Cyber Crime Review
Cyber Crime Review

October 2023


The End of DarkComet RAT – Part 1: The Introduction

Cyber CrimesCyber Crimes

If you are not aware, the author of the DarkComet RAT (Remote Administration Tool) has stopped offering the software, and stopped updating it – a move that has somehow been argued to be a victory for law enforcement, although they didn’t actually do anything.  Yes, I have heard of deterrence. However, I will leave for another day whether or not the creator of this software should or could actually be liable for the damage it has caused. Thus, in this three part series, I will: (1) introduce the tool, (2) discuss whether there should be legal implications for creators of such tools, and (3) discuss whether there could be legal implications.


From the beginning – a RAT is a Remote Administration Tool. Essentially, this type of tool allows a remote user to exercise control over your machine – it take pictures of the user of the computer, make changes to the computer’s configuration, read/write documents, and pretty much anything else you can think of – in hacker terms, you have been “pwned.” It is a complete invasion of privacy for the individual, and a complete breach for a corporation. Hackers prepare to take advantage of a RAT by “packing” it – which means the guts of the program are rearranged (code-wise), or the tool is compressed using a novel method. A good packer will allow this program to scoot by an average (or high-security) user’s anti-virus, and coupled with an exploit, allow the hacker to take full control as described above. There are a plethora of “packers” and new ones everyday – so anti-virus companies (whose methods are typically signature based) cannot keep up with the evolution of newly packed malware that, in the end, is the same malicious piece of software. Hackers will often test their newly packed versions against VirusTotal – a site which runs a binary through a multitude of anti-virus products, and reports whether or not it is picked up. The holy grail is 0/40, aka undetectable – and this is even taking account of the heuristics and “learning” that AV vendors claim to have injected into their detection engines.  Individuals might also use “crypters,” which encrypt the code in various ways to defeat antivirus detection – see below.

What is novel about the DarkComet RAT is that it has always been free to whomever wanted to use it, for whatever purpose. Now, instead of being able to download it, users are greeted with a message from the creator, DarkCoderSc, noting his decision to stop allowing it to be downloaded and further updated. There has been speculation that this decision was tied to the discovery of Syria using this tool to spy on dissidents as well as the software writer’s fear that he could be prosecuted for the criminal acts of others – from his statement: “Like it was said above because of the missuse [sic] of the tool, and unlike so many of you seem to believe i can be held responsible of your actions [sic], and if there is something i will not tolerate is to have to pay the consequences for your mistakes and i will not cover for you.”

If you doubt the prevalence or wide-spread use of this tool – allow me to demonstrate. The images below are from hacker forums (one underground, one a russian clearnet site):

The first image is from an underground hack bulletin board, asking for information about how to use tor and DarkComet. The second post is a person advertising a “crypter” – which is like a “packer” but as the name states, it encrypts instead of packing. As I described above, using crypters or packers makes anti-virus unlikely to detect the trojan. The service this person is offering is to make it “100% FUD” which is hacker jargon for “(F)ully (U)n(D)etectable,” updated every 24 hours to continue to evade antivirus.

There is no doubt that DarkComet is all over the place, and even as he has withdrawn it from the market by not allowing anyone to download it from his site anymore, there are plenty of versions floating around the interwebs – so it is not going away soon.  As others have reported, the author’s change of heart likely arises from the arrests of the Mariposa botnet creator and also, more recently, the arrest of the Blackshades RAT creator as part of the Carder Profit bust.

I think the creator of DarkComet can be separated from the cases above, though, because he has always offered his software for free, and thus does not make a profit on illicit use of it. A small distinction, but a legally significant one.

In the next part I will discuss whether or not DarkCoderSc (or other RAT creators) should be prosecuted or held legally liable for his RAT.

Comments 0
There are currently no comments.