Malware Hunting : The end of DarkComet

Hi everyone!

I don’t know about you, but when I was younger there was a huge trend of making video tutorials about hacking on Windows. It was also at that time that tools like LOIC became popular. Hacking had literally become a “point and click” affair, as in a video game.

Today we will deal with a piece of software that also became popular at that time: DarkComet.

A bit of History

DarkComet was a Trojan horse (a remote administration tool, known by the abbreviation “RAT”) developed by an independent French programmer.

Although this software was developed in 2008, it only began to proliferate in early 2012. Its development was cancelled, partly because of its misuse during the Syrian civil war to monitor activists, but also because its creator feared being arrested.

Usage

It should be noted that even though its development stopped in July 2012, the software is still widely used, as shown by these fresh statistics I put together with the help of Shodan:

C&C distribution in France among the 5 most used trojans

As can be seen, among the C&C servers of the 5 most common Trojan horses detected by Shodan in France, more than 50% are DarkComet servers.

If patriotic hack back were authorized, as discussed in the previous post, DarkComet C&C servers would probably have to be the first target because they are so widely used.

What we already know

DarkComet has been vulnerable before. Since 2015 it has been known that an arbitrary file download is possible on any DarkComet C&C server. A good starting point is therefore to examine DarkComet’s file sending functionality (from attacker to victim).

The server uses a very specific transaction model that looks like this (“S” refers to the server and “I” to the infected computer):

S: QUICKUP C: file.jpg | 123 | UploadExec

The infected computer then opens a new connection and answers with its own “QUICKUP”:

I: QUICKUP 123 | C: file.jpg | UploadExec
S: “\x41\x00\x43”
I: Ack
S: “file length”
I: Ack
S: “raw binary stream”

The C&C server does not check whether it actually issued the upload command it is being answered to. This means that anyone connecting to the server can download any file from it.
Unfortunately, since there is no way to make the server list the files of a directory, this vulnerability is limited to downloading files whose path the attacker already knows.

Among the various files that can be reached, we can have fun targeting two sensitive files for the server:

1°) comet.db which, as the name suggests, is a database (SQLite) actually containing a list of all infected computers (including IP/MAC addresses, Country, current user name, operating system version,…). This database can also contain keystroke recording data.

2°) config.ini, which contains, in plain text, all the passwords related to the DarkComet server configuration.

As said previously, this vulnerability is interesting to say the least, but unfortunately it does not directly give us a stable foothold on the server.

A bit of research

Let’s now take a look at the download function (from victim to attacker).
When the DarkComet server tries to download a file, here is what actually happens:

S: DOWNLOADFILE 596 | C: file.jpg

The infected computer then opens a new connection:

I: FILETRANSFER | 596
S: “\x41\x00\x43”
I: FILEBOF C: file.jpg | 0
S: Ack
I: “raw binary stream”

The server writes the file, under the name “file.jpg”, to a directory chosen by the user. Although it may seem as exploitable as the previous function, it unfortunately is not: the 596 in “DOWNLOADFILE 596” is a socket identifier, and the server will not accept “FILETRANSFER | 596” unless it has previously issued that command on the same socket.
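The root cause in both exchanges above is the same: the C&C never records which transfers it issued, so a peer can answer a request that was never made. As an added example (not code from the post, from PseudoLaboratories or from DarkComet itself), here is a hypothetical server-side gate in Python that keeps exactly that state and accepts a QUICKUP, FILETRANSFER or FILEBOF only when it answers a transfer the server started, writing only the file name the server asked for. The message layouts follow the two transcripts above; the `sock` argument (the connection a message arrived on) and the reason strings are assumptions.

```python
import re
from dataclasses import dataclass, field

# Message shapes taken from the two exchanges above. The gate itself is a
# hypothetical hardening written for this article, not DarkComet's own code.
QUICKUP_SRV = re.compile(r"^QUICKUP (?P<path>.+?) \| (?P<tid>\d+) \| (?P<mode>\w+)$")
QUICKUP_CLI = re.compile(r"^QUICKUP (?P<tid>\d+) \| (?P<path>.+?) \| (?P<mode>\w+)$")
DOWNLOAD_SRV = re.compile(r"^DOWNLOADFILE (?P<sid>\d+) \| (?P<path>.+)$")
TRANSFER_CLI = re.compile(r"^FILETRANSFER \| (?P<sid>\d+)$")
FILEBOF_CLI = re.compile(r"^FILEBOF (?P<path>.+?) \| (?P<offset>\d+)$")

def basename(path):
    """Last component of a Windows or POSIX path: the only part a peer may name."""
    return re.split(r"[\\/]", path)[-1]

@dataclass
class TransferGate:
    uploads: dict = field(default_factory=dict)    # tid -> (path, mode) issued via QUICKUP
    downloads: dict = field(default_factory=dict)  # sid -> path issued via DOWNLOADFILE
    opened: dict = field(default_factory=dict)     # sock -> path after an accepted FILETRANSFER

    def server_sent(self, msg):
        """Record each transfer the C&C itself initiates (state the original never kept)."""
        if m := QUICKUP_SRV.match(msg):
            self.uploads[m["tid"]] = (m["path"], m["mode"])
        elif m := DOWNLOAD_SRV.match(msg):
            self.downloads[m["sid"]] = m["path"]

    def client_sent(self, sock, msg):
        """Decide on one client message; sock (assumed) is the connection it arrived on."""
        if m := QUICKUP_CLI.match(msg):
            # Id, path and mode must all match an outstanding request, used once.
            if self.uploads.pop(m["tid"], None) != (m["path"], m["mode"]):
                return False, "QUICKUP answers no outstanding server request"
            return True, "send file to client"
        if m := TRANSFER_CLI.match(msg):
            path = self.downloads.pop(m["sid"], None)
            if path is None:
                return False, "FILETRANSFER for a socket id the server never used"
            self.opened[sock] = path
            return True, "transfer channel opened"
        if m := FILEBOF_CLI.match(msg):
            issued = self.opened.get(sock)
            if issued is None or basename(m["path"]) != basename(issued):
                return False, "FILEBOF names a file the server did not ask for"
            return True, "write " + basename(issued)   # never the peer-supplied path
        return False, "unknown message"
```

Each rejection reason is also a usable alert: in a real deployment, any message refused here is by definition unsolicited traffic.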

It is not obvious at first sight, but the vulnerability is there. I leave the details to comrade PseudoLaboratories (see Sources) for those interested.

All that to say that exploiting the vulnerability gives us an arbitrary file upload, which we can use to obtain a: *drum roll* …

Remote Code Execution !

By default, the DarkComet server tries to use UPnP in order to open ports automatically. To do so, it writes a file called “upnp.exe” to the Temp directory and runs it when needed.

First, the arbitrary file download vulnerability could be used to read the current user name; then the arbitrary file upload could be used to drop a payload straight into the Temp directory. Boom!

At the next server restart, “upnp.exe” (overwritten by our payload) will be executed.

Privilege escalation

The logical next step in the actual pwnage would be to find a way to obtain administrator privileges, but DarkComet has already done the job!

Yep: since the software requests administrator privileges at each startup, any code executed by DarkComet inherits those rights, our payload included.

Conclusion

DarkComet is a highly developed piece of software, so much so that it is the most popular trojan in France and in many countries worldwide. Had its development not been terminated, the flaws described in this article would certainly no longer be exploitable.

With this in mind, if hacking back the bad guys were not illegal, we could clean up to 50% of the C&C servers in France, and maybe more in other countries.

I hope you liked this article; feel free to leave a comment, a remark or even a message (I read them all!!).

For my part, I was delighted to write this article. I haven’t yet chosen my next victim, so don’t hesitate to send me ideas 🤠

Sources

https://pseudolaboratories.github.io/DarkComet-upload-vulnerability/
https://www.shodan.io/
https://techanarchy.net/blog/darkcomet-hacking-the-hacker
https://fr.wikipedia.org/wiki/DarkComet
