Slashdot Mirror


Author Kills DarkComet Spyware After Syria Uses It

judgecorp writes "DarkcoderSc (Jean-Pierre Lesueur) has ended the DarkComet Remote Access Tool (RAT) project, after it emerged that the Syrian government had used the software to spy on its opponents. The tool was also used to target Mac OS X systems last year."


  1. Interesting. by gcnaddict · · Score: 5, Interesting

    So this was... legal malware? Can someone clue me in on the history of this utility? As far as I can tell, this looks like proof-of-concept/research malware designed to be used for testing purposes, but that's the best I can gather.

    --
    Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
    1. Re:Interesting. by Ciccio87 · · Score: 5, Informative

      So this was... legal malware?

      Hacking / security testing software is legal, it's its usage that could be illegal.

      Can someone clue me in on the history of this utility? As far as I can tell, this looks like proof-of-concept/research malware designed to be used for testing purposes, but that's the best I can gather.

      It was a RAT (Remote Administration Tool, a close relative of a trojan horse); it could, in effect, be used for good purposes (or for learning purposes, but, without sources, the chances for this are lesser). However, yes, it was mainly a PoC and an exercise in style.

      [OT] However, old news is old.

    2. Re:Interesting. by amicusNYCL · · Score: 1

      As far as I can tell, this looks like proof-of-concept/research malware designed to be used for testing purposes, but that's the best I can gather.

      From what I can tell, this is a backdoor installer used by attackers that the author claims is actually something along the lines of proof-of-concept/research malware designed to be used for testing purposes, so as to avoid legal liability.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    3. Re:Interesting. by Anonymous Coward · · Score: 2, Informative

      Authors of RATs usually claim they are for legal uses only, only to be used on computers you are allowed access to, claiming it is like a VNC server, even though they are straight-up trojan horses. I don't know of any trojan author who has gotten into legal issues who wasn't also involved in viruses / worms / botnets.

    4. Re:Interesting. by Exrio · · Score: 2

      Imagine the inventor of the firearm deciding to call it quits because someone found a way to hunt with it instead of kill people (in self defense even?).

      Except in this case, unless I'm missing something (is the Syrian government considered better or worse than the activists?), it's the other way around.

    5. Re:Interesting. by Anonymous Coward · · Score: 0

      Brutal military dictatorship (current government) or Islamist theocracy (rebels), take your pick.

    6. Re:Interesting. by Exrio · · Score: 0

      In retrospect it doesn't matter; either way theft, the usual criminal purpose of these tools, is more like hunting than it is like killing, and one party of a war spying on another is more like (and often leads to actual) killing, so at any rate the GGP's analogy is backwards.

      I personally find the inventor's decision reasonable in this case, though I fear I'm far too unqualified to tell whether it's indeed a good decision or not.

    7. Re:Interesting. by davydagger · · Score: 5, Interesting

      At this moment, there is no class of code that is illegal. It's completely legal to write malware, viruses, network security tools.

      It's only illegal if you use them against other people's computers. In fact most of the same tools used to break into computers are used to test security legitimately, and many have even more diagnostic utilities (Wireshark, nmap, netcat, etc.).

    8. Re:Interesting. by v1 · · Score: 2

      Brutal military dictatorship (current government) or Islamist theocracy (rebels), take your pick.

      Nuke from orbit?

      So easy to go back only a few decades and see how the US, USSR, etc were backing revolutions to get rid of an undesirable govt, only to see it replaced with something different but just as bad. Pineapple face comes immediately to mind, but I heard there was a hand in Saddam as well, just to name a few.

      Thing is, the "rebels" are rarely being led by someone that supports the people. It's more often someone that wants power. All the "people" generally want is change, but the wrong kind of change is usually the only one that has a chance of succeeding.

      --
      I work for the Department of Redundancy Department.
    9. Re:Interesting. by hairyfeet · · Score: 1

      Question: Is that enough to absolve them of legal liability? Because it seems kinda flimsy to me, like writing a worm and then going "oopsie, it was just for testing" when it gets out and infects thousands of PCs, it just doesn't sound like the kind of thing a simple EULA or statement can CYA. So is that really all there is to it? The right kind of EULA and you can cook up anything?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    10. Re:Interesting. by manu0601 · · Score: 1

      Except in this case, unless I'm missing something (is the Syrian government considered better or worse than the activists?), it's the other way around.

      Yes, if we talk about self defense, there should be a balance between attacker and defender. If you shoot an unarmed attacker in the back, it is difficult to call that self defense.

    11. Re:Interesting. by Charliemopps · · Score: 1, Informative

      So Windows RDT is a hack tool? What about all the remote administration that's done in corporate environments? My security team can remote into my computer at any time and view everything I'm doing... they can move files around, download stuff... whatever they'd like... all without me knowing a thing. Is that a trojan? I use a RAT to control a remote PC on my network that just plays music on my porch. Is that a trojan? There's plenty of stuff this kind of thing is useful for that's not illegal.

    12. Re:Interesting. by TheLink · · Score: 1

      Violent revolutions tend to result in the ones willing and able to do the most violence reaching the top. Once they are there, they usually don't let anyone else take over. And who can stop them? They can defeat everyone else in the country - they've already done it on their way up.

      That's why most (all?) communist revolutions lead to dictatorships: because Engels etc. put violence as part of the implementation plan.

      When leaders are those with the most soldiers rather than the most votes, it's a lot harder to change the leadership without bloodshed.

      The American Revolution may be an exception, but there are significant differences in the details. People should learn what made it different, before promoting violent revolution as a way to select a new government.

    13. Re:Interesting. by ae1294 · · Score: 4, Informative

      In Japan it's illegal to write or even save a virus to your computer. Apparently you get 3 years of jail time for writing and 2 years for acquiring a virus.

      Citation: http://www.futuregov.asia/articles/2011/jun/22/japan-enacts-anti-computer-virus-law/

    14. Re:Interesting. by Anonymous Coward · · Score: 0

      Have you even looked at DarkComet? It's a trojan. The title even calls it spyware. Windows RDT, GoToMyPC, LogMeIn, and SSH don't have "Firewall Bypass," file binding, anti virtual execution and other stealth features built into them. The thing even has a "spy functions" section.

    15. Re:Interesting. by Monkier · · Score: 2
    16. Re:Interesting. by BronsCon · · Score: 1

      GoToMyPC and LogMeIn certainly do, it's part of the "ease of use" functionality that means even my very nontechnical designer can use it to remote into his PC at home (with a stock unconfigured router, so no port forwarding) from the office.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    17. Re:Interesting. by rbrausse · · Score: 1

      So this was... legal malware?

      Hacking / security testing software is legal, it's its usage that could be illegal.

      Not in Germany. Sigh, stupid politicians...

    18. Re:Interesting. by Anonymous Coward · · Score: 2, Informative

      No, GoToMyPC and LogMeIn don't have a built in option to inject the server code into a running iexplorer.exe process to disguise itself as a trusted program to bypass firewalls like DarkComet or other spyware.

    19. Re:Interesting. by History's+Coming+To · · Score: 1

      His ability to turn it off is a weapon, are you trying to say he's not allowed it?

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
    20. Re:Interesting. by Anonymous Coward · · Score: 1

      Unless you're working for Sony. Just call the virus "DRM" and you'll be fine.

    21. Re:Interesting. by Anonymous Coward · · Score: 0

      But when a for-profit corporation publishes something that does EXACTLY THE SAME THINGS that's OK, right?

    22. Re:Interesting. by gl4ss · · Score: 1

      Well,

      what's the difference between Carrier IQ and "hacking software"? Or between hacking software and nmap? Between hacking software and remote desktop? It boils down only to how it is marketed and the installation path.

      --
      world was created 5 seconds before this post as it is.
    23. Re:Interesting. by flappinbooger · · Score: 1

      So this was... legal malware? Can someone clue me in on the history of this utility? As far as I can tell, this looks like proof-of-concept/research malware designed to be used for testing purposes, but that's the best I can gather.

      Dark Comet was simply a very robust and functional Remote Admin Tool. You know, like Teamviewer or Logmein Pro or.... Take your pick.

      The thing is, it was free and it was totally customizable in how you compile the client side service. Meaning, you could make the runtime executable glom itself into explorer.exe or iexplore or whatever persistence method you wanted. It could automatically add itself to the registry in different ways to guarantee it running.

      Also it reportedly could respond well to having the service "crypted" meaning to encrypt and encode the compiled program to be undetected by security software.

      In other words, it wasn't just a Remote Admin Tool, it was a RAT. RATs can be used for botnets, spying, stealing, so on.

      The guy was a very good programmer and he created a very nice pistol. Apparently he couldn't stand to see it become the next Saturday Night Special.

      I deal with malware all the time, I own an IT business. So, of course I checked out Dark Comet, Poison Ivy, Blackshades, etc, to see how these things work. A commercial offering is Cybergate RAT. There's tons of them, but Dark Comet was noteworthy in that it was clean and free, was around a long time, and actually worked well.

      A guy could legitimately deploy a RAT in order to support a client base. The problem is that these "aggressive" programs get flagged as malware all the time.

      Mainly because they get used as malware all the time.

      A side note - Cybergate is a commercial offering that will provide a clean version of the product that will NOT get flagged by antivirus software.

      --
      Flappinbooger isn't my real name
    24. Re:Interesting. by Eponymous+Hero · · Score: 1

      Guns were invented first and foremost for war, so that's why it is the way it is. It's not the other way around. The RAT tool was also invented for an aggressive purpose, but can be used for good in the right context. It's amazing how many people completely missed this and decided I must be trolling. Not this time, assholes!

      --
      insensitive clod overlords obligatory xkcd car analogy russian reversals whoosh pedant fanbois ftfy in 3...2...1..PROFIT
    25. Re:Interesting. by davydagger · · Score: 1

      This is terrible. Do they grant licenses for virus researchers?

      What about the case of the low-budget, some-guy-in-a-basement, open source type? I guess you can't crowdsource virus research now.

      In a future where viruses are outlawed, only the outlaws will be able to do ANY work, including legitimate research on viruses.

    26. Re:Interesting. by shaitand · · Score: 1

      That's easy. The difference between the successful revolutions and the unsuccessful ones is economic power and backing. The American Revolution, British, French, etc. (there are at least as many nations with successful revolutions that haven't led to dictatorships as there are those that have) were successful and didn't lead to dictatorship because they weren't led by the people fighting but rather were backed by third parties, usually parties with economic power and social status. For instance, in the American Revolution some great freedom-type propaganda was used to stir up peasants to fight, but it was the wealthy merchant class that wanted and pushed the revolution for better trade and tax terms.

      When people talk about the US having been corrupted and now ruled by corporations it cracks me up. The US has been ruled by the wealthy merchant class since its inception. Corporations amount to the same hiding behind paper that manages to deceive people into thinking the paper turns the corporation into a separate thing from the people who reap profits from its actions. Thus people vilify (even in criminal, civil, and tax court) the paper rather than the people who profit from it. The changes in lobbying allowing corporations to fund campaigns directly just allow the handful of people who actually control a corporation to turn the bribes into a tax write-off rather than having to pay the bribes with after-tax money. It's nothing more than a tax cut for major-dollar politician bribers.

      The propaganda spouted by the founding fathers to successfully manipulate people into implementing their agenda was wonderful. But those ideals never ruled in this country.

  2. Honor among thieves? by Alimony+Pakhdan · · Score: 1

    Or am I missing something here?

  3. Prosecute authors of remote administration tools? by tepples · · Score: 5, Interesting

    This in the article worries me: "Symantec said that any closures of [remote administration tool] projects were a positive thing, especially if the creators were compelled to do so by the threat of prosecution." So are GoToMyPC, LogMeIn, and SSH considered terrorist tools now?

  4. Re:Prosecute authors of remote administration tool by Anonymous Coward · · Score: 3, Interesting

    So are GoToMyPC, LogMeIn, and SSH considered terrorist tools now?

    No, you fucking idiot. But nice strawman since the person you quoted said nothing about terrorism.

  5. Re:Prosecute authors of remote administration tool by tepples · · Score: 0

    Author Kills DarkComet Spyware After Syria Uses It

    the person you quoted said nothing about terrorism.

    I'll grant that that particular quote does not mention terrorism, but the article mentions Syria, and Syria is one of the four remaining countries on the United States' list of State Sponsors of Terrorism.

  6. The law of unintended consequences... by DesScorp · · Score: 1

    ... is a bitch.

    --
    Life is hard, and the world is cruel
  7. Re:Prosecute authors of remote administration tool by Anonymous Coward · · Score: 3, Insightful

    So your logic is: if Syria = Terrorism and Syria = (RAT), therefore (RAT) = Terrorism?

  8. what is malware? by TapeCutter · · Score: 1

    What legal liability? AFAIK the only restrictions on what code one can write and distribute involve encryption; encryption was (is?) considered a munition by most major nations, and therefore had/(has?) export restrictions applied to it. Code is simply a tool for making other tools, and aside from the encryption thing, none of it is illegal. What you do with those tools may or may not be legal.

    It boils down to how you approach the question: what is malware? If you think of that as a technical question that can be answered by examining the code, it puts all code monkeys in a very precarious legal position (re: encryption == munition). OTOH if you define malware as the use of code to do something illegal, then it brings the whole thing back to a moral/legal question concerning the intent of the tool user to commit a crime, rather than the intent of the tool maker. The law tends strongly toward the latter definition, meaning virus authors get in legal trouble with authorities for releasing their virus, not for writing it.

    --
    And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    1. Re:what is malware? by amicusNYCL · · Score: 1

      It boils down to how you approach the question, what is malware?

      However you want to define it, part of the definition is getting the software installed without the user knowing what, if anything, they're installing.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  9. Re:Prosecute authors of remote administration tool by murdocj · · Score: 1

    So your logic is: if Syria = Terrorism and Syria = (RAT), therefore (RAT) = Terrorism?

    I'm rescuing the parent post from being modded to oblivion since it hits the nail right on the head.

  10. I don't get it... by ettusyphax · · Score: 3, Insightful

    So he shut the project down ostensibly because the Syrian government was using it to spy on citizens or whatever. "Misuse of the tool" being his words. Okay yeah that sucks but what did he expect people to use it for? Monitoring their baby's computer to make sure it doesn't choke on the keys? Shutting it down now as opposed to before when it was never used for nefarious ends? Seems like a pile of BS to me. More likely he shut it down because of legal threats now that he's on the radar - as is not-so-subtly implied by the article.

    You made a bomb "for educational purposes" and then gave it away. Don't pretend like you're on some moral high ground when it goes off in someone's face and your name shows up in the newspaper.

    1. Re:I don't get it... by Anonymous Coward · · Score: 0

      Cynicism rules all.

      Redemption is just some silly nonsense dreamed up by Hollywood.

      Because you can't scientifically prove the existence of good intentions (without ulterior motives), they don't exist.

      That's a bleak moral landscape, friend.

  11. Awesome by n3r0.m4dski11z · · Score: 1

    More developers should have the balls and control to do this. Kudos. But I have watched BBC.Panorama.2012.Homs.Journey.into.Hell. So you could say I am a bit biased. Burn that Assad guy at the stake! War criminal beyond belief.

    http://kat.ph/bbc-panorama-2012-homs-journey-into-hell-576p-x264-aac-hdtv-t6239795.html

  12. The noble hacker motif by GodfatherofSoul · · Score: 1

    Kind of like the noble hooker of Hollywood lore, abandoning her nefarious deeds for the good of humanity. Thank you, mon frere! Of course, it would've worked out great had you not started the project in the first place.

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
  13. Re:Prosecute authors of remote administration tool by Anonymous Coward · · Score: 0

    A safer place. When the final country on that list turns 'good' we'll only have the US to worry about.

  14. Drawing the Line by Anonymous Coward · · Score: 0

    I'm glad this fucker draws the line somewhere at least.

    So hacking into other people's computers for financial gain or just for the fun of it = good. Hacking in so that you can find and kill them = bad.

    Who knew these fucks had a conscience?

  15. How's the blacklist sw for anti-pirate sites doin? by Impy+the+Impiuos+Imp · · Score: 1

    It's all fun and games until someone loses an eye. Or a resistance movement.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.