Imagine that you’ve discovered that your computer has been surreptitiously taking pictures of you at times when you thought the camera was off, and forwarding them to some stranger. Sound like your worst nightmare? In fact—as Miss Teen USA recently discovered to her chagrin—she was the victim of the latest Internet malevolence, officially known as “Blackshades” but informally dubbed “Creepware” by victims and law-enforcers.
So what exactly is Creepware? Think of it as a remote-access Trojan—a mutated version of a family of software known as remote administration tool (RAT). There are many RATs that are used for entirely legitimate purposes (LogmeIn, Microsoft RDP, VNC, etc.) for functions such as remote connectivity on the go or providing technical support. A remote-access trojan is kind of RAT that is installed without your knowledge or permission—one that is designed to hand over control of your computer to a remote entity. And the neighborhood stalker is not the only creep who is friendly with RATs; international criminal gangs like them too, for seizing control of the finances of individuals and companies.
One such RAT—known as “Blackshades” and said to have affected over half a million people worldwide—was taken down yesterday by law-enforcement authorities.
Here is a partial list of Blackshades’ RAT capabilities:
- Webcam control
- Screenshot/Remote desktop
- Keylogger
- Proxy manager ( to redirect your computer’s traffic)
- File download and execution
- URL redirection
- Reverse relay (The attacker sets the victim’s browser to connect to the Internet, in order to hide his footprint.)
Using these advanced techniques, criminals are able to steal sensitive information like bank passwords, social-security numbers, and credit card details—and wreak havoc on unsuspecting victims.
The takedown was the outcome of over two years of investigation and evidence gathering. It was a coordinated crackdown across 19 countries and involving the FBI, which systematically went after the creators of the Blackshades software and their global command-and-control (C&C) infrastructure. (Incidentally, Blackshades was also the toolkit used against Syrian political activists.)
While the news about Blackshades is only now going public, Infoblox DNS Firewall customers have been protected from this group for a long time. The RPZ subscription feed tracks known C&C infrastructures across the Internet, and this include the ones operated by the Blackshades group, or their predecessor called DarkComet, for over two years. We have over 13,000 domains related to Blackshades in the DNS Firewall feed, and were already actively protecting our customers who had the subscription.
This example serves to highlight the strength of the DNS Firewall solution in conjunction with its dynamic RPZ feed. Our approach of tracking domains or IP addresses of bad repute and enforcing at the DNS layer ensures a pervasive security blanket for customers. Thus—be it DarkComet or BlackShades or ShadesRat or DarkMoon—the bad guys tend to re-use existing infrastructure and datacenters, and if they are in our feed, our customers are protected.