Earlier this week, SecurityWeek detailed the shutdown of the DarkComet project by its creator, because his works were used to attack protesters in Syria. The RAT had an interesting lifespan, and it was used in several attacks, according to Arbor Networks.
Jean-Pierre Lesueur, who was responsible for bringing DarkComet to life, said that DarkComet was developed and given away for free, as long as people didn’t use it for malicious purposes.
“…because of the misuse of the tool, and unlike so many of you seem to believe I can be held responsible of your actions, and if there is something I will not tolerate is to have to pay the consequences for your mistakes and I will not cover for you,” Lesueur explained, commenting on the laws that hold developers of security tools responsible for their misuse. “The law is how it is and I must abide by the rules, yes its unfortunate for devs in security but that’s how it is.”
In addition to being used to attack Syrians, DarkComet was also used as a tool to target governments, where the attacker seemed to have used the Remote Access Trojan (RAT) to test redirecting government traffic online. Another example is its use on gamers, as DarkComet was found targeting players of Runescape, likely to create a botnet for DDoS attacks.
“DarkComet is very popular RAT and is actively developed and widely used. It can be difficult to determine the motive of the attacker, however sometimes there are enough traces left over that can help us piece together the potential goals of a campaign,” Arbor’s Curt Wilson wrote.
“The real value of the RAT to the attacker is the core remote control functionality that breaches the confidentiality and integrity of the victim and the victim network by allowing the attacker full access to the target system.”
Arbor’s post on the topic is an interesting read, given that they were using the passwords, server IDs and Command & Control infrastructure of the various DarkComet campaigns to track their usage.