Spammed-out malware campaign contains offensive hidden message for anti-virus CEO


David B

Apr 29, 2016, 8:07:20 AM
Quote!
*****

There is no love lost between the people who write malware and the
anti-virus companies who work hard to protect innocent users against them.

And occasionally that animosity spills out into the actual malicious
code written by online criminals. Sometimes it might present itself in
the form of code to attempt to avoid detection by a particular product,
or techniques to avoid analysis in malware labs.

But sometimes… well, it just gets a lot more personal than that. And
that’s what seems to have happened in a current malware campaign
arriving in many users’ email inboxes today.

Here is what a typical malicious email looks like:

http://www.hotforsecurity.com/blog/spammed-out-malware-campaign-contains-offensive-hidden-message-for-anti-virus-ceo-13820.html

--
David B.

RandyM

Apr 30, 2016, 9:50:00 AM
"David B" <Dav...@nomail.invalid> wrote in message
news:nfvij8$f8r$1...@boaterdave.dont-email.me...
> Quote!
> *****
>
> There is no love lost between the people who write malware and the
> anti-virus companies who work hard to protect innocent users against them.
>
> And occasionally that animosity spills out into the actual malicious code
> written by online criminals. Sometimes it might present itself in the form
> of code to attempt to avoid detection by a particular product, or
> techniques to avoid analysis in malware labs.
>
> But sometimes. well, it just gets a lot more personal than that. And that's
> what seems to have happened in a current malware campaign arriving in many
> users' email inboxes today.
>
> Here is what a typical malicious email looks like:
>
> [link]
>

Why am I reluctant to click on that link? Because I'm afraid of ransomware.
It's an unknown domain with some possible random numbers at the end, reminds
me of badware links that used to come up in google searches. Maybe it's fine
but I'm not that curious. Thanks anyway. I'm already cautious about *all*
incoming emails, and also moderately cautious about links in NG messages
which I've heard can carry the same payloads. Plus I always try to practice
safe hex - when in doubt, don't! And yes, I treat my sister's emails with
similar caution, so it's not personal. It's just business... :)
--
RandyM
(Paranoid Pete)


David B

May 1, 2016, 5:53:40 AM
I understand! :-)

Here's the rest of the text at that link:

Here is what a typical malicious email looks like:

[Image: Spammed-out malware campaign contains offensive hidden message for anti-virus CEO]

Subject: RE: Outstanding Account

Message body:

This is a reminder that your account balance of $5746.80 was overdue as
of 28 April 2016.

Enclosed is a statement of account for your reference.

Please arrange payment of this account today or, if you cannot make full
payment at this time, please contact us to make a payment arrangement
that is mutually acceptable.

Regards,

Tonia Joseph

Sales Director

Have a nice day

The name and job title of the person contacting you is randomly chosen,
as is the amount that you are being asked to pay and the date on which
it became overdue.

Attached to the email is a .ZIP file (again, its precise filename
varies) that contains the malicious payload.

The danger is, of course, that people who receive the email may click on
the attachment (presumably in a mixture of outrage and confusion that
they are being asked to pay a substantial amount of money) without
thinking of the consequences.

For inside the ZIP is an obfuscated Javascript file which downloads
further malicious code from the internet, designed to infect innocent
victims’ PCs.

This isn’t an unusual disguise for online criminals to spread their
attacks. In fact, these simple social engineering tricks have been
proven to work time and time again – which is why it is so important for
all computer users to exercise caution and be suspicious of unsolicited
email attachments.

What makes this particular attack interesting, however, is if you take a
closer look at the obfuscated Javascript inside the ZIP file.

Because it appears that whoever wrote the malware was unable to stop
themselves from including an offensive message about Travis Witteveen,
the CEO of anti-virus firm Avira, as well as a call-out to another
security company – Vienna-based IKARUS Security.

[Image: Spammed-out malware campaign contains offensive hidden message for anti-virus CEO]

“Travis Witteveen S**** N****’s c****”

Of course, neither of these companies are in any way connected to the
creation of the malware. It’s part of the job that all of us in the
anti-virus industry get called names by online criminals from time to
time. It’s part of the job and, to be honest, makes us feel like we
must be doing something right!

VirusTotal reports that some anti-virus products are not yet identifying
the malware, but Bitdefender security products detect both the ZIP and
the .JS file as JS:Trojan.JS.Downloader.HU.



--
David B.
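The quoted article describes the lure shape (an "overdue account" message with a randomised amount and date) and the payload shape (a ZIP attachment holding a script file). The following is an added triage example, not code from the article or from any vendor: it builds a constructed sample message matching that description, with a harmless placeholder inside the ZIP, and flags the lure text and the script-in-ZIP attachment. Pattern names, thresholds and the sample addresses are my own assumptions.

```python
# Added example (not from the quoted article): triage a mail message for the
# "overdue account" lure plus a ZIP attachment that contains a script file.
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows Script Host or mshta will run straight from a double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# Assumed lure indicators, derived from the sample text quoted above.
LURE_PATTERNS = {
    "overdue_balance": re.compile(r"\bbalance of \$[\d,]+\.\d{2}\b.*?\boverdue\b", re.I | re.S),
    "overdue_date": re.compile(r"\bas\s+of\s+\d{1,2}\s+\w+\s+\d{4}\b", re.I),
    "payment_demand": re.compile(r"\barrange payment\b", re.I),
    "account_subject": re.compile(r"outstanding account", re.I),
}

def scripts_in_zip(blob: bytes) -> list[str]:
    """Return member names inside a ZIP blob whose extension is a script type."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []  # not a ZIP at all: nothing to report from this check
    return [n for n in names if "." + n.rsplit(".", 1)[-1].lower() in SCRIPT_EXTS]

def triage(raw: bytes) -> dict:
    """Score one RFC 5322 message: lure hits, risky ZIP members and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject") or "") + "\n" + (body.get_content() if body else "")
    hits = [name for name, rx in LURE_PATTERNS.items() if rx.search(text)]
    risky = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if fname.endswith(".zip") or ctype in ("application/zip", "application/x-zip-compressed"):
            risky += [f"{fname}:{m}" for m in scripts_in_zip(part.get_payload(decode=True))]
    # A script inside a ZIP is enough on its own; lure text alone is only suspicious.
    verdict = "quarantine" if risky else ("suspicious" if len(hits) >= 2 else "pass")
    return {"lure_hits": hits, "script_members": risky, "verdict": verdict}

def sample_message() -> bytes:
    """Constructed sample reproducing the quoted lure, with a harmless placeholder ZIP."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Statement_4471.js", "// placeholder text, not the real downloader\n")
    msg = EmailMessage()
    msg["Subject"] = "RE: Outstanding Account"
    msg["From"] = "Tonia Joseph <sales@example.invalid>"   # constructed address
    msg["To"] = "user@example.invalid"                     # constructed address
    msg.set_content(
        "This is a reminder that your account balance of $5746.80 was overdue as\n"
        "of 28 April 2016.\n\nEnclosed is a statement of account for your reference.\n\n"
        "Please arrange payment of this account today.\n\nRegards,\nTonia Joseph\nSales Director\n"
    )
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Statement_4471.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(sample_message()))
```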

Diesel

May 3, 2016, 3:33:20 PM
David B <Dav...@nomail.invalid>
news:nfvij8$f8r$1...@boaterdave.dont-email.me Fri, 29 Apr 2016 12:07:27
GMT in alt.computer.workshop, wrote:

> Quote!
> *****
>
> There is no love lost between the people who write malware and the
> anti-virus companies who work hard to protect innocent users
> against them.

Depends on what you mean by working hard. Some AVers tend to spend
their 'productive' time using reporters to talk shit about so and so
VXer in an effort to boost sales of their employers product(s).

> Here is what a typical malicious email looks like:
>
> http://www.hotforsecurity.com/blog/spammed-out-malware-campaign-con
> tains-offensive-hidden-message-for-anti-virus-ceo-13820.html

This article is 10+ years out of date.

As you seem to appreciate Graham Clueless Cluley so much, you might like to read about this:

http://virus.wikia.com/wiki/Coconut

And lets not forget this one:

http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=10327

Did you know that a reporter local to your area (generally speaking)
invited me to a cup of tea for a sit down interview concerning
Toadie? Evidently, it was doing well in your country despite my not
seeing any activity on this side of the pond. When that reporter
contacted me initially, I was already working on irok, assuming
(wrongfully in hindsight) that Toadie was a dud - ie: didn't make
wild. couldn't survive for one reason or another.

I don't know why that reporter and yourself ever thought I was a
local to your area...That still puzzles me to this day. I'm not
British.

Here's one of the news articles he had quite a bit of involvement in
where he LIED his ass off concerning myself and Toadie. I sent his
employer a copy of this news article and a copy of the reporters
email as well as a copy of Graham Cluley denying he did what I
accused him of.

His usenet post from work! no less [g]; no denying he made the post
that denied talking to the reporter(s), where as their emails (as
well as the one I sent each of them) directly disputing his claim.
ALL sent to his employer. Yes, I'd reach out to various AV just like
I did your friends jenn and eagle, David. I don't play. I'm not a
script kiddie and, I won't be bullied by anyone.

Believe it or not, David. But, those of us who were VX that would
occasionally interact with joe public did have pull with joe public.
They listened to what we had to say and took our technical expertise
for what it is; actual demonstrated, expertise. Some would even ask
questions, because they weren't sure about what the mouthpiece from
Sophos was telling them. or various other so called experts in the
field of AV.. but actually weren't. I'm not trying to come across as
an egotistical fuck or anything else, David... what I've written in
this post is what happened. Cluley isn't the individual you think he
is, but, I can certainly understand why you'd be so cozy towards
him. I'm not sure if it's a British thing in particular or not. I
would like to think it isn't, and, the two of you are just
exceptional assholes.

Btw, Shortly after all this went down, Cluless Cluley was muzzled by
sophos for usenet posts engaging VX. IE: wasn't allowed to 'taunt'
or talk to reporters and feed them anymore bullshit, especially if
said reporter wouldn't cover for him.

http://www.zdnet.com/article/virus-writer-turns-tail-covers-tracks/?_escaped_fragment_=#!

"Raid", a virus-writer who distributed the Toadie.exe virus and then
taunted the authorities on a number of public newsgroups, could now
be trying to cover his tracks, according to one anti-virus expert.

Sources at Sophos anti-virus believe that the authorities may
already be hot on the trail of this individual after his or her
virus crippled the Austrian headquarters of one of their major
international clients over the weekend. Raid posted Toadie.exe to
various warez sites disguised as a password cracking program.

Raid has subsequently attempted to erase a number of these messages
and has prevented them from being archived at newsgroup site
Deja.com.

Graham Cluley, senior technical consultant with Sophos anti-virus
believes Raid could now be in big trouble. He said, "Raid is playing
a very, very dangerous game. The US authorities have shown that they
are prepared to pursue this sort of thing by any means."

Cluley thinks that this case could also have put the wind up Raid.
He added, "Raid has been fairly quiet of late. Maybe he's just
getting on with his real life, or he's found girls or something, but
he could well have taken a look at this case and got the
heebie-jeebies."

*** end copy

I didn't distribute Toadie on anything besides my website. When
pulled from my website, it was completely harmless and unable to
infect any systems unless the individual who downloaded it took
additional steps. Several, deliberate, steps. in a specific order.

As far as taunted authorities, I didn't do that either. It's usenet!
How in the fuck would I know if so and so is/isn't police/fed/other
acronym short of them telling me and my being able to independently
confirm it?

Clueless cluley was talking shit in that entire article. Nobody was
'hot on my trail' I didn't do anything illegal. Toadie and Melissa
are different in that respect. I didn't let a viable copy of toadie
'loose' on the general public already armed and ready to kill.
Vicoden, OTH, did.

When I asked the asshat specific details concerning that BULLSHIT
article, he denied having stated those things, said the reporter
made it up/quoted him out of context. BULLSHIT. I contacted that
reporter and several others who ran stories very close to that one.
They ALL stated that cluley provided them that information and that
they didn't make anything up to sensationalize the story. They
didn't need too, cluley did it for them.

I sent cluleys employer copies of those emails,
along with my usenet posts and his. Sophos muzzled his fat ass as a
result shortly there after. No more taunting VX on usenet, no more
bsing reporters.

Av/VX alike knew the material offered on my website was provided in
a NON INFECTIOUS state. The original toadie archive was laid out like this:


PKUNZIP (R) FAST! Extract Utility Version 2.50 03-01-1999
Copr. 1989-1999 PKWARE Inc. All Rights Reserved. Shareware Version
PKUNZIP Reg. U.S. Pat. and Tm. Off.

ş Pentium II class CPU detected.
ş XMS version 2.00 detected.
ş DPMI version 0.90 detected.

Searching ZIP: /HHI/RAID/TOAD12B.ZIP

Length Method Size Ratio Date Time CRC-32 Attr Name
------ ------ ----- ----- ---- ---- -------- ---- ----
2049 DeflatN 1047 49% 08-24-1999 00:34 cf7d915c --wa DESC.SDI
2049 DeflatN 1047 49% 08-24-1999 00:34 cf7d915c --wa FILE_ID.DIZ
9100 DeflatN 8864 3% 08-27-1999 15:31 f42deb18 --wa TOADIE.EXE
4702 DeflatN 2183 54% 08-24-1999 00:33 13bf2f23 --wa TOADIE.NFO
17038 DeflatN 7160 58% 06-15-1998 18:26 62f65fd7 --wa WARNING.YOU
------ ------ --- -------
34938 20301 42% 5

From the toadie.nfo file:

Toadie's engine has a 'Safe Infect' feature. Which means, until a file has
become infected, Toadie's payloads are off, and it is restricted to current
directory only. Only when Toadie is executed from an infected file are
the payloads and other spreading systems online. This allows you to safely
study Toadie, infecting executables without any risk to yourself. Of course,
this feature was only added for EDUCATIONAL PURPOSES! The author is not
suggesting in any way shape or form, nor was this routine written to break
any laws or suggest to do so in any way shape or form.

Cluley LIED about everything in the news media report above and this
one as well: That's the zip file you could have gotten from my
website, back in the day. There's no way in hell I was responsible
directly for it having hit Toyota Corporation or anyone else. Btw,
Sophos antivirus was protecting those machines at the time they
caught Toadie. I understand cluleys need to make me out to be a
righteous bad guy on the run, after all.. I did just spank their
product on a corporate environment that isn't exactly, unknown. [g]

It wasn't even the initial version that hit them (I knew people who
worked at Sophos too, that were far friendlier towards me than
cluley; they shared infos and contributed to my successful cluley
muzzling) Each virus family had certain things in common. I wasn't
as concerned with being detected as I was with making your ability
to remove me a time consuming/difficult process. Detection could be
as simple as a definitions update. Removal will require you to spend
time studying my code and writing DEDICATED code to deal with it.
IE: an engine update to specifically handle what I wrote.

http://www.zdnet.com/article/toadie-virus-poses-serious-threat/


Graham Cluley, senior technical consultant with Sophos Anti-Virus,
warns the attack should be taken seriously. "The fact that it's
being actively distributed in the same way to Melissa, is very
worrying," he says.

Toadie.exe is written in high level language, ASIC, and attaches
itself to email messages waiting to be sent.

Toadie's creator, "Raid", is actively distributing the virus in the
guise of a program for cloning cell-phones as well as a program
designed to generate adult site passwords, says Sophos.

I didn't distribute Toadie via any cell phone cloning application
and Sophos backed off concerning that accusation in a hurry when I
contacted the reporter about it. I wasn't one who could be bullied
and/or punked by Avers that like to talk shit to reporters. Not only
would I reach out to those reporters, I'd go and humiliate the AV
company via usenet and various websites that keep track of the 'war'
I'm *proud* to have caught Cluley outright in several lies, to the
point where his own employer (sophos) felt it necessary to put a
leash on their dog. He was clearly abusing his position.

When Irok was created, various AV companies had no idea what it was
actually doing (the protective layers on the exe made things very
difficult; it couldn't be tricked into doing much by poorly written
emulation software. It had to actually be run on the intended
environment, and/or somebody who was higher ranking than an
assembler asshat would have needed to try and reverse engineer it.
IROK's binary was well protected against such activity; which also
made their emulation software worthless.

So, they literally copy/pasted some things I wrote on usenet
concerning the virus when infected people would ask me about it. The
AVers didn't know what it was doing, so, they used my answers and
passed them off as their own in the descriptions for it.

Initially, they all claimed irok would corrupt your hard disk
requiring a reformat. It wasn't ever a true statement and it grossly
exposed various levels of incompetence and skillset differences. As
well as the gap between knowledge. As I said, I've been doing this a
long long time. So, I've seen the extended ascii character set being
used as a form of copy protection which is what irok did to 'fake' a
HD crash. An experienced tech (wouldn't even have to be a coder)
would have been able to determine something was up, but an actual
crash was unlikely. A dead giveaway: the HD space used and available
space wasn't altered. IE: you'd expect to see some crazy numbers
outside of the drives given range had a real file table system issue
been present.

IE: the same trickery I used to expose pooh for the half ass fuckwit
she is (remember, it took her days to learn that I was taunting you
with a hex encoded message... they still haven't been able to tell
you what the hell I did to switch it up. A real technician (and some
have already done it and proudly emailed me a copy of the message
decoded) would notice exactly what they're looking at as soon as
they decoded HEX...

This is essentially the same thing IRoK did to various AV/wannabe AV
'experts' embarrassed them.

At least one intelligent individual who knew nothing about how
viruses actually worked did figure out what I'd done and he was able
to save ALL of his information. He didn't lose a damn thing besides
the time required to undo my trick. Had he taken the advice offered
by the so called AV experts, he would have toasted his system and
lost anything he didn't have a copy of. The user didn't even need to
reload his machine. He lost nothing; because he was able to
determine what I'd done. Something AVers PAY people good salaries to
do.

It's inexcusable. Cluless cluley hasn't improved much and he's just
been filling you full of shit concerning me. Btw, Irok was written
and released AFTER Toadie. Obviously, I wasn't 'scared' of anyone
knocking my door in. Didn't run, didn't try to cover my tracks. ALL
of that was complete horse shit straight from the asshat cluless
cluley (who did btw, suggest people to reformat and reload to
recover from iroks payload) IE: technologically incompetent FUCKING
MORON.


--
MID: <nb7u27$crn$1...@boaterdave.dont-email.me>
Hmmm. I most certainly don't understand how I can access a copy of a
zip file but then not be able to unzip it so I can watch it. That
seems VERY clever!
http://al.howardknight.net/msgid.cgi?ID=145716711400

Diesel

May 6, 2016, 3:11:57 AM
Diesel <m...@privacy.net>
news:XnsA5FD9F39...@dieselpower.eternal-september.org Tue,
03 May 2016 19:29:51 GMT in alt.computer.workshop, wrote:

> Cluley LIED about everything in the news media report above and
> this one as well: That's the zip file you could have gotten from
> my website, back in the day. There's no way in hell I was
> responsible directly for it having hit Toyota Corporation or
> anyone else. Btw, Sophos antivirus was protecting those machines
> at the time they caught Toadie. I understand cluleys need to make
> me out to be a righteous bad guy on the run, after all.. I did
> just spank their product on a corporate environment that isn't
> exactly, unknown. [g]
>
> I didn't distribute Toadie via any cell phone cloning application
> and Sophos backed off concerning that accusation in a hurry when I
> contacted the reporter about it. I wasn't one who could be bullied
> and/or punked by Avers that like to talk shit to reporters. Not
> only would I reach out to those reporters, I'd go and humiliate
> the AV company via usenet and various websites that keep track of
> the 'war' I'm *proud* to have caught Cluley outright in several
> lies, to the point where his own employer (sophos) felt it
> necessary to put a leash on their dog. He was clearly abusing his
> position.

BUMP... In the highly unlikely event you didn't notice my reply.

Have you asked clueless cluley about any of the above, yet? I'm
curious to see if the passage of time brings forth honesty in those
who previously lacked it. I realize with you, it clearly doesn't..
I'm curious mainly to see if it's a british thing the both of you
have in common. As, well, let's face it.. cluley lied his ass off
about me, and, you've done the same, several times.

David B.

May 6, 2016, 3:38:02 PM
Yes, I have.

Diesel

May 7, 2016, 2:07:30 AM
"David B." <ech...@pinger.invalid> news:ngirk7$hv3$1...@boaterdave.dont-
email.me Fri, 06 May 2016 19:38:01 GMT in alt.computer.workshop, wrote:

> Yes, I have.

LOL. Hard to dispute facts isn't it, asshole. He LIED his fucking ass
off talking to that reporter. It doesn't help that I actually kept my
old .zip files with the instructions does it. :) Cluley lied, and, you
directly support that sort of piece of shit. You have much in common
with him. You both write total BULLSHIT about other people.

Diesel

May 8, 2016, 4:45:16 PM
Diesel <m...@privacy.net>
news:XnsA601169F...@dieselpower.eternal-september.org Sat,
07 May 2016 06:03:59 GMT in alt.computer.workshop, wrote:

> "David B." <ech...@pinger.invalid>
> news:ngirk7$hv3$1...@boaterdave.dont- email.me Fri, 06 May 2016
> 19:38:01 GMT in alt.computer.workshop, wrote:
>
>> Yes, I have.
>
> LOL. Hard to dispute facts isn't it, asshole. He LIED his fucking
> ass off talking to that reporter. It doesn't help that I actually
> kept my old .zip files with the instructions does it. :) Cluley
> lied, and, you directly support that sort of piece of shit. You
> have much in common with him. You both write total BULLSHIT about
> other people.
>
>

ROFL. Cat got your tongue now David?

Having second thoughts about suggesting I visit this newsgroup, might
you be? :-)

Oh... Did you want to falsely give people the impression that you
were some kind of saint or good guy on a mission? Have I pretty well
fuxored that cover story for you at this point? Oops!

Do you want me to continue discussing your drinking problem and the
abuse your wife suffers as a result of it, so openly, here? I really
don't mind. Would you like me to go into further detail about the irl
relationship you've lost as a result of your abusive behavior when
you've had too much to drink, David? I can.

In the event it hasn't already occurred to you, You picked the wrong
one...

Diesel

May 11, 2016, 3:13:47 PM
Diesel <m...@privacy.net>
news:XnsA602AB73...@dieselpower.eternal-september.org Sun,
BUMP

Tsk Tsk Davd... Your silence on these matters isn't helpful to your
cause. It can easily give the would be reader the impression that
you're guilty as all fuck of everything I've written. We both know
(as do several others who've taken the time to post here recently)
you are, of course. But, you're making this too easy for me.

Aren't you even going to try and challenge a single accusation?
Concerned about what sort of evidence I might be holding onto...
waiting for the right opportunity to share it...Are you? :-)

Getting the impression that I'm not satisfied with hog-tying you, I
want to see your bones break from the strain... ? :-)

burfordTjustice

May 11, 2016, 4:33:13 PM
All mouth no action....pathetic.

Did you have a hand in Morgans death?
Did you poison Dave Eagle?

%

Feb 12, 2024, 10:06:03 AM
Well?