
Warning - convincing trojan-poisoned posts, some safety tips.



bonaparte
01-28-2014, 11:02 PM
Hi,

I've recently noticed an increase in quite convincing fakes of scene releases, poisoned with trojan malware.

Unlike many other fake posts these actually contain the release, but typically they have been repacked with a trojan inserted into the iso. Sometimes the only way to tell is to check the file hashes of the post, as the trojan distributors are increasingly paying attention to scene rules about file size and taking care to match file names and extensions precisely to the genuine release.

Take for example these two posts (https://www.binsearch.info/?q=rld-dhbrig&max=250&adv_age=1100&server=) purporting to be a DLC update for the game Dishonored.

The first post to a.b.games.dox is the genuine scene release. The second post to a.b.boneless and a.b.games is the same release repacked with a trojan that will install if you run the included setup.exe....

Here it's quite easy to tell that one of the posts is fake due to the different number of rar files (the fake post does get the file size right though). Sometimes it's not so simple such as when the genuine release is only posted with an encrypted filename so only the fake shows up in a search. Relying on the date a file was posted isn't a good idea, here the infected release was posted 2 days before the genuine release. Telling which is the genuine release without further information is trickier. Downloading and extracting them both showed that the fake release iso was larger (by a few kilobytes) than the genuine. Looking at the contents of the iso revealed an extra "setup.exe" that was flagged as a trojan installer by virustotal.

Even if you're using an nzb from a usually reliable source, never just trust that a post is what it claims to be. Take the time to read the scene rules and ignore any posts that don't conform exactly to them (filesize, compression etc). Even then, track down the file hashes if at all possible. Always virus scan and run the executable through VirusTotal or another on-line virus scanning engine (EDIT: though remember that just because a file is clean in VirusTotal doesn't mean it's 100% OK; advanced trojan writers use polymorphic coding techniques to keep ahead of the AV companies, see the reddit AMA (https://pay.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/?limit=500) linked in post 6 by piercerseth (http://filesharingtalk.com/threads/455604-Warning-convincing-trojan-posioned-posts-some-safety-tips?p=3730157&viewfull=1#post3730157) for a malware coder boasting about this)

If anyone else has additional tips for avoiding the fake/malware ridden posts I'd be glad to hear them....

EDIT: my original example analysis was confusing, updated with better information.

909
01-28-2014, 11:27 PM
Good post, I'd like to know as well.

bonaparte
01-29-2014, 12:05 AM
I find srrdb.com useful for getting file hashes, to help identify the genuine post out of all the fakes. It has not let me down so far, though of course a hash from there doesn't prove a post is safe - you still need to virus scan the download.
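
The two checks the posts above describe (comparing a download against the release's hash list, and looking for an executable that the genuine release never shipped) as an added example; this is not code from the thread or from srrdb. It verifies a release directory against the CRC-32 list in a scene .sfv file, then reports any file on disk the .sfv did not list, flagging those with an executable extension. The release names, volume contents and the setup.exe in demo() are constructed for illustration.

```python
import os
import tempfile
import zlib

# Extensions that execute when opened. Scene .sfv files list only the archive
# volumes, so an unlisted file with one of these extensions (note .scr: a Windows
# screensaver is a plain executable) is exactly what a repacker adds.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".msi", ".vbs", ".js"}
# Files a release legitimately ships beside the volumes without listing them.
METADATA_EXTS = {".nfo", ".sfv"}


def parse_sfv(text):
    """Parse .sfv text into {filename: crc32}. Lines beginning with ';' are comments."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, crc_hex = line.rsplit(None, 1)
        expected[name] = int(crc_hex, 16)
    return expected


def crc32_of_file(path, chunk=1 << 20):
    """Streamed CRC-32 (the checksum .sfv uses) so multi-GB volumes are not read into RAM."""
    crc = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            crc = zlib.crc32(block, crc)
    return crc & 0xFFFFFFFF


def verify_release(release_dir, sfv_text):
    """Check every listed file's CRC-32 and report anything on disk the .sfv did not list."""
    expected = parse_sfv(sfv_text)
    present = {}
    for root, _dirs, files in os.walk(release_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, release_dir).replace(os.sep, "/")
            present[rel] = full

    report = {"ok": [], "mismatch": [], "missing": [], "extra": [], "suspicious": []}
    for name, crc in expected.items():
        if name not in present:
            report["missing"].append(name)
        elif crc32_of_file(present[name]) == crc:
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    for name in sorted(present):
        ext = os.path.splitext(name)[1].lower()
        if name in expected or ext in METADATA_EXTS:
            continue
        report["extra"].append(name)
        if ext in EXECUTABLE_EXTS:
            report["suspicious"].append(name)
    # Matching CRCs prove the bytes match the group's own list; they do not prove
    # the release is harmless, so a clean report is still followed by a scan.
    report["clean"] = not (report["mismatch"] or report["missing"] or report["suspicious"])
    return report


def demo(repacked=True):
    """Constructed sample, not real release data: two archive volumes with a matching
    .sfv; with repacked=True the second volume is altered and an unlisted setup.exe
    is dropped beside it, the pattern the thread describes."""
    vol1 = b"RAR-VOLUME-ONE" * 2000
    vol2 = b"RAR-VOLUME-TWO" * 2000
    sfv = "; constructed sample .sfv\n"
    sfv += "grp-game.rar %08X\n" % zlib.crc32(vol1)
    sfv += "grp-game.r00 %08X\n" % zlib.crc32(vol2)
    files = {"grp-game.rar": vol1, "grp-game.r00": vol2, "grp-game.nfo": b"release notes"}
    if repacked:
        files["grp-game.r00"] = vol2[:-1] + b"X"    # repacked volume, CRC no longer matches
        files["setup.exe"] = b"MZ not a real binary"  # extra executable the .sfv never listed
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return verify_release(tmp, sfv)


if __name__ == "__main__":
    print(demo())
```

With a real release, read the group's .sfv (or the CRC list srrdb shows for it) into sfv_text and point verify_release at the extracted directory; a "mismatch" on a volume or anything under "suspicious" means the post is not the release it claims to be, while a clean report only means the bytes match the list and the usual scan still follows.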

sandman_1
01-29-2014, 12:29 AM
I always test an exe in a Sandbox as should everyone else.

megabyteme
01-29-2014, 01:29 AM
I always test an exe in a Sandbox as should everyone else.

Coincidentally, I buried my ex- in a sandbox. :sneaky:

piercerseth
01-29-2014, 04:42 AM
Watching where and when they're posted is half of it. Spend enough time in a group you'll learn pretty quick what's shit and what's not.

https://pay.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/?limit=500 ctrl-f "usenet" for some laughs

Gribley
01-30-2014, 12:29 PM
I always test an exe in a Sandbox as should everyone else.

Even fairly reliable stuff I install to a VM regardless and then copy back out to the real machine. I think it's a good plan with all the Steam-based stuff, as it runs without any extra config, so it's super easy to do.

If people download posts with no .nfo and a stupid filesize (for what they are getting) then hey ho... send your money right now to get your lottery win, and good luck.

dslgal
02-01-2014, 04:58 AM
Big ups for the info. Any time I get the exe file I multi-scan it. Sad thing is, too many cracks or bypasses alert Malwarebytes and the like (then it's the end of the d/l because I can't tell if it's just the scanner or the file is truly a baddie). Haven't looked into Sandboxie--sounds interesting ;)

konseptz
02-01-2014, 08:29 AM
Thanks a lot for the info! You probably saved my computer.

ZEROdayO
02-01-2014, 08:47 AM
Another example of spam/viruses, always [7/7]

http://nzbx.ws/article.php?group=alt.binaries.nl&article=3811943377&action=info

NNTP-Posting-Host: d95e5ee6.news.astraweb.com
X-Trace: DXC=ADeYO<n>Xg]?W?WaA<e5APL?0kYOcDh@ZZ@C;D0CEVQPKHUK7<C=CC\aJO_]QU2XRXU]2=QFhn<b^XXKdI]d2hH\@[U<0E:Hd3Pe;<U3`DH`6^

Just, the more people report them, the sooner they get their acc. closed ;)

sandman_1
02-01-2014, 03:10 PM
Had a case where no virus scanners I tried, probably 5 or more, found a Bitcoin miner in with a game I downloaded. Just goes to show that even if it comes up clean, doesn't mean it is.

zealot
02-02-2014, 04:50 PM
I always check exes with a virus checker, thanks for the info about the ISOs.

poopsnorkeler
02-03-2014, 05:15 AM
Question --- what about the opposite, where anti-virus software (intentionally?) detects clean cracked dlls and exes as infected? Sometimes they're categorized as potentially unwanted software and I get that ... in a corporate environment I'm sure a business needs to keep their network free of pirated software. What is the easiest and quickest way to tell a "wrongly accused" file from a truly infected file?

2501
02-03-2014, 07:50 AM
Another example of spam/viruses, always [7/7]

http://nzbx.ws/article.php?group=alt.binaries.nl&article=3811943377&action=info

NNTP-Posting-Host: d95e5ee6.news.astraweb.com
X-Trace: DXC=ADeYO<n>Xg]?W?WaA<e5APL?0kYOcDh@ZZ@C;D0CEVQPKHUK7<C=CC\aJO_]QU2XRXU]2=QFhn<b^XXKdI]d2hH\@[U<0E:Hd3Pe;<U3`DH`6^

Just, the more people report them, the sooner they get their acc. closed ;)
nice promoting of your stupid site

ZEROdayO
02-03-2014, 08:55 AM
Oh sorry 2501, I also own google.com, I forgot to mention :)

If you love spam/virus posters on usenet, leave it, but I sure as hell don't like them, so reporting is on.

Beck38
02-04-2014, 01:28 PM
Good stuff here, luckily I don't do 'games' (ps3/4/xbox you name it) but the amount of '.exe' crap flooding the newsgroups (most of it out of Europe, or at least the euro servers and euro newsgroups) is huge. Most of it, interestingly, looks like p0rn or even ntsc/dvd, you name it.

I keep every machine in my network fully backed up, and do have one in particular I can utilize as a 'sandbox', but really, it's so obvious that it isn't even funny any more. Keep to nzb's, and check to at least make sure the actual files 'exist' in the 'real world' (nzbcc or other means).

notgonna72
02-05-2014, 12:41 PM
Huh, the malware repackagers are getting slightly better at being chameleons
As a side question though, is there some reason the "official" sources don't always have par2?

546ofof084ffg
02-05-2014, 07:17 PM
Poster history.

100++ posts all in a day, all with nearly identical filesizes? Probably malicious. :cry1:

piercerseth
02-05-2014, 08:17 PM
Poster history.

100++ posts all in a day, all with nearly identical filesizes? Probably malicious. :cry1:
You mean .scr doesn't stand for scene release?

ferrian
02-06-2014, 08:02 PM
Thanks for the tips. I've always been a little paranoid about running pc releases.

lawrence1
02-08-2014, 09:51 AM
It is getting harder and harder to spot poisoned files. That is why I am always hesitant about running any 'exe' files. Scary stuff. I guess one could always "test" it on a VM...