Warning! New Keylogging Trojan on the loose! (Federalpolice)


jfall

Diamond Member
Oct 31, 2000
5,975
2
0
I clicked on the link... housecall.antivirus.com reports that I have JAVA.BYTEVER.A, which is non-cleanable.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
mods, op

edit those links! Just throw some characters in the middle of the string.

cheers!
 

Brutuskend

Lifer
Apr 2, 2001
26,558
4
0
Originally posted by: CrackaLackaZe
k, but then what do I do with my 17 inch sony lcd and my 5.1 speakers?

Send them to me...

I'll run tests and make sure they are safe to use. (For ME to use that is) ;)
 

hevnsnt

Lifer
Mar 18, 2000
10,868
1
0
Originally posted by: spidey07
mods, op

edit those links! Just throw some characters in the middle of the string.

cheers!

Sorry, I have edited them; when I posted I forgot to uncheck "Auto parse URLs".

DOH
 

yukichigai

Diamond Member
Apr 23, 2003
6,404
0
76
Clever, though the marginal grammar and flagrant lack of legalese give it away as a fake. The idea is scary, though.
 

EyeMWing

Banned
Jun 13, 2003
15,670
1
0
Originally posted by: Scarpozzi
Here's a link from the test machine I infected. I went ahead and deleted it, but I may do some port scans and throw it on a hub to do some real packet sniffing and see if there is anything else we can learn of this new exploit. (how often it tries to contact the mothership, etc)
Link

If you email me the class files
eyemwing@earthlink.net
I'll run them through the decompiler and pick it apart (or try to)
 

slick230

Banned
Jan 31, 2003
2,776
0
0
Jesus F'ing Christ, if anyone falls for this sh|t they DESERVE to have their fvcking money stolen!!! Unless your friends are illiterate morons who can't compose coherent sentences in English, WHY would you bother even reading some sh|t like this?????

These kinds of things just prey on the people who are fvcking stupid to begin with. They deserve to have their information stolen. :|:|:|:|:|
 

EyeMWing

Banned
Jun 13, 2003
15,670
1
0
Java developers (Those of us with the SDK installed rather than the runtime environment):
C:\Documents and Settings\<yourusername>\.jpi_cache\file\1.0 contains the files instead of the directories referenced in Scarpozzi's screenshot

Now to tear this baby apart.
 

no0b

Diamond Member
Jul 23, 2001
3,804
1
0
Originally posted by: slick230
Jesus F'ing Christ, if anyone falls for this sh|t they DESERVE to have their fvcking money stolen!!! Unless your friends are illiterate morons who can't compose coherent sentences in English, WHY would you bother even reading some sh|t like this?????

These kinds of things just prey on the people who are fvcking stupid to begin with. They deserve to have their information stolen. :|:|:|:|:|

Whoa, calm down there. No one deserves anything.

Why the fvck are you upset with the victims and not the perps?
 

EyeMWing

Banned
Jun 13, 2003
15,670
1
0
Confirmed: Multiplatform, multibrowser. Firebird for Windows and Netscape for Mac OS 8 tested. This is nasty.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
I'm not quite sure I understand what's being exploited here. Java applets are downloaded by default with no user check, but what kind of protection is supposed to keep applets from doing this? Shouldn't the applet be forced to close itself out when the window closes?
 

Shockwave

Banned
Sep 16, 2000
9,059
0
0
This is from EyeMWing, he's not sure how to post in threads anymore...

This is more than a keylogger, boys. Lookie at this here netstat

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Tony>netstat

Active Connections

Proto Local Address Foreign Address State
TCP wingcorp-k65dg9:1311 localhost:1312 ESTABLISHED
TCP wingcorp-k65dg9:1312 localhost:1311 ESTABLISHED
TCP wingcorp-k65dg9:1046 216.155.193.167:5050 ESTABLISHED
TCP wingcorp-k65dg9:1052 205.188.8.127:5190 ESTABLISHED
TCP wingcorp-k65dg9:1060 64.12.27.247:5190 ESTABLISHED
TCP wingcorp-k65dg9:1310 208.178.231.189:6666 ESTABLISHED
TCP wingcorp-k65dg9:1856 168.143.107.165:http TIME_WAIT
TCP wingcorp-k65dg9:1859 168.143.107.165:http TIME_WAIT
TCP wingcorp-k65dg9:1875 a209-249-123-159.deploy.akamaitechnologies.com:h
ttp ESTABLISHED
TCP wingcorp-k65dg9:1876 a209-249-123-159.deploy.akamaitechnologies.com:h
ttp ESTABLISHED
TCP wingcorp-k65dg9:1929 mirrors.blue.aol.com:ftp ESTABLISHED
TCP wingcorp-k65dg9:1930 mirrors.blue.aol.com:52624 ESTABLISHED
TCP wingcorp-k65dg9:1935 168.143.107.163:http ESTABLISHED
TCP wingcorp-k65dg9:1937 168.143.107.183:http TIME_WAIT
TCP wingcorp-k65dg9:1938 168.143.107.183:http TIME_WAIT
TCP wingcorp-k65dg9:1939 64.94.178.68:http TIME_WAIT
TCP wingcorp-k65dg9:1940 168.143.107.183:http TIME_WAIT
TCP wingcorp-k65dg9:1945 216.239.41.104:http ESTABLISHED
TCP wingcorp-k65dg9:netbios-ssn 192.168.0.1:1041 ESTABLISHED
TCP wingcorp-k65dg9:netbios-ssn 192.168.0.7:3005 ESTABLISHED
TCP wingcorp-k65dg9:3389 192.168.0.1:1046 ESTABLISHED

C:\Documents and Settings\Tony>

I'll have to wait a minute to close down everything legit and find out exactly what SHOULDN'T be there, I'm still downloading the decompiler.
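One way to triage a listing like the one above, added here as an example and not code from the thread: it re-joins rows the console wrapped mid-token, then separates loopback/LAN peers and netstat-resolved services from public peers on bare numeric ports, which are the rows to account for first. The host names, addresses and ports in the sample are constructed placeholders, not values from the thread.

```python
import ipaddress

# Constructed sample modelled on the quoted netstat listing (not the thread's
# own output); one row is wrapped mid-token ("...:h" / "ttp ...") as the console did.
SAMPLE = """\
  TCP    testbox:1311         localhost:1312           ESTABLISHED
  TCP    testbox:1310         203.0.113.9:6666         ESTABLISHED
  TCP    testbox:1875         cdn-edge.example.net:h
ttp ESTABLISHED
  TCP    testbox:netbios-ssn  192.168.0.7:3005         ESTABLISHED
  TCP    testbox:1945         198.51.100.4:http        TIME_WAIT
"""
# Loopback plus RFC 1918, listed explicitly (ipaddress.is_private also counts doc ranges).
LOCAL = [ipaddress.ip_network(n) for n in
         ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def unwrap(text):
    """Re-join TCP rows the console wrapped; a row is whole once it has 4 fields."""
    rows = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("TCP "):
            rows.append(s)
        elif rows and rows[-1].startswith("TCP ") and len(rows[-1].split()) < 4:
            rows[-1] += s                      # glue "...:h" + "ttp ESTABLISHED"
    return rows

def parse(text):
    out = []
    for parts in (r.split() for r in unwrap(text)):
        if len(parts) >= 4:                    # skip a row still missing State
            host, _, port = parts[2].rpartition(":")   # IPv4 or DNS name only
            out.append((host, port, parts[3]))
    return out

def classify(host, port):
    """lan: loopback/RFC 1918 peer; named-service: resolved port; review: the rest."""
    if host == "localhost":
        return "lan"
    try:
        if any(ipaddress.ip_address(host) in net for net in LOCAL):
            return "lan"
    except ValueError:
        pass                                   # a DNS name, not an address
    return "review" if port.isdigit() else "named-service"

def to_review(text):
    return [(h, p) for h, p, s in parse(text)
            if s == "ESTABLISHED" and classify(h, p) == "review"]
```

A named port only means netstat found it in the services file, so a "named-service" row still deserves a look if the peer is unfamiliar.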
 

EyeMWing

Banned
Jun 13, 2003
15,670
1
0
Code is well beyond my level. BlackBox appears to be the main works of the code, Dummy is empty (with one stray variable that BlackBox utilizes) and VerifierBug appears to do something. I'd assume it's the part that exploits something or other to get around the JRE's restrictions.
 

EyeMWing

Banned
Jun 13, 2003
15,670
1
0
Originally posted by: Shockwave
This is from EyeMWing, he's not sure how to post in threads anymore...

This is more than a keylogger, boys. Lookie at this here netstat

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Tony>netstat

Active Connections

Proto Local Address Foreign Address State
TCP wingcorp-k65dg9:1311 localhost:1312 ESTABLISHED
TCP wingcorp-k65dg9:1312 localhost:1311 ESTABLISHED
TCP wingcorp-k65dg9:1046 216.155.193.167:5050 ESTABLISHED
TCP wingcorp-k65dg9:1052 205.188.8.127:5190 ESTABLISHED
TCP wingcorp-k65dg9:1060 64.12.27.247:5190 ESTABLISHED
TCP wingcorp-k65dg9:1310 208.178.231.189:6666 ESTABLISHED
TCP wingcorp-k65dg9:1856 168.143.107.165:http TIME_WAIT
TCP wingcorp-k65dg9:1859 168.143.107.165:http TIME_WAIT
TCP wingcorp-k65dg9:1875 a209-249-123-159.deploy.akamaitechnologies.com:h
ttp ESTABLISHED
TCP wingcorp-k65dg9:1876 a209-249-123-159.deploy.akamaitechnologies.com:h
ttp ESTABLISHED
TCP wingcorp-k65dg9:1929 mirrors.blue.aol.com:ftp ESTABLISHED
TCP wingcorp-k65dg9:1930 mirrors.blue.aol.com:52624 ESTABLISHED
TCP wingcorp-k65dg9:1935 168.143.107.163:http ESTABLISHED
TCP wingcorp-k65dg9:1937 168.143.107.183:http TIME_WAIT
TCP wingcorp-k65dg9:1938 168.143.107.183:http TIME_WAIT
TCP wingcorp-k65dg9:1939 64.94.178.68:http TIME_WAIT
TCP wingcorp-k65dg9:1940 168.143.107.183:http TIME_WAIT
TCP wingcorp-k65dg9:1945 216.239.41.104:http ESTABLISHED
TCP wingcorp-k65dg9:netbios-ssn 192.168.0.1:1041 ESTABLISHED
TCP wingcorp-k65dg9:netbios-ssn 192.168.0.7:3005 ESTABLISHED
TCP wingcorp-k65dg9:3389 192.168.0.1:1046 ESTABLISHED

C:\Documents and Settings\Tony>

I'll have to wait a minute to close down everything legit and find out exactly what SHOULDN'T be there, I'm still downloading the decompiler.

How'd I manage that? Reply to the wrong thread? I thought I axed that message; I confused my own LAN's normal working and a few file transfers I had going with suspicious activity :eek:
 

EyeMWing

Banned
Jun 13, 2003
15,670
1
0
Originally posted by: ViRGE
I'm not quite sure I understand what's being exploited here. Java applets are downloaded by default with no user check, but what kind of protection is supposed to keep applets from doing this? Shouldn't the applet be forced to close itself out when the window closes?

The JRE features some inbuilt protections to keep applets from doing anything but with their own browser window (and restricts function even within that).

Those protections don't work (if this works)
 

EyeMWing

Banned
Jun 13, 2003
15,670
1
0
Originally posted by: Shockwave
Eye...Check my oil filter thread...

OOPS. That's what happens when you have two ATOT windows open, both scrolled down to quick reply
 

Shockwave

Banned
Sep 16, 2000
9,059
0
0
Originally posted by: simms
64.29.173.901 is still valid in the OP's post.. wanna edit that out, because I would've just gotten the virus ....

It's funny you link to that which you're complaining about being linked to.... Ironic, eh?