion’ case of Miss Teen USA, Cassidy Wolf, who was a victim of the Blackshades RAT, brought this particular underworld tool to the public’s attention, but there are many more.

Wolf was sent an anonymous extortion e-mail message that threatened to post nude images of her that were captured from her webcam by a remote hacker that turned out to be a former school mate.

Remote Access Tools are actually legitimate programs used by IT departments to help support users, but Blackshades had various nefarious tools built-in that allowed a remote user to record keystrokes to steal passwords, activate webcams to silently take pictures and video of victims and encrypt data files so that users would have to pay a ransom to regain access to their own files.

Blackshades uses an obfuscation technique which constantly changes its appearance to avoid detection by traditional anti-virus programs, which contributed to its worldwide usage by hackers.

Typically, the attack vector was a cleverly crafted e-mail scam or a cleverly disguised link on social media that convinced victims to allow the program to be installed without their knowledge.

Even though most everyone is well aware of the dangers of opening file attachments in e-mail messages, the crafty social engineering tactics by hackers continue to fool people into a false sense of security.

RAT’s can make their way into your computer from e-mail scams, drive-by downloads that exploit computers that don’t have the latest updates or as a hidden program in what appears to be a legitimate download.

The possible indicators of an infection by Blackshades or any other RAT according to the FBI can vary widely, but some of them include:

• Webcam indicator lights that randomly turn on when you aren’t using the webcam
• Mouse cursors that move erratically by themselves
• A display that suddenly goes dark by itself while you are using it
• Text-based chat windows that appear unexpectedly
• Inaccessible computer files that ask for an encryption key

If you’re comfortable under the hood, another step is to examine the Windows Registry for an unusual entry that contains a random string of letters and numbers that include the subkey of ‘SrvID’.

If your computer is running slow, takes forever to start up or seems really sluggish when you try to begin surfing the web, these are all indications that things are not as they should be.

Slow or unusual performance is not a certain indication of infection, but is always an indication that something is not right, so don’t ignore these symptoms.