*IMPORTANT PSA* - There are RATs being distributed through Skype which appear to target SL users.


SZ8700

I apologize for the first thread which linked to a blog where the information of compromised SL accounts is posted. The link has been removed. No other personal information is displayed either through text, links, or images contained within this post.

____________________________________________________________

I am not a SL user, but I felt compelled to spread this information as my parents and some of their friends have become victims.

The file being distributed is known as a Remote Access Trojan (RAT). It carries a .SCR extension masked as a .PNG (image) file.

For example:

IMG(numbers)drcs.png

and

Snapshot(numbers)drcs.png

 

Notice the letters "rcs.png" at the end of the filename. The actual filename is gnp.scr. Yep, that's a screensaver/executable. This is being accomplished by using a Unicode trick called RTLO (Right-to-Left Override) which basically flips all text after the invisible Unicode character. In this case that character is inserted after the letter "d" in the filenames above.

____________________________________________________________

More information about the RAT:

This particular RAT is being created using a program called DarkComet. This program will create a RAT which, when opened on the victims machine, creates a backdoor (server) which will give the person (client) who distributed the RAT complete and total access to your computer (webcam, audio, file manager, task manager, registry, etc.) and even has a keylogger and can scan for stored passwords.

____________________________________________________________

Here's a screenshot of the program that creates/controls the RAT:

http://i.imgur.com/Y6KARW2.jpg

I've highlighted key aspects for ease of understanding. FYI, that is v2.0 of the client. Version 5.3.1 is the most recent which carries much more functionality.

As you can see, it's a pretty big deal.

____________________________________________________________

To understand this RAT in more detail, I went ahead and found the program, infected myself, and ran all kinds of tests. All of my tests were conducted inside of a Virtual Machine (VM). I could download files from the infected machine as well as view all stored passwords for IE, Chrome, Firefox, and viewed my own webcam. Keylogger works but is not "realtime," which is irrelevant. In the "server" (victim) list, there is an option to view screencaps which gives a preview of what the victim is currently doing.

____________________________________________________________

Most A/V software will detect the file. HOWEVER, there are means to avoid detection, called "cryptors". That means the A/V software will not be able to detect it because it carries a brand new, never-before-seen signature.

____________________________________________________________

The person (DarkcoderSC/PhrozenSoft) who created the software which creates these RATs never intended for it to be used maliciously. AFAIK, he is a security analyst and created the program to help companies secure their systems. You have to know how to hack to stop it. Well, he ended development after releasing 5.3.1 for fear of being arrested because another RAT called BlackShades was being used by the Syrian government to target Syrian dissidents/rebels. The creator of BlackShades has been arrested.

Why is this important, you ask? Because the gentleman who created DarkComet also created a program to detect and remove any and everything related to DarkComet. It's called DarkComet RAT Remover. Once again, I tested this program and it works. Then again, I only infected myself with a basic RAT. YMMV. You can find the link to download it here. It never hurts to try.

FYI, if whoever is distributing this RAT is smart enough, he'll create one which replaces OS files. In which case the remover linked above may not be a good choice. It's worth a shot, I suppose.

____________________________________________________________

As for the person distributing this RAT, he has a blog where he is posting RL addresses, SL accounts, billing information, relatives of SL users, nude pictures, and more.

____________________________________________________________

More information on this RAT can be found at the links below:

 

https://malwr.com/analysis/YzgxOWE0Njc2NzQ4NDkzMjgzZjY3NzNmZWY4OWMwOTE/

http://community.secondlife.com/t5/Abuse-and-Griefing/I-keep-hearing-about-IMG-0311205dtrap-rcs-png-...

http://community.secondlife.com/t5/General-Discussion-Forum/Skype-and-Secondlife-related-virus/td-p/...

http://yiffyaffriffraff.tumblr.com/post/65212061451/skype-virus-sweeping-secondlife

MODS/ADMINS - IF YOU CAN, PLEASE STICKY THIS POST IN A RELEVANT FORUM OR SPREAD THE INFO BY OTHER MEANS. THANK YOU.

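As an added illustration of the RTLO trick described in the post above (example code written for this page, not part of SZ8700's post or of any tool it mentions; the sample filename is constructed), a small Python check that strips bidi control characters from a filename and reports the extension the OS will really use, beside the one the user sees:

```python
import unicodedata

# Unicode bidi controls that can disguise how a filename renders. U+202E
# (RIGHT-TO-LEFT OVERRIDE) is the one described in the post: everything
# after it is drawn reversed, so "...d" + RLO + "gnp.scr" shows as "...drcs.png".
RLO = "\u202e"
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069", "\u200e", "\u200f"}
# Extensions Windows runs directly; .scr (screensaver) is an ordinary executable.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jar", "msi"}


def disguise(prefix: str, real_tail: str) -> str:
    """Build a constructed sample like the post's 'IMG(numbers)drcs.png'.
    prefix is what the user sees first; real_tail is the true end of the
    name (e.g. 'gnp.scr'), which renders reversed after the RLO."""
    return prefix + RLO + real_tail


def analyze_filename(name: str) -> dict:
    """Compare how a filename renders with what the OS actually sees."""
    controls = [(i, unicodedata.name(c, "UNKNOWN")) for i, c in enumerate(name)
                if c in BIDI_CONTROLS]
    real_name = "".join(c for c in name if c not in BIDI_CONTROLS)
    real_ext = real_name.rsplit(".", 1)[-1].lower() if "." in real_name else ""
    # Approximate the visual result: the text after the first RLO is reversed.
    if RLO in name:
        head, _, tail = name.partition(RLO)
        displayed = head + "".join(c for c in tail if c not in BIDI_CONTROLS)[::-1]
    else:
        displayed = real_name
    displayed_ext = displayed.rsplit(".", 1)[-1].lower() if "." in displayed else ""
    return {
        "displayed": displayed,
        "displayed_ext": displayed_ext,
        "real_name": real_name,
        "real_ext": real_ext,
        "bidi_controls": controls,
        # Any bidi control at all is a red flag, as is an executable extension.
        "suspicious": bool(controls) or real_ext in EXECUTABLE_EXTS,
    }


def flag_transfers(filenames):
    """Return the names from a transfer list that deserve a warning."""
    return [n for n in filenames if analyze_filename(n)["suspicious"]]


if __name__ == "__main__":
    # Constructed samples; the number and 'd...rcs' pattern mimic the post, not a real file.
    samples = [disguise("IMG_0001d", "gnp.scr"), "holiday.png", "setup.exe"]
    for n in samples:
        r = analyze_filename(n)
        print(f"shown as {r['displayed']!r:22} real name {r['real_name']!r:22} "
              f"ext .{r['real_ext']} suspicious={r['suspicious']}")
```

The same check works on any list of received filenames, for example one exported from a chat client's transfer history, since it looks at the characters and not at the rendering.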

There was another thread about this issue not too long ago.  The main consensus was that this is a Skype issue and not a SL issue due to the file that is causing the problems being sent/received via Skype.  Many people in SL do use Skype, sometimes while also running SL, so it's worth noting for awareness, but again, it's really an issue with Skype, same as if info was being disseminated via Yahoo, MSN Messenger, etc.

 ETA:  I found the previous thread on this topic here.


I hear you. That link was also posted in the OP. I'm only trying to help. Since this RAT is targeting SL users specifically, I thought it might be a good idea to make everyone aware of what exactly is going on. Hence the inclusion of other Forum links related to this infection.


The issue isn't really Skype. The issue is downloading/opening files from someone you don't know. It just so happens that this RAT is being distributed through Skype, it's also a SL problem as well. I don't understand why people are dismissing this as if it's not a problem with SL. I understand that the problem isn't SL directly, but this is indeed a Skype and SL problem together, judging from the means this person is gathering his information and the content within.



SZ8700 wrote:

The issue isn't really Skype. The issue is downloading/opening files from someone you don't know. It just so happens that this RAT is being distributed through Skype, it's also a SL problem as well. I don't understand why people are dismissing this as if it's not a problem with SL. I understand that the problem isn't SL directly, but this is indeed a Skype and SL problem together, judging from the means this person is gathering his information and the content within.

I'm not sure I understand what you are saying here.

I am the one responsible for keeping my computer clean and my password and account information safe.  Not Skype or LL. 

 


All the reports of hacked SL accounts I've seen involve someone who got the RAT outside of SL by accepting it blindly.  This happens in SKYPE, although maybe it could possibly be passed through other online services that allow file sharing. That is why it's not considered a SL issue by most people as LL can do nothing to stop it and it is impossible to pass it through SL itself. 

Warnings of this have been posted here before and I've gotten lots of notices about it in world from various group announcements.  That's all that can be done.  If people accept things blindly they certainly put themselves at risk.


I hear what you all are saying. If it weren't for SL, people wouldn't be getting their accounts stolen, funds stolen, inventories wiped clean, etc. This is obviously someone inside SL doing this. Hacked accounts must be dealt with. That is an issue for LL. I agree it is on the user to be more responsible, but these are all SL accounts. None of that really matters, because not once have I blamed LL. People whose accounts have been compromised are blaming LL. I don't even think it's so much as blaming as it is them calling for their accounts to be recovered. It's not being distributed through SL, just Skype. I reiterate that all of these compromised systems are SL related, and it shows.

 

EDIT: This entire thread is only possible because it's SL accounts who are being targeted. So this is more of a "beware" post for SL users than anything.



SZ8700 wrote:

I hear what you all are saying. If it weren't for SL, people wouldn't be getting their accounts stolen, funds stolen, inventories wiped clean, etc. This is obviously someone inside SL doing this. Hacked accounts must be dealt with. That is an issue for LL. I agree it is on the user to be more responsible, but these are all SL accounts. None of that really matters, because not once have I blamed LL. People whose accounts have been compromised are blaming LL. I don't even think it's so much as blaming as it is them calling for their accounts to be recovered. It's not being distributed through SL, just Skype. I reiterate that all of these compromised systems are SL related, and it shows.

 

By "someone inside SL," I am assuming you are meaning someone logging in with a SL account?  This is a bit of a misnomer.  At this point in time he may not even be logging in with his original account.  He is tricking people into accepting the file because they think they are connecting to a trusted friend's account.  He just moves from compromised account to compromised account. 

And for the record, these accounts are not "hacked."  They are "compromised."  There is a slight difference.  Hacking implies that he got into the account without an action of the hacked.


SZ8700 wrote:

EDIT: This entire thread is only possible because it's SL accounts who are being targeted. So this is more of a "beware" post for SL users than anything.

I've seen warnings about this going out in various groups.  A good thing for people to be aware of.

 

 

@Innula:  From what I saw on his website it appears his primary target is people who do naked webcam.  He also targets Furries and my guess is it is sexually active Furries.  So it's not just people using Skype as an alternative to SL voice.

 



Perrie Juran wrote:

@Innula:  From what I saw on his website it appears his primary target is people who do naked webcam.  He also targets Furries and my guess is it is sexually active Furries.  So it's not just people using Skype as an alternative to SL voice.

 

Thanks.  I get that his targets are specific groups (though I am not sure I can, or even want to, get my head round sexually active furries doing naked webcam).   But, while his targets are a small subset of SL users who use Skype, my point was that the malware is passed through Skype, not through SL or Voice.

I'm returning, really, to the earlier discussions, where some people had got the story mixed up and made it sound as if you're at risk from accepting textures in SL, which isn't (and I don't think can be) the case.



Innula Zenovka wrote:


I'm returning, really, to the earlier discussions, where some people had got the story mixed up and made it sound as if you're at risk from accepting textures in SL, which isn't (and I don't think can be) the case.

16 debunked that stuff.

http://community.secondlife.com/t5/General-Discussion-Forum/Texture-Cache-Virus/m-p/1875491/highlight/true#M93930

http://community.secondlife.com/t5/General-Discussion-Forum/My-account-was-hacked-through-a-Second-Life-texture/m-p/1866281/highlight/true#M93273

The conversion of the texture to JPEG2000 would destroy an embedded virus.  And that doesn't even take into account getting past what ever security protocols LL must have to protect the servers to begin with.



Perrie Juran wrote:

And for the record, these accounts are not "hacked."  They are "compromised."  There is a slight difference.  Hacking implies that he got into the account without an action of the hacked.


I realize there's a difference, albeit a small one. When an account is compromised, the first thing an average user would say is, it's been "hacked." They would then send out a support email saying "my account has been hacked, please help" instead of saying compromised. I'm only using the term most users are familiar with and say the most.



SZ8700 wrote:


Perrie Juran wrote:

And for the record, these accounts are not "hacked."  They are "compromised."  There is a slight difference.  Hacking implies that he got into the account without an action of the hacked.


I realize there's a difference, albeit a small one. When an account is compromised, the first thing an average user would say is, it's been "hacked." They would then send out a support email saying "my account has been hacked, please help" instead of saying compromised. I'm only using the term most users are familiar with and say the most.

Yep.  But in a sense what happens is people like to absolve themselves from responsibility for what happened.

We've seen it many times in this Forum where people come screaming that they got hacked and they can't understand why LL just doesn't hand them back the $50,000L (that figure may be a bit exaggerated) they say disappeared and all their inventory, etc, etc, etc. 

They swear they got hacked, did nothing wrong.  But when we start digging we usually are able to identify the user error.

I'm kind of tough on this stuff but people need to exercise good Internet habits.  It affects all of us.

 


You are no doubt correct, and I agree 100%. I must ask, regardless of the circumstances surrounding the situation, whether it be an actual "hack" instead of user error or actual user irresponsibility, what is the protocol they follow to determine whether or not the account even should be restored. Is it a case-by-case basis?

 

For example:

 

  • User #1 downloads malware which compromised their SL account = user-error
  • User #2 truly got "hacked" without their knowledge and now their SL account is compromised. = not user-error 

 

Do both of these circumstances merit account recovery? I am with you all the way when you say people should be more careful, but some things play out in such a way that the user who could be considered at fault didn't know any better. In the defense of my parents, they were sent this malware by a very long-time SL friend who they've talked with on a daily basis. Their friend's account was compromised and was being used to send this file in his name. So they thought it was harmless. Therein lies the issue: It wasn't someone random that sent the file, but someone who controlled a trusted member's account sending the file in their name.

 

 



Perrie Juran wrote:

 From what I saw on his website it appears his primary target is people who do naked webcam.  He also targets Furries and my guess is it is sexually active Furries. 

 

That's probably why posters are suggesting that "their friends" are being attacked . . .

Although it does beg the question: Why is Phil being targeted?

© The Judge



Perrie Juran wrote:

And for the record, these accounts are not "hacked."  They are "compromised."  There is a slight difference.  Hacking implies that he got into the account without an action of the hacked. 

I'm not sure what you're saying here, but hacking into a computer can be achieved by doing all sorts of stuff, including finding out RL information about a person, even via wastebins, and trying passwords based on the info, and even breaking into a person's home/office and finding the passwords written down. Hacking isn't only about using technical methods to get in. That's according to a book on hacking that I once read - and probably still have.

So even things like writing passwords down where they can be read are equivalent to accepting a file. In both cases, access is gained by user actions, but they both constitute hacking.

 



Phil Deakins wrote:


Perrie Juran wrote:

And for the record, these accounts are not "hacked."  They are "compromised."  There is a slight difference.  Hacking implies that he got into the account without an action of the hacked. 

I'm not sure what you're saying here, but hacking into a computer can be achieved by doing all sorts of stuff, including finding out RL information about a person, even via wastebins, and trying passwords based on the info, and even breaking into a person's home/office and finding the passwords written down. Hacking isn't only about using technical methods to get in. That's according to a book on hacking that I once read - and probably still have.

So even things like writing passwords down where they can be read are equivalent to accepting a file. In both cases, access is gained by user actions, but they both constitute hacking.

 

I know I'm playing a little bit of semantics here.  The reason I'm doing this is because the people who cry 'hacked' often tend to not want to take responsibility.  They often times claim, "I didn't do anything wrong."

Maybe I'm stretching it a little here by the way I'm applying the terms but I am more concerned with the attitude.

This is not an old exploit.  From the little bit of reading I did on it people's AV should be catching it.  Maybe it's possible it isn't but their AV should be popping up a warning.

 



Perrie Juran wrote:

This is not an old exploit.  From the little bit of reading I did on it people's AV should be catching it.  Maybe it's possible it isn't but their AV should be popping up a warning.

 

Actually, the technique used (RAT) is fairly old and common. However, the reason A/V software doesn't always pick RATs up is because it carries a brand new "signature" which the A/V software has never seen before. In order for a RAT to be undetectable, or "FUD" (Fully UnDetectable in the BlackHat community), it must be "crypted", "binded", compressed with UPX, and be given a random MUTEX, among other options. All of these in conjunction with one another pretty much guarantees that it will be undetected even by the most hardened A/V software available.



SZ8700 wrote:


Perrie Juran wrote:

This is not an old exploit.  From the little bit of reading I did on it people's AV should be catching it.  Maybe it's possible it isn't but their AV should be popping up a warning.

 

Actually, the technique used (RAT) is fairly old and common. However, the reason A/V software doesn't always pick RATs up is because it carries a brand new "signature" which the A/V software has never seen before. In order for a RAT to be undetectable, or "FUD" (Fully UnDetectable in the BlackHat community), it must be "crypted", "binded", compressed with UPX, and be given a random MUTEX, among other options. All of these in conjunction with one another pretty much guarantees that it will be undetected even by the most hardened A/V software available.

Thanks for that info.

 


This is pretty old.

If you click on a link and have to login and you perform the login instead of closing the browser - you are too stupid for the internet.

If you receive a file - no matter on what channel - and you click it - you are too stupid for the internet.

If you think your AV software will protect you - you are too stupid for the internet.

If you always try to make someone else responsible for your problems instead of learning something and changing your behaviour - you will always be too stupid for the internet.
