We Have a RAT Problem Says DCA

“We the consumers are outgunned and outmanned. We don’t have the tools needed to protect ourselves.  While you are still better off having a 2013 anti-virus program, it won’t protect you against zero-day malware anymore than the polio vaccine will protect you from Ebola.”

That quote is from the introduction of a new report published last week by the Digital Citizens Alliance entitled Selling “Slaving.”  It focuses on an especially pernicious form of malware called RATs (Remote Access Trojans); the users of these applications; their victims; and the enablers — both corporate and criminal — that help spread and even monetize this growing trend in what sounds a bit like hobbyist hacking.  I have never explicitly recommended reading a whole report of this nature before — often the bulk of a study contains a lot of data supporting the main findings — but I do recommend reading all of this one.  Not only does it discuss a cybersecurity threat of concern to any computer or device user anywhere, but the report reads much more like a very long article that provides insight into the nature, motives, methods, and victims of this class of hackers called ratters.  Their brands of mischief include a wide range — from pranking people for sophomoric amusement; to identity and data theft; to slaving built-in webcams on the computers of women and girls to record Peeping Tom photos and videos that may or may not be used for the purposes of extortion and/or sold through black-market channels trading in child pornography.

The DCA report indicates that ratting is on the rise — and going mobile — but readers should take particular note of the lack of sophistication required relative to the amount of harm that can be caused to victims who fall prey to RATs.  In fact, many ratters can hardly be called hackers at all because they don’t hack into computers by means of any remarkable coding skills. Instead, the unsuspecting victim inadvertently downloads malware to her operating system, and a ratter is then able to control that computer (slave it) using one of a handful of cheap, easy-to-acquire, easy-to-operate software applications. An attack can be targeted (i.e. aimed at a specific victim like someone the ratter knows and has a motive to assault), but it seems that most victims are random people downloading files they assume are innocuous but that contain RAT malware.

Probably the most archetypal story of a malicious and targeted RAT assault — one the DCA report cites in some detail — is that of Cassidy Wolf, the California teenager, who was voted Miss Teen USA in 2013.  In the months leading up to her pageant victory, Wolf was the victim of a ratter, who turned out to be a teenage boy at her high school named Jared Abrahams.  Abrahams had taken control of Wolf’s computer as well as her entire social media presence, and she was completely unaware that he had been slaving her webcam to capture naked images of her until the day she received an anonymous email threatening to leak these images and other personal information on the Web, saying that he would ruin her career plans by turning her into an “internet porn star.”  His demand in trade for his silence was that she provide him with a “sexually explicit” video; and Wolf has been rightly praised for her courage in standing up to her assailant, even after he made good on his threat to release compromising images. She contacted the FBI, went public with her story, and used her pageant celebrity status to raise awareness of the problem. Her decision helped lead to the identification and conviction of Abrahams, and by the time authorities caught up with him, they discovered he had been “slaving” the devices of approximately 150 young women and female minors around the world.  He served 18 months and is currently under house arrest.

Abrahams was a relatively sophisticated hacker — and he clearly chose to target Cassidy Wolf — but many ratters are more casual, random, and technologically inept than Abrahams, so they turn to the same resource many of us use for How-To advice — YouTube.  The fledgling ratter (sometimes called a script kiddie) need not find some remote corner of the dark web in order to learn how to spread and use RAT malware because there are dozens — if not hundreds — of tutorial videos on YouTube right now that provide complete, step-by-step guides to ratting along with helpful comments and links by fellow ratters.  (See, the Web really is about community!) In addition to these tutorials, we find ratter “fan vids,” which are not so much tutorial in nature as  vicarious viewing, so you can watch a ratter harass or spy on a victim while narrating his  observations like “Dude, watch this!” and “Oh, fuck, did you see that?  This shit is sick.”

RATs on YT
Just one of many ratter videos on YouTube. All the visible titles suggest tutorials in how to be a ratter.

Collectively, both the tutorial and the ratter “fan videos” have tens of thousands of views, and the DCA report indicates that about 38 percent of these videos are ad-supported, which means that both Google and the ratter are earning some revenue from the ad buys of major brand advertisers.  This means Google has a problem that reads something like this:  “This illegal invasion of an underage girl’s bedroom brought to you by Procter & Gamble.”  And as much as I criticize Google for profiting from the exploitative aspects of digital life, I would not be surprised if the company seeks to mitigate its role as an enabler of ratting just as it has with a zero-tolerance approach to keeping child pornography out of the Google-verse.  The DCA recommends Google assign a “human team” to address the role that both search and the YouTube platform are playing in this regard, but it cannot be overlooked that the Internet industry’s larger policy agenda, advocating a “hands off” approach to all things Web, provides cover for bad actors in a variety of ways.

And that brings us to one of the primary channels through which RATs are spread (and you’ll be terribly surprised), which is illegal file-sharing sites.  Because Trojan Horse malware is delivered by sneaking the virus into an OS while the user downloads a file he/she assumes is safe, it stands to reason that the black-market world of illegal media and software provides an ideal hunting ground for ratters to set their traps.  In fact, some of those tutorials on YouTube demonstrate how a ratter can download a file from, say, kickasstorrents, modify the file with his RAT, then re-upload the newly infected file awaiting random downloaders because, y’know, “sharing.”

By these methods, ratters trap random prey to be fed upon at leisure and prioritized according to the intent of the ratter.  This may include mining victims for credit card or other sensitive information;  or the ratter may slave the computer to mine bitcoins or to spread RAT infiltration to a larger system, like the victim’s place of business.  But in many cases, it seems, the goal of many a low-skilled ratter (i.e. teenage boys and young men) is to gain access to the computers of women and girls who have webcams.  Thus, as ratters manage to trap these prized victims (often with the enthusiasm of trophy hunters), they sell the IP addresses to other ratters — like commodities in their own little RAT exchange — where access to a boy’s computer sells for about $1 while access to a girl’s computer sells for about $5, according to the DCA.

Now, I have at least implied in the past that piracy sites should be boycotted by anyone who considers herself — or himself — a defender of feminist principles.  In addition to the fact that the site owners directly profit from advertising links to “services” that are tied to varying degrees of exploitation of women (e.g. MEET ASIAN GIRLS NOW!!), this DCA study of RATs demonstrates that these sites also unintentionally provide fertile ground for spreading malware that is consistently used to exploit girls, which is apparently valued at a 5:1 ratio over the exploitation of boys. I’m not sure what else needs to be said about that.

Finally, the DCA report does contain some indication as to how Internet companies, users, and law enforcement might actually work to address the challenge of this growing risk of personal invasion.  But in order to get there, the public will first have to accept that Internet companies and law enforcement have a role to play, that our RAT infestation is just more evidence that a free-for-all policy on the Web is a fundamental failure.

Enjoy this blog? Please spread the word :)