  1. #1 KevinBlackburn (Join Date: Sep 2012; Location: 'MERICA; Posts: 982; In-Game Name: Kevin Blackburn)

    Protection from RATs as well as the UAE DM team (people attacking the server and members)

    Cody (Byt3) and I have found many of the ways a lot of the members have been getting infected. I will be writing a guide on how to stay protected.

    1. Go ahead and install a free antivirus. It is better than nothing. I recommend Avast; it's a great antivirus, located at this website: http://www.avast.com/en-us/index

    2. The way the UAE DM team have been infecting members is through a Java Drive By (AKA: JDB). What a Java drive-by is: a Java message will pop up on your screen looking like this: if you push "Run" it will install a RAT on your computer. A RAT is a tool that allows the person to have full control of your computer. NOTE: Not everything that looks like the popup above is a RAT. For example, when playing the game RuneScape it will pop up. Those are safe, but if someone sends you a random site and that pops up, DON'T push Run. It will infect you, which is how multiple of our members have gotten infected.

    3. One quick tool to use is this: http://download.bshades.eu/download....detect.torrent
    It was made by a company that creates malware, but this tool detects any RATs on your computer. Yes, it is created by someone that creates malware, but they also made a tool to detect any malware on your computer; don't worry, it is 100% safe.



    Cody and I have been looking into this for a while; we have traced the IPs which the RATs are resolving to, enabling us to match them up on the forums. All members found ratting people will be found, banned and most likely reported. If anyone suspects themselves of being infected, PLEASE feel free to contact me or Cody; we would like to take the program and reverse engineer it to trace the IP.

    PS:
    To get rid of a very common RAT going around SARP, type this in:
    Quote Originally Posted by Byte View Post
    By the way, if you think you were infected by this virus, run this command. It will remove this RAT, I've examined it quite closely.

    Code:
    taskkill /f /im "msdcsc.exe" & del %UserProfile%\Documents\MSDCSC\msdcsc.exe
    PPS:
    Another good tip only IF YOU KNOW WHAT YOU'RE DOING!!
    Quote Originally Posted by Jord View Post
    Another way to check you have one is to open Task Manager, hit "View" and "Select Columns" and make sure "PID" is showing.



    Then open command prompt (Start > cmd.exe) and type in:
    Code:
    netstat -ano


    Scroll up the command prompt a little and you'll see the list of IPs, and it will say "Established" or "Listening" or "Something_Wait" (highlighted in red); look for the ones that say Established, and the number next to it is their PID (highlighted in green).


    Then, back in Task Manager, you can read the PIDs from cmd.exe and match them up with the processes running on your PC by looking at the "Processes" and "Services" tabs of Task Manager.

    Most of the IPs from the cmd.exe will return to things like Firefox, Chrome, Skype and whatnot, but if you find any IPs that definitely do not link up with a Process running, it could potentially be the IP of the RAT.
    Thank you.
    Last edited by KevinBlackburn; 4th July 2013 at 12:01 PM.


    Me owning a hitman:
    [spoiler]

    [/spoiler]



    Quote from the Wonderful John Wahl:


    Quote from the Wonderful Cody (Byt3):

  2. Thanks Todd Stark, Cranium™, Luka Hawthorne thanked for this post
    Likes Hollohan, Teodor, Harry_Thorne, , Jord and 5 others liked this post
    Dislikes Walter Greyson disliked this post
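The PID-matching routine Jord describes in the post above (read `netstat -ano`, keep the ESTABLISHED rows, match each PID against the running processes, and treat any connection that does not line up with a known program as worth a look), as an added Python example that is not part of the thread or anyone's posted code. It parses constructed sample output of the real Windows commands `netstat -ano` and `tasklist /fo csv /nh`; the sample rows, the `EXPECTED_NETWORK_PROCESSES` allow-list, and the reuse of the msdcsc.exe filename from Byte's quoted command are constructed for illustration, and one row (PID 7777) deliberately has no matching process so that the "does not link up with a process" case is exercised.

```python
import csv
import io
import re

# Constructed sample of `netstat -ano` output (not captured from a real host).
# Port 1604 on PID 5288 stands in for the kind of non-browser connection the
# thread says to look at; PID 7777 has no matching tasklist row on purpose.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.1.10:49712     93.184.216.34:443      ESTABLISHED     4120
  TCP    192.168.1.10:49801     203.0.113.77:1604      ESTABLISHED     5288
  TCP    192.168.1.10:49820     198.51.100.9:443       ESTABLISHED     3316
  TCP    192.168.1.10:49900     198.51.100.50:8080     ESTABLISHED     7777
  TCP    127.0.0.1:49155        127.0.0.1:49156        TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    4120
"""

# Constructed sample of `tasklist /fo csv /nh` output
# (image name, PID, session name, session number, memory usage).
TASKLIST_SAMPLE = """\
"svchost.exe","904","Services","0","12,344 K"
"chrome.exe","4120","Console","1","210,112 K"
"msdcsc.exe","5288","Console","1","8,820 K"
"Skype.exe","3316","Console","1","95,000 K"
"""

# Programs you expect to hold outbound connections on this machine (assumed
# allow-list; tune it per host). Anything else that is ESTABLISHED gets reported.
EXPECTED_NETWORK_PROCESSES = {"chrome.exe", "firefox.exe", "skype.exe"}

# One netstat row: proto, local, remote, optional state (UDP rows have none), PID.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return a list of (proto, local, remote, state, pid) from `netstat -ano` text."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, local, remote, state or "", int(pid)))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` text."""
    procs = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            procs[int(row[1])] = row[0]
    return procs


def suspicious_connections(netstat_text, tasklist_text, expected=EXPECTED_NETWORK_PROCESSES):
    """ESTABLISHED connections whose PID maps to no process or to one outside the allow-list."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        if state != "ESTABLISHED":
            continue
        # A PID with no tasklist row is the "IP that does not link up with a process" case.
        name = procs.get(pid, "<no matching process>")
        if name.lower() not in expected:
            findings.append({"pid": pid, "process": name, "local": local, "remote": remote})
    return findings


if __name__ == "__main__":
    for f in suspicious_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {f['pid']:<6} {f['process']:<24} {f['local']} -> {f['remote']}")
```

On a live host, feed the two parsers the actual output of `netstat -ano` and `tasklist /fo csv /nh` (both run from an elevated prompt so every PID is visible). A hit only means the owning process is not on your allow-list; confirm it by opening the file location of that process, as the thread suggests, before acting on it.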
  3. #2 Justin Fakie (Join Date: Jul 2012; Location: /find; Posts: 4,128)
    I was RATted not long ago and I took care of it. It's freaky to know some fuck boy from who knows where can be watching you, especially when you talk to people about personal things on messengers. Good looks on this thread, Blackdick.

    I just want to say that the leader of Team UAE said he's going to jail LOL



  4. Thanks KevinBlackburn thanked for this post
    Laughed at SkrilleX, Klash, Hen C, Brad, Sabrina laughed at this post
    Likes Jackie_jack, Todd Stark, Sabrina liked this post
    Dislikes Walter Greyson disliked this post
  5. #3 Aldo (Join Date: Oct 2012; Age: 31; Posts: 1,270; In-Game Name: Aldo)
    Thanks for sharing, not hard to do it though.

  6. Thanks KevinBlackburn thanked for this post
    Dislikes Walter Greyson disliked this post
  7. #4 KevinBlackburn (Join Date: Sep 2012; Location: 'MERICA; Posts: 982; In-Game Name: Kevin Blackburn)
    Quote Originally Posted by Aldo™ View Post
    Thanks for sharing, not hard to do it though.
    If you know what you're doing. My guess is it's your first time seeing a JDB? Those things are tricky.



  8. Dislikes Walter Greyson disliked this post
  9. #5 Benjamin_Williams (Guest)
    The only way back from getting ratted is to completely reformat your hard disk and re-install your operating system. If you are getting ratted by things like this and visiting these dodgy sites then all the antiviruses won't protect you from yourself. You could have a completely secure system and an unknowing user. Everyone should not be using Internet Explorer and instead be using Firefox or Chrome with the extensions NoScript and Adblock.

  10. Dislikes byt3, KevinBlackburn disliked this post
    Hated byt3, KevinBlackburn hated this post
    WTF'd Ryan Crowley WTF'd this post
  11. #6 Banned user (Join Date: May 2013; Location: Aint nobody got time for that; Posts: 190; In-Game Name: Daniel Hayawrd Gavin Hayward)
    Thanks man.

  12. Thanks KevinBlackburn thanked for this post
    Dislikes Walter Greyson disliked this post
  13. #7 KevinBlackburn (Join Date: Sep 2012; Location: 'MERICA; Posts: 982; In-Game Name: Kevin Blackburn)
    Quote Originally Posted by Benjamin_Williams View Post
    The only way back from getting ratted is to completely reformat your hard disk and re-install your operating system. If you are getting ratted by things like this and visiting these dodgy sites then all the antiviruses won't protect you from yourself. You could have a completely secure system and an unknowing user. Everyone should not be using Internet Explorer and instead be using Firefox or Chrome with the extensions NoScript and Adblock.
    Please don't post false things; this is completely not true at all. All you need to do is end the process and delete the main exe installed on your computer, and also remove it from msconfig startup.



  14. Thanks Timmy_Jimmy thanked for this post
    Dislikes Walter Greyson disliked this post
  15. #8 Benjamin_Williams (Guest)
    Quote Originally Posted by KevinBlackburn View Post
    Please don't post false things; this is completely not true at all. All you need to do is end the process and delete the main exe installed on your computer, and also remove it from msconfig startup.
    You're wrong in the fact that you accuse my post of being incorrect. Most RATs don't have a process you can end and hook on to already running Windows processes and services like svhost.exe. The average user probably won't even be able to locate the main executable, as when the infected file is run it usually infects the Windows process; then when that Windows process is run (on startup), so is the virus.

    All RATs and viruses are different so it is difficult to speak generally.

  16. Dislikes byt3 disliked this post
    Hated byt3, KevinBlackburn hated this post
  17. #9 KevinBlackburn (Join Date: Sep 2012; Location: 'MERICA; Posts: 982; In-Game Name: Kevin Blackburn)
    Quote Originally Posted by Benjamin_Williams View Post
    You're wrong in the fact that you accuse my post of being incorrect. Most RATs don't have a process you can end and hook on to already running Windows processes and services like svhost.exe. The average user probably won't even be able to locate the main executable, as when the infected file is run it usually infects the Windows process; then when that Windows process is run (on startup), so is the virus.

    All RATs and viruses are different so it is difficult to speak generally.
    The fact that I am even arguing this right now is crazy. 1. All fucking programs have a process, so hence they can be ended. Second, they don't "hook" onto another service; you will just see an extra svhost.exe in your processes. And third, the exe is very easy to find, as you open the file location of the unknown process, as well as using Wireshark. Please stop posting false info on the thread.



  18. Dislikes Walter Greyson disliked this post
  19. #10 Benjamin_Williams (Guest)
    Quote Originally Posted by KevinBlackburn View Post
    The fact that I am even arguing this right now is crazy. 1. All fucking programs have a process, so hence they can be ended. Second, they don't "hook" onto another service; you will just see an extra svhost.exe in your processes. And third, the exe is very easy to find, as you open the file location of the unknown process, as well as using Wireshark. Please stop posting false info on the thread.
    It's called an injection. There is no false info. I don't know why you're so determined to say this info is false, I suspect you have other motives.

    I'll just agree to disagree with you because clearly we both have a different idea of how things work.
    Last edited by dsfsdfdsfsdfds; 3rd July 2013 at 07:52 PM.

  20. Hated KevinBlackburn hated this post
  21. #11 KevinBlackburn (Join Date: Sep 2012; Location: 'MERICA; Posts: 982; In-Game Name: Kevin Blackburn)
    Quote Originally Posted by Benjamin_Williams View Post
    It's called an injection. There is no false info. I don't know why you're so determined to say this info is false, I suspect you have other motives.

    I'll just agree to disagree with you because clearly we both have a different idea of how things work.
    Because it is wrong; all programs have processes, you are giving out false info to SARP... Also, injection doesn't stop the program from having a process unless it has access to ring0, which no RAT does at the moment.



  22. Dislikes Walter Greyson disliked this post
  23. #12 Benjamin_Williams (Guest)
    Quote Originally Posted by KevinBlackburn View Post
    Because it is wrong; all programs have processes, you are giving out false info to SARP... Also, injection doesn't stop the program from having a process unless it has access to ring0, which no RAT does at the moment.
    Ok. I am not giving out false info. You seem determined to disprove everything I say. Please consult http://en.wikipedia.org/wiki/Rootkit .

    Bootkits

    A kernel-mode rootkit variant called a bootkit is used predominantly to attack full disk encryption systems, for example as in the "Evil Maid Attack", in which a bootkit replaces the legitimate boot loader with one controlled by an attacker; typically the malware loader persists through the transition to protected mode when the kernel has loaded. For example, the "Stoned Bootkit" subverts the system by using a compromised boot loader to intercept encryption keys and passwords. More recently, the Alureon rootkit has successfully subverted the requirement for 64-bit kernel-mode driver signing in Windows 7 by modifying the master boot record.
    The only known defenses against bootkit attacks are the prevention of unauthorized physical access to the system—a problem for portable computers—or the use of a Trusted Platform Module configured to protect the boot path.
    Quick Google search revealed:

    https://www.underground.org.mx/index.php?topic=28482.0
    http://c0decstuff.blogspot.co.uk/201...-and-dkom.html
    Last edited by dsfsdfdsfsdfds; 3rd July 2013 at 08:07 PM.

  24. Laughed at Walter Greyson laughed at this post
    Likes Percy_Peterson liked this post
    Hated KevinBlackburn hated this post
  25. #13 Luke Shiels (~skeggers, Retired Administrator; Join Date: Jun 2011; Location: England, Kent; Age: 29; Posts: 3,431; In-Game Name: lufe helf)
    R@t alerts~
    "I'm searching you mate
    Your jaw is all over the place"

  26. Laughed at Ryan Crowley, KevinBlackburn laughed at this post
  27. #14 (10 Year Veteran; Join Date: Sep 2011; Location: Heaven; Posts: 1,500; In-Game Name: Chin®)
    Who still opens mail attachments from unknown senders in this day and age? Ugh... if only there was a patch for human stupidity.

    PS: This doesn't explain how they get our e-mail addresses. Either the admin team is handing out e-mail addresses as they were handing out IPs a while back, or I call this false. Nice try though.


  28. Laughed at Walter Greyson laughed at this post
  29. #15 KevinBlackburn (Join Date: Sep 2012; Location: 'MERICA; Posts: 982; In-Game Name: Kevin Blackburn)
    Quote Originally Posted by Benjamin_Williams View Post
    Ok. I am not giving out false info. You seem determined to disprove everything I say. Please consult http://en.wikipedia.org/wiki/Rootkit .



    Quick Google search revealed:

    https://www.underground.org.mx/index.php?topic=28482.0
    http://c0decstuff.blogspot.co.uk/201...-and-dkom.html
    Clearly you have no idea what you're talking about. I said ring0. ring0 = rootkit; there is no RAT right now that has ring0, case closed.



  30. Dislikes Walter Greyson disliked this post
  31. #16 Emily Grey (Soldier; Join Date: Nov 2012; Location: A corn field; Age: 34; Posts: 3,140; In-Game Name: Emily Grey)
    How did y'all manage to turn this one into an argument?
    big changes are here, more soon stay tuned

  32. Thanks Moke_Clark thanked for this post
    Laughed at KevinBlackburn laughed at this post
    Likes Timmy_Jimmy liked this post
    Dislikes Walter Greyson disliked this post
  33. #17 KevinBlackburn (Join Date: Sep 2012; Location: 'MERICA; Posts: 982; In-Game Name: Kevin Blackburn)
    Quote Originally Posted by Emily Grey View Post
    How did y'all manage to turn this one into an argument?
    It's not really an argument, it's more false info from a member, but he refuses to notice it. Just ignore it lol.



  34. Dislikes Walter Greyson disliked this post
  35. #18 Kanji (Join Date: Oct 2010; Posts: 570; In-Game Name: Kanji_Yakamura Haruko_Yakamura)
    Good job Blackburn, good job...

  36. Thanks KevinBlackburn thanked for this post
    Dislikes Walter Greyson disliked this post
  37. #19 Justin Fakie (Join Date: Jul 2012; Location: /find; Posts: 4,128)
    Quote Originally Posted by Benjamin_Williams View Post
    The only way back from getting ratted is to completely reformat your hard disk and re-install your operating system. If you are getting ratted by things like this and visiting these dodgy sites then all the antiviruses won't protect you from yourself. You could have a completely secure system and an unknowing user. Everyone should not be using Internet Explorer and instead be using Firefox or Chrome with the extensions NoScript and Adblock.
    Not true. Find the location of the process, close the process, disable it on startup, delete the file in the location of the process containing the RAT, and problem solved. Many RATs are made by skids and people who use tuts or some bootleg crap.



  38. Likes Dylan., KevinBlackburn liked this post
    Dislikes Walter Greyson disliked this post
  39. #20 KevinBlackburn (Join Date: Sep 2012; Location: 'MERICA; Posts: 982; In-Game Name: Kevin Blackburn)
    Quote Originally Posted by Justin Fakie View Post
    Not true. Find the location of the process, close the process, disable it on startup, delete the file in the location of the process containing the RAT, and problem solved. Many RATs are made by skids and people who use tuts or some bootleg crap.
    'Bout time someone else posts stating he is wrong. My guess is he is going to come back and still argue it, but whatever.



  40. Dislikes Walter Greyson disliked this post
 

 
