How a Blackhole RAT Can Take Control of Your Computer

A sample authentication dialog box


BlackHole is a remote administration tool (RAT) that, used maliciously, can also serve as a remote access trojan. The BlackHole RAT can be used on either Mac OS X or Windows, and enables a remote attacker to do the following:

  • Execute shell commands (dependent on logged in user's privileges)
  • Shutdown, restart or put the computer to sleep
  • Display a message on the victim's computer
  • Create text files on the desktop
  • Prompt for admin credentials

The prompt for administrative credentials works as something like a manually driven keylogger. If a victim enters their admin login credentials when prompted, the username and password will be captured and sent to the attacker.

The request for admin permissions is likely directed at Mac OS X users as, unlike Windows, Mac OS X restricts such low-level access by programs unless explicitly allowed by the user. One of the best defenses against such tricks is understanding what is normal and necessary for your computer (in this example, a Mac).

For example, when/if you receive a prompt for an admin password, ask yourself the following:

  1. Were you installing a known program from a trustworthy developer when the prompt occurred?
  2. If so, is the program you are installing something that would ordinarily need administrative access?

One of the ways to tell if an authentication prompt isn't legit is that it might fail to identify the program requesting the admin permissions. A legitimate authentication prompt will include a "details" option to find out more about the request. And this might sound silly but check for spelling errors in the window where you'd type in your credentials. Lots of nefarious folks don't always have pay attention to these details.

Currently, BlackHole RAT requires its own password in order to install, which means an attacker would need direct access to your computer. Note that BlackHole RAT should not be confused with the Blackhole exploit kit, a framework for delivering exploits and malware via the Web.