DarkComet

DarkComet
Developer(s)	Jean-Pierre Lesueur (DarkCoderSc)
Final release	5.3.1
Operating system	Microsoft Windows
Type	Remote Administration Tool
License	freeware
Website	https://www.darkcomet-rat.com/

Last updated February 15, 2024

DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur (known as DarkCoderSc^[2]), an independent programmer and computer security coder from France. Although the RAT was developed back in 2008, it began to proliferate at the start of 2012. The program was discontinued, partially due to its use in the Syrian civil war to monitor activists but also due to its author's fear of being arrested for unnamed reasons.^[1] As of August 2018, the program's development "has ceased indefinitely", and downloads are no longer offered on its official website.^[3]

DarkComet allows a user to control the system with a graphical user interface. It has many features which allows a user to use it as administrative remote help tool; however, DarkComet has many features which can be used maliciously. DarkComet is commonly used to spy on the victims by taking screen captures, key-logging, or password stealing.

History of DarkComet

Syria

In 2014 DarkComet was linked to the Syrian conflict. People in Syria began using secure connections to bypass the government's censorship and the surveillance of the internet. This caused the Syrian Government to resort to using RATs to spy on its civilians. Many believe that this is what caused the arrests of many activists within Syria.^[1]

The RAT was distributed via a "booby-trapped Skype chat message" which consisted of a message with a Facebook icon which was actually an executable file that was designed to install DarkComet.^[4] Once infected, the victim's machine would try to send the message to other people with the same booby-trapped Skype chat message.

Once DarkComet was linked to the Syrian regime, Lesueur stopped developing the tool, stating, “I never imagined it would be used by a government for spying,” he said. “If I had known that, I would never have created such a tool.”^[1]

Target Gamers, Military and Governments

In 2012 Arbos Network company found evidence of DarkComet being used to target military and gamers by unknown hackers from Africa. At the time, they mainly targeted the United States.^[5]

Je Suis Charlie

In the wake of the January 7, 2015, attack on the Charlie Hebdo magazine in Paris, hackers used the "#JeSuisCharlie" slogan to trick people into downloading DarkComet. DarkComet was disguised as a picture of a newborn baby whose wristband read "Je suis Charlie." Once the picture was downloaded, the users became compromised.^[6] Hackers took advantage of the disaster to compromise as many systems as possible. DarkComet was spotted within 24 hours of the attack.

Architecture and Features

Architecture

DarkComet, like many other RATs, uses a reverse-socket architecture. The uninfected computer with a GUI enabling control of infected ones is the client, while the infected systems (without a GUI) are servers.^[7]

When DarkComet executes, the server connects to the client and allows the client to control and monitor the server. At this point the client can use any of the features which the GUI contains. A socket is opened on the server and waits to receive packets from the controller, and executes the commands when received. In some cases, the malware may use system utilities to evade detection and gain persistence. For example, it can employ the T1564.001 technique by starting attrib.exe through cmd.exe to hide the main executable.

Features

The following list of features is not exhaustive but are the critical ones that make DarkComet a dangerous tool. Many of these features can be used to completely take over a system and allows the client full access when granted via UAC.

Spy Functions
- Webcam Capture
- Sound Capture
- Remote Desktop
- Keylogger
Network Functions
- Active Ports
- Network Shares
- Server Socks5
- LAN Computers
- Net Gateway
- IP Scanner
- Url Download
- Browse Page
- Redirect IP/Port
- WiFi Access Points
Computer Power
- Poweroff
- Shutdown
- Restart
- Logoff
Server Actions
- Lock Computer
- Restart Server
- Close Server
- Uninstall Server
- Upload and Execute
- Remote Edit Service
Update Server
- From URL
- From File

DarkComet also has some "Fun Features".

Fun Features
- Fun Manager
- Piano
- Message Box
- Microsoft Reader
- Remote Chat

Detection

DarkComet is a widely known piece of malware. If a user installs an antivirus, or a darkcomet remover, they can un-infect their computer quickly. Its target machines are typically anything from Windows XP, all the way up to Windows 10.

Common anti-virus tags for a dark comet application are as follow:

Trojan[Backdoor]/Win32.DarkKomet.xyk
BDS/DarkKomet.GS
Backdoor.Win32.DarkKomet!O
RAT.DarkComet

When a computer is infected, it tries to create a connection via socket to the controllers computer. Once the connection has been established the infected computer listens for commands from the controller, if the controller sends out a command, the infected computer receives it, and executes whatever function is sent.

Related Research Articles

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

In computing, a Trojan horse is any malware that misleads users of its true intent by disguising itself as a standard program. The term is derived from the ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy.

Back Orifice is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a play on words on Microsoft BackOffice Server software. It can also control multiple computers at the same time using imaging.

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

ClamAV (antivirus) is a free software, cross-platform antimalware toolkit able to detect many types of malware, including viruses. It was developed for Unix and has third party versions available for AIX, BSD, HP-UX, Linux, macOS, OpenVMS, OSF (Tru64), Solaris and Haiku. As of version 0.97.5, ClamAV builds and runs on Microsoft Windows. Both ClamAV and its updates are made available free of charge. One of its main uses is on mail servers as a server-side email virus scanner.

Remote administration refers to any method of controlling a computer from a remote location. There are many commercially available and free-to-use software that make remote administration easy to set up and use. Remote administration is often used when it's difficult or impractical to be physically near a system in order to use it or troubleshoot it. Many server administrators also use remote administration to control the servers around the world at remote locations. It is also used by companies and corporations to improve overall productivity as well as promote remote work. It may also refer to both legal and illegal remote administration.

Mobile malware is malicious software that targets mobile phones or wireless-enabled Personal digital assistants (PDA), by causing the collapse of the system and loss or leakage of confidential information. As wireless phones and PDA networks have become more and more common and have grown in complexity, it has become increasingly difficult to ensure their safety and security against electronic attacks in the form of viruses or other malware.

Sub7, or SubSeven or Sub7Server, is a Trojan horse program originally released in February 1999. Its name was derived by spelling NetBus backwards ("suBteN") and swapping "ten" with "seven". As of June 2021, the development of Sub7 is being continued.

In computing, the term remote desktop refers to a software- or operating system feature that allows a personal computer's desktop environment to be run remotely from one system, while being displayed on a separate client device. Remote desktop applications have varying features. Some allow attaching to an existing user's session and "remote controlling", either displaying the remote control session or blanking the screen. Taking over a desktop remotely is a form of remote administration.

Srizbi BotNet is considered one of the world's largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes reduced up to 93% as a result of this action.

A web threat is any threat that uses the World Wide Web to facilitate cybercrime. Web threats use multiple types of malware and fraud, all of which utilize HTTP or HTTPS protocols, but may also employ other protocols and components, such as links in email or IM, or malware attachments or on servers that access the Web. They benefit cybercriminals by stealing information for subsequent sale and help absorb infected PCs into botnets.

Cyber spying, cyber espionage, or cyber-collection is the act or practice of obtaining secrets and information without the permission and knowledge of the holder of the information using methods on the Internet, networks or individual computers through the use of proxy servers, cracking techniques and malicious software including Trojan horses and spyware. Cyber espionage can be used to target various actors- individuals, competitors, rivals, groups, governments, and others- in order to obtain personal, economic, political or military advantages. It may wholly be perpetrated online from computer desks of professionals on bases in far away countries or may involve infiltration at home by computer trained conventional spies and moles or in other cases may be the criminal handiwork of amateur malicious hackers and software programmers.

Gh0st RAT is a Trojan horse for the Windows platform that the operators of GhostNet used to hack into many sensitive computer networks. It is a cyber spying computer program. The "RAT" part of the name refers to the software's ability to operate as a "Remote Administration Tool".

Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

HackingTeam was a Milan-based information technology company that sold offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations. Its "Remote Control Systems" enable governments and corporations to monitor the communications of internet users, decipher their encrypted files and emails, record Skype and other Voice over IP communications, and remotely activate microphones and camera on target computers. The company has been criticized for providing these capabilities to governments with poor human rights records, though HackingTeam states that they have the ability to disable their software if it is used unethically. The Italian government has restricted their licence to do business with countries outside Europe.

Blackshades is a malicious trojan horse used by hackers to control infected computers remotely. The malware targets computers using operating systems based on Microsoft Windows. According to US officials, over 500,000 computer systems have been infected worldwide with the software.

<span class="mw-page-title-main">Vault 7</span> CIA files on cyber war and surveillance

Vault 7 is a series of documents that WikiLeaks began to publish on 7 March 2017, detailing the activities and capabilities of the United States Central Intelligence Agency (CIA) to perform electronic surveillance and cyber warfare. The files, dating from 2013 to 2016, include details on the agency's software capabilities, such as the ability to compromise cars, smart TVs, web browsers including Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, the operating systems of most smartphones including Apple's iOS, and Google's Android, and computer operating systems including Microsoft Windows, macOS, and Linux. A CIA internal audit identified 91 malware tools out of more than 500 tools in use in 2016 being compromised by the release. The tools were developed by the Operations Support Branch of the C.I.A.

njRAT, also known as Bladabindi, is a remote access tool (RAT) with user interface or trojan which allows the holder of the program to control the end-user's computer. It was first found in June 2013 with some variants traced to November 2012. It was made by a hacking organization from different countries called M38dHhM and was often used against targets in the Middle East. It can be spread through phishing and infected drives. To date, there are many versions of this virus, the most famous of which is njRAT Green Edition.

Hack Forums is an Internet forum dedicated to discussions related to hacker culture and computer security. The website ranks as the number one website in the "Hacking" category in terms of web-traffic by the analysis company Alexa Internet. The website has been widely reported as facilitating online criminal activity, such as the case of Zachary Shames, who was arrested for selling keylogging software on Hack Forums in 2013 which was used to steal personal information.

References

1 2 3 4 McMillan, Robert. "How the Boy Next Door Accidentally Built a Syrian Spy Tool". Wired.
↑ "DarkCoderSc | SOLDIERX.COM". SoldierX. Retrieved 13 October 2017.
↑ "Project definitively closed since 2012". DarkComet-RAT development has ceased indefinitely in July 2012. Since the [sic], we do not offer downloads, copies or support.^{[ permanent dead link ]}
↑ "Spy code creator kills project after Syrian abuse". BBC. 10 July 2012.
↑ Wilson, Curt. "Exterminating the RAT Part I: Dissecting Dark Comet Campaigns". Arbor.
↑ Vinton, Kate. "How Hackers Are Using #JeSuisCharlie To Spread Malware". Forbes.
↑ Denbow, Shawn; Hertz, Jesse. "pest control: taming the rats" (PDF). Matasano. Archived from the original (PDF) on 2015-03-28. Retrieved 2015-05-05.

External links

Official website (now defunct)

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[McMillan2012-1] 1 2 3 4 McMillan, Robert. "How the Boy Next Door Accidentally Built a Syrian Spy Tool". Wired.

[DarkCoderSc_{{!}}_SOLDIERX.COM-2] "DarkCoderSc | SOLDIERX.COM". SoldierX. Retrieved 13 October 2017.

[3] "Project definitively closed since 2012". DarkComet-RAT development has ceased indefinitely in July 2012. Since the [sic], we do not offer downloads, copies or support.^{[ permanent dead link ]}

[4] "Spy code creator kills project after Syrian abuse". BBC. 10 July 2012.

[5] Wilson, Curt. "Exterminating the RAT Part I: Dissecting Dark Comet Campaigns". Arbor.

[6] Vinton, Kate. "How Hackers Are Using #JeSuisCharlie To Spread Malware". Forbes.

[7] Denbow, Shawn; Hertz, Jesse. "pest control: taming the rats" (PDF). Matasano. Archived from the original (PDF) on 2015-03-28. Retrieved 2015-05-05.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

v t e Remote administration software
General	Remote desktop software Comparison of remote desktop software
Implementations	Absolute Manage AetherPal AnyDesk Apple Remote Desktop Chrome Remote Desktop Citrix Virtual Apps ConnectWise Control Crossloop IBM BigFix LogMeIn Microsoft System Center Configuration Manager NetSupport Manager pcAnywhere RealVNC Remote Desktop Services Remote Utilities RescueAssist scrcpy Secure Shell Splashtop StrongDM TeamViewer ThinLinc TightVNC Timbuktu UltraVNC Virtual Network Computing NX technology
Controversial Implementations	Back Orifice Back Orifice 2000 NetBus Sub7