Author Topic: DarkComet Rat  (Read 4152 times)

Offline jjunkk

  • Newbie
  • Posts: 3
DarkComet Rat
« on: May 05, 2012, 12:19:58 AM »
I was just reading www.raymond.cc and saw a post about an infection by DarkCometRat. The author of the program has written a removal program to scan your system for any infection. I scanned my system and sure enough it says I am infected.
Is this something new that avast should be concerned about?
Should I trust the scan?
I have always trusted www.raymond.cc in the past.

http://www.raymond.cc/blog/detect-remove-darkcomet-rat-malware-syrian-government/
http://www.darkcomet-rat.com/dcremover.dc

Online Pondus

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 21710
  • Gender: Male
Re: DarkComet Rat
« Reply #1 on: May 05, 2012, 05:48:12 AM »
If you suspect you are infected, follow this guide and attach logs from Malwarebytes / OTL / aswMBR:
http://forum.avast.com/index.php?topic=53253.0
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline freewear

  • Newbie
  • Posts: 2
Re: DarkComet Rat
« Reply #2 on: May 05, 2012, 06:51:16 AM »
I was just reading www.raymond.cc and saw a post about an infection by DarkCometRat. The author of the program has written a removal program to scan your system for any infection. I scanned my system and sure enough it says I am infected.
Is this something new that avast should be concerned about?
Should I trust the scan?
I have always trusted www.raymond.cc in the past.

http://www.raymond.cc/blog/detect-remove-darkcomet-rat-malware-syrian-government/
http://www.darkcomet-rat.com/dcremover.dc

What infection did the program say you had? Did you run it normally or as administrator?

Please see my thread regarding this issue on the Raymond.cc forum:

http://www.raymond.cc/forum/spyware-viruses/33219-dark-comet-remover-tool-security-center-disabled-infection.html

I read the same blog and even though I've never installed Darkcomet, I decided to use the tool. Running it normally produced no infection. However, when I ran it as administrator, it said I had something called a "security center disabler" infection. Perhaps the techs at Avast could download the tool and run it as administrator and see if they come up with the same conclusion. The download link for the tool is in the first post. What I did notice is that there are override keys for Antivirus, Antimalware, and the Firewall in my registry similar to this:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\AntivirusOverride!=dword:0

My Windows security center service is running. Could this be a false positive? I've read on the Spybot forum that these keys appear when one loads their own security programs. Could the techs here look at the Darkcomet tool, because Avast, Malwarebytes and Superantispyware do not find any infections? Here's an image of what the Darkcomet remover tool results looked like when run normally and as administrator.

[image: Darkcomet remover tool results, run normally and as administrator]

As I've stated on the Raymond.cc forum, some posters had similar results here:

http://malwaretips.com/Thread-Darkcomet-Remover-Tool


Offline Left123

  • There Is No Patch For Human Stupidity.
  • avast! Evangelist
  • Advanced Poster
  • Posts: 1052
  • Gender: Male
  • Proud Community Member&Helper.
Re: DarkComet Rat
« Reply #3 on: May 05, 2012, 08:56:58 AM »
Darkcomet uses an "odd" trick in order to bypass the firewall. It actually injects its communication code into a legitimate process, which is IEXPLORE.EXE. It is really easy to understand whether or not you are infected.
Follow these steps:
1) Download Process Explorer from here: http://technet.microsoft.com/en-us/sysinternals/bb896653
2) Open Process Explorer and under the "Process" button, press the "white button" as shown below (highlighted), or simply press CTRL+L. Now click on iexplore, then look for the mutants. IF you can identify the backdoor's mutex, you are probably infected. The backdoor's mutex is shown below, second highlighted line.

It is usually called DC-<random numbers> etc., for example DC-123F4. DC stands for DarkComet.

AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 20145
  • Gender: Male
  • malware fighter
Re: DarkComet Rat
« Reply #4 on: May 05, 2012, 02:25:31 PM »
Hi Left123,

Thanks for that very valuable info. Just a question. Wouldn't it be therefore advisable to pre-run it in the sandbox?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Left123

  • There Is No Patch For Human Stupidity.
  • avast! Evangelist
  • Advanced Poster
  • Posts: 1052
  • Gender: Male
  • Proud Community Member&Helper.
Re: DarkComet Rat
« Reply #5 on: May 05, 2012, 10:13:58 PM »
Hi Left123,

Thanks for that very valuable info. Just a question. Wouldn't it be therefore advisable to pre-run it in the sandbox?

polonus
Well, yes, I guess; I did my tests on a virtual machine.
Another method: right-click on IExplorer.exe > Properties > TCP/IP. If you see any connections, I have bad news for you ;D


« Last Edit: May 05, 2012, 10:22:03 PM by Left123 »
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus
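Added example, not from Left123's posts or from any tool named in the thread: a Python check that applies both of his indicators (a DC-prefixed mutant held by iexplore.exe, and an established TCP connection owned by iexplore.exe) to constructed text in the shape of Sysinternals handle.exe and `netstat -ano -b` output. The sample lines, PIDs and addresses are made up for the demonstration.

```python
import re

# Added example, not from the thread: scans constructed text shaped like handle.exe and netstat -ano -b output.
DC_MUTEX = re.compile(r"^DC-[0-9A-Z]{3,}$", re.IGNORECASE)   # e.g. DC-123F4, as Left123 describes
HANDLE_OUTPUT = """\
iexplore.exe pid: 2244 DESKTOP-TEST\\user
   18: Mutant        \\BaseNamedObjects\\DC-123F4
   1C: Mutant        \\Sessions\\1\\BaseNamedObjects\\Local\\!IETld!Mutex
"""
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:49211      203.0.113.10:8080      ESTABLISHED     2244
 [iexplore.exe]
  TCP    192.168.1.5:49212      93.184.216.34:443      ESTABLISHED     1808
 [firefox.exe]
"""

def find_dc_mutants(handle_text):
    """Return (pid, name) for Mutant handles in iexplore.exe whose name looks like DC-xxxx."""
    hits, proc, pid = [], None, None
    for line in handle_text.splitlines():
        header = re.match(r"^(\S+\.exe) pid: (\d+)", line)
        mutant = re.match(r"^\s*[0-9A-F]+:\s+Mutant\s+(\S+)", line)
        if header:
            proc, pid = header.group(1).lower(), int(header.group(2))
        elif mutant and proc == "iexplore.exe":
            name = mutant.group(1).rsplit("\\", 1)[-1]   # drop the object namespace path
            if DC_MUTEX.match(name):
                hits.append((pid, name))
    return hits

def find_iexplore_connections(netstat_text):
    """Return (remote, state, pid) for ESTABLISHED TCP rows that netstat attributes to iexplore.exe."""
    rows, pending = [], None
    for line in netstat_text.splitlines():
        conn = re.match(r"^\s*TCP\s+\S+\s+(\S+)\s+(\S+)\s+(\d+)", line)
        image = re.match(r"^\s*\[(\S+)\]", line)   # -b prints the owning image after its row
        if conn:
            pending = (conn.group(1), conn.group(2), int(conn.group(3)))
        elif image and pending:
            if image.group(1).lower() == "iexplore.exe" and pending[1] == "ESTABLISHED":
                rows.append(pending)
            pending = None
    return rows

def suspicious_pids(handle_text, netstat_text):
    """PIDs showing both indicators: a DC- mutex and a live outbound connection."""
    with_mutex = {pid for pid, _ in find_dc_mutants(handle_text)}
    with_conn = {pid for _, _, pid in find_iexplore_connections(netstat_text)}
    return sorted(with_mutex & with_conn)
```

A hit from only one of the two checks is worth a closer look rather than a verdict; a legitimate add-on can hold an odd mutex, and a browser normally has connections open.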

Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 20145
  • Gender: Male
  • malware fighter
Re: DarkComet Rat
« Reply #6 on: May 06, 2012, 02:47:32 PM »
Hi Left123,

The DarkComet Rat download site is being associated with unknown_html_RFI_shell and TR/ATRAPS.Gen malware.
See here: http://hosts-file.net/default.asp?s=www.darkcomet-rat.com%2F
classification: EMD
EMD - sites engaged in malware distribution
This classification is assigned to websites engaged in the distribution of malware (e.g. adware, spyware, trojans and viruses etc).

Sites with this classification typically either contain files (e.g. cracks, keygens, adware, spyware, trojans, viruses et al) or lead to such via (for example) "fake scanners" or other social engineering and misleading tactics. This includes the activities of rogue Internet Service Providers (ISPs) that host other sites to which the EMD classification applies.
Even the remover is not beyond suspicion: https://www.virustotal.com/url/76d538c26639e8ed6a0c5ef2dec39844ab9f4e96ffcde28c037e0ba6bbbe1b75/analysis/1336313749/
See: http://anubis.iseclab.org/?action=result&task_id=1888482bbfa99c39449eda88038c30b59&format=html
What I spotted there at first glance to be suspicious in this analysis:
- aspects of ecops_virus like behavior
- unexpected heap corruption issue
- firewall disabling properties via HKLM\SOFTWARE\CLASSES\CLSID\{E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31}\INPROCSERVER32    %SystemRoot%\system32\zipfldr.dll
- UltaSurf Zone Settings
- SPR Fraud ProviderId.

Comodo Instant Malware Analysis could not handle it. Tool gives unexecutable as an AutoAnalysis Verdict.

But given clean here:

htxp://darkcomet-rat.com/downloads/DarkCometRemover.zip redirects to htxp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip

Checking: htxp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip
Engine version: 7.0.1.2210
Total virus-finding records: 2837272
File size: 951.90 KB
File MD5: 70fc6e16151a54a04001a60cbac04d1c

htxp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip - archive ZIP
>htxp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip/DarkComet Remover/DarkCometRAT Remover.exe packed by FLY-CODE
>>htxp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip/DarkComet Remover/DarkCometRAT Remover.exe packed by FLY-CODE
>>>htxp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip/DarkComet Remover/DarkCometRAT Remover.exe - archive ZLIB
>>>>htxp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip/DarkComet Remover/DarkCometRAT Remover.exe/data001 - Ok
>>>>htxp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip/DarkComet Remover/DarkCometRAT Remover.exe/data002 - Ok
>>>htxp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip/DarkComet Remover/DarkCometRAT Remover.exe - Ok
>hxtp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip/DarkComet Remover/readme.txt - Ok
htxp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip - Ok

polonus
« Last Edit: May 06, 2012, 04:23:53 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
