Everything posted by SZ8700

  1. All of that is irrelevant. This particular situation is more complex than you're making it out to seem. I refer you to my previous reply. Now, given that information, it can be concluded that it started with one user accepting a file from someone they didn't know, but the subsequent accounts to be compromised were done so by being tricked into believing they are being sent this malware by trusted friends, not by the doing of someone with malicious intent. There is a big difference here. People aren't accepting files from someone they don't know. Instead, the person doing the actual "hacking" is using these trusted accounts to send their "friends" this malware. Again, there is a huge difference.
  2. Perrie Juran wrote: "This is not an old exploit. From the little bit of reading I did on it people's AV should be catching it. Maybe it's possible it isn't but their AV should be popping up a warning." Actually, the technique used (RAT) is fairly old and common. However, the reason A/V software doesn't always pick RATs up is because it carries a brand new "signature" which the A/V software has never seen before. In order for a RAT to be undetectable, or "FUD" (Fully UnDetectable, in the BlackHat community), it must be "crypted", "binded", compressed with UPX, and be given a random MUTEX, among other options. All of these in conjunction with one another pretty much guarantees that it will be undetected even by the most hardened A/V software available.
  3. You are no doubt correct, and I agree 100%. I must ask, regardless of the circumstances surrounding the situation, whether it be an actual "hack" instead of user error or actual user irresponsibility, what is the protocol they follow to determine whether or not the account even should be restored? Is it a case-by-case basis? For example: User #1 downloads malware which compromised their SL account = user error. User #2 truly got "hacked" without their knowledge and now their SL account is compromised = not user error. Do both of these circumstances merit account recovery? I am with you all the way when you say people should be more careful, but some things play out in such a way that the user who could be considered at fault didn't know any better. In the defense of my parents, they were sent this malware by a very long-time SL friend who they've talked with on a daily basis. Their friend's account was compromised and was being used to send this file in his name. So they thought it was harmless. Therein lies the issue: it wasn't someone random that sent the file, but someone who controlled a trusted member's account sending the file in their name.
  4. Perrie Juran wrote: "And for the record, these accounts are not 'hacked.' They are 'compromised.' There is a slight difference. Hacking implies that he got into the account without an action of the hacked." I realize there's a difference, albeit a small one. When an account is compromised, the first thing an average user would say is, it's been "hacked." They would then send out a support email saying "my account has been hacked, please help" instead of saying compromised. I'm only using the term most users are familiar with and say the most.
  5. I hear what you all are saying. "If it weren't for SL, people wouldn't be getting their accounts stolen, funds stolen, inventories wiped clean, etc. This is obviously someone inside SL doing this. Hacked accounts must be dealt with. That is an issue for LL. I agree it is on the user to be more responsible, but these are all SL accounts." None of that really matters, because not once have I blamed LL. People whose accounts have been compromised are blaming LL. I don't even think it's so much blaming as it is them calling for their accounts to be recovered. It's not being distributed through SL, just Skype. I reiterate that all of these compromised systems are SL related, and it shows. EDIT: This entire thread is only possible because it's SL accounts who are being targeted. So this is more of a "beware" post for SL users than anything.
  6. The issue isn't really Skype. The issue is downloading/opening files from someone you don't know. It just so happens that this RAT is being distributed through Skype; it's also a SL problem. I don't understand why people are dismissing this as if it's not a problem with SL. I understand that the problem isn't SL directly, but this is indeed a Skype and SL problem together, judging from the means this person is gathering his information and the content within.
  7. I hear you. That link was also posted in the OP. I'm only trying to help. Since this RAT is targeting SL users specifically, I thought it might be a good idea to make everyone aware of what exactly is going on. Hence the inclusion of other Forum links related to this infection.
  8. True, the malware is being distributed through Skype, however the blog that this person runs contains only SL accounts and information. So it's safe to assume this is also a SL issue.
  9. AFAIK, Skype seems to be the medium of choice for distributing this RAT. Whoever made it is specifically targeting SL users. There are probably other ways of it being distributed, but I haven't run across any yet.
  10. You and many others. Please read the thread I just posted here. You may have fallen victim to a RAT.
  11. I apologize for the first thread which linked to a blog where the information of compromised SL accounts is posted. The link has been removed. No other personal information is displayed either through text, links, or images contained within this post.

      ____________________________________________________________

      I am not a SL user, but I felt compelled to spread this information as my parents and some of their friends have become victims. The file being distributed is known as a Remote Access Trojan (RAT). It carries a .SCR extension masked as a .PNG (image) file. For example: IMG(numbers)drcs.png and Snapshot(numbers)drcs.png. Notice the letters "rcs.png" at the end of the filename. The actual filename is gnp.scr. Yep, that's a screensaver/executable. This is being accomplished by using a Unicode trick called RTLO (Right-to-Left Override) which basically flips all text after the invisible Unicode character. In this case that character is inserted after the letter "d" in the filenames above.

      ____________________________________________________________

      More information about the RAT: This particular RAT is being created using a program called DarkComet. This program will create a RAT which, when opened on the victim's machine, creates a backdoor (server) which will give the person (client) who distributed the RAT complete and total access to your computer (webcam, audio, file manager, task manager, registry, etc.) and even has a keylogger and can scan for stored passwords.

      ____________________________________________________________

      Here's a screenshot of the program that creates/controls the RAT: http://i.imgur.com/Y6KARW2.jpg I've highlighted key aspects for ease of understanding. FYI, that is v2.0 of the client. Version 5.3.1 is the most recent, which carries much more functionality. As you can see, it's a pretty big deal.

      ____________________________________________________________

      To understand this RAT in more detail, I went ahead and found the program, infected myself, and ran all kinds of tests. All of my tests were conducted inside of a Virtual Machine (VM). I could download files from the infected machine as well as view all stored passwords for IE, Chrome, Firefox, and viewed my own webcam. Keylogger works but is not "realtime," which is irrelevant. In the "server" (victim) list, there is an option to view screencaps which gives a preview of what the victim is currently doing.

      ____________________________________________________________

      Most A/V software will detect the file. HOWEVER, there are means to avoid detection, called "cryptors". That means the A/V software will not be able to detect it because it carries a brand new, never-before-seen signature.

      ____________________________________________________________

      The person (DarkcoderSC/PhrozenSoft) who created the software which creates these RATs never intended for it to be used maliciously. AFAIK, he is a security analyst and created the program to help companies secure their systems. You have to know how to hack to stop it. Well, he ended development after releasing 5.3.1 for fear of being arrested because another RAT called BlackShades was being used by the Syrian government to target Syrian dissidents/rebels. The creator of BlackShades has been arrested. Why is this important, you ask? Because the gentleman who created DarkComet also created a program to detect and remove any and everything related to DarkComet. It's called DarkComet RAT Remover. Once again, I tested this program and it works. Then again, I only infected myself with a basic RAT. YMMV. You can find the link to download it here. It never hurts to try. FYI, if whoever is distributing this RAT is smart enough, he'll create one which replaces OS files. In which case the remover linked above may not be a good choice. It's worth a shot, I suppose.

      ____________________________________________________________

      As for the person distributing this RAT, he has a blog where he is posting RL addresses, SL accounts, billing information, relatives of SL users, nude pictures, and more.

      ____________________________________________________________

      More information on this RAT can be found at the links below:
      https://malwr.com/analysis/YzgxOWE0Njc2NzQ4NDkzMjgzZjY3NzNmZWY4OWMwOTE/
      http://community.secondlife.com/t5/Abuse-and-Griefing/I-keep-hearing-about-IMG-0311205dtrap-rcs-png-...
      http://community.secondlife.com/t5/General-Discussion-Forum/Skype-and-Secondlife-related-virus/td-p/...
      http://yiffyaffriffraff.tumblr.com/post/65212061451/skype-virus-sweeping-secondlife

      MODS/ADMINS - IF YOU CAN, PLEASE STICKY THIS POST IN A RELEVANT FORUM OR SPREAD THE INFO BY OTHER MEANS. THANK YOU.
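The RTLO filename trick described in post 11, as an added defender-side check that is not part of the original post: it flags filenames containing Unicode bidi override characters, shows roughly what a user would see, and recovers the extension the OS will actually use. The sample filenames are constructed for the example (the "IMG...d" + U+202E + "gnp.scr" shape follows the post; the harmless name is made up).

```python
# Added example: detect RTLO-disguised filenames (gnp.scr shown as ...rcs.png).
# Bidi control code points that can reorder how a name is *displayed*;
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the one the post describes.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
EXECUTABLE_EXTS = {"scr", "exe", "com", "bat", "cmd", "pif", "vbs", "js"}

# Constructed sample input: one disguised name as in the post, one benign name.
SAMPLE_FILES = ["IMG0311205d\u202egnp.scr", "Snapshot_042.png"]


def real_extension(name: str) -> str:
    """Extension the OS uses: text after the last dot, ignoring bidi controls.
    The filesystem stores bytes in order; only the rendering is reordered."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""


def displayed_name(name: str) -> str:
    """Approximate what a file browser shows: after U+202E every character up
    to U+202C (pop) or end of string is drawn in reverse order."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = i + 1
            while j < len(name) and name[j] != "\u202c":
                j += 1
            out.append(name[i + 1:j][::-1])
            i = j + 1
        elif ch in BIDI_CONTROLS:
            i += 1          # other controls: drop from the visible text
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyze(name: str) -> dict:
    """Return what is shown, what really runs, and whether that mismatch is suspicious."""
    shown = displayed_name(name)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    real_ext = real_extension(name)
    has_bidi = any(ch in BIDI_CONTROLS for ch in name)
    return {"displayed": shown, "real_extension": real_ext, "has_bidi_override": has_bidi,
            "suspicious": has_bidi and (shown_ext != real_ext or real_ext in EXECUTABLE_EXTS)}


if __name__ == "__main__":
    for f in SAMPLE_FILES:
        print(analyze(f))
```

Mail and chat gateways can apply the same check on attachment names; a name whose displayed extension differs from its real one should be quarantined regardless of what the icon shows.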