The week of August 10, 2014

How an Xbox hack became a weapon of war in Syria

By Patrick Howell O'Neill

The messages came from friends they thought they could trust.

In 2012, one year into the civil war in Syria, rebels and activists began to receive Skype messages from comrades and colleagues who urged them to download and look at a screenshotted conversation featuring a man personally threatening the rebels’ lives.

“There is a person who hates you and keeps talking about you,” the message, translated from Arabic, read. “I took a screenshot of the conversation. Please beware of this person, as he knows you personally.”

In a war zone, where death surrounds you, it’s easy to see why so many rebels quickly clicked the links to try to understand the new threat.

Instead, they were hacked. The warning was a fraud, and once the download was done, their computers were essentially owned by the Syrian government, betraying their every move online: Their microphones captured everything they said for the enemy, their keyboards gave away the most sensitive passwords and messages they typed, and their personal accounts were stolen and used to spread the attack to the next unsuspecting victim.

The crisis in Syria spilled over into cyberspace in many ways. Both sides have waged what could be considered the first social media war. President Bashar al-Assad’s supporters started widely hacking opposition as soon as violence began. Bloody propaganda has saturated YouTube, Twitter, and Facebook ever since the first shots were fired. The Syrian Electronic Army has waged a global war against opponents of Assad, serving as a reminder that when a war hits the Web, borders mean little or nothing.

In fact, the Blackshades Remote Access Tool (RAT), the powerful cyberweapon Syria used to surreptitiously enslave rebels’ computers, was actually built in America. The same program recently led to the arrests of 90 hackers around the world who had been using it to illegally take over thousands computers for their own gain—in most cases, without the computers’ owners ever knowing they’d been hit. According to the FBI, Blackshades has generated $350,000 in sales and infected over half a million computers.

“The RAT is inexpensive and simple to use, but its capabilities are sophisticated and its invasiveness breathtaking,” U.S. Attorney Preet Bharara said earlier this year when speaking about Blackshades.

There are many remarkable things about Blackshades—it’s potent, cheap, and incredibly easy to use—but perhaps what’s most incredible is just how unremarkable its creator is. It’s the work of a bored teenager who could not have possibly envisioned the way his cheap hack could affect one of the bloodiest uprisings of the past decade.

Leveling up

In 2008, Michael Hogue was simply looking for an edge in Halo 3, the hypercompetitive Xbox game. Then 17, he went by the name xVisceral and set a personal goal to rise to the top rank—50—in each mode of gameplay. The drive was long and futile, especially in a mode called Squad Battle, in which players relied as much on others as on themselves. No matter what he tried, he couldn’t seem to get past level 45. To take his mind off of his Squad Battle struggle, Hogue played another mode called Team Slayer. After winning a string of games, his console was forcefully disconnected from the Internet, putting him on losing end of a battle for the first time in recent memory.

According to the FBI, Blackshades has generated $350,000 in sales and infected over half a million computers.

Once he was finally able to reconnect, Hogue logged back into Halo and discovered that a player named HgB RoBeRt had forcefully severed his Internet connection. Curious, he messaged the user to find out how he did it. The answer lay in a small host of hacking tools and a legion of bots, both of which RoBeRt soon entrusted to Hogue. XR Hostbooter 1.4 and Biozombie, the two most important crimeware programs Hogue was freely given, allowed him to infect unsuspecting victims’ computers with malware that turned them into bots, or slaves. Once infected, he could use them in what’s known as a distributed denial-of-service attack (DDoS), which works by overwhelming a specific IP address with packets of data, eventually forcing it offline. DDoS attacks can be used against individuals, to cheat in video games, or at the logical extreme, to take down entire websites or networks. “[RoBeRt] probably [took over my computer and] made me one of his bots,” Hogue later wrote in a memoir published on HackForums.net, the primary source for this article, “but that wasn’t the point, I [now] could boot [my own bots] on Xbox Live. I started doing it regularly.”


A screengrab of Biozombie

When Windows 7 was released in 2009, Hogue’s two weapons of choice suddenly stopped working. By then, however, he’d already grown tired of Halo and delved deeper into the black-hat hacking community. He spent his time coding his own version of the tools that not only worked with the new operating system but also made them easier to work with and thus more accessible to more people than ever before. Hogue’s new hacks immediately found a small audience. He put up a website and YouTube videos teaching others how to use his tools to enslave computers for their own nefarious purposes. Soon, strangers began ripping his videos and posting copies with infected links that, in turn, made the machines of the unsuspecting downloaders slaves themselves. Hogue was inspired. “I figured I would join in on the fun.” He began slipping in links to his hacking programs that infected users with a RAT that easily would give him complete control and knowledge over everything the victim’s computer did. Soon, he had a small army of slaves and a growing fanbase. “I’m not proud of that,” Hogue reflected later, “but, well, it happened.”

A dual life

In 2009, Hogue’s real education began. By day, he was a computer science student at the University of Arizona. By night, he was lurking in hacker forums, most notably uNkn0wn.eu and Hack_Hound. For $100, he bought a program called D-Crypt that hid malware from detection. All the while, his army of slaves was growing exponentially. “I would put up the same Adobe Photoshop CS4 torrent every day,” he explained, “and get over 1,000 infections per week.” Hogue spent his first semester in college learning to program in Visual Basic 6 to develop his first fully featured product: xVisceral 1.0. Released in February 2010, it was a cheap, simple, and potent denial-of-service weapon. It sold for $15 at HackForums.net, a seedy Toys “R” Us for hackers who often need the kind of training wheels Hogue specialized in.


 Xvisceral version 1.0

XVisceral 1.0, however, was a slow seller. In response, Hogue released a free mini version of the program that did nothing to help his shrinking bank account but did gain him a much wider following that came to love his quick response to bugs and feature requests.


Xvisceral mini

Just prior to his first commercial release, Hogue registered xVisceral.com, a move meant to help build his personal brand. He used his real name and Tucson, Ariz., address to buy the new domain. It would ultimately prove his downfall.

The rush to market

If Hogue was going to take his hacking to the next level, he knew he needed help.

He forged a partnership with MarjinZ, the talented hacker who had originally sold him D-Crypt. Lacking the experience and know-how to build better crimeware, xVisceral and Marjinz entered into a 50/50 deal to continue development of xVisceral’s work—on the condition that they change the name from xVisceral to Blackshades.

Hogue continued coding work on very basic features that he could handle while MarjinZ added more complex, marquee weapons. While MarjinZ was more talented, Hogue remained the public face of Blackshades, thanks to his aggressive marketing and effective customer support.

The pair’s first product, Blackshades 2.3, hit the market in 2010 for $50, payable through Western Union or Liberty Reserve, the latter of which has since been shut down for money laundering.

Blackshades and programs like it were tailor-made to commit serious cybercrimes. Crucially, however, Blackshades itself was not illegal. Hogue publicly called Blackshades “professional computer surveillance” and, on his website and in marketing material around the Internet, he outlined possible legal uses of the tool, such as network maintenance and remote computer repair. The terms of use even expressly prohibited using Blackshades to hack anyone at all.

Those pretenses were abruptly dropped, however, when Hogue made Blackshades available on CarderProfit.cc, a black-hat site that explicitly and exclusively enabled credit card fraud on a massive scale.


A screengrab of Carder Profit

Under MarjinZ’s stewardship, Blackshades began to include more potent weapons like automatic credit card keylogging. As Hogue explained in his pitch to the operator of CarderProfit, a user known only as m4v3r1ck: “[Y]ou can download from all at once, or scan for keywords, or digits and if it detects a Credit Card is being entered it can send screenshots to FTP and you can scan for digits that are 16 in a row :P”

Despite complications—Hogue had to negotiate with and then pay off a talented hacker who kept cracking their software and releasing it for free—sales exploded.

Through xVisceral’s marketing and MarjinZ’s coding, Blackshades expanded into a wide spectrum of new products that allowed users to steal passwords, run enslaved computers from almost any device, obfuscate locations, defend against malware, and infiltrate virtually every corner of a victim’s computer. Soon, Hogue was receiving hundreds of messages each day as the company’s de facto customer service rep.

“It was ridiculous,” he said, “and I was about to tear my hair out.”


Blackshades NET

In 2011, Hogue publicly resigned from his position at Blackshades, burned out and relieved to be done with it all. He was “begged” to stay by MarjinZ, Hogue said, but he couldn’t be convinced.

He returned to Blackshades less than a year later, looking for more money and flair.

Blackshades generated over $350,000 in sales and infected over half a million computers, according to the FBI, but much more may have been stolen by its users from victims across the globe.

Blackshades had taken on a life of its own.

The Syrian uprising

By May 2012, the war in Syria was reaching a bloody new plateau. A brief ceasefire ended with the Houla massacre when 108 villagers were summarily executed, witnesses said, by pro-government militias.

Around that time, the Syrian government added Blackshades to its arsenal. It was attractive and effective because it was so good at avoiding detection—a crypter and bot marketplace was embedded in the tool so that anyone could easily buy a thousand enslaved computers or a custom crypter to cloak their own attacks.

Syrians wielded Blackshades like a knife, sending Skype messages from compromised accounts to soldiers in the Free Syrian Army, a 50,000-strong command that’s opposed Assad since 2011. Once rebels mistakenly downloaded Blackshades, it spurred a domino effect: It dropped files into multiple user directories, created registry entries in order to access the Internet, and bypassed the Windows firewall in order to communicate back to its master. Blackshades then established an AutoRun key in order to start up every time the computer was turned on, unpacked itself, and started talking to the Syrian government command and control.


Screengrab via Electronic Frontier Foundation

The attack flew under the radar for weeks, undetected by the vast majority of antivirus products on the market. It was eventually discovered by Western activist organizations like the Electronic Frontier Foundation, which found that Blackshades called back to the same website as previous Syrian attacks—a sign, according to Adam Kujawa of security firm Malware Bytes, that the hackers weren’t particularly skilled.

“This means that regardless of all the obfuscation used by the hackers to hide the implant binary, they are still using the at least some of the default settings for the implants themselves,” Kujawa explained. “This is usually a sign of a lack of experience using this kind of tool or a lack of concern for using the tool correctly.”

Hogue, still the public face of Blackshades despite a lengthy absence, hastily dismissed the reports about Blackshades use in Syria.

A lasting legacy

In late July 2012, one week after the world learned about Syria’s use of Blackshades, federal authorities arrested Hogue in Tucson, Ariz. He was charged with conspiracy to commit computer hacking and distribution of malware, both of which carry sentences of up to 10 years.

CarderProfit.cc, in turned out, was part of an elaborate FBI sting resulting in dozens of arrests in 13 countries, called “the largest coordinated international law enforcement action in history directed at ‘carding’ crimes.”In his original marketing pitch , Hogue had openly admitted his crimes—including using hijacked computers to commit credit card fraud—to a federal agent posing as the hacker m4v3r1ck.

One year later, in the summer of 2013, MarjinZ—revealed to be Alex Yucel, a 24-year-old Swedish hacker—was arrested in Moldova while selling Blackshades to undercover agents. He now faces 40 years in prison for charges including computer hacking, access device fraud, conspiring to commit access device fraud, and aggravated identity theft.

Syrians wielded Blackshades like a knife, sending Skype messages from compromised accounts to solfiers in the Free Syrian Army.

In May 2014, news broke that law enforcement agencies in 19 countries had cooperated to arrest more than 90 more Blackshades users—notably including 23-year-old American Brendan Johnson, who was brought in as the company’s chief marketer.

Following the far-reaching FBI-led takedown of Blackshades, the hacks that Hogue and Yucel made easily available to the world have had a dynamic afterlife. Initially, worldwide Blackshades infections fell to a third of the previous level. More recently, however, attacks by the RAT have been on the rise once again, especially against business and personal targets.

Jared Abrahams, a 20-year-old college student, was arrested after allegedly using Blackshades to hack into Miss Teen USA Cassidy Wolf’s computer and then blackmailing her and eight other women. Abrahams used the complete control he had over Wolf’s computer to secretly take nude photos of her with her own webcam.

“The large number of features combined with its ease-of-use has helped Blackshades RAT flourish among aspiring cybercriminals and even more seasoned malicious actors,” security firm Prolexic explained in a recent report on Blackshades. “It has gained the interest of major organized crime groups and government entities. The FBI’s takedown of the official webpage and subsequent mass arrests are a testament to the popularity of the toolkit itself.”

Prolexic expects Blackshades to be a potent cyberweapon for the foreseeable future.

In the abyssal world of cybercrime, you can stop the hackers eventually, but once their code has been written, there’s no telling where it might end up.

Photo via bclinesmith/Flickr (CC BY 2.0) | Remix by Jason Reed