Author Kills DarkComet Spyware After Syria Uses It

← Back to Stories (view on slashdot.org)

Author Kills DarkComet Spyware After Syria Uses It

Posted by Unknown on Monday July 9, 2012 @11:43AM from the evil-doer-with-a-conscience dept.

judgecorp writes "DarkcoderSc (Jean-Pierre Lesueur) has ended the DarkComet Remote Access Tool (RAT) project, after it emerged that the Syrian government had used the software to spy on its opponents. The tool was also used to target Mac OS X systems last year."

50 comments

Min score:

Reason:

Sort:

Interesting. by gcnaddict · 2012-07-09 11:46 · Score: 5, Interesting

So this was... legal malware? Can someone clue me in on the history of this utility? As far as I can tell, this looks like proof-of-concept/research malware designed to be used for testing purposes, but that's the best I can gather.

--
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
1. Re:Interesting. by Eponymous+Hero · 2012-07-09 12:01 · Score: -1, Troll
  
  "DarkComet RAT ends like this after several years of res/dev and with thousands of users through the world,” DarkcoderSc added. “The source codes will remain private and not for sale."
  imagine the inventor of the firearm deciding to call it quits because someone found a way to hunt with it instead of kill people (in self defense even?).
  
  Symantec said that any closures of RAT projects were a positive thing, especially if the creators were compelled to do so by the threat of prosecution.
  the same way cops are happy when full auto assault rifles are off the streets, but feds/military still want to use them. take away symantec's RATs and you will hear lots of crying.
  
  --
  insensitive clod overlords obligatory xkcd car analogy russian reversals whoosh pedant fanbois ftfy in 3...2...1..PROFIT
2. Re:Interesting. by Ciccio87 · 2012-07-09 12:06 · Score: 5, Informative
  
  So this was... legal malware?
  Hacking / security testing software is legal, it's its usage that could be illegal.
  
  Can someone clue me in on the history of this utility? As far as I can tell, this looks like proof-of-concept/research malware designed to be used for testing purposes, but that's the best I can gather.
  It was a RAT (Remote Administration Tool, strict relative of a trojan horse), it could, in effect, be used for good purposes (or for learning purposes, but, without sources, the chanches for this are lesser), however yes, it was mainly a PoC and an exercise in style.
  
  [OT] However, old news is old.
3. Re:Interesting. by amicusNYCL · 2012-07-09 12:06 · Score: 1
  
  As far as I can tell, this looks like proof-of-concept/research malware designed to be used for testing purposes, but that's the best I can gather.
  From what I can tell, this is a backdoor installer used by attackers that the author claims is actually something along the lines of proof-of-concept/research malware designed to be used for testing purposes, so as to avoid legal liability.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
4. Re:Interesting. by Anonymous Coward · 2012-07-09 12:08 · Score: 2, Informative
  
  Authors of RAT's usually claim they are for legal uses only, only to be used on computers you are allowed access to. Claiming it is like a VNC server, even though they are straight up trojan horses. I don't know of any trojan author who has gotten into legal issues who wasn't also involved in viruses / worms / bot nets.
5. Re:Interesting. by Exrio · 2012-07-09 12:10 · Score: 2
  
  imagine the inventor of the firearm deciding to call it quits because someone found a way to hunt with it instead of kill people (in self defense even?).
  Except in this case, unless I'm missing something (is the Syrian government considered better or worse than the activists?), it's the other way around.
6. Re:Interesting. by Anonymous Coward · 2012-07-09 12:23 · Score: 0
  
  Brutal military dictatorship (current government) or Islamist theocracy (rebels), take your pick.
7. Re:Interesting. by Exrio · 2012-07-09 12:58 · Score: 0
  
  In retrospective it doesn't matter, either way theft - the usual criminal purpose of these tools - is more like hunting than it is like killing, and one party of a war spying on another is more like (and often leads to actual) killing, so at any rate the GGP's analogy is backwards.
  I personally find the inventor's decision reasonable in this case, though I fear I'm far unqualified to tell wether it's indeed a good decision or not.
8. Re:Interesting. by davydagger · 2012-07-09 13:10 · Score: 5, Interesting
  
  at this moment, there is no class of code that is illegal. Its completely legal to write malware, viruses, network security tools.
  
  Its only illegal if you use them against other people's computers. In fact most of the same tools used to break into computers are used to test security legimately, and many have even more diagnostic utilities.(wireshark, nmap, net cat, etc...)
9. Re:Interesting. by v1 · 2012-07-09 13:42 · Score: 2
  
  Brutal military dictatorship (current government) or Islamist theocracy (rebels), take your pick.
  Nuke from orbit?
  So easy to go back only a few decades and see how the US, USSR, etc were backing revolutions to get rid of an undesirable govt, only to see it replaced with something different but just as bad. Pineapple face comes immediately to mind, but I heard there was a hand in Saddam as well, just to name a few.
  Thing is, the "rebels" are rarely being lead by someone that supports the people. It's more often someone that wants power. All the "people" generally want is change, but the wrong kind of change is usually the only one that has a chance of succeeding.
  
  --
  I work for the Department of Redundancy Department.
10. Re:Interesting. by hairyfeet · 2012-07-09 14:02 · Score: 1
  
  Question: Is that enough to absolve them of legal liability? Because it seems kinda flimsy to me, like writing a worm and then going "oopsie, it was just for testing" when it gets out and infects thousands of PCs, it just doesn't sound like the kind of thing a simple EULA or statement can CYA. So is that really all there is to it? The right kind of EULA and you can cook up anything?
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
11. Re:Interesting. by manu0601 · 2012-07-09 14:44 · Score: 1
  
  Except in this case, unless I'm missing something (is the Syrian government considered better or worse than the activists?), it's the other way around.
  Yes, if we talk about self defense, there should be a balance between attacker and defender. If you shoot an unharmed attacker in the back, it is difficult to call that self defense.
12. Re:Interesting. by Charliemopps · 2012-07-09 14:53 · Score: 1, Informative
  
  So Windows RDT is a hack tool? What about all the remote administration that's done in corporate environments? My security team can remote into my computer at any time and view everything I'm doing... they can move files around, download stuff... whatever they'd like... all without me knowing a thing. Is that a trojan? I use a RAT to control remote PC on my network that just plays music on my porch. Is that a trojan? There's plenty of stuff this kind of thing is useful for that's not illegal.
13. Re:Interesting. by TheLink · 2012-07-09 15:07 · Score: 1
  
  Violent revolutions tend to result in the ones willing and able to do the most violence reaching the top. Once they are there, they usually don't let anyone else take over. And who can stop them? They can defeat everyone else in the country - they've already done it on their way up.
  
  That's why most (all?) communist revolutions lead to Dictatorships - because Engels etc put violence as part of the implementation plan.
  
  When leaders are those with the most soldiers rather than the most votes, it's a lot harder to change the leadership without bloodshed.
  
  The American Revolution may be an exception, but there are significant differences in the details. People should learn what made it different, before promoting violent revolution as a way to select a new government.
  --
  
  Too many replies beneath your current threshold
14. Re:Interesting. by chinasandstone · 2012-07-09 15:48 · Score: -1, Offtopic
  
  i love red sandstone very much i love marble columns very much
15. Re:Interesting. by ae1294 · 2012-07-09 16:33 · Score: 4, Informative
  
  In Japan it's illegal to write or even save a virus to your computer. Apparently you get 3 years of jail time for writing and 2 years for acquire a virus.
  Citation: http://www.futuregov.asia/articles/2011/jun/22/japan-enacts-anti-computer-virus-law/
16. Re:Interesting. by Anonymous Coward · 2012-07-09 16:51 · Score: 0
  
  Have you even looked at DarkComet? It's a trojan. The title even calls it spyware. Windows RDT, GoToMyPC, LogMeIn, and SSH don't have "Firewall Bypass," file binding, anti virtual execution and other stealth features built into them. The thing even has a "spy functions" section.
17. Re:Interesting. by Monkier · 2012-07-09 18:24 · Score: 2
  
  Some was arrested in Japan for this recently: http://yro.slashdot.org/story/12/07/05/135230/japanese-13-year-old-arrested-for-virus-creation
18. Re:Interesting. by BronsCon · 2012-07-09 18:56 · Score: 1
  
  GoToMyPC and LogMeIn certainly do, it's part of the "ease of use" functionality that means even my very nontechnical designer can use it to remote into his PC at home (with a stock unconfigured router, so no port forwarding) from the office.
  
  --
  APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
19. Re:Interesting. by rbrausse · 2012-07-09 19:25 · Score: 1
  
  So this was... legal malware?
  Hacking / security testing software is legal, it's its usage that could be illegal.
  not in Germany. Sigh, stupid politicians...
20. Re:Interesting. by Anonymous Coward · 2012-07-09 19:42 · Score: 2, Informative
  
  No, GoToMyPC and LogMeIn don't have a built in option to inject the server code into a running iexplorer.exe process to disguise itself as a trusted program to bypass firewalls like DarkComet or other spyware.
21. Re:Interesting. by History's+Coming+To · 2012-07-09 20:56 · Score: 1
  
  His ability to turn it off is a weapon, are you trying to say he's not allowed it?
  
  --
  Please consider this account deleted, I just can't be bothered with the spam anymore.
22. Re:Interesting. by Anonymous Coward · 2012-07-09 20:57 · Score: 1
  
  Unless you're working for Sony. Just call the virus "DRM" and you'll be fine.
23. Re:Interesting. by Anonymous Coward · 2012-07-09 21:14 · Score: 0
  
  But when a for-profit corporation publishes something that does EXACTLY THE SAME THINGS that's OK, right?
24. Re:Interesting. by gl4ss · 2012-07-09 21:59 · Score: 1
  
  well,
  what's the difference between carrier iq and "hacking software"? or between hacking software and nmap? between hacking software and remote desktop? it boils down only to how it is marketed and installation path.
  
  --
  world was created 5 seconds before this post as it is.
25. Re:Interesting. by flappinbooger · 2012-07-09 23:49 · Score: 1
  
  So this was... legal malware? Can someone clue me in on the history of this utility? As far as I can tell, this looks like proof-of-concept/research malware designed to be used for testing purposes, but that's the best I can gather.
  Dark Comet was simply a very robust and functional Remote Admin Tool. You know, like Teamviewer or Logmein Pro or.... Take your pick.
  The thing is, it was free and it was totally customizable in how you compile the client side service. Meaning, you could make the runtime executable glom itself into explorer.exe or iexplore or whatever persistence method you wanted. It could automatically add itself to the registry in different ways to guarantee it running.
  Also it reportedly could respond well to having the service "crypted" meaning to encrypt and encode the compiled program to be undetected by security software.
  In other words, it wasn't just a Remote Admin Tool, it was a RAT. RATs can be used for botnets, spying, stealing, so on.
  The guy was a very good programmer and he created a very nice pistol. Apparently he couldn't stand to see it become the next Saturday Night Special.
  I deal with malware all the time, I own an IT business. So, of course I checked out Dark Comet, Poison Ivy, Blackshades, etc, to see how these things work. A commercial offering is Cybergate RAT. There's tons of them, but Dark Comet was noteworthy in that it was clean and free, was around a long time, and actually worked well.
  A guy could legitimately deploy a RAT in order to support a client base. The problem is that these "aggressive" programs get flagged as malware all the time.
  Mainly because they get used as malware all the time.
  A side note - Cybergate is a commercial offering that will provide a clean version of the product that will NOT get flagged by antivirus software.
  
  --
  Flappinbooger isn't my real name
26. Re:Interesting. by Eponymous+Hero · 2012-07-10 04:18 · Score: 1
  
  guns were invented first and foremost for war, so that's why it is the way it is. it's not the other way around. the RAT tool was also invented for an aggressive purpose, but can be used for good in the right context. it's amazing how many people completely missed this and decided i must be trolling. not this time, assholes!
  
  --
  insensitive clod overlords obligatory xkcd car analogy russian reversals whoosh pedant fanbois ftfy in 3...2...1..PROFIT
27. Re:Interesting. by davydagger · 2012-07-11 10:47 · Score: 1
  
  this is terrible. Do they grant licenses for virus researchers?
  
  what about the in case of the low budget, some guy in a basement open source type? I guess you can't crowd source virus research now.
  
  In a future were viruses are outlawed, only the outlaws will be able to do ANY work, to include legitimate research on viruses.
28. Re:Interesting. by shaitand · 2012-07-16 15:25 · Score: 1
  
  That's easy. The difference between the successful revolutions and the unsuccessful ones is economic power and backing. The American Revolution, British, French, etc (there are at least as many nations with successful revolutions that haven't led to dictatorships as there are those that have) were successful and didn't lead to dictatorship because they weren't led by the people fighting but rather were backed by third parties. Usually parties with economic power and social status. For instance, in the American revolution some great freedom type propoganda was used to stir up peasants to fight but it was the wealthy merchant class that wanted and pushed the revolution for better trade and tax terms.
  When people talk about the US having been corrupted and now ruled by corporations it cracks me up. The US was ruled by the wealthy merchant class since its inception. Corporations amount to the same hiding behind paper that manages to deceive people into thinking the paper turns the corporation into a seperate thing from the people who reap profits from its actions. Thus people vilify (even in criminal, civil, and tax court) the paper rather than the people who profit from it. The changes in lobbying allowing corporations to fund campaigns directly just allow the handful of people who actually control a corporation to turn the bribes into a tax write-off rather than having to pay the bribes with after tax money. It's nothing more than a tax cut for major dollar politician bribers.
  The propaganda spouted by the founding fathers to successfully manipulate people into implementing their agenda was wonderful. But those ideals never ruled in this country.
Honor among thieves? by Alimony+Pakhdan · 2012-07-09 12:01 · Score: 1

Or am I missing something here?
1. Re:Honor among thieves? by Anonymous Coward · 2012-07-09 12:44 · Score: -1
  
  You're not missing anything. Neither Apple, nor Microsoft behave with honor.
Prosecute authors of remote administration tools? by tepples · 2012-07-09 12:04 · Score: 5, Interesting

This in the article worries me: "Symantec said that any closures of [remote administration tool] projects were a positive thing, especially if the creators were compelled to do so by the threat of prosecution." So are GoToMyPC, LogMeIn, and SSH considered terrorist tools now?
Re:Prosecute authors of remote administration tool by Anonymous Coward · 2012-07-09 12:22 · Score: 3, Interesting

So are GoToMyPC, LogMeIn, and SSH considered terrorist tools now?
No, you fucking idiot. But nice strawman since the person you quoted said nothing about terrorism.
Re:Prosecute authors of remote administration tool by tepples · 2012-07-09 12:43 · Score: 0

Author Kills DarkComet Spyware After Syria Uses It
the person you quoted said nothing about terrorism.
I'll grant that that particular quote does not mention terrorism, but the article mentions Syria, and Syria is one of the four remaining countries on the United States' list of State Sponsors of Terrorism.
The law of unintended consequences... by DesScorp · 2012-07-09 12:44 · Score: 1

... is a bitch.

--
Life is hard, and the world is cruel
dear fellow hackers by Anonymous Coward · 2012-07-09 12:48 · Score: -1

STOP publishing publically to morons that will use this shit to harm people....
your truly
CHRoNoSS
President and Chairmen of the United Hackers Association....
P.S. go ahead however and publish all the ddos crap ya want lets just blot out the net sun everywhere....corporations deserve some time outs....
Re:Prosecute authors of remote administration tool by Anonymous Coward · 2012-07-09 13:23 · Score: 3, Insightful

So your logic is: if Syria = Terrorism and Syria = (RAT) , there for (RAT) = Terrorism?
www.brand-onlinerabat.dk,billigste nike free sko by Anonymous Coward · 2012-07-09 13:49 · Score: -1

http://www.brand-onlinerabat.dk/nike-shox-sko-c-188.html
http://www.brand-onlinerabat.dk/nike-shox-sko-c-188.html
nike free run 38,6
nike free run 46
nike free run 7.0 herre sko
nike free run 2 dame + pink
nike free run 2 fluorescent green
nike free run 2 grey and green
nike free run + 2
nike free run + 2 damer
nike free run kvinder
nike free run lunarglide sko
nike free run lyesr?d
nike free run orange blue men
nike free run +2 herre sko
nike free pink yellow
nike free run billigt
what is malware? by TapeCutter · 2012-07-09 13:53 · Score: 1

What legal liability? AFAIK the only restrictions on what code one can write and distribute involve encryption, encryption was (is?) considred a munition by most major nations, and therefore had/(has?) export restrictions applied to it. Code is simply a tool for making other tools, and aside from the encryption thing, none of it is illegal. What you do with those tools may or may not be legal.

It boils down to how you approach the question, what is malware? If you think of that as a technical question that can be answered by examining the code, it puts all code monkeys in a very precarious legal position (re: encryption == munition). OTOH if you define malware as the use of code to do something illegal, then it brings the whole thing back to a moral/legal question concerning the intent of the tool user to commit a crime, rather than the intent of the tool maker. The law tends strongly toward the latter definition, meaning virus authour's get in legal trouble with authorities for releasing their virus, not for writing it.

--
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
1. Re:what is malware? by amicusNYCL · 2012-07-10 02:25 · Score: 1
  
  It boils down to how you approach the question, what is malware?
  However you want to define it, part of the definition is getting the software installed without the user knowing what, if anything, they're installing.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Re:Prosecute authors of remote administration tool by murdocj · 2012-07-09 14:10 · Score: 1

So your logic is: if Syria = Terrorism and Syria = (RAT) , there for (RAT) = Terrorism?
I'm rescuing the parent post from being modded to oblivion since it hits the nail right on the head.
I don't get it... by ettusyphax · 2012-07-09 15:21 · Score: 3, Insightful

So he shut the project down ostensibly because the Syrian government was using it to spy on citizens or whatever. "Misuse of the tool" being his words. Okay yeah that sucks but what did he expect people to use it for? Monitoring their baby's computer to make sure it doesn't choke on the keys? Shutting it down now as opposed to before when it was never used for nefarious ends? Seems like a pile of BS to me. More likely he shut it down because of legal threats now that he's on the radar - as is not-so-subtly implied by the article.

You made a bomb "for educational purposes" and then gave it away. Don't pretend like you're on some moral high ground when it goes off in someone's face and your name shows up in the newspaper.
1. Re:I don't get it... by Anonymous Coward · 2012-07-09 15:55 · Score: 0
  
  Cynicism rules all.
  Redemption is just some silly nonsense dreamed up by Hollywood.
  Because you can't scientifically prove the existence of good intentions (without ulterior motives), they don't exist.
  That's a bleak moral landscape, friend.
Re:Prosecute authors of remote administration tool by chinasandstone · 2012-07-09 15:53 · Score: -1, Offtopic

i love red sandstone very much i love marble columns very much
Tor Discussion Forums + DNSCrypt by Anonymous Coward · 2012-07-09 15:55 · Score: -1

# In this post:
#
# 1. Tor Discussion Forums (two hidden services)
# 2. DNSCrypt - for Linux, Mac, and Windows (from opendns)
# 1. Tor Discussion Forums (two hidden services)
We need an official Tor discussion forum.
I did not see this issue mentioned in Roger's *latest* notes post, so for now, mature adults should visit and post at one or both of these unofficial tor discussion forums, these tinyurls will take you to:
** HackBB:
http://www.tinyurl.com/hackbbonion
** Onion Forum 2.0
http://www.tinyurl.com/onionforum2
Each tinyurl link will take you to a hidden service discussion forum. Tor is required to visit these links, even though they appear to be on the open web, they will lead you to .onion sites.
I know the Tor developers can do better, but how many years are we to wait?
Caution: some topics may be disturbing. You should be eighteen years or older. I recommend you disable images in your browser when viewing these two forums[1] and only enabling them if you are posting a message, but still be careful! Disable javascript and cookies, too.
If you prefer to visit the hidden services directly, bypassing the tinyurl service:
HackBB: (directly)
http://clsvtzwzdgzkjda7.onion/
Onion Forum 2.0: (directly)
http://65bgvta7yos3sce5.onion/
The tinyurl links are provided as a simple means of memorizing the hidden services via a link shortening service (tinyurl.com).
[1]: Because any content can be posted! Think 4chan, for example. onionforum2 does not appear to be heavily moderated so be aware and take precautions.
###
# 2. DNSCrypt for Linux, Windows, Mac (from opendns.com)
"In the same way the SSL turns HTTP web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. It does not require any changes to domain names or how they work, it simply provides a method for securely encrypting communication between our customers and our DNS servers in our data centers. We know that claims alone do not work in the security world, however, so we have opened up the source to our DNSCrypt code base and it is available on GitHub"
https://www.opendns.com/technology/dnscrypt/
- Download the right package for your Linux distribution:
https://blog.opendns.com/2012/02/16/tales-from-the-dnscrypt-linux-rising/
https://github.com/opendns/dnscrypt-proxy/blob/master/README.markdown
https://github.com/opendns
https://blog.opendns.com/2012/05/08/dnscrypt-for-windows-has-arrived/
http://techcrunch.com/2011/12/05/dnscrypt-encrypts-your-dns-traffic-because-theres-always-someone-out-to-get-you/
http://www.h-online.com/security/news/item/DNSCrypt-a-tool-to-encrypt-all-DNS-traffic-1392283.html
http://blog.opendns.com/2012/02/06/dnscrypt-hackers-wanted/
https://www.linuxquestions.org/questions/debian-26/dnscrypt-930439/
###
eof
Awesome by n3r0.m4dski11z · 2012-07-09 16:45 · Score: 1

More developers should have the balls and control to do this. Kudos. But i have watched BBC.Panorama.2012.Homs.Journey.into.Hell. So you could say i am a bit biased. Burn that asad guy at the stake! war criminal beyond belief.
http://kat.ph/bbc-panorama-2012-homs-journey-into-hell-576p-x264-aac-hdtv-t6239795.html

--
-
The noble hacker motif by GodfatherofSoul · 2012-07-09 19:33 · Score: 1

Kind of like the noble hooker of Hollywood lore, abandoning her nefarious deeds for the good of humanity. Thank you, mon frere! Of course, it would've worked out great had you not started the project in the first place.

--
I swear to God...I swear to God! That is NOT how you treat your human!
Re:Prosecute authors of remote administration tool by Anonymous Coward · 2012-07-09 20:15 · Score: 0

A safer place. When the final contry on that list turns 'good' we'll only have the US to worry about.
Drawing the Line by Anonymous Coward · 2012-07-10 00:59 · Score: 0

I'm glad this fucker draws the line somewhere at least.
So hacking into other people's computers for financial gain or just for the fun of it = good. Hacking in so that you can find and kill them = bad.
Who knew these fucks had a conscious?
How's the blacklist sw for anti-pirate sites doin? by Impy+the+Impiuos+Imp · 2012-07-10 02:39 · Score: 1

It's all fun and games until someone loses an eye. Or resistance movememt.

--
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.