Malware RATs can steal your data and your money, your privacy too

How serious can a malicious software infection be these days? Short answer = Very. The video below is a 16 minute answer to that question using pictures of what a malware infection looks like to the bad guy who manages to get a RAT installed on a victim machine. That’s R.A.T. for Remote Access Tool which is one of the most popular categories of “crimeware” being deployed by cybercriminals today. (Update 6/1/2012: Some RATs may be modular in design and possess espionage capabilities highlighted by media coverage of the malware known as Flame, Flamer, or sKyWIper (detected by ESET as Win32/Flamer.A)).

Remote Admin ToolIn the video I take a closer look at one example, DarkComet RAT, the capabilities of which include using the victim’s webcam and microphone to spy on them. This capability was recently added to another piece of modular, point-and-click malware–SpyEye–as described in a  recent story in PC World. (Update 7/12/2012: The author of DarkComet RAT has stopped supplying or updating the software, partly because of its “abuse” by the Assad regime in Syria.)

The video is an expanded recording of a slide presentation I gave several times at Interop in Las Vegas earlier this month and includes a description of the role that antivirus software can play in defeating this type of malware. After the presentations I had numerous requests for copies of the slides from people who wanted to use them in their own security awareness programs. I was happy to oblige because I think that seeing these pictures will have more impact on employees and executives than reading yet another article that merely states: “malware infections are to be avoided because they can compromise data.” That statement is true but sometimes you need to see something to take it to heart.

Note that ESET products detect SpyEye as Win32/Spy.SpyEye and Dark Comet RAT as Win32/Fynloski. If you think your Windows computer is infected with either of these pieces of malware or any other malicious code or spyware you might want to scan it with ESET’s Free Online Scanner.

Author Stephen Cobb, ESET

  • Steve

    Hello, I've found this article and video very useful and alerting, but I would suggest to hide and do not mention the names/logos of these malicious applications (cyber weapon for criminals) as now any newbie can learn from this and start "playing" with these weapons. Even "without a gun licence" some of them may cause harm for countless people or became criminals…

    • Stephen Cobb

      Thanks for your comment Steve, you make a very important point. Malware researchers have to walk a fine line between informing the good people of the world about threats on the one hand and enabling bad people on the other. At ESET we take great not to publicize information that is useful to the bad guys or helpful to someone aspiring to be bad. However, when information is widely known–for a certain definition of widely–then we don’t feel we are making matters worse by repeating it. All of the content in this video was review with those principles in mind. We actually chose to use DarkComet RAT as our example because it has been openly discussed in the mass media in stories about it being used by the Syrian government for spying on its people.


    Actually – SpyEye is a banking trojan of which many speculate the creator got with the creator of ZeuS (another banking trojan) and the source code was to be merged (ZeuSEye anyone?). DarkComet RAT is coded by DarkCoderSC and can be found active on [sentence truncated by Editor]

    • Stephen Cobb

      Your comment is appreciated but I there is a risk with calling SpyEye a banking trojan. It can execute a lot of different attacks, some unconnected with banking, and future attacks can be added through its modular design. As malware makers form part of organized cybercrime that is increasingly sophisticated in terms of management it is not impossible that we will see some botnets pivot, taking up an entirely different type of attack from the one for which they were originally deployed.

  • jaykaykay

    That's a good visual of what goes on. The only problem I have with it is the suggestion that if you think you might be infected, run their free online scanning tool. In that those who are rather naive may have to, or choose to, turn off other programs they have running for this advertised ware to work well and possibly for get to forget turn it back on after a free scan, advertising this way just bothers me, I guess.

    • Stephen Cobb

      Thanks for the compliment and the comment. You raise a good point about the possible unintended side effects of a free scan and we are discussing this internally. The other side of the issue is that the free scan is a helpful service for many people and since it is free, then the act of telling people about it is not exactly advertising, at least in my mind. Would we like people to turn to ESET for paid antivirus software? Indeed we would, but our over-arching goal is reduction of infection and if free scanning and removal of infections gets us closer to that goal, we are happy to do it. Of course, we can’t provide all of our products and services for free because maintaining their effectiveness across a wide range of platforms, in the face of a relentless and increasingly well-funded attackers, well that costs a lot of money.

  • Steve

    @ Stephen Cobb

    I hear you, but I think so it would be better to mask the names of these malicious apps. For those who does not know them , an informative discussion or news is just perfect without letting the public audience know what is the name of the given cyber weapon. It is enough if professionals (good and bad guys) knows the names of these weapons. Its similar to a police investigation and backoffice job where you share only general non specific informations about sources of weapons… In cyber cryme, sharing information is the weapon itself. You learn the name of the very best cyber weapons, google it and it is yours…! I would mention/show their names only and only to professionals, in closed circles. If others already mentioned names etc that is their fault and it does not help the issue if we follow them. 

    • Aryeh Goretsky

      Hello Steve,

      Stephen Cobb is out of the office, so let me see if I can help address your comments: While it is common to make analogies to malicious software as a “cyber weapon”—and, indeed, there has been some discussion about its use as that today—it is better to think of it as tool which are used (almost) exclusively by criminals. A major component of fighting crime is education, and while part of that is geared towards teaching preventative steps, another part is geared towards threat awareness.

      The program demonstrated in the video is already out there and it is being used for malicious purposes. Not talking about it is not going to make it disappear, and is only going to give attackers an advantage over the defenders. When disclosing information about malicious software and malicious software usage, anti-malware researchers always have to walk a fine line between what information they do and do not disclose, and in this case, as Stephen has indicated, the costs of non-disclosure outweigh the costs of disclosure to the security of the computing public.

      Thanks for your comments.


      Aryeh Goretsky

  • Alison Chan

    When the webcam is remotely turned on, wouldn't the pilot light on the webcam illuminate? Or are these remote access tools devious enough to disable the pilot light while surreptitiously enabling webcam?

Follow us

Copyright © 2018 ESET, All Rights Reserved.