Warning - convincing trojan-poisoned posts, some safety tips.
Hi,
I've recently noticed an increase in quite convincing fakes of scene releases, poisoned with trojan malware.
Unlike many other fake posts, these actually contain the release, but typically they have been repacked with a trojan inserted into the iso. Sometimes the only way to tell is to check the file hashes of the post, as the trojan distributors are increasingly paying attention to scene rules about file size and taking care to match file names and extensions precisely to the genuine release.
Take for example these two posts purporting to be a DLC update for the game Dishonored.
The first post to a.b.games.dox is the genuine scene release. The second post to a.b.boneless and a.b.games is the same release repacked with a trojan that will install if you run the included setup.exe....
Here it's quite easy to tell that one of the posts is fake due to the different number of rar files (the fake post does get the file size right, though). Sometimes it's not so simple, such as when the genuine release is only posted with an encrypted filename, so only the fake shows up in a search. Relying on the date a file was posted isn't a good idea; here the infected release was posted 2 days before the genuine release. Telling which is the genuine release without further information is trickier. Downloading and extracting them both showed that the fake release iso was larger (by a few kilobytes) than the genuine one. Looking at the contents of the iso revealed an extra "setup.exe" that was flagged as a trojan installer by virustotal.
Even if you're using an nzb from a usually reliable source, never just trust that a post is what it claims to be. Take the time to read the scene rules and ignore any posts that don't conform exactly to them (filesize, compression etc). Even then, track down the file hashes if at all possible. Always virus scan and run the executable through virustotal or another on-line virus scanning engine. (EDIT: though remember, just because a file is clean in virustotal doesn't mean it's 100% ok; advanced trojan writers use polymorphic coding techniques to keep ahead of the AV companies, see the reddit AMA linked in post 6 by piercerseth for a malware coder boasting about this.)
If anyone else has additional tips for avoiding the fake/malware ridden posts I'd be glad to hear them....
EDIT: my original example analysis was confusing, updated with better information.
Re: Warning - convincing trojan-poisoned posts, some safety tips.
Good post, I'd like to know as well.
Re: Warning - convincing trojan-poisoned posts, some safety tips.
I find srrdb.com useful for getting file hashes, to help identify the genuine post out of all the fakes. It has not let me down so far, though of course a hash from there doesn't prove a post is safe - you still need to virus scan the download.
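The hash check recommended above, as an added example that is not from any poster in this thread: it verifies a downloaded release directory against a trusted SFV (the CRC32 list a source like srrdb provides) and reports mismatched, missing and extra files, such as an added setup.exe the SFV never listed. The release name, file contents and SFV in demo() are constructed, not taken from a real post.

```python
import binascii
import os
import tempfile

def parse_sfv(text):
    """Parse SFV text: one '<filename> <CRC32 hex>' per line; ';' lines are comments."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, _, crc = line.rpartition(" ")   # filenames may contain spaces
        expected[name.strip()] = int(crc, 16)
    return expected

def crc32_of(path, chunk=1 << 20):
    """Stream the file through CRC32 so large archives need not fit in memory."""
    crc = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            crc = binascii.crc32(block, crc)
    return crc & 0xFFFFFFFF

def verify_release(directory, sfv_text):
    """Check a release dir against a trusted SFV: ok / bad CRC / missing / extra files."""
    expected = parse_sfv(sfv_text)
    report = {"ok": [], "bad": [], "missing": [], "extra": []}
    present = {f for f in os.listdir(directory) if not f.lower().endswith(".sfv")}
    for name, crc in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report["missing"].append(name)
        elif crc32_of(path) == crc:
            report["ok"].append(name)
        else:
            report["bad"].append(name)
    report["extra"] = sorted(present - set(expected))   # files the SFV never listed
    return report

def demo():
    """Constructed two-volume release: one volume repacked, one extra installer added."""
    genuine = {"Game.DLC-GRP.r00": b"constructed volume 0", "Game.DLC-GRP.r01": b"constructed volume 1"}
    sfv = "; constructed SFV standing in for the trusted one\n" + "".join(
        "%s %08X\n" % (n, binascii.crc32(d)) for n, d in genuine.items())
    d = tempfile.mkdtemp()
    downloaded = dict(genuine)
    downloaded["Game.DLC-GRP.r01"] += b" tampered"   # repacked volume: CRC no longer matches
    downloaded["setup.exe"] = b"not in the SFV"      # extra file, like the flagged setup.exe
    for n, data in downloaded.items():
        with open(os.path.join(d, n), "wb") as fh:
            fh.write(data)
    return verify_release(d, sfv)
```

A release that passes this check still only matches the SFV; as the posters say, it tells you the post is the genuine release, not that the release itself is safe.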
Re: Warning - convincing trojan-poisoned posts, some safety tips.
I always test an exe in a Sandbox as should everyone else.
Re: Warning - convincing trojan-poisoned posts, some safety tips.
Quote (Originally Posted by sandman_1):
I always test an exe in a Sandbox as should everyone else.
Coincidentally, I buried my ex- in a sandbox. :sneaky:
Re: Warning - convincing trojan-poisoned posts, some safety tips.
Watching where and when they're posted is half of it. Spend enough time in a group and you'll learn pretty quick what's shit and what's not.
https://pay.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/?limit=500 ctrl-f "usenet" for some laughs
Re: Warning - convincing trojan-poisoned posts, some safety tips.
Quote (Originally Posted by sandman_1):
I always test an exe in a Sandbox as should everyone else.
Even fairly reliable stuff I install to a VM regardless and then copy back out to the real machine. I think it's a good plan with all the Steam-based stuff as it runs without any extra config, so super easy to do.
If people download posts with no .nfo and a stupid filesize (for what they are getting) then hayho... send your money right now to get your lottery win, and good luck.
Re: Warning - convincing trojan-poisoned posts, some safety tips.
Big ups for the info. Anytime I get the exe file I multi-scan it. Sad thing is, too many cracks or by-passes alert Malwarebytes and the such (then it's the end of the d/l because I can't tell if it's just the scanner or the file is truly a baddie). Haven't looked into Sandboxie--sounds interesting ;)
Re: Warning - convincing trojan-poisoned posts, some safety tips.
Thanks a lot for the info! You probably saved my computer.
Re: Warning - convincing trojan-poisoned posts, some safety tips.
Another example of spam/viruses, always [7/7]
http://nzbx.ws/article.php?group=alt...77&action=info
NNTP-Posting-Host: d95e5ee6.news.astraweb.com
X-Trace: DXC=ADeYO<n>Xg]?W?WaA<e5APL?0kYOcDh@ZZ@C;D0CEVQPKHUK7<C=CC\aJO_]QU2XRXU]2=QFhn<b^XXKdI]d2hH\@[U<0E:Hd3Pe;<U3`DH`6^
The more people report them, the sooner they get their acc. closed ;)