New Bot/ Hack Pack
03-11-2009, 03:38 AM
Newbie
Hey everyone, just wanted to let you know one of my friends gave me this new RuneScape pack that has worked great. There are a couple of problems that have to be sorted out, but at the moment it works like a charm and I hope everyone is happy with it.
It has all the latest autos and some guides in there.
Last edited by Stroh; 03-11-2009 at 03:03 PM.
03-11-2009, 04:05 AM
Guru
HAI NEW SKIDDIE! Seems you want to post a trojan too! Let's get to work on this file:
Downloading it, it does not have any credits or readme. In fact, the upload is an exe, not archived into a rar or zip. This is potentially dangerous to those that don't have adequate protection. Let's reverse it and hex:
Code:
\\.\PhysicalDriveSCSIDISKSc \ ?ïÞþc_108 .nl fx221 explorer onfig \United Sta ~Temp9ary Inrnet Filk Te+shlm. Recycs \~INFO2.tX? fnd c:
softwž .chk \ping?
TueQ Éd WR0 2.do1_9 'd ktvfëautun .dll?
?/ Clas ;vÛsIGCL= {645FF040ÛímÃ-5å-1?B-98-?A?ýð?A?F954E}*
B: AMS DOS ~|ÿLoadLib A+k l3Œ?? ,? Debug m@o & OE<EXPX?m LORE ETiSh t html f9\Q\ _p P mma@-owSu o rHiddèn OFTWAR\Mm ÑJEt#\W d - ovCurr V+BoZ ?A|AdvIc ? 7 EX ƒC 0 c nmÏ? ?%Vt ƒX?(@ r? A ËæŠ?À(0 _?JÐWr?#cessvû?ýMemory VirtualAll Ex ?Ã&ûCrea$A R- è?? Thd Geta;??öSizeVolumeFrmý]?h,ô7lstrcpyÁ&@î
! V/@íaUTo8jp32µ`?ýSnapshb " @î ?ars Nex ? o`'YAddrVÞ-@oÄseH?l?Devi?µÖÞ:IoC?ŠhtÐ?5??:Ñ a,M4`ÉJ4õßS;ìÛ ÉDƒectokL0,6d{tErKr= ?ÇþModul\Nam`S$Ý^?ÚAt|?'s ep;ÂÀ?<\-mp??B?Ü?7%o>?Ý ?_{og?éDb?%s?Ë ñú ;Ì
Hmm, seems to be encrypted.. or bound by a binder/crypter. This is a good skiddie, trying to hide the fact that it's a trojan. But what can be done can also be undone. Let's look at several of its functions, then we can determine if this is ok or not.
Code:
KERNEL32.DLL ADVAPI32.dll MFC42.DLL MSVCRT.dll SHELL32.dll USER32.dll LoadLibraryA GetProcAddress RegOpenKeyA free SHGetSpecialFolderPathA ShowWindow /?öE <? <? <? <? ioslib32.dll
Well, we seem to have a few things here. It's trying to access these .dlls from your Operating System. While most cheats can do the same, the RegOpenKey function call is a bit alarming. Also, why is it calling GetSpecialFolder? We need more information from MSDN for those. But let's continue our preliminary examination.
Code:
KERNEL32.DLL ADVAPI32.dll WININET.dll WS2_32.dll LoadLibraryA GetProcAddress RegCloseKey InternetOpenA
All of these DLLs it accesses are a part of your OS. But look at the last entry, InternetOpen. Seems it opens a connection to the net, allowing it access to take information from your computer, and put files onto it.
Code:
lA ûËæ ? À Sleep ?PA??µ*hÅSåC{ûn Ite Wri
ggÛ6
R d S.P?mG ûer Vœl ??F8eAlîßJ ä
lstrcpyI?:??T?ekTà? uExMæ ?^Ç PÚ7*?BkNèdPipLd ?Í>3A mpAR?,ÙìnAªP :V í,
D?~rÉÚïor?De?Ø|É?Mª?"e7?Û?i Sy em ???pACP At.ibu$s?ÃþÍ ?AddrÞMÚu?ª!ßsHandû6?ëÚ? F NexI ?6?pC4se
)t
nË??sk`Sàöb?š> }ve ~f ? Logi-lü
ÍÅ ?ßXCharToMÉÜ
@{BytZ
[Û
k )aijáS6Á?mvgoObjï
More nonsense.. well, there is an interesting string in this section though, Sleep. Usually it means for a trojan, in this case, an IRC bot, to sleep while not in use. Also, we see the words Address, Handle, and function CharToMe. These are not cheat related, in a good cheating way.
Quote:
essag{ùßúeBoxA#ser32.dllH:mðûš?[ d , M y Ù?Ü?3/d/ ?M A2?Ú?remb;w?
7?{]?o
?t ª? Î5fȵoÀ?ëº Îiv Ùch ïMh9ä:?ó
??Þ{g_WSKG|ï?îC7yC?;3 C?Q21œ?C@C?
1 Krs Z? ?5|i ?ž!ft C;Â{ï?7/'#çtϺ ?È Ì
?7 ; ?ì%ã?W
??Ûƒ@P k.?? CÄ?'ÿÉKDlhttp://11.3|ÙBþ6.229.1 234k ?2 1@@1Yì?Å 4 ?,v3 7 n ?]2 >< ##åv?\$$!!~~|??ªÜ4Ë** ?fx2îÿ?=e /cgi-bin/Clnpp5. BþÝÿ %sCmwhite+GET POST{ÍÅ~Owpq4*+ #?kUh
y/?Üþ docs/mm/PUfC]6i.D3ƒraO?W2**CcŒ> àªI? | àÃÆ DV St ??ÿCodec_WMI #??ÌQ[sR1?î Àj aga þ ?owb3\Þfig\Tempo ??? InJnet Fi ?ßÚle".iau +
ðö \ms?gsvk1n ð?and? .;?Ùmd O6 n?`à yÈ?0 g, ?Û?Ù K: /?_108?ñ?o .nls x_96y6ÞNþ,17909d704Xoß6 S'r+ NtQuìyDe?Û ÀfaÅUIL?guL?r bË \Ƶ à{W ÿÀº[ø32 ?ýÝ
Me SE
ìÆ998ŠR2;h îÎ95k(Bu d ????!bv?s ?]Ø?
. S
cl? oRV NãWÊk?cOÀst8 IN éöo ƒductTypâSY ? 4~EM\CuC t
[..]
oP?üc? a#Desktopš!Ød?w&e\?\{CVø V?\Expl???Rû\ShegGKd m???Ks 5Lúvã?ÄD\{AEB67?E- 19-1??ÖÞÒ0-9
Yah.. this section definitely says a lot, even though most of it is gibberish. To a trained eye, it shows that it's creating a messagebox, with time (month, day, year) and establishing a connection to http: (direct IP address). Also we see lower in the section it monitoring desktop / explorer / shell with a registry entry created.
Enough proof just by looks alone prompts us to do more work, but it's obvious that this is not a real cheat. Let's upload this to a more professional sandbox, ThreatExpert: TrojanSpy.Agent.DKZR, W32.Xema.A!inf, Trojan-Spy.Win32.Agent.afn
Oh.. this one is a doozy.. just my second major trojan find on this site.. this one is a baddd boy. Let's see why:
Code:
Program is a malicious application that attempts to steal passwords, login details, and other confidential information.
Quote:
A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
We can't stress enough how important it is to know what it is you are dealing with, before you run any program on your computer.
First, this program creates these files:
Code:
%Programs%\Startup\officexp.exe
%System%\c_10810.nls
%System%\c_20462.nls
%System%\serlibk.exe
%System%\c_19460.nls
%System%\inter32.dll
%System%\msregsv.exe
%System%\shell64.dll
%System%\shlmon.exe
%System%\temp1.exe
Then it creates a new Windows Service: and then it creates a new registry entry
Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32]
After that's completed, it then begins its magic, by connecting to the internet to upload your information. We have located where his FTP is and are currently attempting to hack him, in order to get our accounts back, and stop his IRC bot servers.
Last edited by CampStaff; 03-11-2009 at 06:18 AM.
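The by-eye review of strings and imports in the post above can be scripted as a first-pass triage step before a file is ever run. This is an added example, not code from the thread: the capability buckets, function names and the sample bytes (including the 192.0.2.10 documentation address) are assumptions constructed for illustration, using only API and DLL names quoted in the post.

```python
import math
import re
from collections import Counter

# Assumed capability buckets, built from the API and DLL names quoted in the post.
CAPABILITIES = {
    "dynamic API resolution": {"LoadLibraryA", "GetProcAddress"},
    "registry access": {"RegOpenKeyA", "RegCloseKey"},
    "network": {"InternetOpenA", "WININET.dll", "WS2_32.dll"},
    "shell folders / UI": {"SHGetSpecialFolderPathA", "ShowWindow"},
}

def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII at least min_len long, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8 suggest packed or encrypted content."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def triage(data: bytes) -> dict:
    """Map recovered strings to capability buckets and collect URLs."""
    strings = extract_strings(data)
    lowered = "\n".join(strings).lower()
    found = {}
    for capability, names in CAPABILITIES.items():
        hits = sorted(n for n in names if n.lower() in lowered)
        if hits:
            found[capability] = hits
    urls = re.findall(r"https?://[^\s\"'<>]+", "\n".join(strings))
    return {"capabilities": found, "urls": urls,
            "entropy": round(shannon_entropy(data), 2)}

# Constructed sample: NUL-separated names as they would sit in an import table,
# surrounded by non-printable filler. Not bytes from the real file.
SAMPLE = (b"\x00\x01\xfe" + b"\x00".join([b"KERNEL32.DLL", b"LoadLibraryA",
          b"GetProcAddress", b"ADVAPI32.dll", b"RegOpenKeyA", b"WININET.dll",
          b"InternetOpenA", b"http://192.0.2.10/cgi-bin/x"]) + b"\x00\xff\x90")

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "->", value)
```

None of these imports is malicious on its own; the value is in seeing registry, network and dynamic-loading capability together in a file that claims to be a game tool, which is the cue to send it to a sandbox as the post does.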
03-11-2009, 06:04 AM
Brazilian Aussie
Omg wow that was a nice read
Thanks
Juicy
03-11-2009, 06:07 AM
Advanced Hacker
nice find GJ to campstaff
04-13-2009, 08:27 PM
Banned User
wait a minute what was a trojan horse used for?
10-16-2009, 01:39 PM
Newbie
Good work ~~~~!!