I suppose I’ll tire of these astronomical allusions eventually, but in another stellar post (sorry!) Chester Wisniewski tells us that he’s been contacted by the author of darkComet, who claims that the Blackhole RAT is nothing to do with him, guv, and in fact he’s working on his own OS X RAT. Well, that’s all right then. :-/ (Some useful links in that post, by the way.)
This is actually quite nostalgic: a decade or so ago, we quite often had these relatively civilized discussions with virus writers who felt misunderstood, or wanted to make a point about the naming of their creations or incorrect attribution: for example, the author of Den Zuk was somewhat irritated that ‘his’ virus was widely known as Ohio, never having been to Ohio. (That name was used by some vendors because it was first spotted at Ohio State University.)
Of course, AV researchers have tended to make a point of not giving names to malware in accordance with the wishes of malware authors (though media viruses tend to acquire the names that appeal to journalists, irrespective of the wishes of AV researchers or malware authors…). At this point, though, naming of malware (certainly Windows malware) has become largely meaningless (a contention I’ve made a couple of times in papers, e.g. here): it’s usually more useful to have a file hash to identify a given binary than an arbitrary and highly generic identifier from a single vendor.
It appears that Chet has also been criticised for expanding the RAT acronym to Remote Access Trojan, rather than Remote Access Tool. If anyone cares about my opinion, I quite agree that these present as Trojans, not legitimate utilities: in fact I wouldn’t use the term Remote Access Tool for a legitimate remote access program, and regard the words Trojan and Tool in this context as almost interchangeable. (No, that doesn’t mean I don’t understand the difference between a Trojan and a legitimate utility.) I have used the term Remote Access Tool earlier in this thread to describe Blackhole, but that’s because I thought that it described its functionality a little more precisely. But I have no problems at all with Remote Access Trojan.
And that, in itself, is quite nostalgic. Rob Slade and I considered this selfsame terminological issue in Viruses Revealed, published ten years ago.
Good Lord, yet another anniversary to blog about, come September.
David Harley CITP FBCS CISSP
Small Blue-Green World/Mac Virus