[Guide] How To Remove, Back-Trace, Detect, and Prevent a RAT Virus

by AFG - 10-09-2016 - 04:17 AM
Posts:
91

Reputation:
19

Credits:

GoldDiamondKnight
The One and Only
Diamond
Posts:
91

Threads:
18

Joined:
Oct 2016

Likes:
56

Credits:

Reputation:
19

Warning Level:

2 Years Of Service
GoldDiamondKnight
#1
OP
Posted: 10-09-2016 - 04:17 AM
RAT Prevention, Detection, Back-Tracing, and Removal

First of all, a RAT is a "Remote Administration Tool" (very popular in hacking community). What it does is start a server on your computer so that the "hacker" (I don't really consider people who RAT to be hackers) can connect to your computer. A RAT allows the "hacker" to basically control your computer remotely (probably can control the computer even better than you). 

In this tutorial, I will be covering the following subjects.

-Signs that you are infected
-What to do if you think you have a RAT on your computer and how to remove it
-How to track the person who infected you and maybe hack them!
-How to prevent this in the future


PART 1: SIGNS THAT YOU HAVE BEEN INFECTED



Alright, if you have read any good tutorials on RATs, you will know that RATs give you the power to do almost anything to another person's computer including: Browse their files, access their webcam, keylog, restart their computer, disable mouse etc. Some common things that will signify that you have a RAT on your computer are


-Webpages randomly close
-CMD opens up for no reason (CMD is the little black window)
-You are redirected to websites even if you type in a different URL
-Your webcam light switches on (this is a huge one! There should be no reason whatsoever why your webcam is randomly switching on unless you are video chatting with someone)
-Files are deleted without you knowing
-There are processes in the task manager that you don't recognize 
-There are processes of your web browser (EX. chrome.exe or iexplore.exe) open in the task manager even when you don't have any windows open.
-There are signs that another person has accessed your email or other accounts


There are many more than this but these are the most obvious ones. The most obvious one is probably the webcam since I don't know many people that could resist the temptation of accessing someone's webcam. There is no reason why your webcam should switch on unless you are taking a picture of yourself with your webcam or doing a video chat.

Please note that many RATs (including the most popular ones: Cybergate and Darkcomet), usually inject into the default browser meaning that, the RAT process actually looks like it's an internet process such as chrome.exe or iexplore.exe. So if you don't have any webpages open and you see a process like the ones above, you can almost be sure that something funny is going on.


PART 2: WHAT TO DO IF YOU THINK YOU HAVE A RAT ON YOUR COMPUTER | HOW TO REMOVE THE RAT


Note: If you wish to backtrace the virus to the hacker, you will have to do it before you remove the virus/close the connection. To do this, go to step 3 but be sure to come back to this section to find out how to remove the RAT.

So let's say that your webcam light has been switching on randomly and you are pretty sure that you have a RAT. There are many steps to take to ensure that the "hacker" doesn't get his way. First thing I would personally do is put a sticky note or something to cover up the webcam so that the hacker can't see if we are at the computer or not (some hackers will use the webcam to see if you are at the computer or not before they do something)

Here are some tools that we will use to ensure that the RAT cannot access our files or connect to the internet. There are also some files that will help us remove the RAT. All of the files listed are completely free.


Malwarebytes Anti-Malware - This is my life line. It's a scanner that will scan all of your files and attempt to detect the RAT and delete it. Just download the free version and set it up. This tool is probably the most recommended scanner.

Avast Antivirus - This is probably the most popular, free antivirus out there. If you already have a paid one, stick with it. ESET is the best paid antivirus out there but if you need a free one, Avast is the way to go.


Now we are going to try and find out exactly what file the RAT is called. To do this, we are going to use the command prompt which comes with Microsoft Windows. To open up this tool, go to the start menu > all programs > accessories > command prompt. Or you can just search for cmd in the search box or run tool. After doing that and maybe copying this tutorial into a word document for reference, you should close all open internet windows.

Now in the black window that should pop up, we are going to use the following command.


Code:
Code:
netstat -b


You might have to run command prompt as administrator to use this command. 

This will display all the files in your computer that are responsible for what connections to the internet. Since we have just closed all of the internet windows, there should not be any connections (unless you have a program running that has the option to be updated from the internet or a VPN or something). If you are RATed, you should see a suspicious looking file that is opening up a connection. Note what that file is called and try and figure out where you downloaded that file.

After doing that, you should immediately disable your internet (or just block the connection that you know that the RAT is responsible for). I would just disable your internet since you don't need it for now and it's better to be on the safe side.


Now that your internet connection is disabled, the "hacker" will not be able to access your computer since he has not way of connecting to it. For all he knows, you just turned off your computer. It's better if the hacker doesn't know that you know that you have a RAT because if he thinks that you are about to delete the RAT, he might just go crazy and wreck your computer before you do it.

Anyways, we will now do a quick scan with malwarebytes. Also, before you do the scan, you should update malwarebytes, just go to the update tab and click the button that says "check for updates". Please note that it's usually better to do a quick scan since it's literally about 20 times faster since a full scan scans EVERY one of your files which can in some cases, take hours. However, if you have the patience, there is no harm in doing a full scan since the hacker can't do anything for the moment.

Before you commence a scan you

-CLOSE all windows
-CLOSE all webpages (but we should've already done that)
-DO NOT run more than one scan at a time




Now, if no files were detected, it should display a pop up message saying that no malicious items were detected. If you are absolutely sure that you have a RAT, it could be that the RAT was scan-time crypted which means that malwarebytes will not detect it (this is not as likely since most people prefer to have run-time, some crypters can do both scan-time and run-time)

Scan-time crypted = It will not be detected from a scan
Run-time crypted = It will not be detected when you run the file

But don't despair just yet, their are still things that we can do that we will discuss soon.

If you did detect something, the window should display infected files.



When you click the "show results" button, it will show you what file was detected, what it was detected as (Ex. Trojan or adware or virus or worm), and exactly where the file is (the path). Now, you must look closely and see what files were detected since it's possible that it thought that something was a virus when it wasn't.

So you must put a check mark beside the files that you don't recognize because those are most likely viruses (they will often, but not always, be installed in appdata and have a registry key (something like HKCU\Software\...)) Then click "remove selected" and Malwarebytes will attempt to remove the files with a check mark next to them. After it is done (should only take a few seconds), it may ask you to restart your computer. Restart it even if it doesn't ask you to just to be on the safe side.

When your computer starts back up, before any other files starts (such as the RAT), Windows Firewall will monitor exactly what each startup file is trying to do. So if your RAT was not deleted for some reason, the firewall will definitely catch it trying to access your files or the internet. Block the connection and go to the next steps since it seems that Malwarebytes failed. If nothing out of the ordinary happens, than you are done.

Back when you used netstat -b you should have seen what file the RAT was (please note that just deleting it won't do anything at all). So you should do what all hackers hate. Upload that file to virustotal.com. The reason hackers hate it is because virustotal.com distributes what people upload there, to the antivirus companies and in a few days to a week, the antivirus companies will have decompiled (taken apart) the file and updated their antiviruses to detect it as a virus if they found malicious code in it.

So if you do this, in about a week or less, Avast (which you should've installed earlier, unless you already have a good AV), should be updated to detect that file. Only turn on your internet in that week to check for updates to Avast so that the hacker has little chance of accessing your computer or updating his server with a new crypted one.


Finally, if all else fails, try to do a system restore. Do this by going to the start menu and searching for the file System Restore. The file is in C:\Windows\System32 and is called rstrui.exe if for some reason the search failed.

A system restore will basically take your computer and reconfigure it so that it was exactly the same as it was at a previous date. With this, you can reset your computer to a month ago before you downloaded the RAT. If anything, the system restore will undo the changes to the registry so that the RAT at least won't start up every time you start your computer.


If you are sure you are infected, also, make a thread in the MRT section here and they can give you even further information, more specific to your situation.

These are all of the methods that I know of removing a RAT, if you have any other methods, post them below and I will do my best to update the tutorial.



PART 3: TRACKING AND MAYBE, HACKING THE HACKER


Please note that I got the wireshark part of it from a tutorial I read that was made by Anonymous, located here. The rest was from me learning some batch and reading around lots of other tutorials that are too numerous to list.

So to start, we are going to use some variations of the netstat command (we used this earlier if you read that part first). Netstat is used to display connections to your computer and the letters that come afterwards (such as -a -n -b) are used to modify the command to fit your needs.


In this situation, we will use


Code:
Code:
netstat -an


The -a forces it to display all connections, listening and established and the port
The -n forces the window to display the connections in numerical value
You can use netstat -h to view all of the other letters that you can use to modify the command and what each of them do.

Since it displays all connections, there can sometimes be a lot, so to make it easier on yourself, you should close all webpages so that you have less connections to worry about.

Anyways, this will display all connections to your computer and what port it's listening on. 127.0.0.1 is your localhost (your own computer) which means that it's a connection from your own computer, which means that it's safe since the connection belongs to you. If the foreign address is 192.168.1.something, it belongs to your LAN, which means it belongs to one of the computers on your network. This would happen if maybe you had a shared folder or something.

What you should look out for is the foreign address column and watch out for super high ports. If you see a port such as 80 or 445, it's fine but once you start getting into port 78 324 and things like that, you should be very suspicious, especially if you don't have any files that should be establishing a connection. Note that if you have an AV or some other type of file running, it might be establishing a connection since it's constantly checking for updates.

Anyways, once you have ruled out the safe connections, you are left with the random, suspicious ones. If you copy them (to copy in command prompt, you can't use ctrl + C, you must right click > mark > highlight what you want to copy > right click again > and paste it wherever you want), and paste them into the address bar of your web browser, if it's a website, you will visit the website that owns that ip. If nothing shows up as a website, you can pretty much assume that that ip belongs to your attacker.

Another way to find out who's connected to you (my preferred method) is to use the code


Code:
Code:
netstat -b


This displays what files are responsible for what connections and what they are connected to (maybe a website, maybe a server, maybe your hacker!) If you get a website (most people use a website to redirect people to their ip), you can resolve it to an ip by going to this website ip resolver.

Note: If the hacker was using a VPN, this will not work since all you will get from using netstat is the VPN address. However, the next method will not be affected whatsoever by a VPN.

Back tracing the RAT is good and all but where the real satisfaction comes from is if you can beat the hacker at his own game by hacking him! To accomplish that, we will use a program called wireshark which can be downloaded from wireshark.org. Wireshark is a packet sniffing program, it will monitor and record, and capture any and all packets sent and received by your network.

Often, RATs will send the logs of the keystrokes by FTP server or email (SMTP). When someone configures the RAT, they have to enter in the password to the sending email address or the receiving FTP account. That means that most times, the password and username should be contained in the captured packets. So all you have to do is start up wireshark, select your network adapter, and start capturing packets! Leave it capturing for about 30 minutes or more for best results.

Now at the top, in the text box (the search filter), type in FTP. If you are lucky you might be able to get a packet that he sent to his FTP account. To send something to your own account, you must have the username and password, meaning that the packet may contain the username and password, used to access his account. If there is nothing there, that means that he might be sending the keylogs by email. To get the packets for email, type into the box - SMTP. This may contain his email ID and password for the same reasons as the FTP.

This won't work all the time but it's definitely worth trying.


PART 4: HOW TO PREVENT THIS FROM HAPPENING IN THE FUTURE


-NEVER open email attachments from people that you don't know
-NEVER run an unfamiliar file without scanning it with malwarebytes
-NEVER run an unfamiliar file without first running it in sandboxie which can be downloaded here

-ALWAYS keep your antivirus, malwarebytes updated.
-NEVER run java applets on sites that are not guaranteed to be trusted

Posts:
64

Reputation:
22

Credits:

GoldDiamondEmeraldCredit WhoreKnight
Emerald Member
Emerald
Posts:
64

Threads:
8

Joined:
Aug 2016

Likes:
20

Credits:

Reputation:
22

Warning Level:

2 Years Of Service
GoldDiamondEmeraldCredit WhoreKnight
#2
Posted: 10-09-2016 - 05:04 AM
Great thread.
As a """"vigilante"""" of the skype chats I'm in, I'll do this's though a VM.
This helps me screw with the skids who go around ratting.

A HUGE problem, is a lot of them a FUD, or fully undetected, so Virus Scans won't do shit.

A little tip I have, is to scan it on Virus Total, a LOT of times. This will increase the detectability of the file

I had a program that did that last step for me, however when my computer died, ALL of my code was lost, so there's that
Posts:
91

Reputation:
19

Credits:

GoldDiamondKnight
The One and Only
Diamond
Posts:
91

Threads:
18

Joined:
Oct 2016

Likes:
56

Credits:

Reputation:
19

Warning Level:

2 Years Of Service
GoldDiamondKnight
#3
OP
Posted: 10-09-2016 - 05:20 AM
(10-09-2016 - 05:04 AM)Keeper Wrote: Great thread.
As a """"vigilante"""" of the skype chats I'm in, I'll do this's though a VM.
This helps me screw with the skids who go around ratting.

A HUGE problem, is a lot of them a FUD, or fully undetected, so Virus Scans won't do shit.

A little tip I have, is to scan it on Virus Total, a LOT of times. This will increase the detectability of the file

I had a program that did that last step for me, however when my computer died, ALL of my code was lost, so there's that
Alright :)

If you have ESET NOD32 (paid anti-virus), it will detect the crypted / FUD rat within hours after an update to the crypter. So if a crypter becomes FUD again after an update, ESET will be the only anti virus to catch it the same day of it being FUD. 

For example, the popular Cyber Seal crypter doesn't even allow ESET to be installed on your PC.

[Image: fcc004cfcfe74d5db71c868d7c19adea.png]

Another thing I've seemed to notice is that malwarebytes detects crypted rats as well. I've done a few tests and I can confirm it can catch those skiddy viruses. So all in all, if you can, I highly suggest you get ESET NOD32 whether buying it or getting a cracked license ( which I did lol) and you won't have to worry about catching a rat at all. :)

Yes, scanning a rat through virustotal does indeed increase the detection :)
Posts:
26

Reputation:
0

Credits:

Novice Member
Posts:
26

Threads:
0

Joined:
Jul 2017

Likes:
0

Credits:

Reputation:
0

Warning Level:

1 Year Of Service
#4
Posted: 07-29-2017 - 04:35 PM
Thanks bro it worth the share more power and release! :D
Posts:
2

Reputation:
0

Credits:

Rookie User
Posts:
2

Threads:
1

Joined:
Nov 2017

Likes:
1

Credits:

Reputation:
0

Warning Level:

1 Year Of Service
#5
Posted: 11-12-2017 - 12:41 PM
Hi bro. Great thread.
Posts:
5

Reputation:
0

Credits:

Rookie User
Posts:
5

Threads:
0

Joined:
Jul 2018

Likes:
0

Credits:

Reputation:
0

Warning Level:

#6
Posted: 10-02-2018 - 03:09 PM
thanks for sharing, well explained guide
Posts:
88

Reputation:
0

Credits:

Candy Cane
Junior Member
Posts:
88

Threads:
6

Joined:
Feb 2018

Likes:
1

Credits:

Reputation:
0

Warning Level:

Candy Cane
#7
Posted: 01-16-2019 - 10:15 PM
Awesome! great stuff to know.

[Image: qrcode.png]
Posts:
79

Reputation:
14

Credits:

Gold
The Guru
Gold
Posts:
79

Threads:
15

Joined:
Aug 2016

Likes:
4

Credits:

Reputation:
14

Warning Level:

2 Years Of Service
Gold
#8
Posted: 01-16-2019 - 11:08 PM
I’ll stop you there buddy. This is limited to certain windows versions.
If you were to have the education of windows. You’d know using CMD isn’t the way.
The way to do it is to use PowerShell.

I will say nothing more.
Posts:
31

Reputation:
0

Credits:

Novice Member
Posts:
31

Threads:
8

Joined:
Jun 2018

Likes:
0

Credits:

Reputation:
0

Warning Level:

#9
Posted: 01-17-2019 - 08:27 PM
Welp, time to do some hacker shit i guess...
Posts:
20

Reputation:
0

Credits:

Rookie User
Posts:
20

Threads:
1

Joined:
Dec 2018

Likes:
0

Credits:

Reputation:
0

Warning Level:

#10
Posted: 01-18-2019 - 08:14 PM
nice thread man will help some people




USERS BROWSING THIS THREAD:  2 Guest(s)
"Join for the content, stay for the community."
© All Rights Reserved DemonForums.
© 2015-2018 / DemonForums
Server time: 01-21-2019, 03:29 AM (1184 Days Online)