DarkComet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur (known as DarkCoderSc), an independent programmer and computer security coder from France. Although the RAT was developed back in 2008, it began to proliferate at the start of 2012. The program was discontinued, partially due to its use in the Syrian civil war to monitor activists but also due to its author's fear of being arrested for unnamed reasons. As of August 2018, the program's development "has ceased indefinitely", and downloads are no longer offered on its official website. DarkComet allows a user to control the system with a graphical user interface (GUI). It has many features which allow a user to use it as an administrative remote help tool; however, DarkComet has many features which can be used maliciously. DarkComet is commonly used to spy on victims by taking screen captures, key-logging, or password stealing.


History of DarkComet


Syria

In 2014 DarkComet was linked to the Syrian conflict. People in Syria began using secure connections to bypass the government's censorship and surveillance of the internet. This caused the Syrian government to resort to using RATs to spy on its civilians. Many believe that this is what caused the arrests of many activists within Syria. The RAT was distributed via a "booby-trapped Skype chat message", which consisted of a message with a Facebook icon that was actually an executable file designed to install DarkComet. Once infected, the victim's machine would try to send the same booby-trapped Skype chat message to other people. Once DarkComet was linked to the Syrian regime, Lesueur stopped developing the tool. “I never imagined it would be used by a government for spying,” he said. “If I had known that, I would never have created such a tool.”


Target Gamers, Military and Governments

In 2012 the company Arbor Networks found evidence of DarkComet being used to target military personnel and gamers by unknown hackers from Africa. At the time, they mainly targeted the United States.


Je Suis Charlie

In the wake of the January 7, 2015, attack on the Charlie Hebdo magazine in Paris, hackers used the "#JeSuisCharlie" slogan to trick people into downloading DarkComet. DarkComet was disguised as a picture of a newborn baby whose wristband read "Je suis Charlie." Once the picture was downloaded, the users were compromised. Hackers took advantage of the disaster to compromise as many systems as possible. DarkComet was spotted within 24 hours of the attack.


Architecture and Features


Architecture

DarkComet, like many other RATs, uses a reverse-socket architecture. The uninfected computer with a GUI enabling control of infected ones is the client, while the infected systems (without a GUI) are servers. When DarkComet executes, the server connects to the client and allows the client to control and monitor the server. At this point the client can use any of the features which the GUI contains. The server opens a socket, waits to receive packets from the controller, and executes the commands it receives.


Features

The following list of features is not exhaustive, but these are the critical ones that make DarkComet a dangerous tool. Many of these features can be used to completely take over a system and allow the client full access when granted via UAC.

* Spy Functions
** Webcam Capture
** Sound Capture
** Remote Desktop
** Keylogger
* Network Functions
** Active Ports
** Network Shares
** Server Socks5
** LAN Computers
** Net Gateway
** IP Scanner
** Url Download
** Browse Page
** Redirect IP/Port
** WiFi Access Points
* Computer Power
** Poweroff
** Shutdown
** Restart
** Logoff
* Server Actions
** Lock Computer
** Restart Server
** Close Server
** Uninstall Server
** Upload and Execute
** Remote Edit Service
* Update Server
** From URL
** From File

DarkComet also has some "Fun Features":

* Fun Features
** Fun Manager
** Piano
** Message Box
** Microsoft Reader
** Remote Chat


Detection

DarkComet is a widely known piece of malware. If a user installs an antivirus, or a DarkComet remover, they can disinfect their computer quickly. Its target machines are typically anything from Windows XP all the way up to Windows 10. Common anti-virus tags for a DarkComet application are as follows:

* Trojan[Backdoor]/Win32.DarkKomet.xyk
* BDS/DarkKomet.GS
* Backdoor.Win32.DarkKomet!O
* RAT.DarkComet

When a computer is infected, it tries to create a connection via a socket to the controller's computer. Once the connection has been established, the infected computer listens for commands from the controller; if the controller sends out a command, the infected computer receives it and executes whatever function is sent.
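As an added example (not part of the original article), here is a host-side detection heuristic for the reverse-connection behaviour described under Architecture and in the paragraph above: the victim-side server calls out to the controller's endpoint and keeps doing so while waiting for commands. It runs over constructed Sysmon-style connection events; the process paths, addresses and port are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log in a Sysmon-style network-connection format
# (timestamp | process image | destination IP | destination port).
# Process paths, addresses and the port are made up for this example.
SAMPLE_LOG = """\
2015-01-08T10:00:00 | C:\\Users\\alice\\AppData\\Roaming\\svc.exe | 203.0.113.5 | 5000
2015-01-08T10:00:07 | C:\\Program Files\\Browser\\browser.exe | 198.51.100.20 | 443
2015-01-08T10:01:00 | C:\\Users\\alice\\AppData\\Roaming\\svc.exe | 203.0.113.5 | 5000
2015-01-08T10:01:30 | C:\\Program Files\\Browser\\browser.exe | 198.51.100.21 | 443
2015-01-08T10:02:00 | C:\\Users\\alice\\AppData\\Roaming\\svc.exe | 203.0.113.5 | 5000
2015-01-08T10:03:00 | C:\\Users\\alice\\AppData\\Roaming\\svc.exe | 203.0.113.5 | 5000
2015-01-08T10:04:01 | C:\\Users\\alice\\AppData\\Roaming\\svc.exe | 203.0.113.5 | 5000
2015-01-08T10:09:00 | C:\\Program Files\\Browser\\browser.exe | 198.51.100.20 | 443
"""

def parse_log(text):
    """Turn the pipe-separated lines into (timestamp, image, dst_ip, dst_port)."""
    events = []
    for line in text.splitlines():
        ts, image, dst, port = (field.strip() for field in line.split("|"))
        events.append((datetime.fromisoformat(ts), image, dst, int(port)))
    return events

def find_beacons(events, min_connections=4, max_jitter=0.25):
    """Report (image, dst, port) groups that reconnect at regular intervals.
    The victim-side component calls out to one controller endpoint and keeps
    doing so while waiting for commands, so its inter-connection gaps are nearly
    constant: flag a group when stdev/mean of the gaps is at most max_jitter.
    Returns {endpoint_tuple: mean_gap_seconds}."""
    by_endpoint = defaultdict(list)
    for ts, image, dst, port in events:
        by_endpoint[(image, dst, port)].append(ts)
    beacons = {}
    for key, stamps in by_endpoint.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons

if __name__ == "__main__":
    for (image, dst, port), interval in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {image} -> {dst}:{port} every {interval:.0f}s")
```

The browser's connections fan out to several hosts and never reach the minimum count, while the constructed implant process reconnects to one endpoint about once a minute and is reported.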

