Skype and Secondlife related virus!

[Inferniel Solvang]

There is a virus making its rounds on SKYPE! If a friend sends you a file that is either with Snapshot or IMG followed by an underscore and some random numbers with "drcs.png" at the end....CANCEL!!!!!!!!! DO NOT ACCEPT IT!!!!!!!!!!!!!

"snapshot_(NUMBERS)drcs.png"

"IMG_(NUMBERS)drcs.png"

 

DO NOT ACCEPT ANYTHING from any friends on Skype unless you ask them and they respond to tell you what it is...

 

Once you download this image the virus takes hold of your computer. It sniffs and shuffles through all your files. It gathers information and photos...The man responsible has a blog with the pictures of all the SL accounts and Computers he's hacked with this virus....he has posted screen names, real names, bank account info, business info, passwords and Second Life account info, and even nude pictures of his victims on his blog to brag about it.

 

DO NOT ACCEPT ANYTHING FROM ANYONE on skype unless they can tell you what it is!!!!!!!!!

 

If you're SL account has been compromised, contact Linden Labs right away!

[Madelaine McMasters]

This is the third mention of this virus over the last day, but I'm unable to find anything about it via Google, which is generally pretty quick to pick up on such things. The description of its operation sounds fishy to me. Can you provide more information?

[Jenni Darkwatch]

1) you get sent a link, not a file. HUGE difference. clicking on unknown links provided by anyone is nearly always dumb.

2) Never click on links anyone provides, EVEN A FRIEND, unless you at 2000% sure the link is safe, _or_ unless you have scripts DISABLED on you browser (on FF look at NoScript, on IE you're more or less screwed, Chrome has a buit in setting for this).

Or, if you're not computer savvy, use a good Antivirus suite and pay the perfomance penalty this incurs.

Btw, that isn't a new virus... the fact that people still get caught by it is a rather sad testament to peoples gullibility.

[Innula Zenovka]

Hmm..   So you warn us not to accept any files and then direct us to what -- from your own warnings- seems to be a rather suspicious site.   I see.

Tell you what, can you direct me to any announcement by Linden Lab, or by Skype, or by any of the main virus trackers (Sophos, Panda or whatever) that describes this exploit?

[Jenni Darkwatch]

Short of having a vulnerable PNG or JPG library, neither a PNG nor a JPG can infect your computer. Not gonna click on some dubious link either, sorry.

[Carl Thibodeaux]

Picture links cannot contain viruses. 

Would have to be a .exe or a website link.

[Inferniel Solvang]

i posted the link to that blog because a few posts above that, someone asked for more info/proof....so i posted proof for that person

 

[Toki Toki]

As someone who got hit by this and now has their account in an Administrative Hold AFTER getting my account recovered and everything reversed, because LL can't do anything right, it's pretty damned real.

 

It's apparently a RAT trojan manually sent around Skype as a file transfer, disguised as an image- except it's really a screensaver file, with Explorer somehow tricked into reading the extension backwards- rcs.png when it really is gnp.scr. It comes from someone you know, so you open it without thinking, and it doesn't work. Bam, the trojan's installed and it'll sit quietly waiting for you to enter a password- or rip them right out of somewhere, I'm not sure.

I lost my Skype and my main SL account to it for a good eight hours until the automated system noticed something wrong and reverted everything.

 

It seems for the most part the guy tries to buy Lindens, grab all of your payment info, and just give away money to random people- and then dig through your inventory for incriminating photos to put on his blog. A good 10-15 of my friends and acquaintences got hit with it too.

 

Now I'm stuck hoping LL will give me my account back, I'm more afraid of them than the **bleep**ing hijacker. What a surprise.

[Inferniel Solvang]

Linden Labs has said the only thing they can do is help sort your account, so they have not made announcements.

Skype just says to NOT accept any files from friends or strangers unless they tell you what it is.

 

But as far as people saying this it not true....2 of my personal friends have been hit....i have several friends that have many friends that was hit bit it...one of my friends that was hit had his person REAL LIFE info posted on that blog along with his bank account info.....

as far as the .png file is....you can change the .exe to a .png and when people try to open it to see it, the computer will execute the process because it is really a .exe....you can do this with any format/extension....so the .png is merely a way to fool the unsuspecting downloaders into opening it

You try to warn people to NOT accept files....something as simple as that....and you get people that are snippy and grumpy and totally ungrateful....i was just trying to warn everyone to not accept files that the sender will not identify for you pre-download... that simple

[Sassy Romano]

---

Carl Thibodeaux wrote:

Picture links cannot contain viruses. 

Would have to be a .exe or a website link.

---

Well, just to be pedantic, a picture can contain virus code, as can a video as can an audio and plenty of other file formats.  However, they are not going to be executable but as far as transport, yes those file formats really can carry malware.

A sophisticated attack could even send a piece of the code in a picture, another piece in a video, a piece in an mp3 and have it re-constructed to the final bad code at a host.

[Madelaine McMasters]

---

Sassy Romano wrote:

---

Carl Thibodeaux wrote:

Picture links cannot contain viruses. 

Would have to be a .exe or a website link.

---

Well, just to be pedantic, a picture can contain virus code, as can a video as can an audio and plenty of other file formats.  However, they are not going to be executable but as far as transport, yes those file formats really can carry malware.

A sophisticated attack could even send a piece of the code in a picture, another piece in a video, a piece in an mp3 and have it re-constructed to the final bad code at a host.

---

Agreed. We discussed this in an answers thread started by someone else who'd apparently heard of this supposed vulnerability...

http://community.secondlife.com/t5/Abuse-and-Griefing/I-keep-hearing-about-IMG-0311205dtrap-rcs-png-Is-this-a-valid/qaq-p/2275599

In the past, it was possible to deliver malware in Office documents, as those could also contain macros. I haven't used Office in ages, but expect that door has been long closed. Nevertheless, I do hear about novel methods for injecting code via mechanisms you'd not expect.

[Jenni Darkwatch]

Then either install a decent antivirus or be more careful next time. Even with the RTL unicode "exploit" the file still shows as executable in Explorer, at least in Win7.

This is not a new exploit by any means. It exploits the lack of knowledge/gullibility of most users, combined with the refusal to shell out some money for a halfway decent virus/malware scanner.

These days, trusting anything any of your friends sends you is suicidal. That goes for SL, and it most certainly goes for every other media out there including Skype.

One small tip (not foolproof but definitely helps): Right-click on whatever folder you use for such downloads. Select "Properties", then go to the "Security" tab. Click on the "Advanced" button in the lower right. Click on "Change Permissions". Select your user and click on "Edit". Then uncheck "Traverse Folder / Execute" and OK out of all those popups.

Now at least you can't accidentally execute anything in that folder. It also means if you do get an executable you DO want to run, you need to copy/move it elsewhere to run.

Not exactly foolproof, but any layer of security helps with Windows (and Mac which is vulnerable just the same, despite Gatekeeper).

In the end only a change of mindset helps. Paranoia is a good thing on the Internet because there ARE people out to get you.

[LepreKhaun]

This is actually a Unicode exploit in that a non-printing character (specifically U+202E, the "RIGHT-TO-LEFT OVERRIDE", see http://www.fileformat.info/info/unicode/char/202E/index.htm) is making one think they are clicking "rcs.png" (which would be an image and cannot have a virus transmitted within it) but they are actually clicking "gnp.scr" (which is an executable screensaver). See http://www.pediy.com/kssd/pediy11/123162.html for how this exploit is used to deliver malicious payloads to the unwary.

 

Bottom line, be careful what one clicks on, even if you feel the source is trustworthy. Kind of like sex, one never knows who might be infected, eh.

[Madelaine McMasters]

---

LepreKhaun wrote:

This is actually a Unicode exploit in that a non-printing character (specifically U+

202E, the "RIGHT-TO-LEFT OVERRIDE", see 

http://www.fileformat.info/info/unicode/char/202E/index.htm

) is making one think they are clicking "

rcs.png"

(which would be an image and cannot have a virus transmitted within it) but they are actually clicking "gnp.scr" (which is

 an executable 

screensaver). See 

http://www.pediy.com/kssd/pediy11/123162.html

 for how this exploit is used to deliver malicious payloads to the unwary.

 

Bottom line, be careful what one clicks on, even if you feel the source is trustworthy. Kind of like sex, one never knows who might be infected, eh.

---

Now that's just clever!

LepreKhaun, that second link goes to something Chinese looking from three years ago. So is that exploit still viable?

[LepreKhaun]

Yes, unfortunately it seems to be exploitable on Skype currently. But, as Jenni Darkwatch pointed out, a good anti-virus program/firewall should catch it. However many people find it too difficult to set up a secure firewall for Skype.

 

But common sense will win out everytime imo. There are numerous traps on the internet for the unwary and it pays to stay on one's toes and never get complacent.

[Madelaine McMasters]

---

LepreKhaun wrote:

Yes, unfortunately it seems to be exploitable on Skype currently. But, as 

Jenni Darkwatch pointed out, a good anti-virus program/firewall should catch it. However many people find it too difficult to set up a secure firewall for Skype.

 

But common sense will win out everytime imo. There are numerous traps on the internet for the unwary and it pays to stay on one's toes and never get complacent.

---

I'm on a Mac, and the first attempted execution of anything downloaded to the computer lofts a permission dialog explaining what's happening and requiring Username/Password to continue.

[jujmental]

The skype is falling!!!!! The skype is falling!!!!!

© The Judge

[Thomas Shikami]

Here's another paper about the right to left override.

[Zarphy Astro]

it is not a png. it only appears to have a png extension. im not sure what it is. its some form of executable. i think a skype addon or plugin, perhaps. if its not that, it may just be an exe. whatever it is, im not downloading it to find out.

[Zarphy Astro]

it has a clever illusion hidden in it. it SAYS png at the end, but its actually an executable. this has been possible to fake since like, windows XP SP3

[Leslie Trihey]

Wow only one thread on this? People should be worried about this more then they are, I have reconized at least 23 people on the list, and there latest attack they just charged 100K lindens to someones account. There outing personal information and using friends skype accounts against people to get that information.

[Syo Emerald]

And thats what you get from clicking random stuff...

The method to infect users via material sended around chatting programs such as Skype is pretty old. Last time I saw such an attempt it was pretty obvious to me.

[Perrie Juran]

---

Leslie Trihey wrote:

Wow only one thread on this? People should be worried about this more then they are, I have reconized at least 23 people on the list, and there latest attack they just charged 100K lindens to someones account. There outing personal information and using friends skype accounts against people to get that information.

---

Counted or actually recognized? 

I did look at his web site and he is targeting specific groups / type of RP.

While the tricks he is using are actually fairly simple, he is very good at deploying them. 

I am surprised that this is the first time I'm seeing this attack brought up, especially seeing how long he has been at it.

Not that we need a hundred threads about it.  One is enough.

I didn't really do much digging on it but my wee little brain says that for as long as this exploit has been around anti-virus software should be catching it.  It is by no means a new trick any more.

 

 

 

[Leslie Trihey]

---

Perrie Juran wrote:

---

Leslie Trihey wrote:

Wow only one thread on this? People should be worried about this more then they are, I have reconized at least 23 people on the list, and there latest attack they just charged 100K lindens to someones account. There outing personal information and using friends skype accounts against people to get that information.

---

Counted or actually recognized? 

I did look at his web site and he is targeting specific groups / type of RP.

While the tricks he is using are actually fairly simple, he is very good at deploying them. 

I am surprised that this is the first time I'm seeing this attack brought up, especially seeing how long he has been at it.

Not that we need a hundred threads about it.  One is enough.

I didn't really do much digging on it but my wee little brain says that for as long as this exploit has been around anti-virus software should be catching it.  It is by no means a new trick any more.

 

 

 

---

Actually reconized, and half them I know personally. The trick about this virus is that there using friends accounts against people, the reason so many people have fallen for it is that they accepted it without thinking when there friends sent it. As far as I know its hard to detect by a virus program.

[jujmental]

---

Leslie Trihey wrote:

 

The trick about this virus is that there using friends accounts against people, the reason so many people have fallen for it is that they accepted it without thinking when there friends sent it.

---

Having listened to the evidence I find that the problem is caused by having friends, which makes the solution simple: don't have friends.

© The Judge