DarkComet
Developer(s) | Jean-Pierre Lesueur (DarkCoderSc) |
---|---|
Stable release | DarkComet Legacy 5.3.1 |
Operating system | Microsoft Windows |
Type | remote administration/trojan |
License | freeware |
Website | DarkCoderSc Site |
DarkComet is a Remote Administration Tool (RAT) which was developed by Jean-Pierre Lesueur (known as DarkCoderSc), an independent programmer and computer security coder from France.[1] Although the RAT was developed back in 2008, it began to proliferate at the start of 2012.
DarkComet lets an operator control the infected system through a graphical user interface (GUI). Many of its features allow it to be used as a legitimate remote-administration and help-desk tool; however, the same features, and several others, can be used maliciously. DarkComet is commonly used to spy on victims by taking screen captures, logging keystrokes, and harvesting stored passwords.
History
Syria
In 2012 DarkComet was linked to the Syrian conflict. People in Syria had begun using encrypted connections to bypass the government's censorship and surveillance of the internet, so the Syrian government turned to RATs, which run on the victim's own machine and see everything before it is encrypted, to spy on its citizens. Many believe that this is what led to the arrests of many activists within Syria.[2]
The RAT was distributed via a "booby-trapped Skype chat message": a message carrying what looked like a Facebook image but was actually an executable file designed to install DarkComet.[3] Once infected, the victim's machine would try to send the same booby-trapped Skype message to the victim's contacts.
Once DarkComet was linked to the Syrian regime, Lesueur stopped developing the tool. "I never imagined it would be used by a government for spying," he said. "If I had known that, I would never have created such a tool."[2]
Targeting of gamers, military and governments
In 2012 Arbor Networks found evidence of DarkComet being used by unknown hackers based in Africa to target military personnel and gamers. At the time, they mainly targeted the United States.[4]
Je Suis Charlie
In the wake of the January 7, 2015 attack on the Charlie Hebdo magazine in Paris, hackers used the "#JeSuisCharlie" slogan as a lure to trick people into downloading DarkComet. The malware was disguised as a picture of a newborn baby whose wristband read "Je suis Charlie"; opening the file compromised the user's system.[5] The attackers exploited the disaster to compromise as many systems as possible, and DarkComet samples using the lure were spotted within 24 hours of the attack.
Architecture and Features
Architecture
DarkComet, like many other RATs, uses a reverse-connecting architecture: the infected machine initiates the connection outward, which passes through NAT and most outbound firewall policies. In DarkComet's terminology the client is the operator's (uninfected) system running the GUI that controls the servers; the servers are the infected systems, and they run no GUI.[6]
When the server component executes, it connects back to the client, which can then control and monitor the server using any of the features the GUI offers. The server also emits a beacon every 20 seconds and waits for commands from the client.
Features
The following list of features is not exhaustive, but it covers the ones that make DarkComet a dangerous RAT. Many of them can be used to take over a system completely and give the client full access.
- Spy Functions
  - Webcam Capture
  - KUKA
  - Remote Desktop
  - Keylogger
- Network Functions
  - Active Ports
  - Network Shares
  - Server Socks5
  - LAN Computers
  - Net Gateway
  - IP Scanner
  - URL Download
  - Browse Page
  - Redirect IP/Port
  - WiFi Access Points
- Computer Power
  - Poweroff
  - Shutdown
  - Restart
  - Logoff
- Server Actions
  - Lock Computer
  - Restart Server
  - Close Server
  - Uninstall Server
  - Upload and Execute
  - Remote Edit Service
  - Update Server
    - From URL
    - From File
DarkComet also has some "Fun Features", prank-style functions that reflect its origin as a hobbyist remote-administration tool rather than purpose-built spyware.
- Fun Features
  - Fun Manager
  - Piano
  - Message Box
  - Microsoft Reader
  - Remote Chat
Detection
Keeping the operating system and applications patched and antivirus signatures current defends against the most common DarkComet delivery paths. DarkComet has multiple ways of reaching systems, but it is most commonly distributed via drive-by attacks and social networking sites. In a drive-by attack a malicious script embedded in a webpage executes and tries to exploit a vulnerability in the visitor's browser or plugins; patching closes those holes. Social media allow rapid distribution: links that lead to DarkComet are spread quickly, and, as the Skype and "#JeSuisCharlie" lures above show, a victim who runs the file needs no exploit at all, so user caution matters as much as patching.[7]
The server's 20-second beacon is itself a detection opportunity: an infected host contacts the same destination at a fixed, low-jitter interval, and network monitoring that looks for such periodic callbacks can expose a system compromised by DarkComet.
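As an added example, not code from the page or from DarkComet's own sources, the following Python script applies the beacon observation from the Architecture and Detection sections to a constructed connection log. It groups outbound connections by (source, destination, port), measures the gaps between consecutive connections, and reports flows whose median gap sits near the 20-second period with little jitter. The log format, the IP addresses, the port numbers and the sample lines are all assumptions made for the demonstration.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log, one outbound connection per line:
# "timestamp src dst dport".  10.0.0.5 -> 203.0.113.7:5555 is the
# hypothetical infected host calling back roughly every 20 s.  The
# 443 flow is irregular browsing and the 123 flow is a 64 s time-sync
# poll; both are included so the period and jitter filters have
# something to reject.  All addresses and ports are made up.
SAMPLE_LOG = """\
2015-01-08T10:00:00Z 10.0.0.5 203.0.113.7 5555
2015-01-08T10:00:00Z 10.0.0.9 198.51.100.50 123
2015-01-08T10:00:03Z 10.0.0.5 198.51.100.20 443
2015-01-08T10:00:05Z 10.0.0.5 198.51.100.20 443
2015-01-08T10:00:20Z 10.0.0.5 203.0.113.7 5555
2015-01-08T10:00:31Z 10.0.0.5 198.51.100.20 443
2015-01-08T10:00:41Z 10.0.0.5 203.0.113.7 5555
2015-01-08T10:01:00Z 10.0.0.5 203.0.113.7 5555
2015-01-08T10:01:04Z 10.0.0.9 198.51.100.50 123
2015-01-08T10:01:21Z 10.0.0.5 203.0.113.7 5555
2015-01-08T10:01:40Z 10.0.0.5 203.0.113.7 5555
2015-01-08T10:02:08Z 10.0.0.9 198.51.100.50 123
2015-01-08T10:02:10Z 10.0.0.5 198.51.100.20 443
2015-01-08T10:03:12Z 10.0.0.9 198.51.100.50 123
2015-01-08T10:04:16Z 10.0.0.9 198.51.100.50 123
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, src, dst, int(dport)))
    return records


def find_beacons(records, period=20.0, tolerance=2.0, max_jitter=0.15, min_events=4):
    """Report flows whose connection inter-arrival time is periodic near `period` seconds.

    A flow is (src, dst, dport).  It is reported when it has at least
    `min_events` connections, the median gap between consecutive
    connections is within `tolerance` seconds of `period`, and no gap
    deviates from that median by more than `max_jitter` (a fraction of
    the median).  The jitter bound is what separates a beacon from a
    flow that merely averages the right interval.
    """
    by_flow = defaultdict(list)
    for when, src, dst, dport in records:
        by_flow[(src, dst, dport)].append(when)

    hits = []
    for (src, dst, dport), times in by_flow.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median <= 0 or abs(median - period) > tolerance:
            continue
        jitter = max(abs(g - median) for g in gaps) / median
        if jitter > max_jitter:
            continue
        hits.append({"src": src, "dst": dst, "dport": dport,
                     "events": len(times), "median_interval": median,
                     "jitter": round(jitter, 3)})
    return sorted(hits, key=lambda h: (h["src"], h["dst"], h["dport"]))


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} every ~{hit['median_interval']:.0f}s "
              f"({hit['events']} connections, jitter {hit['jitter']})")
```

Against the sample, only the 203.0.113.7 flow is reported; the browsing flow fails the period check and the 64-second poll is found only if `period=64.0` is requested, which illustrates why the expected interval must come from knowledge of the implant rather than be guessed. A hit is a lead for packet inspection, not proof: a fixed 20-second callback is cheap to spot but also cheap for an operator to change, and some legitimate software polls on a fixed schedule too.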
References
- [1] Lesueur, Jean-Pierre. "Jean-Pierre LESUEUR".
- [2] McMillan, Robert. "How the Boy Next Door Accidentally Built a Syrian Spy Tool". Wired.
- [3] "Spy code creator kills project after Syrian abuse". BBC, 10 July 2012.
- [4] [citation text not preserved in the source]
- [5] Vinton, Kate. "How Hackers Are Using #JeSuisCharlie To Spread Malware". Forbes.
- [6] Denbow, Shawn; Hertz, Jesse. "pest control: taming the rats" (PDF). Matasano.
- [7] Kujawa, Adam. "You Dirty RAT! Part 1 – DarkComet". Malwarebytes.