Inside DarkComet: a wild case-study

Botconf 2015
2023-04-28 | 11:00 – 11:50

Jeremy du Bruyn

This research discusses the application of a framework for the automated analysis of malware samples, specifically botnet binaries, which automates the collection, analysis, and infiltration of botnets. Due to the increased number of samples released daily, such frameworks have become a necessity for anti-malware organisations and product vendors. Some academic research into their design and development has recently been concluded. A case study was conducted which resulted in the collection of 83,175 DarkComet RAT samples, of which 48.85% were successfully analysed and their configuration information extracted, leading to the infiltration of 751 Command and Control servers which provided information on 109,535 unique victim computers. The collection of the DarkComet bot binaries occurred between August 2013 and June 2014, with CNC infiltration commencing on 10 May 2014 and concluding on 6 June 2014. A refined exploit for the previously documented QUICKUP vulnerability, which prevents detection by botmasters and supports the downloading of large files, is provided. The document presents an analysis of the configuration data extracted from the collected malware samples.
