Alt.binz users beware! You have been compromised
Newsflash for all those people who have started one of the various "cracked" versions of Alt.Binz floating around on Usenet: they are ALL trojan infected. All Firefox, IE, IM and Steam passwords are collected and uploaded to the attacker's site.
Zerosec staffers are responsible for the infected uploads. Check the sources, because you probably don't believe this already??
However, we are not that bright, so we left our cPanel login data in our leet script, so our server got pwned, with all logins and some Zerosec stuff. :lol:
[#altbin@EFNet]-[Full]-[Alt.Binz.v0.31.1.WinAll.Multilingual-CRD]-[0/8] - "crude.nfo" yEnc
[#altbin@EFNet]-[Full]-[Alt.Binz.v0.31.1.WinAll-iND]-[2/7] - "Alt.Binz.v0.31.1.WinAll-iND.par2" yEnc
[#altbin@EFNet]-[Full]-[Alt.Binz.0.31.1.WinALL.Cracked.REAL-CzW]-[2/7] - "czw.nfo" yEnc
So if this is you? Is it? Looks like Zerosec has some explaining to do?
Still don't believe? Check sources.
Source: Zerosec staff are a bunch of MF stealers
Homepage: alt.binZ
Re: Alt.binz users beware! You have been compromised
Torrents and trackers give me a healthy dose of e-drama to keep me entertained.
About time newzbin followed suit. :lol:
Re: Alt.binz users beware! You have been compromised
You mean Usenet? Newzbin is an indexing site :lol:
Re: Alt.binz users beware! You have been compromised
yeah..Usenet :lol:
/me never had a good reason to use usenet. :P
Re: Alt.binz users beware! You have been compromised
This stuff seems to avoid virus scanners apparently.
I'm fairly sure I'm not using the compromised version, not the one from that post anyway, but how can I check and if needed, remove the trojan?
ESET doesn't see anything wrong with it.
Re: Alt.binz users beware! You have been compromised
I do this sort of thing with rapidshare downloads, bind the client with a crack, virtually undetectable, person clicks said crack ?????? PROFIT!
Re: Alt.binz users beware! You have been compromised
Quote: Originally Posted by srw985
    This stuff seems to avoid virus scanners apparently.
    I'm fairly sure I'm not using the compromised version, not the one from that post anyway, but how can I check and if needed, remove the trojan?
    ESET doesn't see anything wrong with it.
ESET does too; as soon as I extracted it, it detected a trojan.
Re: Alt.binz users beware! You have been compromised
With trojans such as this, even if it manages to get onto your computer, will software such as Kaspersky pick it up before it lets the trojan activate?
How has this software got out? I'm confused. Have the groups released software with trojans packed in?
Re: Alt.binz users beware! You have been compromised
My firewall blocked the attempt and asked whether to let it connect to xxx.xxx; my firewall doesn't let anything out unless OK'd, and it has one of the best leak-test records out there (Comodo). Plus, it was a temp file asking for access, not alt.binz, because I truly wanted to see what was going on.
Re: Alt.binz users beware! You have been compromised
Here's a Virustotal analysis:
http://www.virustotal.com/analisis/0...ecf-1245784956
Code:
File altbinz.exe received on 2009.06.23 19:22:36 (UTC)
Current status: finished
Result: 22/41 (53.66%)
Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.06.23 Riskware.PSWTool.Win32.Messen!IK
AhnLab-V3 5.0.0.2 2009.06.23 -
AntiVir 7.9.0.193 2009.06.23 DR/PSW.NetPass.FV.4
Antiy-AVL 2.0.3.1 2009.06.23 PSWTool/Win32.NetPass.gen
Authentium 5.1.2.4 2009.06.23 W32/Virut.AI!Generic
Avast 4.8.1335.0 2009.06.23 -
AVG 8.5.0.339 2009.06.23 Dropper.Small
BitDefender 7.2 2009.06.23 -
CAT-QuickHeal 10.00 2009.06.22 -
ClamAV 0.94.1 2009.06.23 -
Comodo 1401 2009.06.23 -
DrWeb 5.0.0.12182 2009.06.23 Tool.PassView.117
eSafe 7.0.17.0 2009.06.23 Win32.PSWTool.NetPas
eTrust-Vet 31.6.6575 2009.06.23 Win32/Inpect.10
F-Prot 4.4.4.56 2009.06.23 W32/Virut.AI!Generic
F-Secure 8.0.14470.0 2009.06.23 PSWTool.Win32.NetPass.fv
Fortinet 3.117.0.0 2009.06.23 HackerTool/Multidr
GData 19 2009.06.23 -
Ikarus T3.1.1.59.0 2009.06.23 not-a-virus:PSWTool.Win32.Messen
Jiangmin 11.0.706 2009.06.23 -
K7AntiVirus 7.10.768 2009.06.19 -
Kaspersky 7.0.0.125 2009.06.23 not-a-virus:PSWTool.Win32.NetPass.fv
McAfee 5655 2009.06.23 MultiDropper-BU
McAfee+Artemis 5655 2009.06.23 MultiDropper-BU
McAfee-GW-Edition 6.7.6 2009.06.23 Trojan.Dropper.PSW.NetPass.FV.4
Microsoft 1.4803 2009.06.23 -
NOD32 4181 2009.06.23 probably unknown CRYPT.WIN32
Norman 6.01.09 2009.06.23 -
nProtect 2009.1.8.0 2009.06.23 -
Panda 10.0.0.16 2009.06.23 -
PCTools 4.4.2.0 2009.06.22 -
Prevx 3.0 2009.06.23 Medium Risk Malware Dropper
Rising 21.35.14.00 2009.06.23 -
Sophos 4.42.0 2009.06.23 Mal/Generic-A
Sunbelt 3.2.1858.2 2009.06.23 VIPRE.Suspicious
Symantec 1.4.4.12 2009.06.23 -
TheHacker 6.3.4.3.351 2009.06.22 -
TrendMicro 8.950.0.1094 2009.06.23 -
VBA32 3.12.10.7 2009.06.23 -
ViRobot 2009.6.23.1800 2009.06.23 Not_a_virus:PSWTool.Messen.2343936
VirusBuster 4.6.5.0 2009.06.23 Win32.Vundo.EX
Additional information
File size: 2343936 bytes
MD5...: ef8bc3ea83f3989c4b8c196f65c3a4bf
SHA1..: 753e0e7e77f9f1ebed85929f9099a669a88aee13
SHA256: 08d8af59c3c2ec6d2814be7eeb5f3037b1a8de9f6ae9c889a0a45feb8c758ecf
ssdeep: 49152:3zWSyrROgSo0R1OJgna0CAup3a2CFUlhnQycgI8y5AP0jveNU:3zWhRjCnG3aIVQFJYg
PEiD..: -
TrID..: File type identification
Win32 EXE Yoda's Crypter (64.5%)
Win32 Executable Generic (20.7%)
Win16/32 Executable Delphi generic (5.0%)
Generic Win/DOS Executable (4.8%)
DOS Executable Generic (4.8%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x4760bc
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
0x1000 0x32c000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
0x32d000 0x13b000 0x13a800 8.00 82dada95a1a5032c894e315af113d144
.rsrc 0x468000 0x102000 0x101800 7.99 1404b74b6b616af57b377b1b9bc5f7db
( 15 imports )
> KERNEL32.DLL: GetTempPathA, GetTempFileNameA, CreateFileA, WriteFile, CloseHandle, GetStartupInfoA, CreateProcessA, GetModuleHandleA, LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> advapi32.dll: RegFlushKey
> comctl32.dll: ImageList_Add
> comdlg32.dll: ChooseFontA
> crypt32.dll: CertFreeCertificateContext
> gdi32.dll: SaveDC
> imm32.dll: ImmGetContext
> ole32.dll: DoDragDrop
> oleaut32.dll: VariantCopy
> shell32.dll: DragFinish
> SHFolder.dll: SHGetFolderPathA
> user32.dll: GetDC
> version.dll: VerQueryValueA
> winmm.dll: PlaySoundA
> winspool.drv: OpenPrinterA
( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-
packers (Kaspersky): UPX, UPX, UPX, PE_Patch.UPX, UPX, UPX
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=4EAE4F40006F3399C4D023C86CF809001ADD86A1
As you can see, only about half the anti-virus apps flagged it.
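Added example, not from the post above or from VirusTotal: a minimal PE section parser that computes the per-section entropy shown in the PEInfo block and applies the triage heuristics a practitioner would read off this report. A section with zero raw bytes on disk but a large virtual size is the packer's unpack target; a section with entropy near 8.0 is a compressed or encrypted payload (the report shows 8.00 and 7.99); the 0x2a425e19 timestamp is the fixed stamp Borland Delphi linkers write, which is why it reads 1992 and says nothing about when the file was built; and the GetTempPathA/GetTempFileNameA/CreateFileA/WriteFile/CreateProcessA import set is the canonical "write a file to %TEMP% and execute it" dropper pattern, consistent with the temp file asking for network access a few posts up. The sample PE is synthetic, constructed in build_sample_pe() to mirror the report's section layout; it is not the Alt.Binz binary and is not loadable. The entropy threshold 7.5 and the entry-point RVA are assumptions for the demo.

```python
import hashlib
import math
import struct
import time

# Fixed TimeDateStamp written by Borland Delphi linkers: Fri Jun 19 22:22:17 1992.
DELPHI_STAMP = 0x2A425E19
# Together these imports implement "drop a file into %TEMP% and run it".
DROPPER_IMPORTS = {"GetTempPathA", "GetTempFileNameA", "CreateFileA", "WriteFile", "CreateProcessA"}
PACKED_ENTROPY = 7.5  # assumed threshold; random/compressed data sits near 8.0


def shannon_entropy(data):
    """Bits per byte, 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob):
    """Read DOS stub, COFF header, PE32 optional header and section table with struct only."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    entry = struct.unpack_from("<I", blob, opt + 16)[0]  # AddressOfEntryPoint (RVA)
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, off)
        raw = blob[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vaddr": vaddr,
                         "vsize": vsize, "rawsize": rawsize, "entropy": round(shannon_entropy(raw), 2)})
        off += 40
    return {"machine": machine, "timestamp": stamp, "entry": entry, "sections": sections}


def triage(pe, imports):
    """Turn parsed header facts plus the import list into human-readable indicators."""
    findings = []
    for s in pe["sections"]:
        label = s["name"] or "<unnamed>"
        if s["entropy"] >= PACKED_ENTROPY:
            findings.append(f"{label}: entropy {s['entropy']} -> compressed or encrypted payload")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(f"{label}: 0 bytes on disk, {s['vsize']:#x} in memory -> unpack target")
        if not s["name"] and s["vaddr"] <= pe["entry"] < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            findings.append(f"entry point {pe['entry']:#x} lies in an unnamed section -> packer stub")
    if pe["timestamp"] == DELPHI_STAMP:
        findings.append("timestamp is the fixed Delphi linker stamp (1992) -> not a real build date")
    elif pe["timestamp"] > time.time():
        findings.append("timestamp is in the future -> forged")
    if DROPPER_IMPORTS <= imports:
        findings.append("imports GetTempPathA/GetTempFileNameA/CreateFileA/WriteFile/CreateProcessA "
                        "-> writes a file to %TEMP% and executes it (dropper)")
    return findings


def align(n, a):
    return (n + a - 1) // a * a


def pseudo_random(n, seed=b"constructed-sample"):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for a packed payload."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe(sections, timestamp, entry_rva):
    """Constructed sample: minimal PE32 with (name, raw data, virtual size) sections. Parseable, not runnable."""
    opt_size, falign = 0xE0, 0x200
    hdr_size = align(0x40 + 4 + 20 + opt_size + 40 * len(sections), falign)
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)       # ImageBase
    hdrs, body, rawptr, vaddr = b"", b"", hdr_size, 0x1000
    for name, data, vsize in sections:
        vsize = vsize or len(data)
        rawsize = align(len(data), falign)
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, rawsize,
                            rawptr if rawsize else 0, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(rawsize, b"\0")
        rawptr += rawsize
        vaddr += align(max(vsize, 1), 0x1000)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(hdr_size, b"\0") + body


def analyse_sample():
    """Build a sample shaped like the report (empty section, packed section, .rsrc) and triage it."""
    blob = build_sample_pe([
        (b"", b"", 0x32C000),                                  # nothing on disk, huge in memory
        (b"", pseudo_random(0x1000), 0),                       # packer payload, entropy ~8
        (b".rsrc", b"Alt.Binz resource strings " * 160, 0),    # ordinary low-entropy data
    ], DELPHI_STAMP, 0x32D010)                                 # entry in the unnamed packed section
    pe = parse_pe(blob)
    imports = DROPPER_IMPORTS | {"CloseHandle", "LoadLibraryA", "GetProcAddress", "VirtualProtect",
                                 "VirtualAlloc", "VirtualFree", "ExitProcess"}
    return pe, triage(pe, imports)


if __name__ == "__main__":
    pe, findings = analyse_sample()
    for s in pe["sections"]:
        print(f"{s['name'] or '<unnamed>':8} vaddr={s['vaddr']:#x} raw={s['rawsize']:#x} entropy={s['entropy']}")
    print("\n".join(findings))
```

To run this against a real file, replace the synthetic blob with `open(path, "rb").read()` and feed the import names from a proper import-table walk (pefile or VirusTotal's list); the parser above deliberately stops at the section table. Note that none of these indicators alone convicts a binary: legitimate Delphi software carries the 1992 stamp, and many installers are packed. It is the combination, plus the halved detection ratio, that makes this sample worth a sandbox run rather than a shrug.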