EVE General Discussion: Trojans and spammers
 
This thread is older than 90 days and has been locked due to inactivity.


 
Pages: [1] 2 3 4 5


Suvetar


ISD YARR
Interstellar Services Department
Posted - 2006.10.09 15:37:00 - [1]
 

Hi Everyone,

As you probably noticed, we've had a surfeit of posts linking to a shady looking URL recently; as you will no doubt imagine this is indeed a piece of malware that is designed to steal your Username and Password and who knows what else.

So surf safe, don't click any links tempting you to hack EVE and rest assured that your friendly local mod team are doing everything we can to get the forums back on track!

Thanks!

Note From Kaemonn:

Some of the victims of this attack are having problems with the petition link on the web site. If you were a victim of the attack and had your account compromised, please email [email protected]. This is the address to contact the GMs through email instead of petition. Please include as much detail as possible.


Unfamed II
Caldari
NPC Corporation
Paisti Syndicate
Posted - 2006.10.09 15:43:00 - [2]
 

Edited by: Unfamed II on 09/10/2006 15:43:31
Keep up the good work, was about to report one linky, but it had already disappeared while I was writing about it to you.

GC13
Caldari
Species 5618
R0ADKILL
Posted - 2006.10.09 15:55:00 - [3]
 

A trojan? O RLY?

*chalks one up for intuition*


Daald
Priori Inc
Posted - 2006.10.09 16:03:00 - [4]
 

Edited by: Daald on 09/10/2006 16:02:53
Look for a file in your C: drive called autoexec.exe

That is what the website tries to install by creating an adodb.stream object. It tries to instantiate that object twice. I'm still looking at the second portion of the infecting code.

Verite Rendition
Caldari
F.R.E.E. Explorer
EVE Animal Control
Posted - 2006.10.09 16:08:00 - [5]
 

Originally by: Daald
Edited by: Daald on 09/10/2006 16:02:53
Look for a file in your C: drive called autoexec.exe

That is what the website tries to install by creating an adodb.stream object. It tries to instantiate that object twice. I'm still looking at the second portion of the infecting code.
I'm assuming he's trying to use a 0-day IE exploit?

Daald
Priori Inc
Posted - 2006.10.09 16:10:00 - [6]
 

The code is obfuscated. I'm deobfuscating by hand and trying to insert meaning as I see it.

I'll let you know as I learn more.

Quin Tal
Ex Nihilo Dignitas
Expeto Libertas Foedus
Posted - 2006.10.09 16:13:00 - [7]
 

Thanks for the heads up Suvetar.

Do you know what one of the URLs is so we know what to look for?

keepiru
Omega Fleet Enterprises
Executive Outcomes
Posted - 2006.10.09 16:15:00 - [8]
 

Btw, the spamming and cleanup broke the glue on the stickies in ships & modules, could you slap some new blu-tack on them? :D

Jenny Spitfire
Caldari
Posted - 2006.10.09 16:15:00 - [9]
 

Originally by: Quin Tal
Thanks for the heads up Suvetar.

Do you know what one of the URLs is so we know what to look for?


Ukrainian website, somename.something.somewhere.ua.

Daald
Priori Inc
Posted - 2006.10.09 16:17:00 - [10]
 

I would block anything going to advertology.net

That is where one of the attack vectors is coming from.

Mortok Tristan
Posted - 2006.10.09 16:18:00 - [11]
 

Originally by: Daald
Edited by: Daald on 09/10/2006 16:02:53
Look for a file in your C: drive called autoexec.exe

That is what the website tries to install by creating an adodb.stream object. It tries to instantiate that object twice. I'm still looking at the second portion of the infecting code.


The second part is c:\windows\crss.exe fixed as in Jenny's version - Xorus
get rid of it, and references to it in the registry

Tharrn
Amarr
Epitoth Fleet Yards
Curatores Veritatis Alliance
Posted - 2006.10.09 16:32:00 - [12]
 

Wohoo... 'Stop Scams' is the newest spambot.

spurious signal
Caldari
Brainiacs
Posted - 2006.10.09 16:36:00 - [13]
 

Surely now it's time to start curbing the posting rights of trial accounts?

Heck, seems to me that 90% of the uses of trial accounts in general are bad. When 10% of the people logged on at any one time are trial accounts you have to question if they're being used as intended.

Tsanse Kinske
WeMeanYouKnowHarm
Posted - 2006.10.09 16:38:00 - [14]
 

Originally by: Tharrn
Wohoo... 'Stop Scams' is the newest spambot.



http://myeve.eve-online.com/ingameboard.asp?a=topic&threadID=300394
for an example.

Tharrn
Amarr
Epitoth Fleet Yards
Curatores Veritatis Alliance
Posted - 2006.10.09 16:39:00 - [15]
 

It's not trial accounts - they are using hacked accounts. The last two bots posted using characters that are over a year old.

Jenny Spitfire
Caldari
Posted - 2006.10.09 16:39:00 - [16]
 

Originally by: Tsanse Kinske
Originally by: Tharrn
Wohoo... 'Stop Scams' is the newest spambot.



http://myeve.eve-online.com/ingameboard.asp?a=topic&threadID=300394
for an example.



Spammer has a political agenda against trial accounts.

Karass Sayfo


ISD YARR
Interstellar Services Department
Posted - 2006.10.09 16:40:00 - [17]
 

Before you click on URLs, put your mouse over first to see the address. When in doubt, don't click!

Caerleus
Achmed-Terrorist
IUS PRIMAE N0CTIS
Posted - 2006.10.09 16:41:00 - [18]
 

Changing trial account rights will have very little effect.
This spammage is coming from accounts that are NOT trial accounts, but either hacked accounts or paid-for accounts.
This is how they are able to access certain parts of the forums that trial accounts already have no access to.


Post count limiters, say 1 post per minute. That would slow them down considerably.

Jenny Spitfire
Caldari
Posted - 2006.10.09 16:42:00 - [19]
 

Edited by: Jenny Spitfire on 09/10/2006 16:42:08
Originally by: Mortok Tristan
Originally by: Daald
Edited by: Daald on 09/10/2006 16:02:53
Look for a file in your C: drive called autoexec.exe

That is what the website tries to install by creating an adodb.stream object. It tries to instantiate that object twice. I'm still looking at the second portion of the infecting code.


The second part is c:\windows\csrss.exe crss.exe
get rid of it, and references to it in the registry


Fixed.

GC13
Caldari
Species 5618
R0ADKILL
Posted - 2006.10.09 16:44:00 - [20]
 

You'd figure people wouldn't be stupid enough to click on a link in an obvious spam post. Oh well, I guess the dumbos a few standard deviations below the median for intelligence are making the lives of forumers difficult.

Xorus


Deep Core Mining Inc.
Posted - 2006.10.09 16:45:00 - [21]
 

With the recent postings of links to keyloggers on the internet we have the following advice to give our forum users. Firstly, if you don't already have an Anti-Virus program we suggest you get one; there are a number of free products for home users including AVG Free Edition, Avast Home Edition and Avira AntiVir, all of which are free for home users. If you already have an Anti-Virus program, make sure it's up to date, as having an out-of-date AV program is almost as bad as not having one at all.

Always be careful what you download on the EVE Forums as you never know what it might contain, things like EVEMon and Quickfit are safe to download as they have been tested and are from trusted sources, always be careful of any links posted on these forums as you never know what it may contain, ensure all your security software is up to date before clicking links.


Sean Dillon
Caldari
Surreal corp
Posted - 2006.10.09 16:46:00 - [22]
 

I think people who do this are pathetic.

But IMHO every link that's posted somewhere should be approached with caution. I have played other MMORPGs where the phenomenon of keyloggers is a lot bigger than in EVE Online. Part of this is because the market system makes it very easy to check market transactions. Nonetheless this doesn't mean people won't give it a try. As long as people are willing to pay $ for ISK on eBay you will see this keep happening.

Fleeeeeeeeeee
Posted - 2006.10.09 16:49:00 - [23]
 

Keep jumping up and down on them, I'm sure they'll sod off eventually.

Baleorg
Gallente
Guys of Sarcasm
Posted - 2006.10.09 16:57:00 - [24]
 

Edited by: Baleorg on 09/10/2006 16:58:09
*cough* clicking links that promise to "gain unfair advantage" ye...
btw.. why are *YOU* still using IE ?! :-P you like risks?



Daald
Priori Inc
Posted - 2006.10.09 17:01:00 - [25]
 

Edited by: Daald on 09/10/2006 17:13:16
Originally by: Jenny Spitfire
Edited by: Jenny Spitfire on 09/10/2006 16:42:08
Originally by: Mortok Tristan
Originally by: Daald
Edited by: Daald on 09/10/2006 16:02:53
Look for a file in your C: drive called autoexec.exe

That is what the website tries to install by creating an adodb.stream object. It tries to instantiate that object twice. I'm still looking at the second portion of the infecting code.


The second part is c:\windows\csrss.exe crss.exe
get rid of it, and references to it in the registry


Fixed.


I didn't see that. It seems that the second portion sets up autoexec.exe to gain elevated privileges. I guess there was another attack vector that I didn't follow?

The second portion of that code seems to do this:
http://www.snort.org/pub-bin/sigs.cgi?sid=7988


*edit* Got to look at the autoexec.exe program through a debugger. It seems that it has an encrypted data and code section. I don't really feel like decompiling it any further, especially at work.
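The posts by Daald, Mortok Tristan and Jenny Spitfire above name three things a compromised machine would show: a dropped C:\autoexec.exe, a look-alike C:\Windows\crss.exe (not the legitimate csrss.exe in System32), and registry references that start it. The following is an added triage script, written for this annotation and not posted by anyone in the thread, that checks a Windows host for exactly those indicators and reports rather than deletes, so that a copy can be kept for the GMs or for analysis. The autostart keys it inspects are an assumption (the thread only says "references to it in the registry"); the ADODB.Stream kill-bit check uses the CLSID and Compatibility Flags value from Microsoft's published KB870669 mitigation, which you should verify against the current article before relying on it.

```powershell
# Added example: triage for the indicators named in the thread. Reports only; does not delete.
$Indicators = @(
    'C:\autoexec.exe',                      # dropper named in post [4]
    (Join-Path $env:SystemRoot 'crss.exe')   # second stage named in post [19]; NOT System32\csrss.exe
)

# Assumption: common autostart keys where a dropper would register itself.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$Findings = New-Object System.Collections.Generic.List[object]

# 1. Files on disk, with hash and timestamps so the evidence can be recorded before removal.
foreach ($path in $Indicators) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $Findings.Add([pscustomobject]@{
            Type   = 'File'
            Where  = $path
            Detail = "size=$($item.Length) sha256=$hash created=$($item.CreationTimeUtc.ToString('u'))"
        })
    }
}

# 2. Autostart values that reference either file name.
$names = $Indicators | ForEach-Object { [System.IO.Path]::GetFileName($_) }
foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # provider bookkeeping, not registry values
        foreach ($n in $names) {
            if ("$($p.Value)" -match [regex]::Escape($n)) {
                $Findings.Add([pscustomobject]@{ Type = 'Registry'; Where = "$key\$($p.Name)"; Detail = $p.Value })
            }
        }
    }
}

# 3. Running processes with a csrss-like name whose image is outside System32.
Get-Process | Where-Object { $_.Name -match '^(csrss|crss)$' } | ForEach-Object {
    $img = $null
    try { $img = $_.MainModule.FileName } catch { }   # real csrss is protected; access denied is expected
    if ($img -and $img -notlike "$env:SystemRoot\System32\*") {
        $Findings.Add([pscustomobject]@{ Type = 'Process'; Where = "PID $($_.Id)"; Detail = $img })
    }
}

# 4. Is the ADODB.Stream control kill-bitted for Internet Explorer? (KB870669: flags 0x400)
$adodbKillBit = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}'
$flags = (Get-ItemProperty -Path $adodbKillBit -ErrorAction SilentlyContinue).'Compatibility Flags'
if (-not $flags -or ($flags -band 0x400) -eq 0) {
    $Findings.Add([pscustomobject]@{ Type = 'Hardening'; Where = $adodbKillBit; Detail = 'ADODB.Stream not kill-bitted in IE' })
}

if ($Findings.Count -eq 0) { 'No indicators from the thread found.' } else { $Findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell prompt so the HKLM keys and process image paths are readable; a 'File' or 'Registry' finding means the machine matches the thread's description and the account password should be treated as exposed, while a 'Hardening' finding on its own only means the browser mitigation is absent.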

Greyshadow
Guardians of Hell's Gate
Posted - 2006.10.09 17:18:00 - [26]
 

Jesus this spamming thing is getting out of hand, I feel sorry for the mods having to sort it out.
I'm sure everyone will agree we are behind the mods sorting it out.

splattercat
League of Gentlemen
Systematic-Chaos
Posted - 2006.10.09 17:18:00 - [27]
 

new one name> Traderia

DON'T click on the link ppl.

keepiru
Omega Fleet Enterprises
Executive Outcomes
Posted - 2006.10.09 17:19:00 - [28]
 

Gotta give them one thing, they're persistent.

ElCoCo
KIA Corp
KIA Alliance
Posted - 2006.10.09 17:19:00 - [29]
 

Jee what a mess

Ozzie Asrail
Caldari Provisions
Posted - 2006.10.09 17:20:00 - [30]
 

geez, poor mods :(

