Bitcoin Forum

Other => Beginners & Help => Topic started by: dark_st3alth on December 03, 2011, 04:04:09 AM



Title: A Script Kiddie Wallet Stealer/Keylogger
Post by: dark_st3alth on December 03, 2011, 04:04:09 AM
As someone has posted, they said their bank details were stolen. I think I've found a lead to that and more.

Today I downloaded one of the most shady exe files I've ever downloaded. It claimed to give a leaked/cracked/free/non-steam version of "Counter Strike: Global Operation".

As my usual method goes, I always open it up first in a Virtual Machine. It first gave an error about missing some .dll - which clued me in to something being up.
I ran it again, and nothing showed. No menu, funky music, or poorly done GUI. I dug a little further and it was still running - again another clue something was up.
I dumped the strings from the process. I was slightly interested to find it done in Visual Basic (I'm joking, I wasn't really) and what it contained.

  • A Bitcoin wallet stealer, of interest to this community.
  • Minecraft account stealer, somehow >.>
  • Runescape account stealer
  • And a general key-logger with email reporting.

Bitcoin wallet stealers are real. I want to make that clear.

You can see the images below. If you want the maker's (probably didn't make it, just compiled it) email, it's dalareka@gmail.com

Anyways, I hope you're all following good security practices! If you would like more information on it, post below. :)


From left to right:
(1) The most skiddy way to load a virus.
(2) A few strings showing what the stealer does.
(3) Shows the strings you will see, and important ones like the email and password combo.

http://img535.imageshack.us/img535/6176/evenmorefail.th.png (http://img535.imageshack.us/img535/6176/evenmorefail.png)
http://img196.imageshack.us/img196/6546/hack3d.th.png (http://img196.imageshack.us/img196/6546/hack3d.png)
http://img830.imageshack.us/img830/1466/skiddyfails.th.png (http://img830.imageshack.us/img830/1466/skiddyfails.png)

P.S. I tried using the password for the Gmail account; it was changed about 52 days ago. It seems the stealer will not work anymore.
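
The string-dump triage described in the post above, as an added example that is not part of the original post: it pulls both ASCII and UTF-16LE strings out of a dump (Visual Basic programs keep string literals as UTF-16LE, which an ASCII-only scan misses) and sorts them into indicator categories. The sample bytes, the indicator names and the `example.test` values are constructed assumptions, not data from the sample in this thread.

```python
import re

# Constructed sample standing in for a process memory dump: one ASCII string
# and three UTF-16LE strings, separated by non-printable junk bytes.
SAMPLE_DUMP = (
    b"\x00\x01\x02MSVBVM60.DLL\x00\xff\xfe"
    + "\\Bitcoin\\wallet.dat".encode("utf-16-le") + b"\x00\x00\x07\x07"
    + "smtp.example.test".encode("utf-16-le") + b"\x00\x00\x90\x90"
    + "reports@example.test".encode("utf-16-le") + b"\x00\x00"
    + b"\x13\x37ab\x00"
)

# Indicator categories are assumptions chosen for this illustration.
INDICATORS = {
    "vb_runtime": re.compile(r"msvbvm\d+\.dll", re.I),
    "wallet_file": re.compile(r"wallet\.dat", re.I),
    "mail_server": re.compile(r"\bsmtp\.", re.I),
    "email_address": re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+"),
}

def extract_strings(data, min_len=5):
    """Return printable ASCII and UTF-16LE strings of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found

def triage(data):
    """Map each indicator category to the extracted strings that match it."""
    hits = {}
    for s in extract_strings(data):
        for name, pattern in INDICATORS.items():
            if pattern.search(s):
                hits.setdefault(name, []).append(s)
    return hits

if __name__ == "__main__":
    for category, strings in triage(SAMPLE_DUMP).items():
        print(category, strings)
```

Run it only against dumps taken inside an isolated virtual machine, as the post does; generic antivirus verdicts say little about what a sample targets, while the extracted strings name the files and services it touches.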


Title: Re: A Script Kiddie Wallet Stealer/Keylogger
Post by: Fingler29 on December 03, 2011, 08:43:06 AM
I would be interested to know the particular source and details of this file:

torrents, private FTP, usenet, DDL, etc.


was its title name spoofed?


e.g., was it labeled with some well-known release group's titling format (like using Razor1911 in the filename to convince people it's legit)?

or on usenet, using the poster handle yenc, posting a.b.mom, or a.b.worms or a.b.u4all



people who do this piss me off immensely.


I typically just use 3 virus scanners (I run Windows, inb4 someone comes down on me for not using Linux), followed by a supplement with Jotti, Virscan, and a few other multi-scanners based online.


typically the only things that come up dirty are keygens and that is mostly because security companies have usually just assigned ALL keygens to the category of "malware" even though they may be clean.


i assume a benign purpose behind this: I seriously doubt there is collusion between the game/software developers and the security companies, but rather it's just easier to say that ALL keygens are malware since it's a good chance they are (given the fact that 99% of people are going to download it from a suspect source without good background checks anyway).


Title: Re: A Script Kiddie Wallet Stealer/Keylogger
Post by: gigantic on December 03, 2011, 01:18:08 PM
Thanks for the info.


Title: Re: A Script Kiddie Wallet Stealer/Keylogger
Post by: dark_st3alth on December 03, 2011, 05:04:44 PM
Quote
I would be interested to know the particular source and details of this file:

torrents, private FTP, usenet, DDL, etc.


From a public file sharing site, not from a usual site. I won't give the link out for safety, but it was not from:

- Filefactory
- Mediafire
- Rapid share
- File dropper
- Mega upload

Now, I have not looked further as I will be doing server things today. It might be rooted in multiple places.

Quote
was its title name spoofed?

e.g., was it labeled with some well-known release group's titling format (like using Razor1911 in the filename to convince people it's legit)?

or on usenet, using the poster handle yenc, posting a.b.mom, or a.b.worms or a.b.u4all

people who do this piss me off immensely.

Not a faked author, there was no group related to this file.

I believed, since it was an exe file, that it was a self-extracting archive. However, the file size made me think twice, as it was under 1Gb, and most games are quite large these days.

Quote
I typically just use 3 virus scanners (I run Windows, inb4 someone comes down on me for not using Linux), followed by a supplement with Jotti, Virscan, and a few other multi-scanners based online.

typically the only things that come up dirty are keygens and that is mostly because security companies have usually just assigned ALL keygens to the category of "malware" even though they may be clean.

i assume a benign purpose behind this: I seriously doubt there is collusion between the game/software developers and the security companies, but rather it's just easier to say that ALL keygens are malware since it's a good chance they are (given the fact that 99% of people are going to download it from a suspect source without good background checks anyway).


I believe there is no connection to anything really, just an independent author used a kit, compiled it, changed the name and shipped it off. The file is packaged claiming to give a copy of a leaked closed beta game. There would be no keygen for this product, it just entices the user to run it.

On the Anti Virus subject, here's a scan:

http://www.virustotal.com/file-scan/report.html?id=87a2f697ec54e72bc9aae6ad5206900f44ebd6c36dbe6a8ed224ff014ee15494-1322931296

It was already scanned before, not surprised. However, they are all giving generic (a.k.a heuristic) responses to it. Many users would just blow this off.


Quote
Thanks for the info.

No probs. I like to keep people informed. :)