Wednesday, July 11, 2012

The End of DarkComet RAT - Part 1: The Introduction

If you are not aware, the author of the DarkComet RAT (Remote Administration Tool) has stopped offering the software, and stopped updating it - a move that has somehow been argued to be a victory for law enforcement, although they didn't actually do anything.  Yes, I have heard of deterrence. However, I will leave for another day whether or not the creator of this software should or could actually be liable for the damage it has caused. Thus, in this three part series, I will: (1) introduce the tool, (2) discuss whether there should be legal implications for creators of such tools, and (3) discuss whether there could be legal implications.

From the beginning - a RAT is a Remote Administration Tool. Essentially, this type of tool allows a remote user to exercise control over your machine - it take pictures of the user of the computer, make changes to the computer's configuration, read/write documents, and pretty much anything else you can think of - in hacker terms, you have been "pwned." It is a complete invasion of privacy for the individual, and a complete breach for a corporation. Hackers prepare to take advantage of a RAT by "packing" it - which means the guts of the program are rearranged (code-wise), or the tool is compressed using a novel method. A good packer will allow this program to scoot by an average (or high-security) user's anti-virus, and coupled with an exploit, allow the hacker to take full control as described above. There are a plethora of "packers" and new ones everyday - so anti-virus companies (whose methods are typically signature based) cannot keep up with the evolution of newly packed malware that, in the end, is the same malicious piece of software. Hackers will often test their newly packed versions against VirusTotal - a site which runs a binary through a multitude of anti-virus products, and reports whether or not it is picked up. The holy grail is 0/40, aka undetectable - and this is even taking account of the heuristics and "learning" that AV vendors claim to have injected into their detection engines.  Individuals might also use "crypters," which encrypt the code in various ways to defeat antivirus detection - see below.

What is novel about the DarkComet RAT is that it has always been free to whomever wanted to use it, for whatever purpose. Now, instead of being able to download it, users are greeted with a message from the creator, DarkCoderSc, noting his decision to stop allowing it to be downloaded and further updated. There has been speculation that this decision was tied to the discovery of Syria using this tool to spy on dissidents as well as the software writer's fear that he could be prosecuted for the criminal acts of others - from his statement: "Like it was said above because of the missuse [sic] of the tool, and unlike so many of you seem to believe i can be held responsible of your actions [sic], and if there is something i will not tolerate is to have to pay the consequences for your mistakes and i will not cover for you."

If you doubt the prevalence or wide-spread use of this tool - allow me to demonstrate. The images below are from hacker forums (one underground, one a russian clearnet site):

Click image to enlarge

The first image is from an underground hack bulletin board, asking for information about how to use tor and DarkComet. The second post is a person advertising a "crypter" - which is like a "packer" but as the name states, it encrypts instead of packing. As I described above, using crypters or packers makes anti-virus unlikely to detect the trojan. The service this person is offering is to make it "100% FUD" which is hacker jargon for "(F)ully (U)n(D)etectable," updated every 24 hours to continue to evade antivirus.

There is no doubt that DarkComet is all over the place, and even as he has withdrawn it from the market by not allowing anyone to download it from his site anymore, there are plenty of versions floating around the interwebs - so it is not going away soon.  As others have reported, the author's change of heart likely arises from the arrests of the Mariposa botnet creator and also, more recently, the arrest of the Blackshades RAT creator as part of the Carder Profit bust.

I think the creator of DarkComet can be separated from the cases above, though, because he has always offered his software for free, and thus does not make a profit on illicit use of it. A small distinction, but a legally significant one.

In the next part I will discuss whether or not DarkCoderSc (or other RAT creators) should be prosecuted or held legally liable for his RAT.


  1. Okay do you think Metasploit authors should be arrested or Backtrack authors, it is even worse ?

    Anyway create such tools isn't illegal, he decide by his own to stop it. Also users must accept a strong TOS before using it.

  2. To answer your first question - no. I completely agree with your second statement - and I will discuss this further in my next two posts.

  3. Why Metasploit and Backtrack authors never get charged then ?
    They are doing such things.

  4. I like Metasploit and Backtrack as arguments - and I will be discussing them. Do not assume that I am saying that I believe DarkCoderSc could or should be liable for his RAT. I haven't posted those parts of the series, yet.

  5. On a side note many of your recent posts have had unreadable sections when viewed through the mobile Site. There are large text sections that appear as blocks of white and can't be deciphered. This post has them as well. For example, the last 4 lines of this article have this issue using the mobile Site through a few android browsers.

    1. Thanks for letting us know. I'll look into it.

  6. that's a sad news i always liked darkcomet