PSA Regarding Computer and Webcam Hacking-
*FIRST: THERE IS ABSOLUTELY NO WAY WHATSOEVER THAT A HACKER CAN BE WATCHING YOU WITHOUT YOUR WEBCAM LIGHT BEING ON*
Okay, so I came across a post today containing an article regarding RAT’s and degenerate creeps spying through the webcams of unsuspecting girls. I’m writing this post because, as an active member of the Hack Forums community [the community that unfortunately hosts the low-lives posting the images of the girls], I know how these trojans spread, how they work, and how you can try to protect yourself from them. I’ll try to keep it short and sweet, but chances are this is going to turn into a HUGE post.
[The following is an explanaition of what a RAT is, you can skip below to the bolded headline for common methods of attack, how to prevent them, and how to tell if you’re infected]
First of all, the “tool” these hackers use to gain access to your webcam is known as a “RAT”, which stands for Remote Administration Tool. These hacks are often developed by experienced hackers or software companies and advertised as a tool to remotely administer your own PC, but they know for a fact that they will be used to wreak havoc online instead, with some less powerful ones being distributed for free, while higher end versions are sold from $40 to $80, as well as the top of the line, private ones being sold for hundreds and loaded with features. These tools are very powerful, and I’ve used them myself in learning to hack - there isn’t a single thing that these tools aren’t capable of when it comes to computers. These tools are often packaged into a small, encrypted file, and spread over the internet. When your computer happens to become infected with one, the hacker will basically gain complete control over your computer, and you would be none the wiser. Not only do these tools grant the hacker access to your webcam and microphone, but they can view your screen, monitor your keystrokes [and even keep a logfile of everything you type in order to view later], access all files on your computer [as well as upload their own files onto your system], control your computer hardware [such as causing your printer to print, open your CD tray, turn off your monitor, etc], listen in through your microphone, and basically do anything that you can do physically sitting down in-front of your PC.
The file that your system is infected with is called the “server”, while the tool used to control the infected system is simply referred to as the RAT, and sometimes “Host”. The server file itself is tiny, rarely exceeding several kilobytes in size. What the server does is serve as a “hole” in your systems defenses, holding the hole open while allowing the hackers to do as they please, whenever they please.
The two most popular RATS are Dark Comet and BlackShades. The interfaces for these programs provides the hacker with a streamlined interface displaying all computers currently under their controls, complete with info such as external IP address, location, username, install-date, etc. Here is an image of the BlackShades GUI:
It is not uncommon for a hacker to have dozens [or even hundreds] of computers under their control at once.
Now, the most common methods of infections are executed either through Java Drive By’s, infected torrents or infected limewire downloads.
A Java Drive By is an attack executed by a malicious website in which the user is prompted with the usual Javascript command box, often seen on video streaming sites, asking the user if they would “like to allow javascript on this page”. We’ve all seen one of these boxes, either as a little yellow box at the top of our web-browser, or as a distinct popup like this:
These attacks are easy to prevent, given that you know what to look for.
Always check to see if the scripts signature can be verified, which is provided right on the box itself. If the box displays “This contents signature cannot be verified”, it is a good idea to NOT allow the script to run. Now, keep in mind that not every script that can’t be verified is an attack, as many small developers cannot afford to “verify” their content signatures. If the site you are on is one you know and trust, and the signature cannot be verified, then you are likely in the clear, just be sure to double-check the web-address to be 100% sure you’re actually on the site you intended to visit, and not a lookalike out to infect your system.
Clicking “Run” on a Java Drive By will discretely download the RAT’s server onto your computer and embed itself in your computers registry, which basically keeps it on your computer and makes it very difficult to clean up.
Another common method is through a user-initiated infect download. You know those torrents of new music albums that are uploaded two weeks before the actual album is released, and you download it, only to realize that it’s a fake? Chances are that your download was infected, as rats can be hidden within or disguised as a plethora of file types, from images to MP3’s. Although there is no easy way to spot an infected file [an actual audio or picture file can be infected and still show up as a .jpg or .mp3], most hackers are lazy and only “hide” the extension, but when right-clicking and viewing the file properties, if you notice that what is supposed to be a music file ends with .exe, .bat, or any other extension that is obviously NOT a music file, do not open it.
Hackers also like to exploit Youtube, maybe through a seemingly legitimate tutorial about how to obtain a free version of photoshop, or how to crack a downloaded version, and they’ll provide links to the “crack” in their descriptions. These files are often infected, so always be sure to check the comments, as well as the uploader’s page and try to gauge for yourself whether or not it seems legitimate [hint: they rarely are].
There are many other methods of attack, but these are the absolute most common and overlooked.
Now, antivirus software can be helpful in stopping some attacks, but any hacker worth a dime will know how to constantly bypass these antivirus programs, because unfortunately, it’s actually a very easy process [you can even pay a meager $5 to have a professional hacker “hide” your server]. That doesn’t mean you should skip out on antivirus, but it just means that you shouldn’t rely on your antivirus alone. The way security software functions is all retroactive - they’re ineffective against any virus or trojan unless it has been caught and documented before. That means if I decide to go and throw together a rat in 30 minutes, Norton won’t be able to detect it, because it wouldn’t be one that’s been “analyzed” before.
Those of you running on the Mac operating system are safe, as these trojans were all developed specifically for the Windows platform, and Macs [so far] as practically incapable of being infected due to the unique filesystem that apple uses in their operating system.
Now, if you’re infected, it can be very difficult to tell. First and foremost:
There is absolutely no way for a hacker to watch you through your webcam without your webcam light coming on
The light is hardwired into the camera itself, so that when the electricity is sent to power and activate the webcam, it will ALWAYS turn on the light as well, there is NO WAY to activate it otherwise, so if you’ve been worried about a hacker spying on you, check your webcam light. If it is off, they are not watching.
Now, if your webcam light has been coming on at random times, and you can’t access it through your computer’s webcam software [or to take a photo on tumblr, for example], then this may be cause for alarm. It can also be the result of a hardware issue, but it is also very possible that your computer is infected, and you may be being watched.
Many lazy hackers will often neglect to prevent their server from making an entry in your computers Start-Up list, although some may disguise it as a legitimate program. You can access your startup list by typing in “Msconfig” into “Run” [in Windows XP] or Search [Windows Vista, 7, and 8], and clicking on the “startup” tab.
This will display all programs that are automatically loaded when your PC boots. Scan through these, and if some seem sketchy, just uncheck them. Keep in mind, however, that some may be programs that your computer needs [maybe a device driver that lets you control your volume from your keyboard or something], BUT you can do no harm to your computer if you decide to uncheck them all. If things run a little oddly, simply make your way back to this menu and recheck whatever you think you need.
Second, there is ONE DIRECTORY where 99% [yeah, I made that statistic up, but in all my experience hackers NEVER change this] of these trojans are installed, and that is in your “appdata” folder.
This folder is hidden by default, but can be accessed by opening up an Windows folder on your computer and copying the following into your address box:
c:\users\%username%\appdata\roaming [be sure to change “username” to your username]
MOST RAT INFECTIONS WILL BE STORED IN THIS LOCATION
Keep in mind that messing with files in this folder may break some programs you have installed, but if you see any files in here that you KNOW don’t belong, delete them.
What I mean by this, is say you download a program that lets you download youtube videos called “VidGrabber”, and you see a copy of vidgrabber.exe just sitting there. Chances are that it’s a virus of some sort. Or maybe you see a copy of that last Beyonce or Radiohead song you downloaded. Once again, that will most likely be an infected file.
If you believe that you might be infected, update your antivirus and run a comprehensive system scan. It may take a while, but a full scan won’t hurt. It might miss the trojan, but then again, it might not. Be sure to disconnect from the internet before running the scan, as a hacker can manipulate the scan if he senses that you’re onto him.
If you don’t have the money to shell out and buy antivirus software, Comodo offers a very powerful and free Firewall and Antivirus program which can be found here:
http://www.comodo.com/products/free-products.php
To be completely honest, I prefer Comodo over paid software, because it is both powerful, easy to use, and just as capable as $100 software. Granted, any decent firewall is likely to be a pain while it first gets used to your computer, but once you’ve manually allowed each of your usual programs to connect to the internet, it turns into a very powerful tool.
FINALLY, if you know for a fact that you’ve been infected and your antivirus can’t fix it, contact a tech-savvy friend or someone, and they may be able to assist you. As malicious and malleable as rats are, they’re pretty easy to remove once you know what you’re looking for, but that is far beyond the scope of this giant wall of text.
If you think you might be infected and have gotten very paranoid, you can shoot me a message and I can try to help.
Soooooo yeah, this ended up being so much longer than I intended, but I hope that it managed to help [for those of you who actually managed to read through this whole thing, anyways -_-]
