29 September 2015
Description of malware class
A malicious program that gives an attacker persistent, covert remote access to a victim system. It is used to control the victim computer remotely and perform malicious actions such as stealing private information, launching programs without the user's consent, and monitoring the user's activity.
Description of platform
Win32 is the API of Windows NT-based operating systems (Windows XP, Windows 7, etc.) for running 32-bit applications. It is one of the most widespread programming platforms in the world.
Description of malware family
This family consists of DarkComet, a remote administration tool (RAT) used to control or administer a victim computer remotely. The parameters used to connect back to the operator's server are stored in encrypted form inside the program's executable file.
The program performs the following functions:
- Obtaining information about the infected computer.
- Controlling processes.
- Interpreting commands sent remotely.
- Obtaining a list of windows.
- Providing remote desktop access.
- Deleting programs.
- Managing system services.
- Modifying the system registry.
- Modifying files via the built-in file manager.
- Capturing video and audio from a webcam or microphone.
- Saving keystrokes to a file (the keystroke log is not encrypted; it is stored in the folder %APPDATA%\dclogs\ in files named YY-MM-DD.dc, one file per day).
- Acting as a SOCKS proxy server.
- Redirecting (forwarding) IP addresses and ports.
- Capturing clipboard contents.
- Shutting down and restarting the operating system.
- Downloading, uploading, and executing files.
- Sending keystroke logs to a remote FTP server.
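The unencrypted keystroke log described above is a useful host artifact for incident responders. The following triage helper is an added example, not code from this page or from DarkComet itself: it walks %APPDATA%\dclogs\, keeps only files whose names are a valid YY-MM-DD.dc date, and flags whether each one reads as plaintext. Only the folder and the file-name format come from the description above; the plaintext heuristic, the threshold, and the constructed demo files are assumptions made for illustration.

```python
"""Triage helper for DarkComet keystroke logs (%APPDATA%\\dclogs\\YY-MM-DD.dc).

Added example, not code from the page or from DarkComet. Only the log
directory and file-name format come from the description above; the
plaintext heuristic and the demo fixture are assumptions for illustration.
"""
import os
import re
import tempfile
from datetime import datetime
from pathlib import Path

LOG_SUBDIR = "dclogs"                                   # from the description above
LOG_NAME_RE = re.compile(r"^\d{2}-\d{2}-\d{2}\.dc$", re.IGNORECASE)


def is_dclog_name(name: str) -> bool:
    """True if name is YY-MM-DD.dc and the date part is a real calendar date."""
    if not LOG_NAME_RE.match(name):
        return False
    try:
        datetime.strptime(name[:8], "%y-%m-%d")
    except ValueError:                                  # e.g. 15-13-45.dc
        return False
    return True


def looks_plaintext(data: bytes, threshold: float = 0.95) -> bool:
    """Heuristic (assumption): a file that is mostly printable ASCII or whitespace
    is consistent with the unencrypted keystroke log described above."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\t\r\n")
    return printable / len(data) >= threshold


def find_dclogs(appdata_dir) -> list:
    """Return one dict per candidate log under <appdata_dir>/dclogs, sorted by name.
    A missing or non-directory dclogs path simply yields no hits."""
    logdir = Path(appdata_dir) / LOG_SUBDIR
    if not logdir.is_dir():
        return []
    hits = []
    for p in sorted(logdir.iterdir()):
        if not (p.is_file() and is_dclog_name(p.name)):
            continue
        head = p.read_bytes()[:4096]                    # sample the start only
        hits.append({
            "path": str(p),
            "size": p.stat().st_size,
            "plaintext": looks_plaintext(head),
        })
    return hits


def build_demo_appdata() -> str:
    """Create a throwaway APPDATA tree with constructed files (not real logs):
    one matching log, one with an impossible date, one unrelated file."""
    root = tempfile.mkdtemp(prefix="dcdemo_")
    logdir = Path(root) / LOG_SUBDIR
    logdir.mkdir()
    # Constructed sample content; DarkComet's actual log layout is not on the page.
    (logdir / "15-09-29.dc").write_text("hello world[ENTER]\n")
    (logdir / "15-13-45.dc").write_text("not a real date\n")
    (logdir / "readme.txt").write_text("unrelated file\n")
    return root


def run_demo() -> list:
    """Scan the constructed fixture; returns exactly one hit for 15-09-29.dc."""
    return find_dclogs(build_demo_appdata())


if __name__ == "__main__":
    # On a Windows host, scan the real %APPDATA%; elsewhere fall back to the fixture.
    target = os.environ.get("APPDATA") or build_demo_appdata()
    for hit in find_dclogs(target):
        print(hit)
```

Run it on a suspect Windows host as the affected user (the folder lives under that user's %APPDATA%); a hit whose `plaintext` flag is true is worth preserving as evidence before any cleanup, since the log shows what the operator was able to capture.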
Geographical distribution of attacks by the Backdoor.Win32.DarkKomet family
Geographical distribution of attacks during the period from 24 July 2014 to 27 July 2015
Top 10 countries with most attacked users (% of total attacks)
| # | Country | % of users attacked worldwide* |
|---|---------|--------------------------------|
| 7 | United Arab Emirates | 2.91 |
* Percentage among all unique Kaspersky Lab users worldwide who were attacked by this malware