Hi,
I've recently noticed an increase in quite convincing fakes of scene releases, poisoned with trojan malware.
Unlike many other fake posts these actually contain the release but typically they have been repacked with a trojan inserted into the iso. Sometimes the only way to tell is to check the file hashes of the post as the trojan distributors are increasingly paying attention to scene rules about file size and taking care to match file names and extensions precisely to the genuine release.
Take for example these two posts purporting to be a DLC update for the game Dishonored.
The first post to a.b.games.dox is the genuine scene release. The second post to a.b.boneless and a.b.games is the same release repacked with a trojan that will install if you run the included setup.exe....
Here it's quite easy to tell that one of the posts is fake due to the different number of rar files (the fake post does get the file size right though). Sometimes it's not so simple, such as when the genuine release is only posted with an encrypted filename so only the fake shows up in a search. Relying on the date a file was posted isn't a good idea; here the infected release was posted 2 days before the genuine release. Telling which is the genuine release without further information is trickier. Downloading and extracting them both showed that the fake release iso was larger (by a few kilobytes) than the genuine one. Looking at the contents of the iso revealed an extra "setup.exe" that was flagged as a trojan installer by VirusTotal.
Even if you're using an nzb from a usually reliable source, never just trust that a post is what it claims to be. Take the time to read the scene rules and ignore any posts that don't conform exactly to them (filesize, compression etc.). Even then, track down the file hashes if at all possible. Always virus scan and run the executable through VirusTotal or another on-line virus scanning engine. (EDIT: though remember just because a file is clean in VirusTotal doesn't mean it's 100% ok; advanced trojan writers use polymorphic coding techniques to keep ahead of the AV companies, see the reddit AMA linked in post 6 by piercerseth for a malware coder boasting about this.)
If anyone else has additional tips for avoiding the fake/malware ridden posts I'd be glad to hear them....
EDIT: my original example analysis was confusing, updated with better information.
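The post's main advice is to check the downloaded files against the hashes of the genuine release rather than trusting names, sizes or post dates. Scene releases usually ship an .sfv sidecar (one CRC32 per file), so a small checker that verifies a download directory against a trusted SFV catches both a silently repacked volume and an extra file that the genuine release never had. The following Python script is an added example, not code from the original post or from any release group; it assumes you already have an SFV obtained from the genuine release's source, and its sample directory and SFV contents are constructed inline for demonstration.

```python
import os
import re
import zlib
import tempfile
from dataclasses import dataclass, field

# One SFV entry: "<filename> <8 hex digits>"; lines starting with ';' are comments.
SFV_LINE = re.compile(r"^(?P<name>.+?)\s+(?P<crc>[0-9A-Fa-f]{8})\s*$")


def parse_sfv(text):
    """Return {filename: crc32 as int} from SFV text."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SFV_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable SFV line: {line!r}")
        expected[m.group("name")] = int(m.group("crc"), 16)
    return expected


def crc32_of_file(path, chunk=1 << 20):
    """Stream the file through zlib.crc32 so large rar volumes don't need to fit in memory."""
    crc = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            crc = zlib.crc32(block, crc)
    return crc & 0xFFFFFFFF


@dataclass
class SfvReport:
    ok: list = field(default_factory=list)          # present and CRC matches
    mismatched: list = field(default_factory=list)  # present but CRC differs (repacked?)
    missing: list = field(default_factory=list)     # listed in SFV but not downloaded
    extra: list = field(default_factory=list)       # downloaded but not in the SFV

    @property
    def clean(self):
        return not (self.mismatched or self.missing or self.extra)


def verify_directory(directory, sfv_text, ignore=(".sfv", ".nfo", ".nzb")):
    """Compare every file in `directory` against a trusted SFV.

    Files with suffixes in `ignore` (metadata that legitimately travels with a post)
    are not reported as extra; anything else unexpected is, since an unlisted
    executable is exactly the tell described in the post.
    """
    expected = parse_sfv(sfv_text)
    report = SfvReport()
    present = {n for n in os.listdir(directory)
               if os.path.isfile(os.path.join(directory, n))}
    for name, crc in expected.items():
        if name not in present:
            report.missing.append(name)
        elif crc32_of_file(os.path.join(directory, name)) == crc:
            report.ok.append(name)
        else:
            report.mismatched.append(name)
    for name in sorted(present - set(expected)):
        if not name.lower().endswith(ignore):
            report.extra.append(name)
    return report


def demo():
    """Constructed sample: an SFV for two genuine volumes, then a download where
    volume 2 was repacked and an unlisted setup.exe was added."""
    with tempfile.TemporaryDirectory() as d:
        genuine = {"release-part1.rar": b"genuine archive volume 1",
                   "release-part2.rar": b"genuine archive volume 2"}
        sfv = "; constructed SFV for the example\n"
        for name, data in genuine.items():
            sfv += f"{name} {zlib.crc32(data) & 0xFFFFFFFF:08X}\n"
        # What actually arrived: tampered volume plus an extra executable.
        downloaded = dict(genuine)
        downloaded["release-part2.rar"] = b"repacked archive volume 2 with payload"
        downloaded["setup.exe"] = b"not part of the release"
        for name, data in downloaded.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return verify_directory(d, sfv)


if __name__ == "__main__":
    r = demo()
    print("clean" if r.clean else f"mismatched={r.mismatched} missing={r.missing} extra={r.extra}")
```

The report separates "present but different" from "not in the SFV at all" because the two point at different kinds of fake: the first is a repacked volume, the second is the dropped-in installer from the post. One caveat: CRC32 is an integrity check, not a cryptographic hash, so a determined repacker can pad a file to keep its CRC; where a release's MD5 or SHA-256 list is available, compare against that instead (the same `verify_directory` structure applies, with `hashlib` in place of `zlib.crc32`). The SFV itself must come from the genuine source, not from the suspect post, or the comparison proves nothing.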