Dark Comet Trojan modified and used against government and gamers

Dark Comet, the remote-access Trojan (RAT) written by a Parisian computer geek and used by the Syrian authorities to spy on dissidents, has been modified and tailored for attacks against both gamers and governments.

That is the conclusion of Curt Wilson, a research analyst in the Security and Engineering Response Team of security software vendor Arbor Networks, following an in-depth study into the use of the Trojan by malicious hackers.

Wilson examined five separate "campaigns" that he uncovered online, including one that used the phrase Boeing747 in the password, which he traced to the "command and control" centre in an area of South Africa that has two South African Air Force bases.

Another attack, entitled "SearchandDestroy_GOV", was seemingly used to redirect unsuspecting users from legitimate US government websites to malicious websites, or for launching "man in the middle"-style attacks. In such attacks, an attacker makes independent connections with the victims and relays messages between them.

Another appears to target users of the popular online game Runescape, in an attack that wraps up Dark Comet in a dicing "cheat" application. "Based on the indicators seen here, it is possible that the purpose of this particular campaign could be to build a DDoS [distributed denial of service] bot [network], potentially for use as a host booter to boot other gamers offline with SYN flood attacks," said Wilson, writing in a blog post on the company's website.

Wilson's study follows the news that the author of the RAT, Parisian Jean-Pierre Lesueur, took down his website that distributed the malware. Lesueur said that he took down the application after the Syrian government had used it to track down and to spy on dissidents – but also after hearing that another Trojan author had been arrested.

Former hacker Kevin Mitnick, now a security consultant, said that he did not think that Lesueur had profited or sought to profit from sales or consultancy related to the RAT – although he admits that he did make €2,000 (£1,580) from "technical support".