Silk Road forums
Discussion => Silk Road discussion => Topic started by: Libertas on May 21, 2013, 10:29 pm
-
Hi all,
Many vendors have received the following message from somebody going by the name of Simonclark81 / AaronTurner71:
Hi, I'm not sure if you are the right person or not, but I live near to you and have noticed you making quite a few deliveries to the mailbox, some of which I managed to get on video... search for 'silk road **** ****' on www.********.us and click on the the first video and you will be able to see.
This is not a threat, I am just trying to pre warning you to be more careful when mailing things. (and maybe send someone else to the mailbox instead of yourself) Although I wouldn't say no to a free sample :)
P.S If it is not you in the video, then you can ignore this
Simon / Aaron
I have edited the description and link in order to prevent anyone here from falling into this trap. If you receive this message, please delete it immediately. Please do not follow the link if you see it posted elsewhere.
Going to the site included in the message will automatically run a Java applet that either attempts to "phone home" - sending your IP address to a third party, thereby de-anonymising you - or attempts to download / run some malware that could compromise your system and would more than likely contain a keylogger / datalogger which could steal your Silk Road login information and PIN, if entered.
Discussion of the message in question and what it may be attempting to accomplish can be found here:
http://dkn255hz262ypmii.onion/index.php?topic=161802.msg1151537#msg1151537
A very helpful member, astor, has confirmed the following:
That is confirmed malware. I just spoke to someone who visited that site, actually ran the Java, and now multiple anti-virus programs detect malware on his computer where there was none before.
Now to determine whether it's LE or some random asshole who wants to install keyloggers to steal account credentials, or possibly enumerate the IP addresses of vendors and blackmail them.
EDIT: astor has just given us the following update:
This is the exact malware on that site. It's a Trojan downloader:
https://www.virustotal.com/en/file/35970e91c4d3364f8b05f5b40d892224084c7fc207af4db8165ebf6ca9bd5357/analysis/
The checksums on the Client.jar file are the same.
AVG has also detected rootkits in my VM.
On Windows XP, the files ntoskrnl.exe and hal.dll get infected.
Again, please do NOT visit the site linked in the message, nor follow any instructions in it. We recommend that you delete it immediately should you receive it.
- The Moderators -
*** This [WARNING] sticky is temporary - please do not be alarmed if it is removed in the coming days. ***
-
Thanks for the heads up gandalf :)
I've posted a suggestion to combat these problems in the feature request area, I feel this is now getting out of hand and SilkRoad must take a more aggressive approach to counteract these asshats.
-
i hope Simonclark81 gets a hot turd rammed down his throat. someone should DDoS that site too.
-
Yea, I got hit by this garbage.
Its taken me all fucking day to be confident enough that its off my computer for good. What a fucking NIGHTMARE!
No one to blame bu myself though.
-
Yeah, I wanted to check back in on you, DB718 -- was astor able to help you get things sorted?
-
Thanks scout, astor and I spoke. He gave me some safety tips, and got me started in the right direction, but ultimately i just spent the past how ever man hours its been, learning how to manually find and remove malware through registry edit. With the help of like 4 different anti malware programs, i was able to dispose of the bugs for good.
A total fucking nightmare. On the bright side, ive learned more about computers and viruses in the past 5 hours than some will learn in a lifetime, lol.
My only concerns are whether or not there was actually a key logger, as one of the bugs was called dclog or something like that, secondly if my IP was possibly compromised.
-
Perhaps if anyone knows how to tell whether or not you have been infected by the malware, they could let people know on here? My anti-virus picked it up and stopped the java applet from running at all, though I still have a certain level of paranoia about me and now I don't want to log in or out of anything, just to be safe! My computer knowledge is basic at best, so anyone who can point to potential signs of infection would help in reassuring me, and I'm sure many others!
In the meantime, safety precautions must be taken! Time to move my wares and leave the country!
-
wow id love to be able to contribute to something like this. Hell id even Dos this guy off I could. Unfortunately I still feel like a super sleuth computer genius when I start orbot of my phone. Sometimes I even make noises
-
What bastards. Can someone explain to this computer berk how our ip's could be com promised if we're using TOR, java apps or flash or anything won't run either, the TOR bundle has nothing installed for playing videos or stuff like that. (Sorry for all my highly technical computer jargon!)
-
If this devil is trying to get IP address's and blackmail please do what I've done ok not only have I got SR changing IP codes for me but I've also bought an app in which I can change my computers IP myself so one day my real IP is in oz the next ussr the next south americe etc etc or if I feel really at risk I can set it automatically to change my IP every 6 seconds or less so if any vendors do read this please do the same ok I'm not gonna give any details of what who when n what but it's easy to find buy and install and some are even free ok best to be safe than sorry and I'm not even a vendor anyway hope this helps anyone and everyone out ok peace out cheers, phoboss.
-
I'm thinking a guaranteed removal of this thing for anyone who clicked it would be to run Darik's Boot and Nuke?
-
I'm loving your avatar, Talk to Frank. Is it your creation? I haven't seen it before, quite ingenious play on the anti drugs ad campaign
-
I'm loving your avatar, Talk to Frank. Is it your creation? I haven't seen it before, quite ingenious play on the anti drugs ad campaign
Thanks haha! Unfortunately I'm not creative enough to make it myself though!
-
Perhaps if anyone knows how to tell whether or not you have been infected by the malware, they could let people know on here?
I found the rootkits with the free version of AVG. dirtybiscuitz found it with Malware Bytes and some others that I forgot, but those two definitely work.
The Trojan itself can be detected with any of the AV programs listed on that web site that give it a specific name. Oddly, the ones with just a green check mark don't detect it.
-
Thank you for the warning! 8)
If you have been infected...I am no expert myself but it might be a good idea to reinstall the whole operating system. I would be afraid that something was left behind which was not detected.
-
Not sure if this will ease minds, but if you are stuck on a static IP address change it your self on a regular basis.
Type "cmd" in the search box.
The entry for the Command Prompt should now be visible. Left-click on it to open it up.
Type ipconfig /release in the command window and press Enter.
Once the IP has been released, a new one can be obtained.
Type ipconfig /release in the command window and press Enter.
Childs Play : )..
p.s. make thats a SPACE between the forward slash, IE
ipconfig(space)/renew
forgot to add:
if your on a fast BB fiber connection, this process should be instant almost, if your still on 56k modem i would make camp for the night........
-
What do these scammers hope for if they send out the same message to all vendors? That a few will be suckered in before everyone gets the wise? They must not think vendors communicate together in the forums. I'm getting really sick of these chancers, and I'm just a buyer
-
a deep scan with uniblue spy eraser found nothing... still concerned.
-
Just treat every message in SR as potential scam haha
-
For any one concerned, the anti bots i used where as follows..Malwarebytes, aswMBR, spybot search & destroy, rkill, tdsskiller and lastly junkware removal tool.
Most of the time the scans produced nothing, then after a restart some where back, or just one or two.
In order to successfully remove all threats the rootkits have to be removed.
-
AaronTurner71 is pulling the same shit.
-
So, can this infect Linux distros?
-
Subbing.
-
So, can this infect Linux distros?
Theoretically. That's the beauty of java ;)
If somebody could pm the link I or someone better qualified (e.g. almost everybody) could run some rudimentary analysis on it.
-
Thread un-stickied.
Libertas