Attacks/Breaches
7/10/2012
04:42 PM
Connect Directly
RSS
E-Mail
50%
50%

DarkComet Developer Retires Notorious Remote Access Tool

Some call DarkComet a tool; others call it a Trojan. RAT had been used by Syrian police and anti-Tibet organizations to spy on targeted computers.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
The creator of a notorious remote access tool (RAT) known as DarkComet has announced that he's retiring the free software, effective immediately.

Developer Jean-Pierre Lesueur said on his DarkComet website that he decided to pull the plug after his software was used for illegal purposes, for which he didn't want to be held accountable. Lesueur, meanwhile, has also released--via the website--a free tool to detect any instance of DarkComet running on a computer, "even packed/compressed/virtualized etc.," as well as another tool "to extract the data in a darkcomet stub," he said.

"Why did I take such a decision? ... Because of the misuse of the tool, and unlike so many of you [I] seem to believe I can be held responsible [for] your actions, and if there is something I will not tolerate [it] is to have to pay the consequences for your mistakes and I will not cover for you," wrote Lesueur on his website. "The law is how it is and I must abide by the rules, yes it's unfortunate for [developers] in security but that's how it is. Without mentioning what happened in Syria ..."

What happened in Syria was this: Syrian police used DarkComet earlier this year to spy on opponents of President Bashar al-Assad. Likewise, DarkComet reportedly has been used to spy on pro-Tibet non-governmental organizations.

[ Read 8 Lessons From Nortel's 10-Year Security Breach. ]

Remote access tools have been available for some time, and used in numerous "low and slow" nation state attacks, as well as in advanced persistent threat attacks. But awareness of such tools increased markedly last year, after revelations that the Shady RAT series of attacks--attributed by many information security watchers to China--had successfully compromised at least 72 organizations, including 22 governmental agencies and contractors.

What can DarkComet or other RATs do? "This software allow you to make hundreds of functions [stealthily] and remotely without any kind of [authorization] in the remote process," Lesueur told security firm Sophos last year, in reference to DarkCometX, a then-in-development Mac version of his RAT.

Given that functionality, Chester Wisniewski, a senior security advisor at Sophos Canada, said the "RAT" term was a misnomer. "While the authors would like you to believe they are simply tools, I think the evidence suggests Trojan is more appropriate," he said.

DarkComet creator Lesueur has been careful to distinguish between how his software could be used legitimately or illegally. On his website, in response to a rhetorical question about whether just the act of using DarkComet would be illegal, he said: "Well it depends how you use it, if you use it to control remote machines without any authorization from the owner then yes, if you use it in your own network then it is fully legal."

Lesueur's retiring of DarkComet clearly is his attempt to avoid arrest or imprisonment for having built and distributed the free software. "While in the past authors of such tools believed that they were immune from prosecution by claiming that they were educational tools, arrests--starting with the alleged author of the infamous Mariposa botnet--have begun to wake up authors of such tools to the possibility that they could be breaking the law," according to a Symantec blog post.

"These arrests are sending a message to the authors of such tools that they are not above the law and could face prosecution for their actions," according to Symantec, which predicts that more developers of freeware RATs--and similar tools--will soon retire their wares. "Time will tell, but any similar closures due to the risk of prosecution must be seen as a step in the right direction in combating the risk posed by such freely available tools," the company said.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity issue of Dark Reading shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
7/12/2012 | 1:20:11 AM
re: DarkComet Developer Retires Notorious Remote Access Tool
"Well it depends how you use it, if you use it to control remote machines without any authorization from the owner then yes, if you use it in your own network then it is fully legal."

This is absolutely true, and I feel bad for the developer in this case. Building a tool, whether it's a set of scripts of a remote control package, that falls into the wrong hands and gets utilized for illegal activities shouldn't necessarily make you liable for what the user of the tool has done.

If you want to extend that theory - that the manufacturer is responsible for the use of what they manufacture - then a gun manufacturer that builds a gun that a thug then takes and kills someone with would then be held accountable for building the gun. At the other end of the spectrum, a cement company sells a 50 lb bag to an individual who then uses that product to create "cement overshoes" - who gets held liable at that point? Under this line of thinking, the cement company would be liable for murder.

I realize that other countries have different ways of looking at things than we do here, but the question that I ask is, "Does this really make sense?" - if you're creating a product that gets marketed as a way to attack other entities, you're liable. If it's simply a tool, should you really be held liable?

Andrew Hornback
InformationWeek Contributor
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2413
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

CVE-2012-5244
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to...

CVE-2012-5694
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.p...

CVE-2012-5695
Published: 2014-10-20
Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS m...

CVE-2012-5696
Published: 2014-10-20
Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.