To follow up on our post last Friday, I was contacted by the author of the DarkComet RAT Trojan. He seemed quite upset that I suggested the new Mac OS X Trojan BlackHole RAT was related to his Windows creation.
While the BlackHole RAT Trojan seems to be copying the behavior of DarkComet, the lack of functionality and the unsophisticated user interface clearly offended the author, who felt it was necessary to set the record straight.
To make a point, DarkComet’s author acknowledges that he is developing his own Mac OS X Trojan, called DarkCometX, that is not yet finished. He provided the following screenshot.
Learning of two Mac OS X Trojans in less than a week was, admittedly, a bit of a surprise. Technically, in and of itself, writing a Trojan is not illegal. It’s all in what you do with it.
Looking at the code and descriptions, though, I think it is clear what the authors expect you to do with their “products.”
BlackHole RAT includes text saying things like
"I am a Trojan Horse, so i have infected your Mac Computer. I know, most people think Macs can't be infected, but look, you ARE Infected!"
and
"So, Im a very new Virus, under Development, so there will be much more functions when im finished."
This hardly sounds like a legal use to me.
Likewise, DarkComet RAT’s author states “This software allow you to make hundreds of functions stealthly and remotely without any kind of autorisation in the remote process.” and references the term “Bot Shell” in his Mac OS X development build.
Some folks provided feedback that I had used the acronym RAT incorrectly, saying it stands for Remote Access Tool, not Remote Access Trojan. While the authors would like you to believe they are simply tools, I think the evidence suggests Trojan is more appropriate.
If you are interested in what you can do to protect your Mac, check out Ben Jupp’s Mac OS X security tips part 1, part 2 and part 3 and download our free Sophos Anti-Virus for Mac Home Edition.
Creative Commons image of Rat Fink courtesy of Jennifer Ennis’s Flickr photostream.
You've used RAT incorrectly twice, now. It's Remote Administration Tool.
All these things are proof of concept and not LIVE REAL threats! This RAT is a hacking tool and not a TROJAN!!!
Please stop Sophos spreading fear to mac users: F.U.D
yawn.
Sophos are constantly trying to sell products by spreading utter nonsense, it's starting to get boring now
bizarre arguments against the trojan label are bizarre.
its creator labeled it a trojan, intended for it to be one, and succeeded.
The world disagrees with you. It truly is a remote administration tool, not a trojan.
The trojan is the software that delivers the RAT agent and gets it up and running. The RAT portion is what provides the administration features.
Regardless of whether or not DarkComet functions as a trojan, the commonly accepted industry acronym RAT stands for Remote Administration Tool. The reason why is that there are several respectable companies that produce respectable solutions, which work in incredibly similar ways.
The only difference would be whether the remote administrator was an authorized user, or a sneaky sob. The respectability, if you will, and the level of stealth employed.
http://en.wikipedia.org/wiki/Remote_Administratio…