Author

Topic: A Script Kiddie Wallet Stealer/Keylogger (Read 2138 times)

newbie
Activity: 33
Merit: 0
December 03, 2011, 12:04:44 PM
#4
I would be interested to know the particular source and details of this file:

torrents, private FTP, usenet, DDL, etc.


From a public file sharing site, not from a usual site. I won't give the link out for safety, but it was not from:

- Filefactory
- Mediafire
- Rapid share
- File dropper
- Mega upload

Now, I have not looked further as I will be doing server things today. It might be rooted in multiple places.

was its title name spoofed?


eg;  was it labeled with some well known release group's titleling format (like using Razor1911 in the filename to convince people its legit?)

or on usenet, using the poster handle yenc, posting a.b.mom, or a.b.worms or a.b.u4all



people who do this piss me off immensely.

Not a faked author, there was no group related to this file.

I believed since it was an exe file, it was an self extracting archive. However the file size made me think twice, as it was under 1Gb, and most games are quite large these days.

I typically just use 3 virus scanners (I run windows, inb4 someone comes down on me for not using linux), followed by a supplement with Jotti, Virscan, and a few other muli-scanners based online.


typically the only things that come up dirty are keygens and that is mostly because security companies have usually just assigned ALL keygens to the category of "malware" even though they may be clean.


i assume a benign purpose behind this:  I seriously doubt there is collusion between the game/software developers and the security companies, but rather its just easier to say that ALL keygens are malware since its a good chance they are (given the fact that 99% of people are going to download it from a suspect source without good background checks anyway).


I believe there is no connection to anything really, just an independent author used a kit, compiled it, changed the name and shipped it off. The file is packaged claiming to give a copy of a leaked closed beta game. There would be no keygen for this product, it just entices the user to run it.

On the Anti Virus subject, here's a scan:

http://www.virustotal.com/file-scan/report.html?id=87a2f697ec54e72bc9aae6ad5206900f44ebd6c36dbe6a8ed224ff014ee15494-1322931296

It was already scanned before, not surprised. However, they are all giving generic (a.k.a heuristic) responses to it. Many users would just blow this off.


Quote
Thanks for the info.

No probs. I like to keep people informed. Smiley
member
Activity: 89
Merit: 10
December 03, 2011, 08:18:08 AM
#3
Thanks for the info.
newbie
Activity: 11
Merit: 0
December 03, 2011, 03:43:06 AM
#2
I would be interested to know the particular source and details of this file:

torrents, private FTP, usenet, DDL, etc.


was its title name spoofed?


eg;  was it labeled with some well known release group's titleling format (like using Razor1911 in the filename to convince people its legit?)

or on usenet, using the poster handle yenc, posting a.b.mom, or a.b.worms or a.b.u4all



people who do this piss me off immensely.


I typically just use 3 virus scanners (I run windows, inb4 someone comes down on me for not using linux), followed by a supplement with Jotti, Virscan, and a few other muli-scanners based online.


typically the only things that come up dirty are keygens and that is mostly because security companies have usually just assigned ALL keygens to the category of "malware" even though they may be clean.


i assume a benign purpose behind this:  I seriously doubt there is collusion between the game/software developers and the security companies, but rather its just easier to say that ALL keygens are malware since its a good chance they are (given the fact that 99% of people are going to download it from a suspect source without good background checks anyway).
newbie
Activity: 33
Merit: 0
December 02, 2011, 11:04:09 PM
#1
As someone has posted, they said their bank details were stolen. I think I've found a lead to that and more.

Today I downloaded one of the most shady exe files I've ever downloaded. It claimed to give a leaked/cracked/free/non-steam version of "Counter Strike: Global Operation".

As my usual method goes, I always open it up first in a Virtual Machine. It first gave an error about missing some .dll - which clued me in to something being up.
I ran it again, and nothing showed. No menu, funky music, or poorly done GUI. I dug a little further and it was still running - again another clue something was up.
I dumped the strings from the process. I was slightly interested to find it done in Visual Basic (I'm joking, I wasn't really) and what it contained.

  • A BitCoin wallet stealer, an interest to this community.
  • Minecraft account stealer, somehow >.>
  • Runescape account stealer
  • And a general key-logger with email reporting.

Bit Coin wallet stealers are real. I want to make that clear.

You can see the images below. If you want the maker's (probably didn't make it, just compiled it) email, it's [email protected]

Anyways, I hope your all following good security practices! If you would like more information on it, post below. Smiley


From left to right:
(1)The most skiddy way to load a virus.
(2)A few strings showing what the stealer does.
(3) Shows the strings you will see, and important ones like the email and password combo.

http://img535.imageshack.us/img535/6176/evenmorefail.th.pnghttp://img196.imageshack.us/img196/6546/hack3d.th.pnghttp://img830.imageshack.us/img830/1466/skiddyfails.th.png

P.S I tired using the password for the gmail account, it was changed about 52 days ago. This seems to make the stealer will not work anymore.
Jump to: