Inferniel Solvang

Skype and Secondlife related virus!


There is a virus making its rounds on SKYPE! If a friend sends you a file that is either with Snapshot or IMG followed by an underscore and some random numbers with "drcs.png" at the end....CANCEL!!!!!!!!! DO NOT ACCEPT IT!!!!!!!!!!!!!


"snapshot_(NUMBERS)drcs.png"

"IMG_(NUMBERS)drcs.png"

 

DO NOT ACCEPT ANYTHING from any friends on Skype unless you ask them and they respond to tell you what it is...

 

Once you download this image the virus takes hold of your computer. It sniffs and shuffles through all your files. It gathers information and photos...The man responsible has a blog with the pictures of all the SL accounts and Computers he's hacked with this virus....he has posted screen names, real names, bank account info, business info, passwords and Second Life account info, and even nude pictures of his victims on his blog to brag about it.

 

DO NOT ACCEPT ANYTHING FROM ANYONE on skype unless they can tell you what it is!!!!!!!!!

 

If your SL account has been compromised, contact Linden Labs right away!


This is the third mention of this virus over the last day, but I'm unable to find anything about it via Google, which is generally pretty quick to pick up on such things. The description of its operation sounds fishy to me. Can you provide more information?


1) you get sent a link, not a file. HUGE difference. clicking on unknown links provided by anyone is nearly always dumb.

2) Never click on links anyone provides, EVEN A FRIEND, unless you are 2000% sure the link is safe, _or_ unless you have scripts DISABLED on your browser (on FF look at NoScript, on IE you're more or less screwed, Chrome has a built-in setting for this).

Or, if you're not computer savvy, use a good Antivirus suite and pay the performance penalty this incurs.

Btw, that isn't a new virus... the fact that people still get caught by it is a rather sad testament to people's gullibility.


Hmm..   So you warn us not to accept any files and then direct us to what -- from your own warnings- seems to be a rather suspicious site.   I see.

Tell you what, can you direct me to any announcement by Linden Lab, or by Skype, or by any of the main virus trackers (Sophos, Panda or whatever) that describes this exploit?


As someone who got hit by this and now has their account in an Administrative Hold AFTER getting my account recovered and everything reversed, because LL can't do anything right, it's pretty damned real.

 

It's apparently a RAT trojan manually sent around Skype as a file transfer, disguised as an image- except it's really a screensaver file, with Explorer somehow tricked into reading the extension backwards- rcs.png when it really is gnp.scr. It comes from someone you know, so you open it without thinking, and it doesn't work. Bam, the trojan's installed and it'll sit quietly waiting for you to enter a password- or rip them right out of somewhere, I'm not sure.

I lost my Skype and my main SL account to it for a good eight hours until the automated system noticed something wrong and reverted everything.

 

It seems for the most part the guy tries to buy Lindens, grab all of your payment info, and just give away money to random people- and then dig through your inventory for incriminating photos to put on his blog. A good 10-15 of my friends and acquaintances got hit with it too.

 

Now I'm stuck hoping LL will give me my account back, I'm more afraid of them than the **bleep**ing hijacker. What a surprise.


Linden Labs has said the only thing they can do is help sort your account, so they have not made announcements.

Skype just says to NOT accept any files from friends or strangers unless they tell you what it is.

 

But as far as people saying this is not true....2 of my personal friends have been hit....i have several friends that have many friends that were hit by it...one of my friends that was hit had his personal REAL LIFE info posted on that blog along with his bank account info.....

as far as the .png file is....you can change the .exe to a .png and when people try to open it to see it, the computer will execute the process because it is really a .exe....you can do this with any format/extension....so the .png is merely a way to fool the unsuspecting downloaders into opening it

You try to warn people to NOT accept files....something as simple as that....and you get people that are snippy and grumpy and totally ungrateful....i was just trying to warn everyone to not accept files that the sender will not identify for you pre-download... that simple



Carl Thibodeaux wrote:

Picture links cannot contain viruses. 

Would have to be a .exe or a website link.

Well, just to be pedantic, a picture can contain virus code, as can a video as can an audio and plenty of other file formats.  However, they are not going to be executable but as far as transport, yes those file formats really can carry malware.

A sophisticated attack could even send a piece of the code in a picture, another piece in a video, a piece in an mp3 and have it re-constructed to the final bad code at a host.



Sassy Romano wrote:


Carl Thibodeaux wrote:

Picture links cannot contain viruses. 

Would have to be a .exe or a website link.

Well, just to be pedantic, a picture can contain virus code, as can a video as can an audio and plenty of other file formats.  However, they are not going to be executable but as far as transport, yes those file formats really can carry malware.

A sophisticated attack could even send a piece of the code in a picture, another piece in a video, a piece in an mp3 and have it re-constructed to the final bad code at a host.

Agreed. We discussed this in an answers thread started by someone else who'd apparently heard of this supposed vulnerability...

http://community.secondlife.com/t5/Abuse-and-Griefing/I-keep-hearing-about-IMG-0311205dtrap-rcs-png-Is-this-a-valid/qaq-p/2275599

In the past, it was possible to deliver malware in Office documents, as those could also contain macros. I haven't used Office in ages, but expect that door has been long closed. Nevertheless, I do hear about novel methods for injecting code via mechanisms you'd not expect.


Then either install a decent antivirus or be more careful next time. Even with the RTL unicode "exploit" the file still shows as executable in Explorer, at least in Win7.

This is not a new exploit by any means. It exploits the lack of knowledge/gullibility of most users, combined with the refusal to shell out some money for a halfway decent virus/malware scanner.

These days, trusting anything any of your friends sends you is suicidal. That goes for SL, and it most certainly goes for every other media out there including Skype.

One small tip (not foolproof but definitely helps): Right-click on whatever folder you use for such downloads. Select "Properties", then go to the "Security" tab. Click on the "Advanced" button in the lower right. Click on "Change Permissions". Select your user and click on "Edit". Then uncheck "Traverse Folder / Execute" and OK out of all those popups.

Now at least you can't accidentally execute anything in that folder. It also means if you do get an executable you DO want to run, you need to copy/move it elsewhere to run.

Not exactly foolproof, but any layer of security helps with Windows (and Mac which is vulnerable just the same, despite Gatekeeper).

In the end only a change of mindset helps. Paranoia is a good thing on the Internet because there ARE people out to get you.


This is actually a Unicode exploit in that a non-printing character (specifically U+202E, the "RIGHT-TO-LEFT OVERRIDE", see http://www.fileformat.info/info/unicode/char/202E/index.htm) is making one think they are clicking "rcs.png" (which would be an image and cannot have a virus transmitted within it) but they are actually clicking "gnp.scr" (which is an executable screensaver). See http://www.pediy.com/kssd/pediy11/123162.html for how this exploit is used to deliver malicious payloads to the unwary.

 

Bottom line, be careful what one clicks on, even if you feel the source is trustworthy. Kind of like sex, one never knows who might be infected, eh.
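
A filename check for the right-to-left override trick described in the posts above, as an added example that is not part of the original thread: it flags bidi control characters and compares the extension Windows acts on with the one a viewer sees. The sample names and the extension list are constructed for illustration.

```python
import unicodedata

# Bidirectional formatting characters that change how a name is drawn.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")
# Extensions Windows runs as programs (short list chosen for this example).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "lnk"}

def displayed_name(name):
    """Approximate the on-screen name: text after U+202E is drawn reversed
    until U+202C or the end; other bidi controls are simply invisible."""
    out, i = [], 0
    while i < len(name):
        if name[i] == "\u202e":
            end = name.find("\u202c", i)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            if name[i] not in BIDI_CONTROLS:
                out.append(name[i])
            i += 1
    return "".join(out)

def extension(name):
    """Text after the last dot, lower-cased, with bidi controls removed."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""

def inspect_filename(name):
    """Compare the extension the OS acts on with the one the user sees."""
    controls = [unicodedata.name(c) for c in name if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    real_ext, shown_ext = extension(name), extension(shown)
    return {
        "shown": shown,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "controls": controls,
        "masked_executable": real_ext in EXECUTABLE_EXTS and real_ext != shown_ext,
    }

if __name__ == "__main__":
    # Constructed sample names; the second follows the pattern described in the thread.
    for sample in ["snapshot_0412.png", "IMG_0412d\u202egnp.scr"]:
        print(repr(sample), inspect_filename(sample))
```

Any bidi control in a received filename is worth treating as a red flag on its own; the `masked_executable` field marks the specific case where the visible extension hides a runnable one.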



LepreKhaun wrote:

This is actually a Unicode exploit in that a non-printing character (specifically U+202E, the "RIGHT-TO-LEFT OVERRIDE", see http://www.fileformat.info/info/unicode/char/202E/index.htm) is making one think they are clicking "rcs.png" (which would be an image and cannot have a virus transmitted within it) but they are actually clicking "gnp.scr" (which is an executable screensaver). See http://www.pediy.com/kssd/pediy11/123162.html for how this exploit is used to deliver malicious payloads to the unwary.

 

Bottom line, be careful what one clicks on, even if you feel the source is trustworthy. Kind of like sex, one never knows who might be infected, eh.

Now that's just clever!

LepreKhaun, that second link goes to something Chinese looking from three years ago. So is that exploit still viable?


Yes, unfortunately it seems to be exploitable on Skype currently. But, as Jenni Darkwatch pointed out, a good anti-virus program/firewall should catch it. However many people find it too difficult to set up a secure firewall for Skype. :(

 

But common sense will win out every time imo. There are numerous traps on the internet for the unwary and it pays to stay on one's toes and never get complacent.



LepreKhaun wrote:

Yes, unfortunately it seems to be exploitable on Skype currently. But, as Jenni Darkwatch pointed out, a good anti-virus program/firewall should catch it. However many people find it too difficult to set up a secure firewall for Skype. :(

 

But common sense will win out every time imo. There are numerous traps on the internet for the unwary and it pays to stay on one's toes and never get complacent.

I'm on a Mac, and the first attempted execution of anything downloaded to the computer lofts a permission dialog explaining what's happening and requiring Username/Password to continue.


It is not a png. It only appears to have a png extension. I'm not sure what it is. It's some form of executable. I think a Skype addon or plugin, perhaps. If it's not that, it may just be an exe. Whatever it is, I'm not downloading it to find out.


Wow only one thread on this? People should be worried about this more than they are, I have recognized at least 23 people on the list, and in their latest attack they just charged 100K lindens to someone's account. They're outing personal information and using friends' Skype accounts against people to get that information.


And that's what you get from clicking random stuff...

The method to infect users via material sent around chatting programs such as Skype is pretty old. Last time I saw such an attempt it was pretty obvious to me.



Leslie Trihey wrote:

Wow only one thread on this? People should be worried about this more than they are, I have recognized at least 23 people on the list, and in their latest attack they just charged 100K lindens to someone's account. They're outing personal information and using friends' Skype accounts against people to get that information.

Counted or actually recognized? 

I did look at his web site and he is targeting specific groups / type of RP.

While the tricks he is using are actually fairly simple, he is very good at deploying them. 

I am surprised that this is the first time I'm seeing this attack brought up, especially seeing how long he has been at it.

Not that we need a hundred threads about it.  One is enough.

I didn't really do much digging on it but my wee little brain says that for as long as this exploit has been around anti-virus software should be catching it.  It is by no means a new trick any more.

 

 

 



Perrie Juran wrote:


Leslie Trihey wrote:

Wow only one thread on this? People should be worried about this more than they are, I have recognized at least 23 people on the list, and in their latest attack they just charged 100K lindens to someone's account. They're outing personal information and using friends' Skype accounts against people to get that information.

Counted or actually recognized? 

I did look at his web site and he is targeting specific groups / type of RP.

While the tricks he is using are actually fairly simple, he is very good at deploying them. 

I am surprised that this is the first time I'm seeing this attack brought up, especially seeing how long he has been at it.

Not that we need a hundred threads about it.  One is enough.

I didn't really do much digging on it but my wee little brain says that for as long as this exploit has been around anti-virus software should be catching it.  It is by no means a new trick any more.

 

 

 

Actually recognized, and half of them I know personally. The trick about this virus is that they're using friends' accounts against people, the reason so many people have fallen for it is that they accepted it without thinking when their friends sent it. As far as I know it's hard to detect by a virus program.



Leslie Trihey wrote:

 

The trick about this virus is that they're using friends' accounts against people, the reason so many people have fallen for it is that they accepted it without thinking when their friends sent it.


Having listened to the evidence I find that the problem is caused by having friends, which makes the solution simple: don't have friends.

© The Judge

 

