Your favorite malware authors: Now on Twitter!

If you want a preview of the next wave of malicious programs, there's now an easy way to keep tabs -- just follow the tweets

Who can keep up with the swarms of malware churned out by professional operations? The activities of smaller hacking groups such as the one operated by TJX and Heartland hacker Albert Gonzalez, or state-sponsored hacking operations such as the one believed to be responsible for the attacks on Google and other IT firms are even more difficult to monitor.

The malware-authoring community is more clubby than stealthy, but it has typically operated just below the surface, communicating through members-only listservs and Websites that aren't publicly accessible. But as Mikko H. Hyppönen at F-Secure points out, malware authors are increasingly willing -- if not eager -- to talk about what they're working on in a public forum.

Witness the phenomenon of the tweeting Trojan author @DarkCoderSc, a French hacker who has been updating his couple dozen followers since April on the progress of DarkComet RT, a remote administration tool (RAT) application he is developing. (Note: "Remote administration tools" are also referred to as "Trojans" when they're used for things other than "administration.")

The program itself, which is pre-release, hasn't yet been identified by the major antivirus companies, but DarkCoderSc promises that, when finished, it will have many features that should get it flagged as malicious, including keylogging, multithreaded upload/download, botnet functions, and remote capture and webcam streaming -- basically features that let you spy on infected systems. Using Twitter, you can keep up with the progress on DarkComet. A post from April updates us on work on the keylogger function, which DarkCoderSc said "works very well and get all the keys with special carracters for all type of keyboard ;)" and on "persistence" in 32- and 64-bit environments.

Of course, creating new "remote administration" tools is perfectly legal. Yet DarkCoderSc's Website makes mention of a desire to do "partnerships." If through these "partners" the intent is to unleash DarkComet RT on the general public, we could be witnessing the birth of a new family of Trojan that, like Zeus or countless others, could aid and abet data theft from private computer networks.

You'd think DarkCoderSc's employer might like to know about his extracurricular activities. He describes himself as "working in a French IT company as Web/System and misc programer" (sic). Although many companies would be happy to hire talented coders who think it's fun to dream up new applications in their free time, DarkCoderSc's activities might not be what they had in mind. Recent history shows that it's a short leap from developing malicious programs to being involved in illegal schemes that leverage them. Look no further than Stephen Watt, the talented programmer who was working for Morgan Stanley during the day, while coding a sniffer program that Albert Gonzalez used to siphon credit card numbers from the network of TJX and other firms. Tweet that.

Paul F. Roberts is a senior analyst covering enterprise security for The 451 Group.

This article, "Your favorite malware authors: Now on Twitter!" was originally published on the InfoWorld Tech Watch blog.

Copyright © 2010 IDG Communications, Inc.