- Execute shell commands (limited to the logged-in user's privileges)
- Shutdown, restart, or put computer to sleep
- Display a message on the victim's computer
- Create text files on the desktop
- Prompt for admin credentials
The prompt for administrative credentials is, in effect, a phishing dialog rather than a true keylogger: nothing is intercepted from the keyboard, but if the victim types an admin username and password into the box, both are captured and sent to the attacker.
The request for admin permissions is likely aimed at Mac OS X users because, unlike Windows, Mac OS X restricts such low-level access by programs unless the user explicitly allows it. One of the best defenses against this kind of trick is knowing what is normal and necessary on your own computer.
For example, when you receive a prompt for an admin password, ask yourself:
- Were you installing a known good program when the prompt occurred?
- If so, is the program you are installing something that would ordinarily need administrative access?
- Does the dialog box appear normal?
A normal prompt identifies the program requesting admin permissions, includes a "Details" option that shows more about the request, uses correct spelling, and offers a "Cancel" button.
Wikipedia has an image of what a valid prompt for admin credentials looks like; in that example, the program requesting permissions is System Preferences.
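Why that checklist works is easier to see in code. The AppleScript below is an added illustration, not code from BlackHole RAT and not from the original post; the dialog wording, the "Authenticate" title and the `id -u` command are made-up examples. The first half shows that any unprivileged program can draw a password-looking box with whatever text it likes and read back what was typed. The second half shows the legitimate path, where the program asks the operating system to run a privileged command and the system, not the program, draws the dialog that names the requester and carries the "Details" and "Cancel" controls.

```applescript
-- Added example (not BlackHole RAT's code). Run on a Mac with Script Editor
-- or: osascript fake_vs_real_prompt.applescript

-- Part 1: a forged prompt. Any process, with no special privileges, can show
-- this. Title, message and icon are free text, so the program can claim to be
-- "System Preferences" or anything else, and it can leave out "Cancel".
set fakePrompt to display dialog "System Preferences wants to make changes. Type your password to allow this." ¬
	default answer "" with hidden answer ¬
	with title "Authenticate" with icon caution ¬
	buttons {"OK"} default button "OK"

-- Whatever the victim typed comes back to the calling program in plain text.
-- A RAT would ship this value to its operator at this point.
set capturedPassword to text returned of fakePrompt

-- Part 2: the legitimate path. The script hands a command to the OS and asks
-- for administrator privileges; the system's own authorization dialog appears,
-- identifies what is asking, and includes the Details and Cancel controls.
-- The script never sees the password, only the command's output.
set output to do shell script "/usr/bin/id -u" with administrator privileges
```

The practical check follows from the contrast: the forged box can imitate the look of the real one, but it cannot make the system vouch for the requester, so a prompt with no identified program, no details disclosure or no way to cancel deserves suspicion, and the password typed into it goes wherever the program that drew it decides.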
Currently, BlackHole RAT requires its own password in order to install, which means an attacker would need direct access to your computer. For more information, McAfee researcher Gabriel Acevedo provides an in-depth walkthrough of the BlackHole RAT, including detailed descriptions of its actions for both Windows and Mac users.
Note that BlackHole RAT should not be confused with the Blackhole exploit kit, a framework for delivering exploits and malware via the Web.
Update: New versions of BlackHole RAT have been discovered. For details on the latest capabilities, see: BlackHole RAT v3 Released.