W32.Shadesrat (Blackshades) author arrested

From Botnets.fr


Botnet: BlackShades
Malware: Shadesrat
Botnet/malware group:
Exploit kits:
Distribution vector:
Operation/Working group:
Date: 2012 / June 30, 2012
Editor/Conference: Symantec
Link: http://www.symantec.com/connect/blogs/w32shadesrat-blackshades-author-arrested (Archive copy)


In a global sting operation carried out by the FBI, over 24 people have been arrested, including an individual named Michael Hogue, a.k.a. "xVisceral". According to an underground forum post, xVisceral is involved in the Blackshades project, at the very least as a project manager. It is likely, however, that this Remote Access Tool (RAT) is the work of more than one individual.

"MICHAEL HOGUE, a/k/a "xVisceral," offered malware for sale, including remote access tools ("RATS") that allowed the user to take over and remotely control the operations of an infected victim-computer. HOGUE's RAT, for example, enabled the user to turn on the web camera on victims' computers and spy on them, and to record every keystroke of the victim-computer's user. If the victim visited a banking website and entered his or her user name and password, the key logging program could record that information, which could then be used to access the victim's bank account. HOGUE sold his RAT widely over the Internet, usually for $50 per copy and boasted that he had personally infected "50-100" computers with his RAT, and that he'd sold it to others who had infected "thousands" of computers with malware. HOGUE's RAT infected computers in the United States, Canada, Germany, Denmark, and Poland, and possibly other countries." Source: United States Attorney's Office

The coder for the tool appears to be "MarjinZ". The source code for BlackShades was leaked in 2010 and both aliases appear in the chat server admin database.


 @misc{2012BFR1061,
   editor = {Symantec},
   author = {},
   title = {W32.Shadesrat (Blackshades) author arrested},
   date = {30},
   month = Jun,
   year = {2012},
   howpublished = {\url{http://www.symantec.com/connect/blogs/w32shadesrat-blackshades-author-arrested}},