It is Saturday night and Suzanne (name changed) is in her Miami home, hunched over her laptop. The house is quiet, save for the keyboard tapping, when a message from nowhere pops on her screen: "Hi Suzy." The 19-year-old feels a chill. She is visible from afar on a hacker's computer. He has taken control of her machine with a remote administration tool, rat in short, and is now able to see her through the webcam, rummage her files and listen in through her microphone. Next, her mouse and keyboard freeze and a Notepad file starts typing - by itself. She looks up: the tiny light beside her webcam glows. She gazes fearfully into the lens, wondering if someone's watching, when a message pops again, saying the hacker knows all about her. To prove it, he starts talking about her room, the colour of her walls, the pattern on her sheets, and her Facebook messages. Scared out of her wits, she reaches for the power switch and flicks it off.
Far away, the hacker, Sachin, opens his control panel, on which he can see all his victims, or 'slaves', through their webcams. Besides providing a host of fun tools for messing with his slaves, the panel shows their locations and the status of their machines. "I can hide their Windows Start button or the taskbar or the clock or the desktop or record their keystrokes and, thereby, their passwords," he says in an email interview.
"Ratting is easy," says Sachin. "It is the setting up of the software which is difficult." For those who can't manage on their own, best-seller author Sachin hawks his expertise on hackforums.net in the latest edition of his e-book, Spreading Guide v7.0, which costs £15 (around Rs 1,500). Readers are told they can pick up to 3,000 slaves a day. And if this handholding isn't enough, one can simply buy slaves from more successful ratters for up to $50 a piece. "The auction market for slaves has been good and consistent. The US slaves come cheap as there are too many of them. Everyone's got the US covered," says Sachin, who narrated the Suzanne story.
Also, Sachin chillingly discloses, "people offer free coaching for beginners on Skype". A 15-year-old from Amsterdam who goes by the name of Blue Sky on hackforums.net says he is a mentor to many. "The basics of cyber-peeping haven't changed much: just get your target to download an e-mail attachment or click a link that triggers an automatic download, activate the camera, then sit back and watch." Then there is free rat software like DarkComet and non-free ones like BlackShades. Ritesh Chopra, country manager (India & SAARC), Norton by Symantec, the maker of anti-virus software, says: "The ones for sale can cost up to $250. Add-on services such as fully undetectable crypting and set-up cost between $20 and $50." By using these, Sky says building an army of slaves is child's play.
To fish for slaves, many employ social engineering tricks. Lonely Fox messages random people on Facebook and infects them. "With the right words, anything is possible." There are others who make drive-by sites that look like a picture from Facebook and say something like "this is an ugly picture of you" or "is this you in the picture?" This tempts some to click and then they become slaves. Some create a fake Facebook account, and 'like' a few Justin Bieber pages and start commenting on them: "Check out my new Bieber screensaver, it's so hot." A link is given. "Think of the thousands of people going on those pages by the minute, you will definitely get some gullible bots," says Fox. "Poor people," says Sachin, "They think they are alone in their homes, but have no idea they are the laughing stock of the underground people."
Ratters have complete control over the computers they infect. And these attacks are very silent. DarkComet even has a Fun Manager that can perform all sorts of tricks on the target. "To startle, I can open a chat window or the CD tray," Fox says. The purpose is to annoy people. Spaceboy admits: "We are all going to hell for this." Most other ratters tend to accept ratting as harmless fun. But morals generally take the back seat to mockery. Fox says he posts pictures of his 'ugly slaves', some caught picking their noses. The hurdle is the webcam: its light glows every time the camera is in use, which can alert the victim. "The first time I use a slave's cam, I send a fake Windows-like message saying the cam's software is updating and the light may go on and off," says Spaceboy. That puts off suspicion. Pankaj Jain, director, ESET India, another maker of anti-virus software, says the light is tied to the camera physically, so it turns on when in use. "If a hacker can remove that bit of the software code which controls the light, he can disable it."
Such footage could be used for blackmail. Or can cause trauma. Take 'Suzy', who shook uncontrollably, unable to collect herself. After the incident, probably she couldn't concentrate on her studies. Probably she had holed up alone, away from family and friends. Probably she felt 'terrorised' because someone had secretly burrowed his way into her hard drive, and then into her life, following her every move. Ratters insist it is harmless fun. "Most stuff you would capture on a camera," says Spaceboy, "they've already posted on Facebook." So, a video of someone isn't going to yield much cash. That brings us to the basic question: what drives the ratter? "Every young person I spy on," Fox says, "seems to be living the life I have been denied. These people are having fun: making plans for prom and going to parties. I have never had that. I am lonely all the time. So I rat them, thinking, oh, you do all these wonderful things, now why don't you have a bad day just like me?"
But do not try this at home. Cyber law expert Pavan Duggal says: "Hackers using rats to invade computers and spy on a victim through webcams and microphones is a breach of privacy. Such activities constitute the offence of hacking and computer-related offences under the Information Technology Act, 2000." Prashant Mali, also a cyber-law expert, says the offence is punishable with three years' imprisonment or a fine of Rs 5 lakh or both. "It is cognizable: the police can arrest without warrant." Online forums that post and host information pertaining to ratting often cross the line into illegality. However, the Act is silent on rat software. "But," Duggal says, "if a piece of software contains banned parameters, it would be illegal." Funnily, rats were originally intended for industrial purposes such as controlling a system or monitoring a place through a webcam from afar. "A number of times, software is made keeping in mind legitimate purposes. However, it is the illegal usage the law seeks to penalise," says Duggal.
How does one protect against becoming a slave to ratters? Chopra of Norton by Symantec says, "Keep antivirus definitions, operating systems, and software up-to-date." Avoid opening emails from unknown senders and clicking on suspicious attachments and links. Also, be suspicious of unexpected webcam activity. "Use a piece of tape to cover it when not in use." Jain says, "All prominent antivirus software can easily remove rats. But beware a friend's pen drive." Laptops and desktops are not the only targets: smartphones with cameras and microphones are vulnerable too. They need to be treated for viruses, malware and rats.
OPEN, BY ACCIDENT
It's eight in the morning and a woman sits at a hotel reception in Belgorod, Russia. A child is running around the place and the woman smiles at him. Then a middle-aged man walks in with his luggage. Both trade hellos and the woman gets back to the child and makes friends with him. The feed should be private, meant to be seen only by the manager. Somebody forgot to click a box - and now anyone who knows where to look can watch it on opentopia.com.
France-based Flemming Funch, co-owner of the website with Patrick Cornwell, says: "I made an automated programme that found open webcams on Google, and went regularly to take a snapshot of each, to then present that in a gallery. It was a bit of a surprise how popular it became." Indeed, the discussion forum for the hotel webcam seems to be active. A viewer says, "Wow, these girls at the reception just get to sit and drink. What kind of management do they have?" Another says, "I just looked it up on Google. The hotel has got four out of a five-star rating."
PERILS OF A SMART HOME
Paul Mathis, 40, is working in his home in Texas, when, all of a sudden, a row of lamps goes off, and then comes on. The ceiling fan starts whirring on its own and a four-wheeled robot activates its electric eyes and starts work. All this may suggest the presence of a resident evil. But Mathis knows an Internet user, and not a ghost, is adding flicker to the lights. Mathis, net name Restil, the creator of drivemeinsane.com, has brought his home automation project onto the Internet. By going to the site, you can control his appliances such as lamps, disco ball, fan, icicle lights and the robot.
An automated home consists of Internet-connected appliances that can be remotely controlled. The devices can talk to each other and even act on the owner's behalf. Mathis is not alone in doing this. Icepick.com publishes data of an automated, or smart, home. "The toilet of this house was hooked up on September 12, 1998. Since then, it has been flushed 45,338 times." The site shares toilet trivia, too. "The total water consumption since 1998 equals 0.18 Olympic swimming pools. This equals 580 euros."