Alt.binz users beware! You have been compromised



SonsOfLiberty
06-23-2009, 03:34 PM
Alt.binz users beware! You have been compromised

Newsflash for all those people that have started the various "cracked" versions of Alt.Binz floating around on Usenet: they are ALL trojan infected. All Firefox, IE, IM and Steam passwords are collected and uploaded to the attacker's site.

Zerosec staffers are responsible for the infected uploads. Check the sources, because you probably don't believe this already??

However we are not that bright so we left our cpanel login data in our leet script so our server got pwned with all logins and some zerosec stuff. :lol:

[#altbin@EFNet]-[Full]-[Alt.Binz.v0.31.1.WinAll.Multilingual-CRD]-[0/8] - "crude.nfo" yEnc

[#altbin@EFNet]-[Full]-[Alt.Binz.v0.31.1.WinAll-iND]-[2/7] - "Alt.Binz.v0.31.1.WinAll-iND.par2" yEnc

[#altbin@EFNet]-[Full]-[Alt.Binz.0.31.1.WinALL.Cracked.REAL-CzW]-[2/7] - "czw.nfo" yEnc


So if this is you? Is it? Looks like Zerosec has some explaining to do?

Still don't believe? Check sources.

Source: Zerosec staff are a bunch of MF stealers (http://sourceachievements.com/nfo/zerosec_ws_staff_are_bunch_of_mf_stealers.html)
Homepage: alt.binZ (http://www.altbinz.net/)

n00bz0r
06-23-2009, 03:51 PM
Torrents and trackers give me a healthy dose of e-drama to keep me entertained.
About time newzbin followed suit. :lol:

SonsOfLiberty
06-23-2009, 03:52 PM
You mean Usenet? Newzbin is an indexing site :lol:

n00bz0r
06-23-2009, 04:11 PM
yeah..Usenet :lol:
/me never had a good reason to use usenet. :P

srw985
06-23-2009, 05:23 PM
This stuff seems to avoid virus scanners apparently.

I'm fairly sure I'm not using the compromised version, not the one from that post anyway, but how can I check and if needed, remove the trojan?
ESET doesn't see anything wrong with it.

cloggy45
06-23-2009, 05:42 PM
I do this sort of thing with rapidshare downloads, bind the client with a crack, virtually undetectable, person clicks said crack ?????? PROFIT!

SonsOfLiberty
06-23-2009, 05:56 PM
This stuff seems to avoid virus scanners apparently.

I'm fairly sure I'm not using the compromised version, not the one from that post anyway, but how can I check and if needed, remove the trojan?
ESET doesn't see anything wrong with it.


ESET does too. As soon as I extracted it, it detected a trojan.

djkemp1
06-23-2009, 06:21 PM
With trojans such as this, even if it manages to get onto your computer, will software such as Kaspersky pick it up before it lets the trojan activate?

How has this software got out? I'm confused. Have the groups released software with trojans packed in?

SonsOfLiberty
06-23-2009, 06:46 PM
My firewall blocked the attempt and asked whether to connect to xxx.xxx; my firewall doesn't let anything out unless OK'd, and it's got one of the best leak test results out there (Comodo). Plus it was a temp file asking for access, not alt.binz, because I truly wanted to see what was going on.

zot
06-23-2009, 07:39 PM
Here's a Virustotal analysis:

http://www.virustotal.com/analisis/08d8af59c3c2ec6d2814be7eeb5f3037b1a8de9f6ae9c889a0a45feb8c758ecf-1245784956



File altbinz.exe received on 2009.06.23 19:22:36 (UTC)
Current status: finished
Result: 22/41 (53.66%)

Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.06.23 Riskware.PSWTool.Win32.Messen!IK
AhnLab-V3 5.0.0.2 2009.06.23 -
AntiVir 7.9.0.193 2009.06.23 DR/PSW.NetPass.FV.4
Antiy-AVL 2.0.3.1 2009.06.23 PSWTool/Win32.NetPass.gen
Authentium 5.1.2.4 2009.06.23 W32/Virut.AI!Generic
Avast 4.8.1335.0 2009.06.23 -
AVG 8.5.0.339 2009.06.23 Dropper.Small
BitDefender 7.2 2009.06.23 -
CAT-QuickHeal 10.00 2009.06.22 -
ClamAV 0.94.1 2009.06.23 -
Comodo 1401 2009.06.23 -
DrWeb 5.0.0.12182 2009.06.23 Tool.PassView.117
eSafe 7.0.17.0 2009.06.23 Win32.PSWTool.NetPas
eTrust-Vet 31.6.6575 2009.06.23 Win32/Inpect.10
F-Prot 4.4.4.56 2009.06.23 W32/Virut.AI!Generic
F-Secure 8.0.14470.0 2009.06.23 PSWTool.Win32.NetPass.fv
Fortinet 3.117.0.0 2009.06.23 HackerTool/Multidr
GData 19 2009.06.23 -
Ikarus T3.1.1.59.0 2009.06.23 not-a-virus:PSWTool.Win32.Messen
Jiangmin 11.0.706 2009.06.23 -
K7AntiVirus 7.10.768 2009.06.19 -
Kaspersky 7.0.0.125 2009.06.23 not-a-virus:PSWTool.Win32.NetPass.fv
McAfee 5655 2009.06.23 MultiDropper-BU
McAfee+Artemis 5655 2009.06.23 MultiDropper-BU
McAfee-GW-Edition 6.7.6 2009.06.23 Trojan.Dropper.PSW.NetPass.FV.4
Microsoft 1.4803 2009.06.23 -
NOD32 4181 2009.06.23 probably unknown CRYPT.WIN32
Norman 6.01.09 2009.06.23 -
nProtect 2009.1.8.0 2009.06.23 -
Panda 10.0.0.16 2009.06.23 -
PCTools 4.4.2.0 2009.06.22 -
Prevx 3.0 2009.06.23 Medium Risk Malware Dropper
Rising 21.35.14.00 2009.06.23 -
Sophos 4.42.0 2009.06.23 Mal/Generic-A
Sunbelt 3.2.1858.2 2009.06.23 VIPRE.Suspicious
Symantec 1.4.4.12 2009.06.23 -
TheHacker 6.3.4.3.351 2009.06.22 -
TrendMicro 8.950.0.1094 2009.06.23 -
VBA32 3.12.10.7 2009.06.23 -
ViRobot 2009.6.23.1800 2009.06.23 Not_a_virus:PSWTool.Messen.2343936
VirusBuster 4.6.5.0 2009.06.23 Win32.Vundo.EX


Additional information

File size: 2343936 bytes
MD5...: ef8bc3ea83f3989c4b8c196f65c3a4bf
SHA1..: 753e0e7e77f9f1ebed85929f9099a669a88aee13
SHA256: 08d8af59c3c2ec6d2814be7eeb5f3037b1a8de9f6ae9c889a0a45feb8c758ecf
ssdeep: 49152:3zWSyrROgSo0R1OJgna0CAup3a2CFUlhnQycgI8y5AP0jveNU:3zWhRjCnG3aIVQFJYg
PEiD..: -
TrID..: File type identification
Win32 EXE Yoda's Crypter (64.5%)
Win32 Executable Generic (20.7%)
Win16/32 Executable Delphi generic (5.0%)
Generic Win/DOS Executable (4.8%)
DOS Executable Generic (4.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4760bc
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
0x1000 0x32c000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
0x32d000 0x13b000 0x13a800 8.00 82dada95a1a5032c894e315af113d144
.rsrc 0x468000 0x102000 0x101800 7.99 1404b74b6b616af57b377b1b9bc5f7db

( 15 imports )
> KERNEL32.DLL: GetTempPathA, GetTempFileNameA, CreateFileA, WriteFile, CloseHandle, GetStartupInfoA, CreateProcessA, GetModuleHandleA, LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> advapi32.dll: RegFlushKey
> comctl32.dll: ImageList_Add
> comdlg32.dll: ChooseFontA
> crypt32.dll: CertFreeCertificateContext
> gdi32.dll: SaveDC
> imm32.dll: ImmGetContext
> ole32.dll: DoDragDrop
> oleaut32.dll: VariantCopy
> shell32.dll: DragFinish
> SHFolder.dll: SHGetFolderPathA
> user32.dll: GetDC
> version.dll: VerQueryValueA
> winmm.dll: PlaySoundA
> winspool.drv: OpenPrinterA

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-
packers (Kaspersky): UPX, UPX, UPX, PE_Patch.UPX, UPX, UPX
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=4EAE4F40006F3399C4D023C86CF809001ADD86A1


As you can see, only about half the anti-virus apps flagged it.
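One way to answer srw985's question above about checking a local altbinz.exe, added here as an example and not code from anyone in the thread: it hashes the file and compares all three digests against the fingerprint in the VirusTotal report just quoted. The file path is assumed to be given on the command line.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
)

// Fingerprint holds the three digests a VirusTotal report lists for a sample.
type Fingerprint struct{ MD5, SHA1, SHA256 string }

// TrojanedAltbinz is the known-bad fingerprint of the infected altbinz.exe,
// copied from the VirusTotal report quoted above.
var TrojanedAltbinz = Fingerprint{
	MD5:    "ef8bc3ea83f3989c4b8c196f65c3a4bf",
	SHA1:   "753e0e7e77f9f1ebed85929f9099a669a88aee13",
	SHA256: "08d8af59c3c2ec6d2814be7eeb5f3037b1a8de9f6ae9c889a0a45feb8c758ecf",
}

// HashBytes computes all three digests of a file's contents.
func HashBytes(data []byte) Fingerprint {
	m, s1, s2 := md5.Sum(data), sha1.Sum(data), sha256.Sum256(data)
	return Fingerprint{hex.EncodeToString(m[:]), hex.EncodeToString(s1[:]), hex.EncodeToString(s2[:])}
}

// Matches reports whether fp equals a known-bad fingerprint on any digest.
// SHA256 alone is conclusive; MD5 and SHA1 are kept because older reports
// and advisories often list only those.
func Matches(fp, bad Fingerprint) bool {
	return fp.SHA256 == bad.SHA256 || fp.SHA1 == bad.SHA1 || fp.MD5 == bad.MD5
}

// CheckFile hashes the file at path and compares it with the known-bad sample.
func CheckFile(path string) (bool, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	return Matches(HashBytes(data), TrojanedAltbinz), nil
}

func main() {
	// Assumed usage: go run check.go <path-to-altbinz.exe> [more files...]
	for _, p := range os.Args[1:] {
		hit, err := CheckFile(p)
		fmt.Printf("%s: infected=%v (err=%v)\n", p, hit, err)
	}
}
```

A non-match only says the file is not this particular sample; a repacked build would need fresh hashes.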

r_black
06-23-2009, 07:49 PM
I'm using 0.28.4. Any chance it's infected too? FWIW, I use KeyScrambler for my browsers and I never ever open AltBinz in admin mode.

1/37

Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.06.23 -
AntiVir 7.9.0.193 2009.06.23 -
Antiy-AVL 2.0.3.1 2009.06.23 -
Authentium 5.1.2.4 2009.06.23 -
Avast 4.8.1335.0 2009.06.23 -
AVG 8.5.0.339 2009.06.23 -
BitDefender 7.2 2009.06.23 -
CAT-QuickHeal 10.00 2009.06.22 -
ClamAV 0.94.1 2009.06.23 -
Comodo 1401 2009.06.23 -
DrWeb 5.0.0.12182 2009.06.23 -
eSafe 7.0.17.0 2009.06.23 Suspicious File
eTrust-Vet 31.6.6575 2009.06.23 -
F-Prot 4.4.4.56 2009.06.23 -
F-Secure 8.0.14470.0 2009.06.23 -
Fortinet 3.117.0.0 2009.06.23 -
GData 19 2009.06.23 -
Ikarus T3.1.1.59.0 2009.06.23 -
Kaspersky 7.0.0.125 2009.06.23 -
McAfee 5655 2009.06.23 -
McAfee+Artemis 5655 2009.06.23 -
McAfee-GW-Edition 6.7.6 2009.06.23 -
Microsoft 1.4803 2009.06.23 -
Norman 6.01.09 2009.06.23 -
nProtect 2009.1.8.0 2009.06.23 -
Panda 10.0.0.16 2009.06.23 -
PCTools 4.4.2.0 2009.06.22 -
Prevx 3.0 2009.06.23 -
Rising 21.35.14.00 2009.06.23 -
Sophos 4.42.0 2009.06.23 -
Sunbelt 3.2.1858.2 2009.06.23 -
Symantec 1.4.4.12 2009.06.23 -
TheHacker 6.3.4.3.351 2009.06.22 -
TrendMicro 8.950.0.1094 2009.06.23 -
VBA32 3.12.10.7 2009.06.23 -
ViRobot 2009.6.23.1800 2009.06.23 -
VirusBuster 4.6.5.0 2009.06.23 -

zot
06-23-2009, 08:27 PM
@r_black

that Virustotal result - 1 out of 37 - is about as clean as you'll ever find :lol:

The infected versions started at 0.30 (when alt.binz started using online login verification) ... but that could always change.

Just to be safe, you could also set up your firewall so altbinz is only allowed to connect to your usenet server and nowhere else.

technovert
06-23-2009, 08:34 PM
Meanwhile, those of us who are donors to alt.binz are fine, same as the users of the free version (.25).

zot
06-23-2009, 09:02 PM
Since the official payware version "calls home" and sets up a connection (presumably encrypted) to a 'secret' server, we just have to trust that it's not rifling through our personal files and sending them out.

That's why I don't like using software that calls home. It's not just about being paranoid, there have actually been some software developers that violated users' privacy and trust.

Eaglebill
06-23-2009, 09:13 PM
Wth reegeed, shame on them... such a let down...
Thx SonsOfLiberty

Crack0saurus
06-23-2009, 09:20 PM
how has this software got out, im confused - has the groups released software with trojans packed?
looking on orlydb, these scene groups (Crude and CzW) have not released any cracked version of altbinz...
http://www.orlydb.com/?q=-crd
http://www.orlydb.com/?q=-czw

So these releases seem to be complete creations of those 2 bloodsuckers at Zerosec :angry:

@ r_black: I'm using that 0.28.4 version as well. There was no need for a crack back then, as it was just leaked from the "contributors" forum and no protection had been implemented into alt.binz yet... The official 0.25 also has a 1/40 result on VirusTotal.

saulin
06-24-2009, 06:04 PM
Yep CRD has not officially released it. I also checked some release sites and Alt.Binz did not come up. So they are just fake releases. No one has really stepped forward to actually crack this app.

djkemp1
06-24-2009, 06:23 PM
If there were any infected files on your system after running the program, would things such as Malwarebytes detect and remove it?

Detale
06-25-2009, 03:23 AM
Why would anyone get a "cracked" version of Alt Binz? It's a free app (http://www.altbinz.net/). What "payware" versions do you guys mean?

unoriginal
06-25-2009, 04:57 AM
.25 is the last free one. To officially get the latest version, which is .31.1, you need to make a donation to the devs of alt.binz.

zot
06-25-2009, 05:23 PM
I wonder if those scene groups realize that their NFOs have been counterfeited?

A few years ago, a cracker/keygen maker named Ivanopulo, who founded the group DAMN, decided to do something about the imposters, lamers and saboteurs falsely using his name.

So he signed all his releases with an encryption key. Fake DAMN releases would fail the key check. Problem solved.
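The release-signing idea zot describes, worked through as an added example (not DAMN's or Ivanopulo's actual scheme, whose details the post does not give): the group publishes one Ed25519 public key, signs each release, and a downloader verifies the archive against that key, so a counterfeit release, or a genuine one that was later modified, fails the check. Ed25519 and the name-plus-archive digest are this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ReleaseSigner holds the group's long-lived keypair. Only Pub is published
// (for instance in every genuine NFO); priv never leaves the group.
type ReleaseSigner struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewReleaseSigner generates a fresh Ed25519 keypair.
func NewReleaseSigner() (*ReleaseSigner, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ReleaseSigner{priv: priv, Pub: pub}, nil
}

// digest binds the release name to the archive bytes, so a signature made for
// one release cannot be reused on a differently named counterfeit.
func digest(name string, archive []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so name/archive boundaries are unambiguous
	h.Write(archive)
	return h.Sum(nil)
}

// Sign produces a detached signature for the named release archive.
func (s *ReleaseSigner) Sign(name string, archive []byte) []byte {
	return ed25519.Sign(s.priv, digest(name, archive))
}

// VerifyRelease is what a downloader runs: it needs only the published public
// key, the release name, the archive bytes and the detached signature.
func VerifyRelease(pub ed25519.PublicKey, name string, archive, sig []byte) bool {
	return ed25519.Verify(pub, digest(name, archive), sig)
}

func main() {
	s, _ := NewReleaseSigner()
	name, archive := "Alt.Binz.v0.31.1.WinAll-CRD", []byte("constructed archive bytes")
	fmt.Println("genuine verifies:", VerifyRelease(s.Pub, name, archive, s.Sign(name, archive)))
}
```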

SonsOfLiberty
06-25-2009, 07:49 PM
Yeah, I remember that. DAMN was an awesome group, and not to mention he "coded" the best DAMN NFO Viewer out there :lol:

zot
06-25-2009, 09:27 PM
Agreed. I always thought Ivanopulo/DAMN was one of the best crackers, and many times the DAMN releases worked when all others did not. Too bad Ivanopulo left the scene.

unoriginal
06-29-2009, 07:07 AM
Looks like Zerosec finally did something with regards to the person posting the cracked alt.binz files: http://www.zerosec.ws/regarding-recent-concerns/

Hecks
06-30-2009, 08:20 PM
Looks like Zerosec finally did something with regards to the person posting the cracked alt.binz files: http://www.zerosec.ws/regarding-recent-concerns/

That thread is full of lies. The logs clearly show mupet0000 accessing the stolen passwords. They've deleted posts pointing this out. Also, they were told about this as soon as the source of the trojan was identified, who knows why they decided to sit on it for so long. You can see for yourselves what kind of idiots run things there - stay away, is my advice.

-Hecks