Blackshades

Type: Trojan horse
Subtype: Remote administration trojan
Isolation: c. 2010 [1]
Author(s): Alex Yucel and Michael Hogue [1]
Operating system(s) affected: Windows

Blackshades is a malicious trojan horse used by hackers to control infected computers remotely. The malware targets computers using operating systems based on Microsoft Windows. [2] According to US officials, over 500,000 computer systems have been infected worldwide with the software. [3]


In 2014, the United States Federal Bureau of Investigation (FBI) arrested hundreds of people who had Blackshades on their computers. Before the FBI crackdown, Blackshades was sold for US$40 on Hack Forums, and reportedly generated US$350,000 in sales. [1]

Functionality

Blackshades infects a computer when the victim visits a malicious web page (sometimes as a drive-by download, installed without the victim's knowledge) or through external storage devices such as USB flash drives. [4] The software lets its operator infect and control multiple computers from a single lure. An improved version of Blackshades was released shortly after the original, when hacking groups such as Octagonun and Cyber-Sec developed add-on features for it, including antivirus evasion, DDoS / TCP flood capability, and backdoor persistence. [1]

Blackshades reportedly gives its operator unauthorized remote access to an infected computer and lets the operator perform many actions on it, including the ability to: [1] [5]

Blackshades reportedly can be used by computer hackers with little experience, or by script kiddies (attackers who use programs developed by others to attack computer systems). [1]

Blackshades can also act as ransomware. Hackers using Blackshades can restrict access to the victim's computer and demand a ransom paid to the hacker in order for the restriction to be lifted. [5]

Detection and removal

Many antivirus programs can detect and remove Blackshades. Operators, however, commonly evade detection by running the Blackshades binary through obfuscation software that rewrites the executable so antivirus signatures no longer match it; the Blackshades organization sold this obfuscation software alongside the malware itself. [5] [6]
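The paragraph above turns on a distinction that is worth seeing run rather than just stated: content-based indicators (a file hash, a fixed string inside the binary) match the exact sample they were written for and nothing else, so an obfuscated copy of the same program walks past them, while a heuristic that looks at the statistical shape of the file still fires. The Python below is an added example, not code from the page or from any antivirus vendor. The sample bytes, the "known bad" hash set, the indicator string and the obfuscation function are all constructed for the demo; the obfuscation step is a deterministic XOR keystream chosen only so the output is reproducible, and it says nothing about how any real packer works.

```python
import hashlib
import math
import random
from collections import Counter

# Constructed stand-in for a RAT executable. These are NOT Blackshades bytes;
# the point is only that a plain binary has recognisable content: a header,
# padding, and a readable configuration string.
ORIGINAL_BINARY = (
    b"MZ" + b"\x90" * 16
    + b"RAT_CONFIG:host=example.invalid;port=4444"
    + b"\x00" * 480
)

# Two content-based indicators a scanner might rely on (both constructed here):
KNOWN_BAD_SHA256 = {hashlib.sha256(ORIGINAL_BINARY).hexdigest()}
KNOWN_BAD_STRING = b"RAT_CONFIG:"


def obfuscate(data: bytes, seed: int = 1) -> bytes:
    """Model of what an obfuscation tool does to a binary: rewrite every byte so
    the file looks different while the program it unpacks is unchanged. The
    seeded XOR keystream is purely so the demo is deterministic."""
    rng = random.Random(seed)
    keystream = bytes(rng.getrandbits(8) for _ in range(len(data)))
    return bytes(b ^ k for b, k in zip(data, keystream))


def hash_match(data: bytes) -> bool:
    """Exact-sample indicator: matches only the bytes the hash was taken over."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


def string_match(data: bytes) -> bool:
    """Fixed-string indicator: survives small edits, not whole-file rewriting."""
    return KNOWN_BAD_STRING in data


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0, 8]. Plain executables with padding sit well below 7;
    packed or encrypted content approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic flag: content looks packed or encrypted. A trigger for closer
    inspection, not proof of malice (legitimately compressed data scores high)."""
    return shannon_entropy(data) > threshold


def assess(data: bytes) -> dict:
    """Run all three checks so the reader can compare what each one sees."""
    return {
        "hash_match": hash_match(data),
        "string_match": string_match(data),
        "high_entropy": high_entropy(data),
    }


if __name__ == "__main__":
    samples = (("original", ORIGINAL_BINARY), ("obfuscated", obfuscate(ORIGINAL_BINARY)))
    for label, sample in samples:
        print(label, round(shannon_entropy(sample), 2), assess(sample))
```

On the original sample both content indicators fire and the entropy check stays quiet; on the obfuscated copy the hash and string checks both go silent while the entropy check fires. That is the practical reason detection of a RAT family cannot rest on file hashes alone, and why endpoint tooling combines content signatures with heuristics and behavioural detection.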

Blackshades in the media

In 2012, Citizen Lab and EFF reported on the use of Blackshades to target opposition forces in Syria. [7]

In 2015, Stefan Rigo from Leeds was given a 40-week suspended sentence for using BlackShades against 14 people, 7 of whom he knew personally. It is reported he paid for the software using his ex-girlfriend's payment card. [8]

In 2013, Cassidy Wolf, shortly after being crowned Miss Teen USA 2013, became a victim of sextortion when photographs of her were obtained by hacking and used in an attempt to blackmail her. [9] [10] [11] The FBI opened an investigation after Wolf reported a threatening email demanding a 'special performance' for the hacker, whom she suspected to be Jared James Abrahams, a former high school classmate. Wolf never made the video demanded, and on September 26, 2013, Abrahams surrendered to FBI agents in Orange County. In November 2013, Abrahams pleaded guilty to hacking 100-150 women and installing the highly invasive Blackshades malware on their computers in order to obtain nude images and videos of them; one of his victims was a 14-year-old girl. [12] On March 18, 2014, Abrahams was sentenced to 18 months in federal prison. [13] Legal scholar Star Kashman speculates that Abrahams used Google Dorking to find and target Wolf's webcam online, leading to the sextortion. [14]

FBI crackdown

In 2012, the FBI ran a sting operation called "Operation Card Shop", which led to the arrest of 24 hackers in eight countries. One of those arrested was Michael Hogue (known as xVisceral in online hacking communities). Hogue, a co-creator of Blackshades, was arrested and indicted on charges under 18 U.S.C. § 1030, more commonly known as the Computer Fraud and Abuse Act. He was sentenced to five years of probation and a suspended 20-year prison sentence. [4] [15]

In 2014, the FBI coordinated a worldwide operation to combat the use of the malware, leading to the arrest of almost one hundred people in nineteen countries. [3] On May 19, charges were laid in the United States against five individuals: two men identified as developers of Blackshades and three other men who sold the software or used it to infiltrate other people's computers. [16] Exactly 359 searches were conducted and more than 1,100 electronic devices were seized as part of the operation. [16] According to the FBI, over 500,000 computers in more than 100 countries were infected by the malware. [17] Blackshades typically sold for US$40, and reportedly generated US$350,000 in sales. [1]

References

  1. "Manhattan U.S. Attorney And FBI Assistant Director-In-Charge Announce Charges In Connection With Blackshades Malicious Software That Enabled Users Around The World To Secretly And Remotely Control Victims' Computers". United States Department of Justice. May 19, 2014. Retrieved December 13, 2014.
  2. "Could your Computer be Infected by Blackshades?". FBI. Retrieved May 20, 2014.
  3. "BlackShades: Arrests in computer malware probe". BBC News. May 19, 2014. Retrieved May 19, 2014.
  4. Loyd, Jordan (June 19, 2012). "U.S. v. Michael Hogue Complaint" (PDF). blackshades.net. United States Department of Justice. Archived from the original (PDF) on December 26, 2014.
  5. Kujawa, Adam (June 15, 2012). "You Dirty RAT! Part 2 – BlackShades NET". Malwarebytes UNPACKED. Malwarebytes Corporation. Retrieved December 31, 2014.
  6. Hoffman, Patrick (May 16, 2014). "U.S. v. Brendan Johnston Complaint 14 Mag 1086" (PDF). United States Department of Justice. p. 8.
  7. Marquis-Boire, Morgan; Hardy, Seth (June 19, 2012). "Syrian Activists Targeted with Blackshades Spy Software"; Marquis-Boire, Morgan; Galperin, Eva (July 12, 2012). "New Malware Targeting Syrian Activists Uses Blackshades Commercial Trojan".
  8. Rigo, Stefan (October 8, 2015). "Webcam hacker spied on sex acts with BlackShades malware". BBC News.
  9. "Cassidy Wolf: Miss Teen USA 'Sextortion Victim'". Sky News. August 16, 2013. Archived from the original on June 10, 2016. Retrieved September 12, 2013.
  10. "Cassidy Wolf, Miss Teen USA, claims she was extorted by an online hacker, report says". CBS News. August 14, 2013. Archived from the original on November 21, 2013. Retrieved September 12, 2013.
  11. "Miss Teen USA hacker jailed for 18 months". BBC News. March 18, 2014. Archived from the original on November 22, 2017. Retrieved June 20, 2018.
  12. Moss, Caroline (March 18, 2014). "Hacker Who 'Sextorted' Miss Teen USA Gets 18 Months In Prison". Business Insider. Archived from the original on December 25, 2016. Retrieved March 19, 2014.
  13. "Miss Teen USA webcam hacker Jared James Abrahams sentenced to 18 months in prison". The Independent. March 18, 2014. Archived from the original on October 5, 2017. Retrieved March 19, 2014.
  14. Kashman, Star (2023). "Google Dorking or Legal Hacking: From the CIA Compromise to Your Cameras at Home, We Are Not as Safe as We Think". Wash. J. L. Tech. & Arts. 18 (2).
  15. "Manhattan U.S. Attorney And FBI Assistant Director-In-Charge Announce 24 Arrests In Eight Countries As Part Of International Cyber Crime Takedown". United States Attorney's Office for the Southern District of New York. Archived from the original on January 1, 2015.
  16. "BlackShades malware bust ends in nearly 100 arrests worldwide". CBS Interactive. May 19, 2014. Retrieved May 20, 2014.
  17. "More than half million computers worldwide infected with BlackShades malware". Big News Network. Retrieved May 20, 2014.