RATs - How you get them, what they are, and how to remove them.

Started by Randy, June 20, 2012, 11:36:52 PM


Randy

Quoting this entire post from a guy on reddit:

HISTORY

My history with RATs is an unfortunate one. After being a victim of one myself (lost 300m), I took the terrible decision to acquire one. I had a few victims for a total of about 500m. It was a regrettable decision and a way to get back what I felt was unjustly lost. I don't have contact with the people I hacked, or honestly, I would give the money back. I've since quit Runescape and gave the gold away to friends in my clan. I'm hoping this will help some avoid the same fate as me, and those I hacked.

WHAT IS A RAT?

A RAT (Remote Access Tool) is a virus that gives the hacker virtually unrestricted control over your computer. This includes (but is not limited to) screenshots, webcam, saved browser passwords, cmd prompt, keylogger, the ability to take over your screen (keyboard and mouse), shutdown computer, end processes, delete/steal files, download and execute files (can be used to add more malware), and much more.

The exact features vary depending on which RAT the hacker is using, but most of them include the basics above. Another feature some have (including mine) is a built-in Runescape pin grabber. If you are infected, the bot will take 4 screenshots, 1 for every time it recognizes you are clicking a number for your Runescape pin. These screenshots are saved in a hidden folder on your computer, and sent to the hacker on their command. The hacker simply identifies the missing number from each screenshot (since hovering your mouse over the number you are about to click causes it to disappear) and has your pin.

HOW IT WORKS

The hacker uses his RAT to generate a server, which is generated as an executable (.exe) file. These files are easily detected as viruses, but are then often crypted (using another program) to make them undetectable by anti-virus software. Crypters can also spoof the extension of a file to make it appear to be something like a .mp3 or .jpg (although if you select "properties" of the file it will still appear as a .exe).

When a victim executes the file, they are infected and connected to the hacker's RAT.

COMMON SPREADING METHODS

Most Runescape hackers use a JDB (Java DriveBy). A JDB is a website that, when visited, will prompt you with a popup that asks for permission to "run" a plugin needed for the website. Most websites will be something along the lines of a live stream, RSPS, or similar to justify the need for a Java plugin. If a victim presses run, a line of code is executed that downloads the RAT's server from a hosting website, and executes the file upon being downloaded. What's worse is that the victim does not see any of this happen, and the file does not appear in the victim's "downloads".

It's important to note that if you receive such a popup, DO NOT click ANYTHING. Use the "control+shift+escape" shortcut (ctrl+alt+delete on Windows XP) and end your browser's processes. Alternatively, power down your computer.

Other less common methods include simply getting you to download the file. This could be through YouTube videos, torrents, or SE (social engineering). NEVER download any third party programs or files from anyone.

Also, for people using epicbot or products from garyshood, both of these products are infected with RATs (although they usually only target players with very large banks).

WHAT TO DO IF YOU THINK YOU ARE INFECTED

The first indication that you might be infected is if your game crashes, or the browser/client you are playing in suddenly closes. Often, the hacker will end your Java or browser/client process to force you to log back in to the game, thus acquiring your username, password, and pin. If this happens, I would suggest doing the following:

Removing the RAT

A RAT's process will appear in your processes like any other, but can vary depending on the crypter the hacker is using. End any process you don't recognize (the one I used, which is common, gave a process of "vbc.exe"). If you are not sure what a process is, google it. If you have a process for software you don't own (e.g. Adobe), remove it. This will temporarily remove you from the hacker's RAT.

Run a virus scan. Most RATs won't be detected, but there is a possibility one or two antivirus programs will be able to detect it. If your scan comes up clean, this does not necessarily mean your computer is clean!

(This is for Windows 7, may vary for other operating systems): In the start menu, type in "msconfig" and press enter. Click "startup". This lists all the programs that will start when you boot up your computer, and it is likely the RAT you are infected with will be in there somewhere. Any listing with a manufacturer of "unknown" should be treated as suspicious. The best thing to do is select "deselect all", then press apply, restart computer. This will reduce your computer's boot-up time, and 99% of RATs will be rendered useless. Even if they are still on your computer, they will not work unless you execute the file manually.

To remove the listing from your msconfig startup list (so there is no chance of accidentally enabling it again), go to the start menu and type in "regedit" and press enter. Follow the path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig

Open all the folders that contain "startup". Delete the items you don't want to appear on the list.

Now, for removing the file itself. Most RATs will download into a hidden folder called "AppData". First, you will need to display your hidden folders. Go to Control Panel > Folder Options > View > Show hidden files and folders. Exit and go to your hard drive > Users > your account > AppData > Roaming. Delete every item that is not in a folder, or any folder that seems suspicious. If you see a loose .exe file in the Roaming folder that you don't recognize, that is likely the RAT. Delete it and empty your recycle bin.

If for whatever reason you follow these steps and still think you are infected, you will need to format your hard drive. If you have a partition, use that. If not, restore your computer to its factory settings.

I hope this helps, and feel free to ask any questions. I'll try to respond to as many as possible.

PROTECTION

There are some antivirus programs (such as Bitdefender and McAfee) that offer key encryption, and will actually thwart some of the RAT's keyloggers. They are also very hard for the RAT to remove since the processes are persistent. Look into acquiring one of these.



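The three checks the quoted post walks through (unrecognised running processes, the msconfig startup list and the key it keeps disabled entries under, and loose executables in AppData\Roaming) can be collected in one read-only triage pass. This is an added example, not code from the quoted post; it assumes Windows PowerShell 3.0 or later in an elevated prompt, and the value names `command`/`path` under the MSConfig key are assumed from the Windows 7 layout. It only reports, so each hit still has to be looked up before anything is ended or deleted.

```powershell
# Added read-only triage script; it reports and deletes nothing.
# Assumes Windows PowerShell 3.0+ run from an elevated prompt.

# A Windows executable begins with the bytes "MZ" whatever its extension, which
# exposes the spoofed .mp3/.jpg names the post describes.
function Test-PeHeader([string]$Path) {
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        $b  = New-Object byte[] 2
        $ok = ($fs.Read($b, 0, 2) -eq 2) -and ($b[0] -eq 0x4D) -and ($b[1] -eq 0x5A)
        $fs.Dispose()
        return $ok
    } catch { return $false }   # locked or unreadable file: treat as "not checked"
}

# 1. Running processes with no valid Authenticode signature or no publisher name:
#    the starting list for "end any process you don't recognize".
Write-Host "== Processes with no valid signature or no publisher =="
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path
    [PSCustomObject]@{ Name = $_.Name; Company = $_.Company; Signature = $sig.Status; Path = $_.Path }
} | Where-Object { $_.Signature -ne 'Valid' -or -not $_.Company } | Format-Table -AutoSize

# 2. Startup entries: live autostarts (Run keys, Startup folders) plus the items
#    msconfig has disabled, which it stores under the key the post gives.
Write-Host "== Startup entries =="
$entries = @(Get-CimInstance Win32_StartupCommand |
    ForEach-Object { [PSCustomObject]@{ Source = $_.Location; Name = $_.Name; Command = $_.Command } })
$msconfig = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig'
if (Test-Path $msconfig) {
    Get-ChildItem $msconfig | Where-Object { $_.PSChildName -like '*startup*' } | Get-ChildItem |
      ForEach-Object {
        $p   = Get-ItemProperty $_.PSPath
        $cmd = if ($p.command) { $p.command } else { $p.path }   # value names assumed (Win7 layout)
        $entries += [PSCustomObject]@{ Source = 'msconfig (disabled)'; Name = $_.PSChildName; Command = $cmd }
      }
}
$entries | Format-Table -AutoSize

# 3. Loose files directly in AppData\Roaming: executable by extension, or a file
#    whose extension says media but whose header says PE.
Write-Host "== Loose executables in $env:APPDATA =="
Get-ChildItem -Path $env:APPDATA -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $byExt = $_.Extension -in '.exe', '.scr', '.jar', '.vbs', '.bat'
    $byHdr = Test-PeHeader $_.FullName
    if ($byExt -or $byHdr) {
        [PSCustomObject]@{ File = $_.Name; Hidden = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                           PeHeader = $byHdr; Signature = (Get-AuthenticodeSignature $_.FullName).Status }
    }
} | Format-Table -AutoSize
```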


Vio

I don't have RATs, but I do have ...  (H) ... POSSUMs.




Al

helpful guide, thank you for posting this...and sorry about your loss :/

Pacman Syu

Whaddya know, another redditor. Regardless, thanks for posting this, somehow this slipped through my /r/runescape readings.


davidcu96

is this limited to runescape or could it be used for credit cards and online banking too?