Devastation → Discussion → Guides & Tips → RATs - How you get them, what they are, how to remove them
RATs - How you get them, what they are, how to remove them
Topic Started: Jul 21 2012, 11:52 AM (140 Views)
Deleted User
Jul 21 2012, 11:52 AM
Post #1
In my first clan I made this thread and decided to do the same here, since a lot of my friends have been hacked by this recently. It seems to be getting popular, so here's some information on avoiding it. A RAT (Remote Access Tool) is a virus that gives the hacker unrestricted control of your computer. That means screenshots, webcam, saved browser passwords, it can take over your screen, shut down processes, or even shut down your entire computer, everything at all. This is the most common tool used to get Runescape passwords and PINs. Depending on what the hacker is using, it may have different features. A lot of them have a built-in Runescape PIN grabber. If you are infected, a bot will take 4 screenshots for every number of your PIN. These are saved in a hidden folder on your computer and sent to the hacker by command.
So, how does it work? The hacker uses his RAT to generate a server, which is generated as an executable (.exe) file. These files are easily detected as viruses, but are then often crypted (using another program) to make it undetectable by anti-virus software. Crypters can also spoof the extension of a file to make it appear to be something like a .mp3 or .jpg (although if you select "properties" of the file it will still appear as a .exe).
When a victim executes the file, they are infected and connected to the hacker's RAT.
How do you get a RAT?
Most RS hackers use a Java drive-by since Java is required to play Runescape, obviously. A Java DriveBy (JDB) is a website that, when visited, will prompt you with a popup that asks for permission to "run" a plugin needed for the website. Most of these will be livestreams or something similar to justify a Java prompt window. If a victim presses run, a line of code is executed that downloads the RAT's server from a hosting website, and executes the file upon being downloaded. What's worse is that the victim does not see any of this happen, and the file does not appear in the victim's "downloads".
If you receive such a popup, DO NOT CLICK ANYTHING. Not "run", not "deny", NOTHING!!! Simply restart your computer from the button. The problem is that the hacker can place hidden Java windows on places you are likely to click, so clicking the "deny" button may mean you are actually pressing "run" and downloading it. I'm not sure if they can go out of the browser, but just to be sure, restart.
If you don't want to get infected by a drive-by I recommend using Google Chrome. Go to settings, then under privacy click content settings, and where it says Plug-ins set it to "click to play". This will make it so any type of Java or Flash applet will have to be clicked on before it's even allowed to load. You can also add trusted sites to the exceptions (like YouTube, Netflix, etc.) so you won't have to click on those applets every time you want to watch a video or something else that requires loading an applet. The only other way you're going to get infected is by actually downloading something and running it, so just use common sense and don't download things that you can't 100% trust.
Another method is simply getting you to download a file. This could be through torrents or YouTube videos, for example. NEVER click any shady links and NEVER download from shady torrent sites.
And there probably aren't people here who bot, but bots are a very common method for spreading this. For example, EpicBot is infected with RATs (although it usually only targets players with very large banks).
What to do if you think you're infected?
The first indication that you might be infected is if your game crashes, or the browser/client you are playing in suddenly closes. Often, the hacker will end your Java or browser/client process to force you to log back in to the game, thus acquiring your username, password, and PIN. If this happens, I would suggest doing the following:
Removing the RAT
A RAT's process will appear in your processes like any other, but can vary depending on the crypter the hacker is using. End any process you don't recognize (one that is very commonly used is "vbc.exe"). If you are not sure what a process is, google it. If you have a process for software you don't own (e.g. Adobe), remove it. This will temporarily remove you from the hacker's RAT.
Run a virus scan. Most RATs won't be detected, but there is a possibility one or two antivirus programs will be able to detect it. If your scan comes up clean, this does not necessarily mean your computer is clean!
(This is for Windows 7, may vary for other operating systems): In the start menu, type in "msconfig" and press enter. Click "startup". This lists all the programs that will start when you boot up your computer, and it is likely the RAT you are infected with will be in there somewhere. Any listing with a manufacturer of "unknown" should be treated as suspicious. The best thing to do is select "deselect all", then press apply and restart the computer. This will reduce your computer's boot-up time, and 99% of RATs will be rendered useless. Even if they are still on your computer, they will not work unless you execute the file manually.
To remove the listing from your msconfig startup list (so there is no chance of accidentally enabling it again), go to the start menu, type in "regedit" and press enter. Follow the path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig.
Open all the folders that contain "startup". Delete the items you don't want to appear on the list.
Now, for removing the file itself. Most RATs will download into a hidden folder called "AppData". First, you will need to display your hidden folders. Go to Control Panel > Folder Options > View > Show hidden files and folders. Exit and go to your hard drive > Users > your account > AppData > Roaming. Delete every item that is not in a folder, or any folder that seems suspicious. If you see a loose .exe file in the Roaming folder that you don't recognize, that is likely the RAT. Delete it and empty your recycle bin.
If for whatever reason you follow these steps and still think you are infected, you will need to format your hard drive. If you have a partition, use that. If not, restore your computer to its factory settings.
I hope this helps, and feel free to ask any questions. I'll try to respond to as many as possible.
How to protect yourself?
There are some antivirus programs (such as Bitdefender and McAfee) that offer key encryption, and will actually thwart some of the RAT's keyloggers. They are also very hard for the RAT to remove since the processes are persistent. Look into acquiring one of these.
And no, contrary to what some people believe, you can't simply get a RAT from just chatting to someone on Skype or visiting a site. And another myth is that if you have a Mac you're immune to RATs. You aren't; there are RATs for a Mac.
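The post above walks through checking msconfig, the MSConfig registry key, loose executables in AppData\Roaming, and the process list by hand. The script below is an added example, not part of the original post and not from any product the post names; it automates the same review from an elevated PowerShell prompt on Windows 7 or later and changes nothing on disk, so the decision to end a process or delete a file stays with you. Its heuristics are my own assumptions: an autostart entry, loose file, or running process is marked [CHECK] when its executable sits in a user-writable folder (AppData, LocalAppData, Temp) or lacks a valid Authenticode signature. The `vbc.exe` in the comment is only an illustrative command line.

```powershell
# Added triage script (not the original post's): read-only review of the
# places the post says to check by hand. It deletes nothing.
# Assumptions: elevated PowerShell 2.0+ on Windows 7 or later; a program whose
# executable lives in a user-writable folder or has no valid Authenticode
# signature deserves a closer look, but that alone does not prove it is a RAT.

$ErrorActionPreference = 'SilentlyContinue'

# Folders a drive-by download usually drops its payload into.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

function Test-UserWritablePath {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($root in $userWritable) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Pull the executable path out of a command line such as
#   "C:\Users\me\AppData\Roaming\vbc.exe" /silent   or   C:\tools\x.exe -a
function Get-CommandExecutable {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $matches[1] }
    return $null
}

function Get-SignatureStatus {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'missing-file' }
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

function Show-Entry {
    param([string]$Source, [string]$Name, [string]$Command)
    $exe  = Get-CommandExecutable $Command
    $flag = @()
    if (Test-UserWritablePath $exe) { $flag += 'user-writable-path' }
    $sig = Get-SignatureStatus $exe
    if ($sig -ne 'Valid') { $flag += "signature:$sig" }
    $mark = if ($flag.Count -gt 0) { '[CHECK]' } else { '[  ok ]' }
    Write-Output ("{0} {1,-10} {2,-25} {3}  {4}" -f $mark, $Source, $Name, $Command, ($flag -join ','))
}

Write-Output '== Autostart entries (Run keys and items unticked in msconfig) =='
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        Show-Entry 'Run' $p.Name ([string]$p.Value)
    }
}
# Entries unticked in msconfig are moved under the key the post mentions;
# each subkey keeps the original command line in its 'command' value.
$msconfig = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
if (Test-Path $msconfig) {
    foreach ($sub in Get-ChildItem -Path $msconfig) {
        $cmd = (Get-ItemProperty -Path $sub.PSPath).command
        Show-Entry 'msconfig' $sub.PSChildName ([string]$cmd)
    }
}

Write-Output '== Loose executables directly in AppData\Roaming =='
Get-ChildItem -Path $env:APPDATA -Force |
    Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|scr|com|bat|vbs|jar)$' } |
    ForEach-Object { Show-Entry 'AppData' $_.Name $_.FullName }

Write-Output '== Running processes started from user-writable folders =='
Get-Process | Where-Object { $_.Path -and (Test-UserWritablePath $_.Path) } |
    ForEach-Object { Show-Entry ("PID " + $_.Id) $_.ProcessName $_.Path }
```

Run it as `powershell -ExecutionPolicy Bypass -File .\rat-triage.ps1` from an administrator prompt and read the [CHECK] lines first. Legitimate software (updaters, chat clients, game launchers) also lives in AppData and is not always signed, so look up anything unfamiliar before acting on it, and treat a clean listing the way the post treats a clean antivirus scan: as one data point, not proof.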
Matt
Jul 21 2012, 02:14 PM
Post #2
o nice guide
:P
weeman1690
Jul 21 2012, 10:35 PM
Post #3
thanks for the good advice
Batman
Jul 22 2012, 09:21 AM
Post #4
<3 rats
Rune
Jul 22 2012, 03:43 PM
Post #5
Quote from Batman (Jul 22 2012, 09:21 AM): <3 rats
I remember
Hosted for free by ZetaBoards