Video Screencast Help
Security Response

Creepware - Who’s Watching You?

Created: 10 Dec 2013 14:19:40 GMT • Updated: 09 Jun 2014 14:08:27 GMT • Translations available: 日本語
Symantec Security Response's picture
+6 6 Votes
Login to vote

creepware_title_banner.png

Some people stick a piece of tape over the webcam on their laptop, maybe you even do it yourself. Are they over cautious, paranoid, a little strange? Are you? Or is there reason behind this madness? Many of us have heard the stories about people being spied on using their own computer or people being blackmailed using embarrassing or incriminating video footage unknowingly recorded from compromised webcams. But are these stories true and are some people’s seemingly paranoid precautions justified? Unfortunately the answer is yes, precaution against this type of activity is necessary and there are a multitude of programs out there that can be used for this type of malicious activity…and more. Remote access Trojans (RATs), or what we are calling creepware, are programs that are installed without the victim’s knowledge and allow an attacker to have access and control of the compromised computer from a remote location.

This blog will aim to give a general overview of creepware; describing what these threats are and what can, and is, done with them and what the implications are or both the victims and the users of creepware. The blog will also look at the economy of creepware, examining the underground market dealing in everything from the sale of software to the sale and trade of victims. Finally, we will look at how creepware is spread and how to protect against it.

Before we get into the details, here’s a video that will tell you what you need to know about the growing problem of creepware:

creepware_play_vid.png

Figure 1Click this image to view Symantec's creepware video
 

What exactly is creepware?

The acronym RAT is one that is often used when talking about a piece of software that allows someone to control a computer from a remote location. RAT can be an abbreviation for any of the following:

  • Remote Access/Administration Tool
  • Remote Access/Administration Trojan

The one difference between remote access tools and remote access Trojans is that the latter is installed surreptitiously and used for malicious purposes. There are many remote access tools, which are used for legitimate reasons such as technical support or connecting to a home or work computer while travelling etc. Unfortunately the same useful features found in remote access tools can be used for malicious activity and a great deal of malware has been designed with this in mind; these programs are called remote access Trojans. Once these Trojans are installed on a victim’s computer they can allow an attacker to gain almost complete control of it. Presence of the Trojan is indiscernible and an attacker can do almost anything that someone physically sitting at the computer can do, including recording footage using the webcam. Recent high-profile cases of this unsavory and creepy behavior have prompted the name creepware to be used when describing remote access Trojans.

Creepware uses a client-server model but switches the usual dynamic we think of when discussing client-server system setups. Creepware flips this process and makes the victim’s computer the server and the attacker’s computer becomes the client. Once the victim’s computer is compromised with creepware an attacker can send requests to it to retrieve files and perform a whole host of other nasty actions.
 

What’s the big deal?

While there was a time when the use of creepware was relatively rare it is now unfortunately becoming more common. Users of creepware can range from those who make money from extortion and fraud to those using the software for what they see as harmless fun or pranking, otherwise known as trolling. While these two activities may seem to some as very different, they both involve unauthorized access to computers, which is not only morally wrong but is also a serious crime.

Worryingly, morals do not seem to be high up on the list of characteristics when it comes to creepware users, a fact that is blatantly obvious when perusing the many online forums with sections dedicated to creepware.

creepware_blog_fig1.png

Figure 2. Doing it for the lulz

creepware_blog_fig2.png

Figure 3. Blackmailing victims

While many users on these forums seem to have no moral compass whatsoever, others have an extremely skewed view of what is right and wrong. In one thread a user justifies RATing (using creepware) people by saying it’s their own fault for downloading and installing programs from untrusted sources.

creepware_blog_fig3.png

Figure 4. Blaming the victims

Another forum user thinks that if all you do is watch your victims, without them knowing, then it’s fine.

creepware_blog_fig4.png

Figure 5. Justifying invasion of privacy

Trawling through the countless posts on creepware/remote access Trojans there seems to be a never-ending supply of users looking for help to set up their software and begin RATing. While there are a few who feel (mildly) guilty about doing what they do, the overwhelming majority see no harm in invading their victims’ privacy and in some cases making money from RATing. In a thread named “Morals of messing with people” one user asks fellow hackers their opinion on whether what they do is right.

creepware_blog_fig5.png

Figure 6. Moral dilemma

The replies speak for themselves.

creepware_blog_fig6.png

Figure 7. Moral bull****

Unfortunately, creepware users may not see, or care about, the damage that can be caused by creepware. There are plenty of cases where innocent people have fallen prey to creepware and have been left traumatized or worse by their attackers. One way in which creepware users monetize their activities is sextortion. Sextortion is a form of exploitation that employs non-physical forms of coercion to extort sexual favors from the victim.

In August 2013, Miss Teen USA, 19-year-old Cassidy Wolf became a victim of creepware. Miss Wolf was hacked by a fellow high-school student who used creepware to take pictures of her undressing in her bedroom. The hacker then attempted to blackmail his victim by threatening to publish the pictures online if she didn’t take more explicit photos but Miss Wolf went to the police. The hacker was eventually caught and pleaded guilty to hacking at least two dozen women in a number of countries.

Another well-publicized case involved an attacker using creepware to display a warning message box on his victims’ computers telling them that their webcam’s internal sensor needed to be cleaned. To do this, they were told to place the computer close to steam. Several of the women were subsequently recorded taking a shower when they had brought the computer into the bathroom.

Sadly, these cases are only the tip of the iceberg when it comes to creepware and the impact it can have on victims. Because many victims do not report this type of crime perpetrators often escape justice. Attackers can threaten to post stolen or recorded content online, and if this threat is carried out the victim’s reputation can be permanently damaged. The effects of this type of harassment and cyberbullying in general are long lasting and can even lead to suicide. Creepware, it would seem, is a cyberbully’s ideal tool.

Creepware and RATs are a global problem; they are used throughout the world, usually for all the wrong reasons.

creepware_country_stats_600x600_mk2.png

Figure 8. Top five countries for RAT activity in past six months
 

What can creepware do?

So what exactly can creepware do? There are an abundance of creepware programs on the market, such as Blackshades (W32.Shadesrat), DarkComet (Backdoor.Krademok), Poison Ivy (Backdoor.Darkmoon), and jRAT (Backdoor.Jeetrat) to name but a few, many of these programs share the same core set of functionality. We’ll take a closer look at one in particular, the Pandora RAT detected by Symantec as Trojan.Pandorat.

Pandora RAT allows an attacker to gain access to the following items on a compromised computer:

  • Files
  • Processes
  • Services
  • Clipboard
  • Active network connections
  • Registry
  • Printers

If all that isn’t enough, Pandora can also allow an attacker to:

  • Remotely control the compromised desktop
  • Take screenshots
  • Record webcam footage
  • Record audio
  • Log keystrokes
  • Steal passwords
  • Download files
  • Open Web pages
  • Display onscreen messages
  • Play audio messages using the text-to-speech function
  • Restart the compromised computer
  • Hide the taskbar
  • Hide desktop icons
  • Cause system failure/blue screen of death

Ease of use and a slick graphical user interface (GUI) are very important factors in today’s design-focused world, and creepware is no exception. Pandora, as is common with other RATs, sports an easy-to-use GUI that can be mastered almost instantly by experts and novices alike. If the use of creepware was once reserved for hardened blackhat hackers it is now most definitely accessible to everyone from script kiddies to total noobs.

creepware_screen_shots_600x600_mk2.png

Figure 9. User friendly human computer interface of Pandora RAT

Creepware has many different uses including:

  • Voyeurism
    Attackers use the victim’s webcam and/or microphone to secretly record them.
  • Information/file stealing
    Information such as banking details or passwords and files such as pictures and videos can be copied or deleted.
  • Blackmail/sextortion
    Pictures or videos stolen from the computer, or recorded using the webcam, are used to force the victim into posing for explicit pictures or videos, performing sexual acts, or coercing money from the victim.
  • Trolling
    The attackers use creepware to cause the computer to behave strangely by opening pornographic or shocking websites, displaying abusive messages, or in some cases causing system damage all for their amusement.
  • Using computer for DDoS attacks, etc.
    Compromised computers can be used to carry out distributed denial of service (DDoS) attacks, bitcoin mining, or other functions where it may be beneficial for the attacker to use victims’ resources.
     

Creepware economy

Creepware is big business in the underground economy with a thriving market revolving around the sale of the software. The creepware itself can be purchased from the developers’ own websites or from people advertising on hacking forums. Advertisements for the sale of FUD crypters, JDB generators, and slaves among other things can be found in said forums. If you find this terminology a little bewildering, here are some useful definitions:

  • FUD – Fully undetectable (by security vendors)
  • Crypter – A tool used to rearrange files in a way that the actual bytes are scrambled, making it difficult to detect
  • JDB – Java drive-by – This involves a Java applet being placed onto a website, when the user visits the site a pop-up will appear asking for user permission. Once permission is given, the creepware is downloaded.
  • Slave – A computer that has been infected with creepware

If all that sounds a little too much like hard work, anyone interested in getting their own creepware setup can pay any number of willing “experts” to do all the leg work for them. Prices vary for different services. Creepware/RATs can be found for free but the ones that are for sale can cost anything up to $250. Add-on services, such as FUD crypting and setup cost between $20 and $50. As with most things these days, free advice and instructions can easily be found online with plenty of users eager to pass on their knowledge about the best tools, tricks, and methods concerning creepware.
 

What can users do to protect themselves?

The following methods may be used to infect computers with creepware:

  • Drive-by downloads – By visiting a website, the user unknowingly downloads the creepware onto their computer
  • Malicious links – Malicious links, leading to websites hosting drive-by downloads, are distributed using social media, chat rooms, message boards, spam email etc. The attacker may also hack user accounts to make it seem like the link is being sent by a friend. Others may try to lure victims by posting enticing messages.
  • Exploit kits – Potential victims may visit compromised websites or click on malicious links and are then redirected to the exploit kit’s server where a script runs that will determine what exploits can be leveraged. If an exploit is viable, the victim is infected with the creepware and the attacker is notified.
  • Peer-to-peer file-sharing/torrents – The creepware server installer is packaged with a file, usually a popular program or game crack, and shared on a file sharing site. Once the file is executed, the creepware server module is installed.

To stay protected against creepware, Symantec recommends users to:

  • Keep antivirus definitions, operating systems, and software up-to-date.
  • Avoid opening emails from unknown senders and clicking on suspicious email attachments.
  • Exercise caution when clicking on enticing links sent through email, instant messages, or posted on social networks.
  • Only download files from trusted and legitimate sources.
  • Be suspicious of unexpected webcam activity. When you’re not using the webcam, keep the shutter closed, if your webcam doesn’t have a shutter, use a piece of tape to cover it when not in use.

In today’s world, computers play an important role in our lives and the idea that such a ubiquitous tool could be used by an attacker to invade our privacy is a scary thought. While creepware is capable of causing a great deal of damage, taking appropriate defensive steps can keep you protected. By having good up-to-date security software and following some basic best practices we can all keep the creeps out of our computers.