DarkComet RAT author denies BlackHole Mac Trojan is his

Filed Under: Apple, Malware, Privacy

To follow up on our post last Friday, I was contacted by the author of the DarkComet RAT Trojan. He seemed quite upset that I suggested the new Mac OS X Trojan BlackHole RAT was related to his Windows creation.

Rat Fink photo courtesy of Jennifer Ennis's Flickr photostream

While the BlackHole RAT Trojan seems to be copying the behavior of DarkComet, the lack of functionality and the unsophisticated user interface clearly offended the author, who felt it was necessary to set the record straight.

To make a point, DarkComet's author acknowledges that he is developing his own Mac OS X Trojan, called DarkCometX, that is not yet finished. He provided the following screenshot.

Screenshot of DarkCometX Trojan

Learning of two Mac OS X Trojans in less than a week was, admittedly, a bit of a surprise. Technically, in and of itself, writing a Trojan is not illegal. It's all in what you do with it.

Looking at the code and descriptions, though, I think it is clear what the authors expect you to do with their "products."

BlackHole RAT includes text saying things like

"I am a Trojan Horse, so i have infected your Mac Computer. I know, most people think Macs can't be infected, but look, you ARE Infected!"


"So, Im a very new Virus, under Development, so there will be much more functions when im finished."

This hardly sounds like a legal use to me.

Likewise, DarkComet RAT's author states "This software allow you to make hundreds of functions stealthly and remotely without any kind of autorisation in the remote process." and references the term "Bot Shell" in his Mac OS X development build.

Some folks provided feedback that I had used the acronym RAT incorrectly, saying it stands for Remote Access Tool, not Remote Access Trojan. While the authors would like you to believe they are simply tools, I think the evidence suggests Trojan is more appropriate.

If you are interested in what you can do to protect your Mac, check out Ben Jupp's Mac OS X security tips part 1, part 2 and part 3 and download our free Sophos Anti-Virus for Mac Home Edition.

Creative Commons image of Rat Fink courtesy of Jennifer Ennis's Flickr photostream.

, , , , , ,

You might like

5 Responses to DarkComet RAT author denies BlackHole Mac Trojan is his

  1. Get It Right · 1683 days ago

    You've used RAT incorrectly twice, now. It's Remote Administration Tool.

  2. polish67 · 1683 days ago

    all these things are proof of concept and not LIVE REAL threats ! this RAT is a hacking tool and not a TROJAN !!!
    Please stop Sophos spreading fear to mac users: F.U.D

  3. jk3021 · 1683 days ago


    Sophos are constantly trying to sell products by spreading utter nonsense , its starting to get boring now

  4. kurt wismer · 1683 days ago

    bizarre arguments against the trojan label are bizarre.

    it's creator labeled it a trojan, intended for it to be one, and succeeded.

  5. Anonymous · 1509 days ago

    The world disagrees with you. It truly is a remote administration tool, not a trojan.
    The trojan is the software that delivers the RAT agent and gets it up and running. The RAT portion is what provides the administration features.
    Regardless of whether or not DarkComet functions as a trojan, the commonly accepted industry acronym RAT stands for Remote Administration Tool. The reason why, is that there are several respectable companies that produce respectable solutions, which work in incredibly similar ways.
    The only difference would be whether the remote administrator was an authorized user, or a sneaky sob. The respectability, if you will, and the level of stealth employed.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.