DarkComet RAT process overview. A DarkComet RAT remover is a tool that removes a DarkComet infection from a machine. When a message is sent from the controller, the target computer receives it in full, and the icon type can be changed from the same dialog. The 'System Function' menu shows the system manager, which groups the process manager, remote registry and remote shell. DarkComet features and how they are used: the System Monitor shows the CPU usage and RAM usage of the infected host; Computer Info shows information about the server connection and general server information.
I was messing around on 'Oracle VM' and downloaded Darkcomet from some website. I was using a Win7 ISO on one VM that I downloaded the Darkcomet on, and Kali Linux on another VM to use the built-in functions to check IPs and that stuff. I had the VMs connected to my Ethernet driver, which I'm pretty sure is how they connected. After I was done attempting to use Darkcomet, which wasn't working the way it should, I figured I would check CMD on my actual PC to see if the Darkcomet I downloaded was really just a virus that someone used to connect to my PC. I'm not very good with 'hacking' per se and I don't know how to do much of anything, but I am trying to learn. When I opened CMD I typed 'netstat' to see if someone was connected and it showed this set of things: `C:\Windows\system32>netstat`
After seeing this I unplugged my Ethernet cord, went into my network settings and tried to change my IPv4 address, which I don't really understand how to do, and also went into my firewall and blocked every inbound and outbound TCP and UDP port, which meant I couldn't use the internet other than YouTube after I plugged my Ethernet back in. When I blocked the ports on my firewall I checked 'netstat' again and it only showed these:
So what I am wondering is: is this actually someone hacking (most likely it is), and is there a way I could fix this? I deleted my Chrome cache, went onto my phone, checked the router login and checked the logs, which don't show any sign. I also checked 'Wifi Inspector' on my phone and it doesn't show any new devices connected to my Wi-Fi, so I'm thinking it's only on my PC and not my actual router.
1 Answer
I doubt you're being 'hacked', just being paranoid. These addresses would occur even from just simple web browsing, usually established websockets. Breaking down each item on your list:
- Stackoverflow. Likely used to facilitate 'push' notification updates.
- Microsoft owned: bay404-m, Hotmail, Microsoft hosting, Msnbot.
- waves: Superuser.com
- These ones are harder to work out; one looks like it's related to web chat. Doubtful it's anything malicious.
- Google: here

Nothing on the list comes across as sinister in any way. If anything, my netstat output is probably 4-5 times more entries than this.
| Developer(s) | Jean-Pierre Lesueur (DarkCoderSc) |
|---|---|
| Final release | |
| Operating system | Microsoft Windows |
| Type | Remote Administration Tool |
| License | Freeware |
| Website | https://www.darkcomet-rat.com/[1] |
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur (known as DarkCoderSc[2]), an independent programmer and computer security coder from France. Although the RAT was developed back in 2008, it began to proliferate at the start of 2012. The program was discontinued, partially due to its use in the Syrian civil war to monitor activists but also due to its author's fear of being arrested for unnamed reasons.[1] As of August 2018, the program's development 'has ceased indefinitely', and downloads are no longer offered on its official website.[3]
DarkComet allows a user to control the system through a Graphical User Interface (GUI). It has many features that allow a user to employ it as a remote administrative help tool; however, many of those same features can be used maliciously. DarkComet is commonly used to spy on victims by taking screen captures, key-logging, or stealing passwords.
- 1 History of DarkComet
- 2 Architecture and Features
History of DarkComet
Syria
In 2014 DarkComet was linked to the Syrian conflict. People in Syria began using secure connections to bypass the government's censorship and the surveillance of the internet. This caused the Syrian Government to resort to using RATs to spy on its civilians. Many believe that this is what caused the arrests of many activists within Syria.[1]
The RAT was distributed via a 'booby-trapped Skype chat message' which consisted of a message with a Facebook icon which was actually an executable file that was designed to install DarkComet.[4] Once infected, the victim's machine would try to send the message to other people with the same booby-trapped Skype chat message.
Once DarkComet was linked to the Syrian regime, Lesueur stopped developing the tool, stating: “I never imagined it would be used by a government for spying. If I had known that, I would never have created such a tool.”[1]
Target Gamers, Military and Governments
In 2012 Arbor Networks found evidence of DarkComet being used to target military personnel and gamers by unknown hackers from Africa. At the time, they mainly targeted the United States.[5]
Je Suis Charlie
In the wake of the January 7, 2015, attack on the Charlie Hebdo magazine in Paris, hackers used the '#JeSuisCharlie' slogan to trick people into downloading DarkComet. DarkComet was disguised as a picture of a newborn baby whose wristband read 'Je suis Charlie.' Once the picture was downloaded, the users became compromised.[6] Hackers took advantage of the disaster to compromise as many systems as possible. DarkComet was spotted within 24 hours of the attack.
Architecture and Features
Architecture
DarkComet, like many other RATs, uses a reverse-socket architecture. The uninfected computer with a GUI enabling control of infected ones is the client, while the infected systems (without a GUI) are servers.[7]
When DarkComet executes, the server connects to the client, which can then control and monitor the server using any of the features the GUI contains. The server opens a socket, waits to receive packets from the controller, and executes the commands as they arrive.
Features
The following list of features is not exhaustive, but it covers the critical ones that make DarkComet a dangerous tool. Many of these features can be used to take over a system completely, giving the client full access once it has been granted via UAC.
- Spy Functions
  - Webcam Capture
  - Sound Capture
  - Remote Desktop
  - Keylogger
- Network Functions
  - Active Ports
  - Network Shares
  - Server Socks5
  - LAN Computers
  - Net Gateway
  - IP Scanner
  - Url Download
  - Browse Page
  - Redirect IP/Port
  - WiFi Access Points
- Computer Power
  - Poweroff
  - Shutdown
  - Restart
  - Logoff
- Server Actions
  - Lock Computer
  - Restart Server
  - Close Server
  - Uninstall Server
  - Upload and Execute
  - Remote Edit Service
  - Update Server
    - From URL
    - From File
DarkComet also has some 'Fun Features'.
- Fun Features
  - Fun Manager
  - Piano
  - Message Box
  - Microsoft Reader
  - Remote Chat
Detection
DarkComet is a widely known piece of malware; if you install an antivirus product or a DarkComet remover, you can disinfect your computer quickly. Its target machines are typically anything from Windows XP all the way up to Windows 10.
Common antivirus detection names for a DarkComet sample are as follows:
- Trojan[Backdoor]/Win32.DarkKomet.xyk
- BDS/DarkKomet.GS
- Backdoor.Win32.DarkKomet!O
- RAT.DarkComet
When a computer is infected, it tries to create a socket connection to the controller's computer. Once the connection has been established, the infected computer listens for commands from the controller; when the controller sends a command, the infected computer receives it and executes whatever function was sent.
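As an added example (not part of the Wikipedia text or of the DarkComet project), the following Python triage applies this reverse-connection architecture from the defender's side: because the implant dials out and holds an ESTABLISHED session, a `netstat -ano` listing is read for outbound sessions owned by processes that are not browsers. The netstat rows, PIDs and the browser allow-list below are constructed assumptions for the illustration.

```python
"""Triage Windows `netstat -ano` output for a reverse-connecting RAT: the
DarkComet 'server' on the infected host dials out to the controller and
holds that TCP session ESTABLISHED while waiting for commands. Added
illustration, not DarkComet's code; netstat rows and PIDs are constructed."""
import ipaddress
from collections import namedtuple

WEB_PORTS = {80, 443}        # ordinary browsing, as in the Q&A answer above
BROWSER_PIDS = {4120}        # assumption: PIDs of the host's web browsers
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10")]
Conn = namedtuple("Conn", "proto remote_ip remote_port state pid")

def _endpoint(ep):           # '1.2.3.4:443', '[::1]:49152' or '*:*'
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else 0

def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                          # banner, header or blank
        rip, rport = _endpoint(parts[2])
        state = parts[3] if parts[0] == "TCP" else ""  # UDP has no State
        conns.append(Conn(parts[0], rip, rport, state, int(parts[-1])))
    return conns

def is_local(ip):            # only reached for ESTABLISHED rows, never '*'
    return any(ipaddress.ip_address(ip) in n for n in LOCAL_NETS)

def suspicious(c):
    """ESTABLISHED TCP to a non-local host on a non-web port, owned by a
    process that is not a known browser: the shape a RAT session takes."""
    return (c.proto == "TCP" and c.state == "ESTABLISHED"
            and not is_local(c.remote_ip) and c.remote_port not in WEB_PORTS
            and c.pid not in BROWSER_PIDS)

def triage(text):
    return [c for c in parse_netstat(text) if suspicious(c)]

SAMPLE = """\
  Proto  Local Address        Foreign Address      State        PID
  TCP    0.0.0.0:135          0.0.0.0:0            LISTENING    912
  TCP    192.168.1.23:49710   203.0.113.5:443      ESTABLISHED  4120
  TCP    192.168.1.23:49733   203.0.113.9:5150     ESTABLISHED  5580
  TCP    [::1]:49152          [::1]:49153          ESTABLISHED  2200
  UDP    0.0.0.0:5353         *:*                               1880
"""
```

A controller can just as easily listen on 443, so an empty result is a first pass rather than a clean bill of health; the flagged PID is what to resolve to an image path and examine next.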
References
- ^ a b c d McMillan, Robert. 'How the Boy Next Door Accidentally Built a Syrian Spy Tool'. Wired.
- ^ 'DarkCoderSc | SOLDIERX.COM'. SoldierX. Retrieved 13 October 2017.
- ^ 'Project definitively closed since 2012'. "DarkComet-RAT development has ceased indefinitely in July 2012. Since the [sic], we do not offer downloads, copies or support."
- ^ 'Spy code creator kills project after Syrian abuse'. BBC. 10 July 2012.
- ^ Wilson, Curt. 'Exterminating the RAT Part I: Dissecting Dark Comet Campaigns'. Arbor.
- ^ Vinton, Kate. 'How Hackers Are Using #JeSuisCharlie To Spread Malware'. Forbes.
- ^ Denbow, Shawn; Hertz, Jesse. 'pest control: taming the rats' (PDF). Matasano.