Reference URL : https://github.com/kevthehermit/RATDecoders/blob/master/DarkComet.py

Reference URL : https://blog.malwarebytes.org/intelligence/2012/06/you-dirty-rat-part-1-darkcomet/


http://www.arbornetworks.com/asert/wp-content/uploads/2012/07/Crypto-DarkComet-Report.pdf

http://www.contextis.com/blog/malware-analysis-dark-comet-rat//



http://www.arbornetworks.com/asert/2012/03/its-not-the-end-of-the-world-darkcomet-misses-by-a-mile/

http://blog.trendmicro.com/trendlabs-security-intelligence/darkcomet-surfaced-in-the-targeted-attacks-in-syrian-conflict/

http://resources.infosecinstitute.com/darkcomet-analysis-syria/


Mutex Name : DC_MUTEX-[random string]



# Yara Rule (source : https://github.com/botherder/viper/blob/master/data/yara/rats.yara)


rule DarkComet
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/DarkComet"
        family = "darkcomet"
        tags = "rat, darkcomet"

    strings:
        // Versions 2x
        $a1 = "#BOT#URLUpdate"
        $a2 = "Command successfully executed!"
        $a3 = "MUTEXNAME" wide
        $a4 = "NETDATA" wide
        // Versions 3x & 4x & 5x
        $b1 = "FastMM Borland Edition"
        $b2 = "%s, ClassID: %s"
        $b3 = "I wasn't able to open the hosts file"
        $b4 = "#BOT#VisitUrl"
        $b5 = "#KCMDDC"

    condition:
        all of ($a*) or all of ($b*)
}



I get that the Server <-> Bot communication uses the RC4 cipher, and that the default key has the form #KCMDDC[version]#-890[password], but I don't know how to decrypt it... hmm..
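An added example, not code from this page or from the RATDecoders project linked above, of what decryption with that key looks like for an analyst recovering an embedded config: the key is built as the version tag plus password exactly as the note states, RC4 is written out in plain Python, and the NAME={hex} config line layout, the version tag "51" and the field values are constructed assumptions for the sample.

```python
# Added example (not the page's or RATDecoders' code). Assumptions: the RC4 key
# is "#KCMDDC<version>#-890" followed by the operator password, and config
# lines are NAME={HEX} with hex-encoded RC4 ciphertext. Sample data is constructed.
import binascii


def darkcomet_key(version_tag: str, password: str = "") -> bytes:
    """Key = '#KCMDDC<version>#-890' + password, as the note above describes."""
    return f"#KCMDDC{version_tag}#-890{password}".encode("latin-1")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_config(config_text: str, key: bytes) -> dict:
    """Parse NAME={HEX} lines (assumed layout) and RC4-decrypt each value."""
    result = {}
    for line in config_text.splitlines():
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        ciphertext = binascii.unhexlify(value.strip().strip("{}"))
        result[name.strip()] = rc4(key, ciphertext).decode("latin-1")
    return result


def encrypt_config(fields: dict, key: bytes) -> str:
    """Inverse of decrypt_config; used only to build the constructed sample."""
    lines = []
    for name, value in fields.items():
        hexval = binascii.hexlify(rc4(key, value.encode("latin-1"))).decode()
        lines.append(f"{name}={{{hexval}}}")
    return "\n".join(lines)


# Constructed sample: v5.1-style tag, no password, two typical config fields.
SAMPLE_KEY = darkcomet_key("51")
SAMPLE_CONFIG = encrypt_config({"MUTEX": "DC_MUTEX-EXAMPLE", "NETDATA": "127.0.0.1:1604"}, SAMPLE_KEY)

if __name__ == "__main__":
    for name, value in decrypt_config(SAMPLE_CONFIG, SAMPLE_KEY).items():
        print(name, "=", value)
```

If a password was set on the server side, the same routine works once it is appended to the tag; an empty or wrong password simply yields non-printable garbage, which is the quickest sanity check when guessing the version tag.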


+ Added 2014.08.19

Reference URL : http://matasano.com/research/PEST-CONTROL.pdf



