The truth about Blackshades Malware

I’m going to throw out a few numbers and I want you to guess what they mean:

  • 19
  • 40
  • 100
  • 700,000

Let’s start with 19.

19

19 is the number of countries that FBI agents raided in a recent global cybercrime crackdown.

40

The cost in US dollars of nefarious creepware called BlackShades which allows illicit hackers unauthorized access to keystrokes, passwords, hard drives and webcams on unsuspecting users computers.

100

At least 100 individuals linked to the Blackshades malware fiasco were arrested by the FBI today.  Amid the frenetic arrests, one of the alleged co-creators of Blackshades – 21 year old Michael Hogue (known as xVisceral) – plead guilty and the other creator, Alex Yucel was indicted.

700,000

The approximate number of victims computers hijacked by Blackshades

What the heck is Blackshades?

You’ll be hard pressed to gainsay the fact that malware is becoming increasingly ascendant.

According to a 2013 cyberthreat report from Moscow based security firm Kaspersky Lab, cyber attacks designed to steal financial data surged by 27.6%.

Furthermore, a 2014 security threat report by Sophos corroborates the evidence: malware is concurrently becoming both increasingly sophisticated and clandestine.

The proliferation of malware manifested as malvertisements (which refers to malicious advertisements delivered through benign channels) and other covert paths, means that users need to be especially vigilant in staying safe online.

Blackshades is a case in point.  Here’s the gist:

Blackshades is known as a Remote Access Trojan (RAT) which allows anyone with paltry computer skills to surreptitiously access all the data on a user’s computer.  This includes passwords, webcams… and well everything.

But it doesn’t stop there…

The Blackshades RAT has an ignominious list of abominable features that is only matched by the anguish it brings its victims.

Here’s a sample of the guile ridden functions (special thanks to Adam Kujawa at Malwarebytes for the Blackshades screenshots):

DDoS

Blackshades via Malwarebytes

The RAT can turn your computer into a zombie bot.

This means you can become an unwitting accomplice in launching a distributed denial of service attack (DDoS) against an innocuous website of the attackers choosing.

In other words, your PC can be forced, along with thousands of other machines, to launch a coordinated attack against a website to boot it offline.

Serious shit.

Marketplace

Blackshades boasts an integrated marketplace that provides a haven for attacker to buy other slave computers compromised with the Blackshades Trojan.

The enormities of this tool grow worse when you realize that people can not only sell bot machines to other cybercriminals but also augment the tool with specialty add-ons which make it extremely hard for antivirus engines to detect.

Even more serious shit.

Facebook Controller

We have empirical evidence revealing that Blackshades steals your credentials and then lets the attacker post anything he wants to the victim’s Facebook wall.

Ransomware

Ransomware is a peculiar variant of malware that takes the whole “I’m going to infect your computer and destroy your files” thing to another level.

Ransomware often precludes access to your data by encrypting it and demanding payment for decryption.  If you refuse to pay your file are either destroyed or remain encrypted and therefore unusable.

As you can imagine, this particular strain of malware is virulent and is actually becoming increasingly popular.

For example, if you look at the 2013 Quarterly Threat Report from McAfee (PDF page 12 of 35) , you’ll see that McAfee discovered about a quarter million unique samples of ransomware which eclipses estimates for the same period of the previous year by over 100%.

BlackShades makes it super easy to curate a custom warning message replete with font colors and instructions.

Blackshades File hijacker.  Image credit Malwarebytes

The most insidious part is that the tool is so easy to use that virtually any buffoon who knows how to hold a mouse can wreak bedlam.  This is exacerbated by the fact that the barrier to entry is is also incredibly low.

Blackshades typically sells for anywhere between $40 and $100 dollars on underground markets.  Thankfully the FBI has decommissioned the websites which sold the tool but the problem is still effectual and an estimated 700,000 victims worldwide are still purported infected.

Is it legal?

That question is a serious point of contention because you can’t use the tool without complying to a lengthy license agreement which, ostensiblly absolves Blackshades from any liability.

Some people contend that the software itself isn’t illegal but furtively installing it on a victims computer is.  Exponents of this idea bolster their position by noting that the software has an innocuous past and was originally created a simple monitoring tool.

Now while there is definitely some ambiguity regarding the legality of the Blackshades RAT, regardless of what position you take, it’s a patent fact that stealing data from a users computer is categorically illegal.

But the creators of this little program really tried to exonerate themselves from any blame.  For example, when using the File Hijacker function to setup Ransomware, the program displays this little warning:

WARNING!
You should be extremely careful when dealing with this feature.
Use this feature at your own risk.  However, one thing to put in mind:
This feature was made for educational purposes only.

I can almost see the dust dissipating into the air as Hogue and Yucel wipe their hands and abdicate all responsibility for their hellish creation.

How to detect and destroy Blackshades

Three tools have been reported to alleviate the Blackshades malware (technically known as Spyware.BlackShades.NET)

Each of the above tools has it’s own version of a deep scan.  You’re going to want to forebear any quick scans and perform the most comprehensive scans possible. This will increase the chances of detecting the threat on the first try.

The malware is commonly disseminated through P2P tools such as Bittorrent and social sites such as Facebook and Twitter.

Usually what happens is the user clicks an external link posted on the site that purportedly leads to an interesting photo of video but doesn’t realize Blackshades is silently implanting itself in the background and exposing a backdoor on the users PC.

Once it possesses the victims system, he or she may start to notice erratic behaviors including but not limited to:

  • The web camera light being on even though you’re not using it
  • The mouse cursor jumping and jittering across the screen even though you’re not moving the mouse
  • A text based chat window spontaneously appearing on the screen

A sure way to test for Blackshades is to search for *.bss files on the hard drive.

If you see any of the following files in the search results then you’re infected and you need to destroy the Trojan immediately.

  • dos_sock.bss
  • nir_cmd.bss
  • pws_cdk.bss
  • pws_chro.bss
  • pws_ff.bss
  • pws_mail.bss
  • pws_mess.bss

Through the trio of antimalware tools I mentioned above on your system and start scanning.  I would also disconnect from the internet after installing the antimalware tools to prevent the attacker from interfering with your eradication efforts.

I also suggest changing all your passwords and closely monitoring your credit card statements because if a cybercriminal was base enough to infect your system he’ll certainly feel a sense of entitlement to all your personal information too.

The Bottom Line

The FBI did a kick ass job planning for and executing this sting.  It took about two years to build and was so efficacious that many of the arrested cybercrimnals didn’t have enough time to destroy the evidence.

The real threat of the Blackshades tool is that it’s both affordable and easy to use; therefore, obviating the need to be technically dexterous.  Anyone with a network connection and a few bucks can dupe people into getting infected, having their privacy violated and files held at ransom.

The software is incredibly advanced and yet it’s so easy to use that the threat scope is no longer fettered to computer geniuses.

Leo Taddeo, chief of cybercrime investigations at the FBI told CNN that:

These cyber criminals have paid employees, they have feedback from customers –other cyber criminals – to continually update and improve their product.  It’s very sophisticated software in that it is not very easy to detect.  It can be installed by somebody with very little skills

The moral of the story remind me of an adage I just made up:

Don’t download from specious sources

If you find a link that promises a video or photo but it looks duplicitous or the source is questionable, don’t open it.  In addition, if you have someone over your house using a computer always pay attention to what that person is doing on your computer.

He or she may intentionally or more commonly, unwittingly, infect your computer and then leave you in a world of misery.

Your Thoughts

What do you guys think of Blackshades?  Do you know of anyone who has been infected?  What do you think is a proper punishment for everyone who abetted the Blackshades creators machinations?

Share your thoughts in the comments.

About

Connect with Vonnie on Twitter

Posted in News Tagged with: , ,