[FAQ] RATs - What you NEED to know.

Tutorials and guides for Plazma Burst and community features.


Postby ZapruderFilm » 18 February 2017, 20:47

CTRL+F's:
What is a RAT?
What does RAT stand for?
What will happen if I am infected by a RAT/Ratted?
What are key indicators I have been ratted?
How does a RAT work?
Alright, well what are the capabilities of an ill-willed RAT?
What do I need to know to protect myself?
What should I do if I receive a file I think could be a RAT?
Why should I upload it to virustotal, as opposed to just not opening the file and deleting it?
What if the file comes back clean, but I'm still not sure?
What are common schemes/lies people will use to convince a person to run/open a piece of malware?
Why don't I just use antivirus?
What should I do if I am RATted?
What's the first thing we should do when we think we've run a RAT?
Should I be afraid or scared? I did not know malware has so much potential.

The use of RATs has become more prominent in PB2, with over 4 users in memory who have infected innocent users.

I have long thought about creating this thread. Really, I was going to make it ages ago. But we are treading on ice. This is a thread about a very scary thing, the use of remote access trojans (RATs). I don't want to scare anyone, but there are things you need to know about this.

Alright, regular thread format, let's get started.

What is a RAT?

A RAT is essentially software designed to monitor and control computers. Not all RATs are malicious. TeamViewer is a RAT, but a completely good tool to use while helping with PCs; it does not force its way onto the computer and can be removed at will.

What does RAT stand for?

There's more than one thing it stands for, but they all mean the same thing, except that a non-malicious RAT is not considered a trojan. Here are some of them.
Remote Access Trojan
Remote Administrator Tool
Remote Administrator Trojan
Remote Agent Tool


What will happen if I am infected by a RAT/Ratted?

The RAT will sometimes disappear and the file is removed, but the RAT reinstalls itself elsewhere. This is one of the most obvious indicators you have been infected. Other things that can happen are that random accounts will be hacked, weird notifications about foreign logins, and financial fraud.

What are key indicators I have been ratted?

RATs are not easy to notice, but these are signs you might have an issue:

1. Screen turning off randomly
2. Mouse switches doing the wrong thing, screen being controlled.
3. Mouse is in a different location than what you left it at.
4. Computer doesn't sleep or lags often.
5. Random insulting error messages
6. Webcam light randomly coming on.
7. Chatbox popping up
8. Someone having a ton of weird info about you.
9. You find your account was used to spam odd links various places.


How does a RAT work?

I am going to go over this briefly. I am deliberately leaving out vital information to prevent informing the wrong people about this.

It starts on a controller computer. This is known as the host, controller, hub, etc. Exactly like a botnet, if you have read my CyberSecurity Glossary.

This computer has a program on it that can generate the RAT stub, or the virus itself. It's just a file with no logo; the file type can vary from .exe to .jar to .bat to .vbs and many other things (more on this later). This is the malware that is run to gain control of the slaves/clients/bots (essentially the infected people's computers).

After this piece of malware is run on someone's computer, that computer is suddenly listed on the controller computer's control panel.

This is where the RAT can be used to control and manipulate and steal and stalk a person.

Should the infected person turn their computer off or remove the virus, the computer will be listed as offline, and no information can be gained, although any information stolen on startup or while the virus had a live connection can still be browsed or viewed, so long as it was moved to the host computer.


Alright, well what are the capabilities of an ill-willed RAT?

RATs are something I am heavily against, but in the past I have used them. Here are some things I was able to get a RAT I used in the past to do.


On the first run/execution:


1. Force itself to start every time the computer starts up. Establish several backup methods of starting in case one gets deleted. Establish several backup connections in case the controller computer lost connection to the infected individual. This was done through websites such as Pastebin. My RAT would visit a Pastebin page and check it for encoded instructions if it could not connect to the controller computer.
2. Immediately grab all browser saved passwords. This worked on every available mainstream browser, including but not limited to Google Chrome, Internet Explorer, Edge, Opera, and Firefox.
3. Immediately begin keylogging every single computer button press, window and task history, and the time stamps of all of these. These files were stored locally on the infected individual's computer to prevent the files from taking up space on the controller computer, but upon request were easily downloaded/emailed to the controller.
4. Grabbed every email stored on the computer using outlook or any other local email program. Sent to the controller computer.
5. Immediately searched every single file for any word I picked. This feature is commonly used for words like 'password', 'tax', 'taxes', 'credit', 'W2', and things such as this.
6. Download and install other malware to make sure if the PC deletes the RAT, I can use other malware to reinstall it.
7. Use the computer's CPU to mine cryptocurrencies. This was a very complex feature because I could tell it to only do it when the computer hadn't been used in x amount of time, making it very hard to notice.
8. If the infected individual had a mainstream torrent program such as uTorrent, I could secretly 'seed' downloads without the user knowing. This seems insignificant, but let's say I make a download on uTorrent of the movie 'Up', then corrupt the file and put a readme.txt in the download saying that if the movie doesn't work, to run the Video Media player updater in the download. Then I can put malware in the movie and use the people who fall for it to seed more downloads.


While the malware has a live connection to the controlling computer:

1. The bot's computer can be controlled. This can be done invisibly by creating a Remote Desktop Protocol in the background, or where the infected person can see it, by controlling their mouse and keyboard.
2. The bot's webcam and microphone can be viewed live and/or recorded.
3. The bot's PC can be utilized to silently visit websites automatically to generate Pay Per Click traffic or any sort of ad revenue.
4. You can upload and download files to the bot's PC live.
5. You can remotely execute files on the bot's PC.
6. You can leech and utilize the bot's internet connection to conduct Denial of Service or Distributed Denial of Service attacks (DoS and DDoS).
7. You can open and close the disk drive, shut down or restart the computer.
8. You can make a live chat client or a message appear on the infected individual's screen.
9. There are a lot more, but these are the scariest things.


What do I need to know to protect myself?

This is the most important part. Common sense is the best form of protection. Well, you already know a bit of it. RATs are typically .jar, .exe, .bat, .vbs, .doc, or .pdf files. If someone sends you one of these, it's possible you are a target!

What should I do if I receive a file I think could be a RAT?

First things first, upload it to http://virustotal.com/ . This will tell you if antivirus detects it. As long as you do not OPEN the file, you will not be infected. This means you can have a RAT on your PC and not be infected, allowing you to upload it to VirusTotal.

Why should I upload it to virustotal, as opposed to just not opening the file and deleting it?

There's a lot of reasons for this.

1. If you upload to virustotal, it's possible the scan will come back obviously infected, and then you know that the person is trying to infect you, and not to trust them.
2. If you upload a file to virustotal, it will distribute the virus to antivirus companies to pull it apart and then make it more easily detected by their software. This means you're making it harder for the person to RAT yourself and others.
3. That way, if the file comes back 100% clean, you can know it is possibly safe to run.


What if the file comes back clean, but I'm still not sure?

You have options. I want to be clear: if you ever have a suspicion you have been infected and I am available, I will personally support you and analyze and help remove the threat. If I'm not around, then I recommend uploading the file to https://www.hybrid-analysis.com/ and sending me the scan. I can almost immediately tell you if the file is malware. Do not try to read the scan yourself without research, as it has odd indicators sometimes. Also, Hybrid Analysis will automatically upload the file to VirusTotal for you unless you do not select the 'share this sample with the community?' option.

What are common schemes/lies people will use to convince a person to run/open a piece of malware?

1. Any YouTube video claiming to have cracks/cheats.
2. Any sort of game cash generator.
3. A 'video game' or 'code' someone wrote and needs to test out.
4. Video game mods as odd file types.
5. Just saying 'open this, it's funny'.
6. Claiming it makes you money.
7. Claiming that the file isn't working on his/her own PC and to try it to help them.
8. Sending files over Discord or Skype where there is no preview/you need to download it.
9. An .exe cleverly disguised as a zipped file so you double click it to unzip it.
10. A .pdf or Word macro, meaning the Word document is large but doesn't contain much text/it claims to be encrypted and you need to disable macros to view it.
11. Claiming it's a program you need, like a hacking program you wanted to try or such.
12. Any sort of aimbot or bot.
13. Claiming it's a driver update or it will fix something on your PC.
14. Telling you it's an antivirus.
15. Putting it with another file you were looking for and saying 'if the file doesn't work, please open this!'


Why don't I just use antivirus?

I actually recommend everyone use antivirus. If you have no money, try Avast! at https://www.avast.com/en-us/index . If you have a few bucks to spend, by far the best antivirus out right now is ESET NOD-32, because it detects new RATs and malware the quickest. Here's the cheapest place I found for licenses: https://www.g2a.com/eset-nod32-smart-se ... lobal.html BUT antivirus is not nearly as good as a brain, and you should definitely use the utmost caution when dealing with suspicious things. Why? Here is a post I made some time back proving how easy it is to bypass antivirus with malware: Actually, I couldn't find it, so here are some scans I did with malware, reducing the detection simply with a program and changing the icon of the malware:

Before: [scan image]

After: [scan image]

What should I do if I am RATted?

If your antivirus does not detect it and you are too late (you ran a deadly RAT), then you have a few options. I recommend contacting me. I promise I will be patient and help you through it step by step, and help report the person who did it if we can figure it out.

I'm currently inactive and can't be contacted? No worries!

There are plenty of forums that will help you remove it. I personally recommend the forum listed here:
https://www.bleepingcomputer.com/forums/f/79/security/

You don't want to register? That's fine, I recommend following these instructions:
Looking through this website, running Hitman, Malwarebytes, and any of the other tools that look like they could help.
https://www.bleepingcomputer.com/downlo ... /security/

And here are some nice instructions to generally clean your pc and a good start if you decide to go on a forum.

But always, I recommend the forum or me before bothering with trying to solve it yourself. Let the malware eaters have breakfast.

Please read these before we start with the procedures,
  • Please do not follow any other instructions other than mine, as they can cause conflict between my fixes.
  • Please be patient, as you can see I have other people to assist.
  • Please consider backing up any important files in case (usually I will create System Restore Points if needed).
  • Please read the instructions carefully, as it can help a lot.
  • Do not log in to valuable sites such as banking etc. It is important that you do the instructions in order (up to down).

  • Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Download this here AdwCleaner
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review in pastebin.com and paste link in next reply.
  • If you're ready to clean it all up, click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply. A copy of that logfile will also be saved in the C:\AdwCleaner folder.

  • Please download RogueKiller and save the file to your Desktop.
  • Right-Click RogueKiller.exe and select Run as Administrator
  • Click Scan. Do not use the computer during the scan. A log will be created and saved to the root directory. Paste the file contents to pastebin.com and post the link in your next reply.



What's the first thing we should do when we think we've run a RAT?

Disconnect your internet. A RAT can't do anything if it can't connect to a host. Then do research on a phone or a different PC and try to get it removed. But sometimes you can't do that, and you just have to cover up your webcam and try to get it removed while online.

Should I be afraid or scared? I did not know malware has so much potential.

If you have read even half of this post, you are absolutely fine. Go on with your life more wary and more secure, friend.
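As an added example (not code from the original post), here is a small Python triage script for the "don't open it, check it first" advice above: it hashes a received file so it can be looked up on VirusTotal by SHA-256 without ever running it, sniffs the real content type from the first bytes, and flags the double-extension and ".exe disguised as a zip" tricks from the list of lures. The extension-to-content map and the sample file names are my own assumptions.

```python
import hashlib
import os

# Magic bytes for the file types the post warns about. The extension-to-content
# map below is an assumption about what each extension should legitimately hold.
MAGIC = {
    b"MZ": "pe",                 # Windows .exe/.scr/.dll
    b"PK\x03\x04": "zip",        # .zip, .jar and .docx are all ZIP containers
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole",  # legacy .doc/.xls, the format that carries VBA macros
}
EXPECTED = {
    ".exe": "pe", ".scr": "pe", ".zip": "zip", ".jar": "zip",
    ".docx": "zip", ".pdf": "pdf", ".doc": "ole",
}
# Types that execute code or can carry macros when opened.
RISKY = {".exe", ".scr", ".jar", ".bat", ".vbs", ".js", ".doc", ".docm"}
# Harmless-looking extensions a lure hides in front of the real one
# ("up.mp4.exe" displays as "up.mp4" when Windows hides known extensions).
DECOY = {".pdf", ".zip", ".mp4", ".jpg", ".png", ".txt", ".doc"}


def sniff(data: bytes) -> str:
    """Identify the real content type from the leading bytes, never by opening it."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(name: str, data: bytes) -> dict:
    """Examine a received file without executing it.

    Returns the SHA-256 (for a VirusTotal hash lookup), the sniffed content
    type, and a list of warnings about extension tricks.
    """
    root, ext = os.path.splitext(name.lower())
    actual = sniff(data)
    warnings = []
    if os.path.splitext(root)[1] in DECOY:
        warnings.append("double extension")
    if ext in RISKY:
        warnings.append("executable or macro-capable type")
    if ext in EXPECTED and actual != "unknown" and EXPECTED[ext] != actual:
        warnings.append(f"extension says {EXPECTED[ext]} but content is {actual}")
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "content": actual,
        "warnings": warnings,
    }


def triage_path(path: str) -> dict:
    """Read a file from disk (bytes only, nothing is run) and triage it."""
    with open(path, "rb") as f:
        return triage(os.path.basename(path), f.read())


if __name__ == "__main__":
    # Constructed samples standing in for files a player might be sent.
    samples = {
        "pb2_cash_generator.zip": b"MZ\x90\x00" + b"\x00" * 60,  # .exe with a zip name
        "up_movie.mp4.exe": b"MZ\x90\x00" + b"\x00" * 60,        # double extension
        "notes.pdf": b"%PDF-1.4\n%constructed sample\n",         # what it claims to be
    }
    for name, data in samples.items():
        r = triage(name, data)
        print(f"{name}: {r['content']}, {r['warnings'] or 'no warnings'}, "
              f"sha256={r['sha256'][:16]}...")
```

A clean result here only means the file is what it claims to be; the hash still goes to VirusTotal, and the file stays unopened until the scan comes back.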

Postby KARL SERG » 18 February 2017, 20:58

Why do you share this information with us?

Don't get me wrong, we are more safe by knowing this and that is a good thing for us... but wouldn't it be more advantageous to People like yourself for us NOT to know this?

Postby Terror Only » 18 February 2017, 21:11

KARL SERG wrote:Why do you share this information with us?

Don't get me wrong, we are more safe by knowing this and that is a good thing for us... but wouldn't it be more advantageous to People like yourself for us NOT to know this?

... eh what...

thanks for info zapruder. this is very helpful

Postby ZapruderFilm » 18 February 2017, 21:17

KARL SERG wrote:Why do you share this information with us?

Don't get me wrong, we are more safe by knowing this and that is a good thing for us... but wouldn't it be more advantageous to People like yourself for us NOT to know this?


If you're referring to my history and use of malware, I no longer support malware use, and actually fight against malware use, as I have for a very long time now.

Personally now I only own malware for analysis and testing, and using on computers I already own.

If you aren't referring to my history of malware use, how in any way would it benefit me for you to not know any of this?

Postby KARL SERG » 18 February 2017, 22:43

ZapruderFilm wrote:
KARL SERG wrote:Why do you share this information with us?

Don't get me wrong, we are more safe by knowing this and that is a good thing for us... but wouldn't it be more advantageous to People like yourself for us NOT to know this?


If you're referring to my history and use of malware, I no longer support malware use, and actually fight against malware use, as I have for a very long time now.

Personally now I only own malware for analysis and testing, and using on computers I already own.

If you aren't referring to my history of malware use, how in any way would it benefit me for you to not know any of this?


Yes, but are you giving us this information because you are a Person who thinks about others or you have another reason? I am asking because it is simpler not to help others than to do so.

Postby ZapruderFilm » 18 February 2017, 23:31

I am sharing this information because I am the first person people will go to if they have a virus, and if they read this then maybe they will never need my help. Also I will be leaving for 30 weeks soon and won't be available to help. Do you have an issue with the post? What possible ulterior motives could I possibly have?

Postby KARL SERG » 19 February 2017, 12:41

ZapruderFilm wrote:I am sharing this information because I am the first person people will go to if they have a virus, and if they read this then maybe they will never need my help. Also I will be leaving for 30 weeks soon and won't be available to help. Do you have an issue with the post? What possible ulterior motives could I possibly have?


The Post is fine. I just wouldn't think there are People willing to give information without benefiting from that, but I was wrong.

Sorry, I just thought you might have had an interest (not because you have a past or anything, but because that is how other People are).

Postby chrissty33 » 20 February 2017, 01:39

Useful information, especially for someone such as myself who while knows a little about this subject, isn't the most tech savvy.

Postby ZapruderFilm » 20 February 2017, 04:09

chrissty33 wrote:Useful information, especially for someone such as myself who while knows a little about this subject, isn't the most tech savvy.

If you actually got through it without getting incredibly bored or found yourself skimming, I would definitely recommend you check out my other threads in this section :)