Last month CNN reported that supporters of the Syrian regime developed a computer virus to spy on those who opposed the government. Trend Micro experts analyzed the DarkComet Remote Access Trojan (RAT) and revealed the way it's utilized along with its spreading mechanism.
Apparently, the malware spreads via the popular instant messaging platform Skype, in many situations bearing a Facebook icon.
After it’s executed, the piece of malware connects to a command and control (C&C) server hosted by Syrian Telecommunications Establishment.
The DarkComet RAT is highly complex, allowing its masters not only to take pictures with the infected machine’s webcam and record conversations via the attached microphone, but also to record keystrokes and transfer files.
While DarkComet’s developers are still working on improving it, recent reports claim that they regret their work is being used against the people of Syria. They also expressed their intent to create a DarkComet detector to aid Syrians protect their devices.
One of the variants of the malware analyzed by Trend Micros, identified as Bkds_Zapchast.SG, was DarkComet 5 and another version, Bkdr.Breut.A, was appointed as being DarkComet 3.3.
The latter drops two executable files, one of which is the Mac Address Changer tool. The second file is the one that actually causes all the damage, since it immediately connects to the C&C server and starts doing what it knows best.
“To date, we have analyzed 10 samples that connect to the same IP address and display this type of functionality. While some are 'downloaders' that display various decoy images 4, the ultimate payload in these attacks is either DarkComet RAT version 3.3 or version 5,” Trend Micro experts wrote.
Twitter is flooded with messages that reveal not only moral, but also material support for the people of Syria. Now, it remains to be seen if the efforts of the Syrian Electronic Army (a group that supports the local government) and state officials can be defeated by the Anonymous and the masses.