DarkComet RAT Update: Pro-Syrian regime use continues

The EFF is reporting that DarkComet has been seen in a new malware campaign targeted at Syrian dissidents - the article can be found here: Pro-Syrian Government Hackers Target Activists With Fake Anti-Hacking Tool.

Our multi-part series on the hacking tool and its legal and moral implications can be found here.

Read More

The End of DarkComet RAT - Part 3: Could the creators of RATs (or similar software analogues) be prosecuted (law)

And now, on to the finale - could DarkCoderSc be prosecuted for creating, supporting, and distributing the DarkComet RAT.

NO (in the United States)

First, DarkComet RAT can be easily distinguished from Mariposa and Blackshades, on the following grounds:

1. DarkCoderSc never sold what he made - there was no profit motive, and thus one could argue, no intent to defraud.

2. As far as I know, DarkCoderSc was never affiliated with any illicit group as the Blackshades RAT creator was - which would make that person liable for numerous charges, not the least of which would be conspiracy under the CFAA.

3. At least with respect to Mariposa, DarkComet RAT had legitimate uses. You could use it for remote administration, to monitor your kids, and for legitimate purposes not otherwise specified. On the other hand, it is hard to argue legitimate uses for a botnet such as Mariposa.

Second, as many readers have pointed out, there is the "what about Metasploit and Backtrack argument." Namely, those two tools, combined, have probably pwned more computers than DarkComet RAT, yet the creators of those tools (who do have a profit motive) are not prosecuted for such activity. Circumventing these types of arguments would be a prosecutor's nightmare; I would love anyone's possible argument around those, or a different way to distinguish DarkComet/DarkCoderSc.

As I mentioned in the previous post, an interesting argument could be made along the lines of MGM Studios, Inc. v. Grokster, Ltd., 545 U.S. 913 (2005) - specifically, that a tool that had no legitimate legal uses could be a violation of XXX law. I say XXX law, because the Grokster case was based on the Lanham Act (and a judicially created standard of contributory infringement). However, as stated above, this sort of law might be used to prosecute other software creators - but because DarkComet has legitimate uses (see above), even this law would be ineffective. But, is law XXX, making it illegal to create illicit hacking tools off the table? I don't think it should be. 

In fact, it is the law in other countries - Germany's "Anti-Hacking Law" Section 202c of the StGB states "[w]hosoever prepares the commission of an offence under section 202a or section 202b by producing, acquiring for himself or another, selling, supplying to another, disseminating or making otherwise accessible… (2) software for the purpose of the commission of such an offence" is subject to prison time up to a year.  See this document describing the law a little further with recommendations for security professionals. As the article states, the regular use of penetration testing tools does not fall within the ambit of the law, as long as the purpose is legal, and everything is above board. The law is aimed at those tools that are developed or aimed at perpetrating cybercrime.

Such a law for the United States, to return to a normative argument for a second, should be considered. It would immunize Metasploit, Backtrack, etc., but go after those who create the software solely for criminal intentions.

To see the earlier parts of this series follow the links below:

The End of DarkComet RAT - Part 1: The Introduction
The End of DarkComet RAT - Part 1: The Introduction - Update
The End of DarkComet RAT - Part 2: Should the creators of RATs (or similar software analogues) be prosecuted (ethics)
The End of DarkComet RAT - More Technical Details

Read More

The End of DarkComet RAT - Part 2: Should the creators of RATs (or similar software analogues) be prosecuted (ethics)

I pose the question above at a high level of generality to include in this discussion not just the writer of DarkComet RAT, but writers of other RATs, and more importantly, writers of similar software, for-profit or otherwise. Because I do believe there is one line to be drawn when the person who created the software intended to, or does profit from it. It is clear from my previous post that law enforcement surely does believe that writing software for these motives may be criminal - the Mariposa botnet creator and the Blackshades RAT creator were both taken into custody - however, I would argue that those situations are distinguishable.

But what should the collective "we" think about DarkComet and its creator? And more importantly, how does an enforcement scheme fit within the framework of existing "hacker" software, such as Metasploit (for profit), Backtrack (totally free - but... paid training - Offensive Security) , Samurai WTF (free), Katana (free, and even more underground) -- yes, I could go on. And, is there a "paid-for" vs. "free" dichotomy?

I want to approach this question normatively, first, because I believe this to be somewhat of a novel issue, wrapped inside an already contemplated dilemma; however I am (secretly, but not so much anymore) really hoping to hear at least one person propose an outcome similar to MGM Studios, Inc. v. Grokster, Ltd., 545 U.S. 913 (2005), based not necessarily on statutory law (contributory infringement is not in the Lanham Act), but through judicial interpretation. Remember, forget the law - we're proposing what the law should be, here.

I would like to reiterate that the purpose of this series is to strike a lively debate. First, the easiest analogue to this debate is the "guns kill people" argument. Namely, we don't outlaw guns, even though we know they can kill people but are also used lawfully (the majority of the time); therefore, the argument goes, we can't punish makers of guns because of the potential harm they may cause - we leave the criminal consequences at the doorstep of the individual, instead - they are boxed in by the confines of the law as their state has legislated (most often) and absent just cause (e.g., the Castle Doctrine), murder is murder. But can we dispose of this argument that simply? I (personally) don't think so.

You can't just say DarkCoderSc made a program that is used nefariously and should have known that it would be used in unethical, criminal, and fundamentally immoral ways - and thus he should be punished. Because can't the same argument be used for makers of guns (as the simplified argument above asserts), or maybe the makers of Metasploit (HD Moore), Backtrack, the list goes on.  And, you can't walk away arguing the converse; see below. At the center of the issue is the question - who is more culpable - the tool creators, or the tool users? Or, to put it a couple of other ways - who is more responsible - (a) the gun maker or the shooter; or (b) the scientist who described the process to enrich uranium or the nation-state who launched the nuclear bomb.

So, let's dig in to the heart of the issue. Not surprisingly, it reverberates on a variety of fronts - ethical, legal, and even moral. To name a few: personal responsibility v. governmental intervention; notions of negligence, duty of care, and the reasonable person; foreseeability; national security (the budding argument); material or conspiratorial assistance; and if you want to delve into morality, the argument against such assistance based on natural law (a la righteousness) -- (for example, see Romans 1:18-32). 


I do not propose to have the right answer to this question (in all honesty I am troubled by it), but - I also do not agree with the blanket assertion that because we have already implicitly condoned tools such as Metasploit and Backtrack, that we cannot walk that back. Conversely, I think that would be an inspiring debate. And remember the parallel (yet disparate) personal responsibility argument that turns this issue on its head - it goes like this: we cannot control the end result of every societal interaction, but, we can control the predicate for those interactions. For the lawyers out there, I analogize this (maybe in an over-simplistic way), to the stream of commerce argument. Do you provide a framework to punish the original maker of the faulty product (see Asahi) or do you rein that in and inject (not my words) "objective rationality" (see Dunlop) to shield makers from unintended and unforeseeable outcomes?

Back to the monetary debate - because I like the theme of this argument - that the Blackshades RAT creator and the Mariposa botnet creator went down because they were a part of the criminal enterprise that was taken down. And furthermore, that we look down on individuals who attempt to profit from the (insert belief word here (moral, ethical, religious)) wrong that they have caused. Clear example - we do not allow murders to profit from the story of their offense. Is that analogous to the DarkComet RAT? Should a profit motive be involved?

In the last (third) part of this series, I will discuss whether or not DarkCoderSc (or other RAT creators) could be prosecuted or held legally liable for his RAT.

Just as a little poke - my first post should make it clear that use of DarkComet RAT as a hacking tool is transcendently clear. If you attempt to use lack of foreseeability as the basis of your argument, you automatically lose. Let the debate begin.

Read More

The End of DarkComet RAT - Part 1: The Introduction - Update

I forgot to mention the story from last year about how DarkComet was ported to Mac computers - facts are important -  if for no other reason than to bolster the argument that DarkComet's uses are likely more malicious than condoned.

Before you rail against me - let me note as an aside that I recognize the Metasploit, Backtrack, Core Impact, etc, etc, etc. argument against criminal enforcement. They are legal tools that do the same, and they generate more money (exponentially) than DarkCoderSc could have ever made with DarkComet. That's the beauty of a three-part series. At the end, rail away. Comments are not only allowed, but encouraged throughout the process. But please, vindicate or vilify me when appropriate.

~J

Read More

The End of DarkComet RAT - Part 1: The Introduction

If you are not aware, the author of the DarkComet RAT (Remote Administration Tool) has stopped offering the software, and stopped updating it - a move that has somehow been argued to be a victory for law enforcement, although they didn't actually do anything.  Yes, I have heard of deterrence. However, I will leave for another day whether or not the creator of this software should or could actually be liable for the damage it has caused. Thus, in this three part series, I will: (1) introduce the tool, (2) discuss whether there should be legal implications for creators of such tools, and (3) discuss whether there could be legal implications.

THE INTRODUCTION
From the beginning - a RAT is a Remote Administration Tool. Essentially, this type of tool allows a remote user to exercise control over your machine - it take pictures of the user of the computer, make changes to the computer's configuration, read/write documents, and pretty much anything else you can think of - in hacker terms, you have been "pwned." It is a complete invasion of privacy for the individual, and a complete breach for a corporation. Hackers prepare to take advantage of a RAT by "packing" it - which means the guts of the program are rearranged (code-wise), or the tool is compressed using a novel method. A good packer will allow this program to scoot by an average (or high-security) user's anti-virus, and coupled with an exploit, allow the hacker to take full control as described above. There are a plethora of "packers" and new ones everyday - so anti-virus companies (whose methods are typically signature based) cannot keep up with the evolution of newly packed malware that, in the end, is the same malicious piece of software. Hackers will often test their newly packed versions against VirusTotal - a site which runs a binary through a multitude of anti-virus products, and reports whether or not it is picked up. The holy grail is 0/40, aka undetectable - and this is even taking account of the heuristics and "learning" that AV vendors claim to have injected into their detection engines.  Individuals might also use "crypters," which encrypt the code in various ways to defeat antivirus detection - see below.

What is novel about the DarkComet RAT is that it has always been free to whomever wanted to use it, for whatever purpose. Now, instead of being able to download it, users are greeted with a message from the creator, DarkCoderSc, noting his decision to stop allowing it to be downloaded and further updated. There has been speculation that this decision was tied to the discovery of Syria using this tool to spy on dissidents as well as the software writer's fear that he could be prosecuted for the criminal acts of others - from his statement: "Like it was said above because of the missuse [sic] of the tool, and unlike so many of you seem to believe i can be held responsible of your actions [sic], and if there is something i will not tolerate is to have to pay the consequences for your mistakes and i will not cover for you."

If you doubt the prevalence or wide-spread use of this tool - allow me to demonstrate. The images below are from hacker forums (one underground, one a russian clearnet site):

Click image to enlarge

The first image is from an underground hack bulletin board, asking for information about how to use tor and DarkComet. The second post is a person advertising a "crypter" - which is like a "packer" but as the name states, it encrypts instead of packing. As I described above, using crypters or packers makes anti-virus unlikely to detect the trojan. The service this person is offering is to make it "100% FUD" which is hacker jargon for "(F)ully (U)n(D)etectable," updated every 24 hours to continue to evade antivirus.

There is no doubt that DarkComet is all over the place, and even as he has withdrawn it from the market by not allowing anyone to download it from his site anymore, there are plenty of versions floating around the interwebs - so it is not going away soon.  As others have reported, the author's change of heart likely arises from the arrests of the Mariposa botnet creator and also, more recently, the arrest of the Blackshades RAT creator as part of the Carder Profit bust.

I think the creator of DarkComet can be separated from the cases above, though, because he has always offered his software for free, and thus does not make a profit on illicit use of it. A small distinction, but a legally significant one.


In the next part I will discuss whether or not DarkCoderSc (or other RAT creators) should be prosecuted or held legally liable for his RAT.

Read More