DarkComet is a freely available remote access trojan (RAT) developed by an independent programmer, “DarkCoderSC,” first observed in 2011, and is still considered to be one of the most common RATs used. It is marketed as a “tool” as opposed to a “trojan” as it is claimed to be for network administrator use; however, its functionality attracts hackers.

What is RAT?

A Remote Administration Tool (otherwise known as a RAT) is a piece of software designed to provide full access to remote clients. Capabilities often include keystroke logging, file system access and remote control; including control of devices such as microphones and webcams. RATs are designed as legitimate administrative tools, yet due to their extensive capabilities are often seen used with malicious intent.

When a RAT is identified as the payload in a malicious infection, typical malware analysis will resolve all the capabilities being provided to the attacker. However, the attacker may not be using all the capabilities provided; they may only be using the keylogging facility or using the backdoor to install further tools onto the infected host.

To make a full impact assessment, this detail is necessary and may only be available through analysis of the commands sent to the host by the attacker. However, access to the command and control traffic is limited as most RATs implement encryption or obfuscation to hide data sent over the network.

Details of DarkComet RAT

Dark Comet RAT has been available for a few years and is now at version 4, with over 70,000 downloads to date. The RAT appears to be regularly updated with bug fixes and new features.

Dark Comet provides many very similar features to other commercially available RATs and implements the same Client-Server architecture. Servers are built on the Client machine and deployed to as many remote hosts as required, once deployed they will make a connection back to the client and await commands. The Client-side provides an administration console to manage all incoming connections, allowing full command and control capability and file system access. Multiple server ‘profiles’ can be maintained from a single client, and the servers may be updated or uninstalled remotely.

The trojan uses Crypters to evade antivirus tools and can disable Task Manager, Registry Editor, Folder Options, Windows Firewall, and Windows User Account Control (UAC). DarkComet is also able to log keystrokes, provide file system access and remote control – including control of devices such as microphones and webcams, and has a distributed denial-of-service (DDoS) capability.

The trojan has several “fun functions” including, the Fun Manager – different types of fun functions, including hiding the desktop, lock, task icons, systray icons, taskbar, start button, task manager, and open/close the CD tray. The remote desktop capability allows the attacker to see the active screen of the infected user as well as take control of the mouse and keyboard. DarkComet is most commonly spread through drive-by attacks and links on social networking sites. Systems can be protected by keeping them updated and using antivirus software.

Default server settings

When a server is created via the administration console, several settings are required. The following table shows the default settings used for server creation with a version 4 client and may be commonly used.

Bold indicates a regular expression

In addition to the basic settings above, a series of options are provided during the server build process. These options affect how the server will act on the host, such as autostart locations and provide additional capabilities such as keylogging and host file modification. The range of options available is shown below.

Module Options

  • Melt server executable after initial execution
  • Change file creation date (if selected, the date is set to 16/04/2007 unless specified otherwise, no option is available for the time change)
  • Persistence installation (Various persistence methods have been seen including use of the HKLM Run Key and Userinit Keys)
  • File attributes (select multiple, default none): Hidden, System, Archive, Temporary, Read Only

Stealth and Performance Options

  • Path attributes (select multiple, default none): Hidden, System, Archive, Temporary, Read Only
  • Hide startup key from MSConfig (32bit only)
  • Hide stub from explorer and related file management tools
  • Hide parent stub from explorer and related file management tools
  • Explorer Injection is also available in a specific “FWB” (Firewall Bypass) version

Capability Options

  • Disable Task Manager
  • Disable Registry
  • Disable Windows Firewall (XP SP3 to Windows 7)
  • Disable Windows UAC
  • XP SP2 or earlier:
    • Disable AV Notify
    • Disable Security Center
    • Disable Windows Update
    • Disable Control Panel

Keylogging

  • Active offline keylogging from a startup is disabled by default, however, live keylogging can be enabled post-infection. The keylog created by offline keylogging can also be sent via FTP (disabled by default).

Hosts File Modification

  • Hosts file (system32\drivers\etc\hosts) modification can be included in the server build so that the modification takes place on server startup, before any attempt to establish a network connection. Note that modification of the hosts’ file is also available remotely from the console once the communication between the server and client has been established.

Server Build

  • No packing by default, however, two packers are included: UPX and MPRESS (.NET PE32+)
  • No default filename for the module.