To follow up on our post last Friday, I was contacted by the author of the DarkComet RAT Trojan. He seemed quite upset that I suggested the new Mac OS X Trojan BlackHole RAT was related to his Windows creation.
While the BlackHole RAT Trojan seems to be copying the behavior of DarkComet, the lack of functionality and the unsophisticated user interface clearly offended the author, who felt it was necessary to set the record straight.
To make a point, DarkComet’s author acknowledges that he is developing his own Mac OS X Trojan, called DarkCometX, that is not yet finished. He provided the following screenshot.
Learning of two Mac OS X Trojans in less than a week was, admittedly, a bit of a surprise. Technically, in and of itself, writing a Trojan is not illegal. It’s all in what you do with it.
Looking at the code and descriptions, though, I think it is clear what the authors expect you to do with their “products.”
BlackHole RAT includes text saying things like:
"I am a Trojan Horse, so i have infected your Mac Computer. I know, most people think Macs can't be infected, but look, you ARE Infected!"
"So, Im a very new Virus, under Development, so there will be much more functions when im finished."
This hardly sounds like a legal use to me.
Likewise, DarkComet RAT’s author states “This software allow you to make hundreds of functions stealthly and remotely without any kind of autorisation in the remote process.” and references the term “Bot Shell” in his Mac OS X development build.
Some folks provided feedback that I had used the acronym RAT incorrectly, saying it stands for Remote Access Tool, not Remote Access Trojan. While the authors would like you to believe they are simply tools, I think the evidence suggests Trojan is more appropriate.
Creative Commons image of Rat Fink courtesy of Jennifer Ennis’s Flickr photostream.