Re: Interesting example of social-engineering trojan hook

FromTheRafters, Oct 14, 2009, 9:23:25 PM

"Virus Guy" <Vi...@Guy.com> wrote in message
news:4AD65A78...@Guy.com...
> I received a spam from the sys-admin of my domain - well, not really.
> It was forged to look that way. I was being advised to update my e-mail
> settings by clicking on this link:
>
> hxxp://nerrasssb.eu/owa/service_directory/settings.php?email=
>
> The full link included my e-mail address, but I've edited it and
> removed it.
>
> Now that link doesn't have any exploits built into the page when
> rendered as far as I can tell, but it does offer a link to the file
> -settings-file.exe.
>
> I submitted it to VT earlier today (and VT hadn't seen it before) and
> it was being detected by 5 AV vendors.
>
> It appears to be polymorphic (VT doesn't seem to get the same sample
> twice). It's being identified as a ZBot variant.

Polymorphic? Could you explain?

[...]


Virus Guy, Oct 14, 2009, 9:58:41 PM

FromTheRafters wrote:

> > It appears to be polymorphic (VT doesn't seem to get the same
> > sample twice). It's being identified as a ZBot variant.
>
> Polymorphic? Could you explain?

The executable file is being dynamically generated by the server such
that the file being served up always has a unique MD5 but (I'm thinking)
it always results in the same executable once it's unpacked and running
on the victim's PC.

Virus Guy, Oct 14, 2009, 11:08:56 PM

"David H. Lipman" wrote:

> New Zeus Bot campaign and it is NOT "polymorphic". LOL

I had submitted a sample (to VT) from work, and when I got home I
downloaded another copy and submitted that as well. I was expecting VT
to tell me that it had already received that file - but it didn't. So I
assumed that the two copies I downloaded were different.

If you say you keep getting the same file, then ok, fine - it's not
polymorphic.

BTW, how do you unpack the file ip1.gif?

FromTheRafters, Oct 14, 2009, 11:21:33 PM

"Virus Guy" <Vi...@Guy.com> wrote in message
news:4AD681D1...@Guy.com...

Okay, polymorphic in the sense that it has many forms. Generally I hear
polymorphic as a spreading mode for viruses, that is to say they
generate their own "many forms" as a matter of their own spreading
(replicating) programmed function.


David H. Lipman, Oct 14, 2009, 11:37:03 PM

From: "Virus Guy" <Vi...@Guy.com>

| "David H. Lipman" wrote:

You may get different files based upon User-Agent, time, GEO-IP, etc.

As for decrypting the C&C file, ip1.gif: not for public discussion, sorry.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
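Before calling a download "polymorphic" on the strength of VT not recognising a second copy, the check a practitioner would want is to hash the copies and then diff their bytes, so the question becomes whether the bodies differ or only something like a trailer appended per download. The following is an added example, not code from this thread or from any vendor; the samples are constructed stand-ins for real PE files, and real input would be the raw bytes fetched with different User-Agents, at different times and from different networks, along the lines Dave lists above.

```python
# Added example (not from this thread): decide whether several downloads of the
# same URL are one file, one file with a varying trailer, or different bodies.
# BODY below is a constructed stand-in for a real PE file.
import hashlib

def diff_ranges(a, b):
    """Byte ranges [(start, end), ...] where a and b differ; a length mismatch
    shows up as a final range that runs to the end of the longer input."""
    ranges, start, n = [], None, min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i)); start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):
        end = max(len(a), len(b))
        if ranges and ranges[-1][1] == n:
            ranges[-1] = (ranges[-1][0], end)
        else:
            ranges.append((n, end))
    return ranges

def classify(samples):
    """'identical' when every copy hashes the same; 'trailer-only' when copies
    differ only past the end of the shortest copy (appended junk, a cheap
    server-side trick); 'body-differs' when any byte inside the common
    length changes, which is what would justify the word polymorphic."""
    if len({hashlib.sha256(s).digest() for s in samples}) == 1:
        return "identical"
    base = min(samples, key=len)
    for s in samples:
        if any(start < len(base) for start, _ in diff_ranges(base, s)):
            return "body-differs"
    return "trailer-only"

BODY = b"MZ" + bytes(range(256)) * 4          # constructed stand-in for a PE

if __name__ == "__main__":
    copies = [BODY + b"\x00" * 7, BODY + b"\x11\x22\x33", BODY]
    print(classify(copies))                   # trailer-only
    for c in copies:
        print(hashlib.md5(c).hexdigest(), diff_ranges(BODY, c))
```

Feed classify() the raw bytes of each copy. If it answers "body-differs", the next step is to unpack each copy and run the same comparison on the unpacked payloads; that is where the guess that every copy unpacks to the same executable gets tested.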


David H. Lipman, Oct 14, 2009, 11:38:15 PM

From: "FromTheRafters" <err...@nomail.afraid.org>

>>> Polymorphic? Could you explain?

http://en.wikipedia.org/wiki/Polymorphic_virus

Virus Guy, Oct 15, 2009, 12:37:29 AM

"David H. Lipman" wrote:

> As for decrypting the C&C file, ip1.gif: not for public discussion,
> sorry.

So does that mean that I'm not supposed to know about this:

http://www.malwaredomainlist.com/forums/index.php?PHPSESSID=c747b1e5602c8ea14ff821192210ad71&topic=2494.msg7496#msg7496

Or this:

http://blog.threatexpert.com/2009/09/time-to-revisit-zeus-almighty.html

?

Why is knowing how to decrypt c&c files supposed to be secret?

As you can see, it's no secret.

The more that the "public" knows about the bot-world and their files,
the better (or faster) we can disrupt and interfere with their
operations.

FromTheRafters, Oct 15, 2009, 8:29:09 AM

"Toxic" <staring@my_hd.tv> wrote in message
news:pan.2009.10...@cdc.gov...

> On Wed, 14 Oct 2009 23:21:33 -0400, FromTheRafters wrote:
>
>> Okay, polymorphic in the sense that it has many forms. Generally I
>> hear polymorphic as a spreading mode for viruses, that is to say they
>> generate their own "many forms" as a matter of their own spreading
>> (replicating) programmed function.
>
> Like this? http://tinyurl.com/ylp9f6r

Yes!

...and *not* like this:

http://www.urbandictionary.com/define.php?term=Polymorphic%20Trojan


FromTheRafters, Oct 15, 2009, 9:25:30 AM

"Virus Guy" <Vi...@Guy.com> wrote in message
news:4AD6A709...@Guy.com...

True, but the antimalware vendors are *still* in competition with one
another.


Virus Guy, Oct 15, 2009, 10:11:43 AM

FromTheRafters wrote:

> > Why is knowing how to decrypt c&c files supposed to be secret?
> >
> > As you can see, it's no secret.
> >
> > The more that the "public" knows about the bot-world and their
> > files, the better (or faster) we can disrupt and interfere with
> > their operations.
>
> True, but the antimalware vendors are *still* in competition
> with one another.

Are you saying that Lipman is an AV/AM vendor himself, or is employed by
one?

FromTheRafters, Oct 15, 2009, 11:11:56 AM

"Virus Guy" <Vi...@Guy.com> wrote in message
news:4AD72D9F...@Guy.com...

No. Had I wanted to say that, I would have said that.

What I am saying is that if he were privy to information about how one
AM tackles a particular malware instance, he might not want to divulge
that information in public.


Ant, Oct 15, 2009, 9:12:15 PM

"Virus Guy" wrote:

> "David H. Lipman" wrote:
>> As for decrypting the C&C file, ip1.gif, Not for public discussion,
>> sorry.

> Why is knowing how to decrypt c&c files supposed to be secret?

I'm not sure why Dave said that. In any case, you need an infected PC
and the tool from ThreatExpert to decode the config file.

Alternatively, you can unpack the executable, find the key section
and write your own program to decode the config using the key and the
unrv2b decompression algorithm. That way, you don't infect the PC, but
it requires reverse engineering and programming skills.
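Ant's second route, written out as an added example that is not code from this thread or from any AV vendor. Public write-ups from the period describe Zeus-era configs as RC4-encrypted with a key held in the bot binary and compressed with UCL's NRV2B; that layering (decrypt, then decompress) is assumed here, the key and the config payload are constructed stand-ins, and the real file's own section headers are not reproduced. The block carries a small NRV2B encoder only so the decoder can be checked against a known plaintext; in practice you extract the RC4 key from the unpacked sample (the "key section" Ant refers to) and hand the captured ip1.gif to decode_config().

```python
# Added example for the decoding steps Ant outlines (not code from this thread
# or any AV vendor): RC4-decrypt a blob with the key recovered from an unpacked
# sample, then NRV2B-decompress it. KEY and SAMPLE are constructed stand-ins;
# a real config also carries its own section headers, which are omitted here.
def rc4(key, data):
    """Textbook RC4 (KSA + PRGA); symmetric, so it decrypts what it encrypts."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def nrv2b_decompress(src, max_out=1 << 20):
    """UCL NRV2B decoder after the public ucl_nrv2b_decompress_8 logic: bit 1 =
    a literal byte follows, bit 0 = back-reference with gamma-coded offset and
    length. Bit bytes are consumed MSB-first, interleaved with the data bytes."""
    dst, pos, bb, nbits, last_off = bytearray(), 0, 0, 0, 1
    def getbit():
        nonlocal pos, bb, nbits
        if nbits == 0:
            bb, pos, nbits = src[pos], pos + 1, 8
        nbits -= 1
        return (bb >> nbits) & 1
    while True:
        while getbit():
            dst.append(src[pos]); pos += 1
        m_off = 1
        while True:
            m_off = m_off * 2 + getbit()
            if getbit(): break
        if m_off == 2:
            m_off = last_off                          # repeat previous offset
        else:
            m_off = (m_off - 3) * 256 + src[pos]; pos += 1
            if m_off == 0xFFFFFFFF:                   # end-of-stream marker
                return bytes(dst)
            last_off = m_off = m_off + 1
        m_len = getbit() * 2 + getbit()
        if m_len == 0:
            m_len = 1
            while True:
                m_len = m_len * 2 + getbit()
                if getbit(): break
                if m_len > max_out: raise ValueError("length overrun")
            m_len += 2
        m_len += int(m_off > 0xD00)
        if m_off > len(dst) or len(dst) + m_len + 1 > max_out:
            raise ValueError("overrun: corrupt stream or wrong key")
        for _ in range(m_len + 1):                    # overlapping copy, bytewise
            dst.append(dst[-m_off])

def nrv2b_compress(data):
    """Minimal greedy encoder for the same bit grammar (literals plus explicit-
    offset matches); UCL's real compressor only searches harder."""
    out, slot = bytearray(), [0, 0]                   # [bit-byte index, bits used]
    def putbit(b):
        if slot[1] == 0:
            slot[0] = len(out); out.append(0)
        out[slot[0]] |= b << (7 - slot[1])
        slot[1] = (slot[1] + 1) % 8
    def putprefix(v):                                 # digits of v after its
        for k in range(v.bit_length() - 2, -1, -1):   # leading 1, each followed
            putbit((v >> k) & 1); putbit(int(k == 0))  # by a stop flag
    i = 0
    while i < len(data):
        n = off = 0
        for o in range(1, min(i, 0xD00) + 1):
            k = 0
            while i + k < len(data) and k < 255 and data[i + k] == data[i + k - o]:
                k += 1
            if k > n: n, off = k, o
        if n < 3:                                     # too short to pay for a match
            putbit(1); out.append(data[i]); i += 1
            continue
        putbit(0)
        putprefix((off - 1) // 256 + 3); out.append((off - 1) % 256)
        m_len = n - 1                                 # off <= 0xD00: no +1 adjust
        if m_len < 4:
            putbit(m_len >> 1); putbit(m_len & 1)
        else:
            putbit(0); putbit(0); putprefix(m_len - 2)
        i += n
    putbit(0); putprefix(0x1000002); out.append(0xFF) # end marker (0xFFFFFFFF)
    return bytes(out)

KEY = b"constructed-demo-key"                         # stands in for the sample's key
SAMPLE = (b"url_config http://cfg.example.invalid/cfg1.bin\n"
          b"url_config http://cfg.example.invalid/cfg2.bin\n")

def encode_config(plain, key=KEY):
    return rc4(key, nrv2b_compress(plain))            # compress, then encrypt

def decode_config(blob, key=KEY):
    return nrv2b_decompress(rc4(key, blob))           # decrypt, then decompress
```

A wrong key gives no clean failure of its own: RC4 with the wrong key is just different bytes, so the decoder either trips one of the overrun checks or returns garbage, which is why it raises instead of silently truncating. The m_off > 0xD00 length adjustment and the repeated-offset code (m_off == 2) are part of the NRV2B grammar and are kept even though the toy encoder never emits the latter.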


noauth, Oct 16, 2009, 3:12:29 PM

On Fri, 16 Oct 2009 11:20:43 +0000 (UTC), Toxic <staring@my_hd.tv> wrote:

>On Thu, 15 Oct 2009 10:11:43 -0400, Virus Guy wrote:
>
>
>>
>> Are you saying that Lipman is an AV/AM vendor himself, or is employed by
>> one?
>

>I thought he was just an obnoxious joisey jewboi wannabe?

Another world class loser blaming the "jewbois" for his own incompetent,
impotent life.

The Central Scrutinizer, Oct 21, 2009, 11:08:50 PM

Are you?

--

"Virus Guy" <Vi...@Guy.com> wrote in message

news:4AD72D9F...@Guy.com...

Virus Guy, Oct 22, 2009, 9:25:36 AM

Don't be a top-poaster.

The Central Scrutinizer wrote:

> >> > Why is knowing how to decrypt c&c files supposed to be secret?

> >> > The more that the "public" knows about the bot-world and
> >> > their files, the better (or faster) we can disrupt and
> >> > interfere with their operations.

> >> True, but the antimalware vendors are *still* in competition
> >> with one another.

> > Are you saying that Lipman is an AV/AM vendor himself, or is
> > employed by one?

> Are you?

If I was, I probably would have already known how to decrypt c&c files,
so I wouldn't have posed the question here.

In any case, it's not clear how that knowledge would give an AV vendor a
competitive advantage, because it deals with aspects of malware
functionality and botnet operation that go far beyond what is needed by
AV vendors to perform malware detection on client machines.

If Lipman is really an AV "insider", he should have known that the
knowledge of how to decode c&c files (or at least this particular class
of file) was already in the public domain, so making the statement that
it couldn't be divulged in public was disingenuous - if not mischievous.

Anonymous, Oct 22, 2009, 8:16:43 PM

"Manatee Memories" <S...@the.REPLYTO.entry> gobfarted:
> (don't be a top poaster)

And here I was thinking Manypee Mammaries had left us for good!

No such luck!

The Central Scrutinizer, Oct 22, 2009, 11:47:49 PM

Don't be a f-ing dork!!!

--

"Virus Guy" <Vi...@Guy.com> wrote in message

news:4AE05D50...@Guy.com...


> Don't be a top-poaster.
>
> The Central Scrutinizer wrote:
>
>> >> > Why is knowing how to decrypt c&c files supposed to be secret?
>> >> > The more that the "public" knows about the bot-world and
>> >> > their files, the better (or faster) we can disrupt and
>> >> > interfere with their operations.
>
>> >> True, but the antimalware vendors are *still* in competition
>> >> with one another.
>
>> > Are you saying that Lipman is an AV/AM vendor himself, or is
>> > employed by one?
>
>> Are you?
>
> If I was, I probably would have already known how to decrypt c&c files,
> so I wouldn't have posed the question here.

Right. But just because this Lipman person posts a lot does not make him or
her an expert, does it?

> In any case, it's not clear how that knowledge would give an AV vendor a
> competitive advantage, because it deals with aspects of malware
> functionality and botnet operation that go far beyond what is needed by
> AV vendors to perform malware detection on client machines.
>
> If Lipman is really an AV "insider", he should have known that the
> knowledge of how to decode c&c files (or at least this particular class
> of file) was already in the public domain, so making the statement that
> it couldn't be divulged in public was disingenuous - if not mischievous.

OK it was a little weird I will give you that ;-) I Mean WTF!


Anonymous, Oct 23, 2009, 12:44:03 AM

"Manatee Memories" <S...@the.REPLYTO.entry> wrote in message news:d012e51qm2l6mvcpq...@4ax.com...
> On Fri, 23 Oct 2009 02:16:43 +0200 (CEST), Anonymous Coward
> <cri...@ecn.org> wrote, by way of
> <2009102300164...@www.ecn.org>, in
> alt.comp.virus -->::

>
>>"Manatee Memories" <S...@the.REPLYTO.entry> gobfarted:
>>> (don't be a top poaster)
>>
>>And here I was thinking Manatee Memories had left us for good!
>>
>>No such luck!
>
> Cowards are as cowards do (such as using anon mailers, etc.).

Fuck-wit!

What happened to your "Post was deleted without being read"
bullshit macro? Did you get rid of it because too many people
were calling you a fucking liar, you fucking liar??

I'd rather be an anonymous coward than a superfluous cow turd
like you any day!


Dustin Cook, Oct 23, 2009, 2:49:33 AM

Virus Guy <Vi...@Guy.com> wrote in news:4AD6A709...@Guy.com:

It's not something David or I are interested in discussing on such
a public forum. Like you, years ago I thought full disclosure for all
was the best policy. However, I was naive and very foolish back then. :)

--
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org
BugHunter - http://bughunter.it-mate.co.uk

Dustin Cook, Oct 23, 2009, 2:50:59 AM

Virus Guy <Vi...@Guy.com> wrote in news:4AE05D50...@Guy.com:

Let me clear that issue up for you. David Lipman works for Malwarebytes
(like me) as a researcher (like me).

George Orwell, Oct 23, 2009, 8:54:09 AM

"ASCII" <cocks...@privacy.net> wrote in message:

> Dustin Cook wrote:
>>
>>Let me clear that issue up for you. David lipman works for Malwarebytes
>>(like me) as a researcher (like me).
>
> So that explains why you're sucking up to him lately,
> do you share cigarettes too?

Thus spake The Malwarebytes thief!

Had your fudge packed today dear?

[The sender address of this message does not belong to a real person but
is a fake address of an anonymous remailer system. For more information:
https://www.mixmaster.it]

Virus Guy, Oct 23, 2009, 9:10:55 AM

Dustin Cook wrote:

> > As you can see, it's no secret.
>

> It's not something David nor myself are interested in discussing
> on such a public forum.

I didn't ask you or prod you, specifically, for an answer.

When I originally asked how to decode the c&c file, Dave didn't have to
say, essentially, "I know how to do it, but it's a secret and I'm not
going to tell you how". Dave didn't have to say anything. He didn't
have to post a reply.

And he stated incorrect information in his reply. He stated that the
method is not, and was not to be known to the general public.

I suspect it was ego that drove his reply. He wanted to tell this
newsgroup that he knew the answer, but for some reason not give the
answer. So he invented the excuse that it wasn't for public disclosure.

I'm sure Dave doesn't enjoy the exposure this issue is getting, but I'm
not the one driving the continuation of this thread. I let it go a
while ago, but for some reason others (now, most notably yourself) keep
bringing it back to life. Do you think rubbing salt in this issue is a
good thing?

> Like you, years ago; I thought full disclosure for all was the
> best policy. However, I was niave and very foolish back then. :)

What examples can you provide that supports your current view that
public disclosure of technical malware information is now "foolish"?

In this case, what are (or could be) the problems or downside in making
this decoding method public (as it obviously has been) ?

Dustin Cook, Oct 23, 2009, 11:08:41 AM

ASCII <m...@privacy.net> wrote in news:4ae1630b.914906@EBCDIC:

> Dustin Cook wrote:
>>
>>Let me clear that issue up for you. David lipman works for Malwarebytes
>>(like me) as a researcher (like me).
>

> So that explains why you're sucking up to him lately,
> do you share cigarettes too?

> Losers!
>

Sucking up to who? Sorry, I don't kiss anybody's ass, and I'm not known for
doing such things. I do have a professional courtesy towards him, for his
intelligence and evidence of it. I don't know if David even smokes...

George Orwell, Oct 23, 2009, 12:09:49 PM

"Dustin Cook" <bughunte...@gmail.com> wrote:
> ASCII <m...@privacy.net> wrote in news:4ae1630b.914906@EBCDIC:
>
>> Dustin Cook wrote:
>>>
>>>Let me clear that issue up for you. David lipman works for Malwarebytes
>>>(like me) as a researcher (like me).
>>
>> So that explains why you're sucking up to him lately,
>> do you share cigarettes too?
>> Losers!
>>
>
> sucking up to who? Sorry, I don't kiss anybodies ass; and I'm not known for
> doing such things. I do have a professional courtesy towards him, for his
> intelligence and evidence of it.

ASSKEY rammed his tongue so far up his boyfriend's ass, the
paramedics had to pull him out by his shoe laces.

> I don't know if David even smokes...

ASSKEY smokes nigga cock.

David H. Lipman, Oct 23, 2009, 3:54:19 PM

From: "Virus Guy" <Vi...@Guy.com>

| Dustin Cook wrote:


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


David H. Lipman, Oct 23, 2009, 4:09:10 PM

From: "Virus Guy" <Vi...@Guy.com>

| Dustin Cook wrote:

I stick by what I wrote... "Not for public discussion".

Just because some others may want to divulge some information does not make it right to be
divulged.

That's all I will say in this matter.

Nomen Nescio, Oct 23, 2009, 7:56:07 PM

"Masturbation Memories" <S...@the.REPLYTO.entry> ejaculated:

> alt.comp.virus -->::
>
> <....>
>
> Message unread. Please try again later. Not.

BWAAAHAAAHHHAAAAHHAAHAAHAAAAHAAAAAHHAAAA!!!!!!!

Stupid twat!


The Real Truth MVP, Oct 24, 2009, 11:13:50 AM

That explains why MBAM has gone to shits lately. You idiots no longer
recognize valid bugs and complaints from me, and because of that I no longer
have my friends report them to you. I also stopped promoting your product
and you will soon start seeing other manufacturers products disabling yours.
In fact I signed a contract last week to help in those efforts.


--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.


"Dustin Cook" <bughunte...@gmail.com> wrote in message
news:Xns9CAD1D4F01C...@69.16.185.250...

Dustin Cook, Oct 28, 2009, 4:38:54 PM

"The Real Truth MVP" <t...@void.com> wrote in
news:hbv5jf$42d$1...@leythos.motzarella.org:

> That explains why MBAM has gone to shits lately. You idiots no longer
> recognize valid bugs and complaints from me, and because of that I no
> longer have my friends report them to you. I also stopped promoting
> your product and you will soon start seeing other manufacturers
> products disabling yours. In fact I signed a contract last week to
> help in those efforts.

Wow. I had no idea you mattered to us or anyone else that much, no really.
How you think you can affect our userbase in the slightest is just
impressive and slightly frightening all at the same time. Impressive in the
sense that you think you're important (you're not.. heh), and frightening
because you think anybody in their right mind would take you seriously on anything.

Remember the rot thing? C'mon... :)

0 new messages