Silk Road forums

Discussion => Security => Topic started by: frogman on September 15, 2012, 06:59 am

Title: I got infected with Dorkbot.A trojan after purchasing USB bootable from Uglysurf
Post by: frogman on September 15, 2012, 06:59 am
Has anyone else experienced this infection approximately 1 week after first plugging in the usb?

It is highly unlikely that I could have been infected in any other way as this trojan is spread via instant messaging or USB. And I DON'T INSTANT MESSAGE ON THIS COMPUTER!

THE USB WAS PURCHASED FROM UGLYSURFER!

Title: Re: I got infected with Dorkbot.A trojan after purchasing USB bootable from Uglysurf
Post by: BigEasy on September 15, 2012, 03:43 pm
Has anyone else experienced this infection approximately 1 week after first plugging in the usb?

It is highly unlikely that I could have been infected in any other way as this trojan is spread via instant messaging or USB. And I DON'T INSTANT MESSAGE ON THIS COMPUTER!

THE USB WAS PURCHASED FROM UGLYSURFER!

While I don't doubt you have an infection, have you scanned the USB key, and did it show the actual infection was on the USB key? Might it have been from something you downloaded while using the USB key? What anti-virus are you using?

This aside, software from possibly dubious sources should NOT BE TRUSTED!!


Please read KMF's very informative post:

The ugly truth about security software New
http://dkn255hz262ypmii.onion/index.php?topic=41662.0
Title: Re: I got infected with Dorkbot.A trojan after purchasing USB bootable from Uglysurf
Post by: maxkoda on September 20, 2012, 03:40 am
I'm sure that you did NOT obtain this from the Darknet Bootable USB. I have one (from uglysurfer) and I also have a copy of his OpenVAS-5 vulnerability assessment system. I keep up on Ubuntu security and regularly scan my systems (including the Darknet Bootable USB) with the OpenVAS 5 software.

I think you need to gather facts before you start casting wild accusations that harm (a very excellent vendor's) reputation. Based on what little fact you have stated my guess is that your Windows system is the problem, not the Darknet Bootable USB.

This infection is also spread by social networks (see Technical Information below).

The Darknet Bootable USB boots Ubuntu Linux and your Windows system is not active when it loads. I doubt seriously that the dorkbot jumped operating systems and hard drive devices to deposit the worm on your Windows OS!

The Darknet bootable USB drive is partitioned and formatted with Linux file systems.

Here is the technical detail of how your Dorkbot trojan spreads. After reading I suggest you retract your statements blaming uglysurfer. You need to get your facts straight before you blame someone for stealing!

Technical Information (Analysis)

Win32/Dorkbot is a family of IRC-based worms that spreads via removable drives, instant messaging programs, and social networks. Variants of Win32/Dorkbot may capture user names and passwords by monitoring network communication, and may block websites that are related to security updates. It may also launch a limited denial of service (DoS) attack.

Installation

Commonly, Win32/Dorkbot variants may arrive as a link in an instant message or social network message; the link points to a copy of the worm that can be downloaded and executed on the affected user's computer. The worm may be present as the following:

facebook-profile-pic- <random number>-JPEG.exe
facebook-pic00 <random number>.exe

When executed, variants of Win32/Dorkbot may copy themselves to the %AppData% folder using a randomly generated six-letter file name, which is based on the HDD serial number, by calling the GetVolumeInformation() API (for example, "ozkqke.exe").

The worm modifies the following registry entry to ensure that its copy executes at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<randomly generated six letter string>"
With data: "%AppData%\<randomly generated six letter string>.exe"

For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ozkqke"
With data: "%AppData%\ozkqke.exe"

Note: %AppData% refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the %AppData% folder for Windows 2000, NT and XP is C:\Documents and Settings\<user>\Application Data; and for Vista and Windows 7 is C:\Users\<user>\AppData\Roaming.

Spreads via…

Removable drives

Win32/Dorkbot may create a folder named “RECYCLER” in all the accessible USB drives, and register it as a Recycle Bin folder. The worm registers a device notification so that it is notified whenever a USB device is plugged into the affected computer. It then copies itself to the USB device, using a variable file name, and creates an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.

Instant messaging/Internet relay chat

Using backdoor functionality (see payload section below), the worm can be ordered by a remote attacker to spread via instant messaging platforms such as Windows Live Messenger, Pidgin chat, Xchat and mIRC. It sends messages to all of the affected user's contacts. The messages sent, and the frequency at which the messages are sent are configured by the remote attacker.

Social networks

Win32/Dorkbot variants can be ordered to spread via social network services such as Facebook, Twitter, Bebo, and Vkontakte (a Russian social network). Similar to instant messaging spreading, the worm will hijack the sent message and replace it with its own message that contains the link to the worm’s copy. The number of messages sent before the worm will inject its own message with a malicious link is also configured by the remote attacker.

Payload

Allows backdoor access and control

Variants of Win32/Dorkbot may connect to an IRC server, join a channel and wait for commands. In the wild, we have observed the worm utilizing IRC servers on the following domains for this purpose:

shuwhyyu.com
lovealiy.com
syegyege.com
av.shannen.cc

Using this backdoor, a remote attacker can perform a number of different actions on an affected computer. As well as being able to spread via instant messaging applications (detailed in the Spreads via... section), the worm can also be ordered to perform the following actions:

Obtain computer information
Protect itself

The worm uses a user-mode rootkit to prevent the affected user from viewing or tampering with its files. This is done by hooking the following functions for all processes inside which it is injected:

NtQueryDirectoryFile
NtEnumerateValueKey
CopyFileA/W
DeleteFileA/W

Injects code

When executed, the worm injects code into "explorer.exe", as well as to many other running processes on the affected computer. Note that the number of processes it is capable of injecting into is dependent on whether it has been run with administrator privileges.

Contacts remote host

Win32/Dorkbot generates an IRC 'nickname' by connecting to api.wipmania, combining the country code, operating system version, user-type and a random string, using the following format:

n{<country code>|<OS version><user type>}<random string>

where:

Operating system version could be any of the following: XP, 2K3, VIS, 2K8, W7, ERR (Error)
Country code is a two digit country code (for example US - USA, RU - Russia, etc)
User-type is either 'a' (administrator) or 'u' (user)
Example 'nickname': n{US|XPa}xkfnalw

Using the generated 'nickname' and the IRC server information from its internal configuration, it connects to the IRC server to retrieve further data or infection parameters such as download link, Windows Live Messenger message, and domain lists among other information.

The worm can accept commands from the attacker to perform one or more of the following:

Download a file from specified URL and execute it on the affected computer
Update its main executable from specified URL and wait until next restart to execute (or, if specified in the command, to restart immediately)
Collect log on information and passwords from form grabbing, FTP, POP3, Internet Explorer and Firefox cached log on details
Block or redirect certain domains and websites
Show infection statistics
Launch and stop denial of service (SYN and UDP flood) attacks
Spread via USB, instant messaging, and social networks
Change Windows Live Messenger and HTTP spreading message
Report back information about the bot

If logging is enabled by the attacker, every command executed is logged and sent to the IRC server and displayed in the IRC channel where the bot is connected.

Hooks APIs

Win32/Dorkbot hooks several APIs for various purposes, such as hiding its components (like registry entries and dropped file and process names), spreading and sniffing usernames and passwords. Some examples that we have observed Win32/Dorkbot hooking in the wild are:

CopyFileA/W
CreateFileA/W
DeleteFileA/W
DnsQuery_A/W
GetAddrInfoW
HttpSendRequestA/W
InternetWriteFile
LdrLoadDll
MoveFileA/W
NtEnumerateValueKey
NtQueryDirectoryFile
NtResumeThread
PR_Write
RegCreateKeyExA/W
send
URLDownloadToFileA/W

Deletes files

Win32/Dorkbot contains instructions to delete downloaded and executed files after reboot. It needs this feature to be turned on by the attacker. After installation, the worm deletes its initial dropper executable.

Removes arbitrary files

The worm uses “behavior monitoring” to identify and delete files that appear to communicate via Internet Relay Chat (IRC) or exhibit worm behavior such as spreading via removable drives or USB media.

Modifies files

The worm can be instructed to overwrite the following files in order to hinder malware diagnosis and removal:

regsvr32.exe
cmd.exe
rundll32.exe
regedit.exe
verclsid.exe
ipconfig.exe

Steals sensitive information

Win32/Dorkbot is capable of intercepting Internet browser communications with various websites, and obtaining sensitive information. This is done by hooking various APIs within Firefox and Internet Explorer. The worm can also target FTP credentials.

Win32/Dorkbot variants target the following websites from which to steal usernames and passwords:

4shared
AOL
Alertpay
Bcointernacional
BigString
Brazzers
Depositfiles
DynDNS
Facebook
Fastmail
Fileserve
Filesonic
Freakshare
GMX
Gmail
Godaddy
Hackforums
Hotfile
IKnowThatGirl
Letitbit
LogMeIn
Mediafire
Megaupload
Moneybookers
Moniker
Namecheap
Netflix
Netload
NoIP
OfficeBanking
Oron
PayPal
Runescape
Sendspace
Sms4file
Speedyshare
Steam
Thepiratebay
Torrentleech
Twitter
Uploaded
Uploading
Vip-file
Whatcd
Yahoo
YouPorn
YouTube
eBay

Infects websites

The worm may be ordered to log into a remote FTP server and infect various HTML files by adding an IFrame. This action may facilitate the worm's spreading function.

Blocks access to security websites

Variants of the worm may be ordered to block user access to sites with the following strings in their domain:

avast
avg
avira
bitdefender
bullguard
clamav
comodo
emsisoft
eset
fortinet
f-secure
garyshood
gdatasoftware
heck.tc
iseclab
jotti
kaspersky
lavasoft
malwarebytes
mcafee
onecare.live
norman
norton
novirusthank
onlinemalwarescanner
pandasecurity
precisesecurity
sophos
sunbeltsoftware
symante
threatexpert
trendmicro
virscan
virus
virusbuster.nprotect
viruschief
virustotal
webroot

The worm may also download additional or updated domain lists from a remote website.

Additional information

On execution, it performs a self-integrity check. If it fails, it shows the message box below and attempts to corrupt the hard drive by writing garbage data to the hard drive.



It also creates a mutex to avoid multiple instances of itself, and marks its presence. Most variants use "hex-Mutex", but others have been observed using random mutexes such as "t2f-Mutex" and "f4448e25-Mutex".

maxkoda


Has anyone else experienced this infection approximately 1 week after first plugging in the usb?

It is highly unlikely that I could have been infected in any other way as this trojan is spread via instant messaging or USB. And I DON'T INSTANT MESSAGE ON THIS COMPUTER!

THE USB WAS PURCHASED FROM UGLYSURFER!
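The analysis quoted in the post above lists three host- and network-observable artefacts that a defender can check for without any vendor tooling: the Run-key persistence entry (a six-letter value name whose data is %AppData%\<same name>.exe), an autorun.inf on a removable drive that launches an executable (with a RECYCLER folder alongside), and the IRC nickname format n{<country code>|<OS version><user type>}<random string>. The script below is an added example written for this thread, not code from the original post or from any vendor; it turns those three descriptions into triage checks and runs them over constructed sample data (a made-up Run key, a made-up USB listing and a made-up IRC log). Only "ozkqke" and "n{US|XPa}xkfnalw" are taken from the quoted analysis; every other name and path is invented for the demonstration.

```python
"""Triage checks derived from the Win32/Dorkbot description quoted above.

Added example; all sample data below is constructed. Real registry exports,
drive listings and IRC captures would be fed in the same shapes.
"""
import re
from typing import Dict, List, Optional

# --- 1. Persistence: HKCU\...\Run value <6 lowercase letters> -> %AppData%\<same>.exe
RUN_VALUE_RE = re.compile(r"^[a-z]{6}$")
RUN_DATA_RE = re.compile(r"^%AppData%\\([a-z]{6})\.exe$", re.IGNORECASE)


def suspicious_run_entries(run_key: Dict[str, str]) -> List[str]:
    """Return Run-key value names whose name and target file share the same
    random six-letter string, the pattern the quoted analysis describes."""
    hits = []
    for name, data in run_key.items():
        m = RUN_DATA_RE.match(data)
        if RUN_VALUE_RE.match(name) and m and m.group(1).lower() == name:
            hits.append(name)
    return hits


# --- 2. Removable drive: autorun.inf launching an executable under RECYCLER
AUTORUN_TARGET_RE = re.compile(
    r"^\s*(open|shellexecute)\s*=\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE
)


def autorun_targets(autorun_inf: str) -> List[str]:
    """Extract the open=/shellexecute= targets from autorun.inf text."""
    return [m.group(2) for m in AUTORUN_TARGET_RE.finditer(autorun_inf)]


def autorun_into_recycler(drive_files: Dict[str, str]) -> List[str]:
    """Given a {relative path: contents} listing of a removable drive, return
    autorun.inf targets that are executables inside a RECYCLER folder."""
    inf = drive_files.get("autorun.inf")
    if inf is None:
        return []
    flagged = []
    for target in autorun_targets(inf):
        norm = target.replace("/", "\\").lstrip("\\").lower()
        if norm.startswith("recycler\\") and norm.endswith(".exe"):
            flagged.append(target)
    return flagged


# --- 3. Network: the n{CC|OSu}random nickname format from the quoted analysis
NICK_RE = re.compile(
    r"^n\{(?P<cc>[A-Z]{2})\|(?P<os>XP|2K3|VIS|2K8|W7|ERR)(?P<ut>[au])\}(?P<rnd>\w+)$"
)


def parse_dorkbot_nick(nick: str) -> Optional[dict]:
    """Decode a nickname of the documented form, or return None if it does not fit."""
    m = NICK_RE.match(nick)
    if not m:
        return None
    return {
        "country": m.group("cc"),
        "os": m.group("os"),
        "admin": m.group("ut") == "a",  # 'a' = run as administrator, 'u' = user
        "suffix": m.group("rnd"),
    }


def nicks_from_irc_log(lines: List[str]) -> List[dict]:
    """Scan client-to-server IRC lines for NICK registrations in that format."""
    found = []
    for line in lines:
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0].upper() == "NICK":
            info = parse_dorkbot_nick(parts[1])
            if info:
                found.append(info)
    return found


# --- Constructed sample inputs (not real captures) ---
SAMPLE_RUN_KEY = {
    "Updater": r"%AppData%\Updater.exe",          # benign-looking, 7 letters: not flagged
    "ozkqke": r"%AppData%\ozkqke.exe",            # name from the quoted analysis
    "Sidebar": r"C:\Program Files\Windows Sidebar\sidebar.exe",
}
SAMPLE_DRIVE = {
    "autorun.inf": "[autorun]\nopen=RECYCLER\\kzpdrq.exe\nicon=%SystemRoot%\\system32\\SHELL32.dll,4\n",
    "RECYCLER/kzpdrq.exe": "<binary>",
    "photos/holiday.jpg": "<binary>",
}
SAMPLE_IRC_LOG = [
    "NICK alice",
    "USER alice 0 * :Alice",
    "NICK n{US|XPa}xkfnalw",                       # example nickname from the quoted analysis
    "JOIN #constructed",
]

if __name__ == "__main__":
    print("Run-key hits:", suspicious_run_entries(SAMPLE_RUN_KEY))
    print("autorun.inf -> RECYCLER:", autorun_into_recycler(SAMPLE_DRIVE))
    print("Dorkbot-style nicks:", nicks_from_irc_log(SAMPLE_IRC_LOG))
```

Fed a real HKCU Run export, a listing of the stick in question and a packet capture of the IRC session, the same three functions would tell the original poster whether the indicators are on the Windows host, on the drive, or on the wire, which is the evidence the replies below ask for.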
Title: Re: I got infected with Dorkbot.A trojan after purchasing USB bootable from Uglysurf
Post by: InkIndulgence on September 20, 2012, 03:41 am
^ ^ ^ Holy crap.
Title: Re: I got infected with Dorkbot.A trojan after purchasing USB bootable from Uglysurf
Post by: BigEasy on September 20, 2012, 04:20 pm
I'm sure that you did NOT obtain this from the Darknet Bootable USB. I have one (from uglysurfer) and I also have a copy of his OpenVAS-5 vulnerability assessment system. I keep up on Ubuntu security and regularly scan my systems (including the Darknet Bootable USB) with the OpenVAS 5 software.

This aside doesn't negate the fact that the virus _might_ have been in the USB key; it quite likely may not have been, also. Proving that would only be able to be done with a USB key straight from the vendor and not plugged in to anyone's computer yet.

OpenVAS does nothing to scan for viruses; it scans for vulnerabilities.


I think you need to gather facts before you start casting wild accusations that harm (a very excellent vendor's) reputation. Based on what little fact you have stated my guess is that your Windows system is the problem, not the Darknet Bootable USB.

yes, i agree quite likely.


The Darknet bootable USB drive is partitioned and formatted with Linux file systems.

Viruses _can_ infect Windows systems from Linux-formatted file systems.


Win32/Dorkbot is a family of IRC-based worms that spreads via removable drives,

Ahhh yes, as I was saying, it could have been plugged into any infected Windows system and been infected, and then passed along the infection.
Title: Re: I got infected with Dorkbot.A trojan after purchasing USB bootable from Uglysurf
Post by: pine on September 20, 2012, 10:32 pm
Anybody who uses software or hardware from an illegal drug website, actually let me repeat that: An Illegal Drug Website, no, let me repeat that again because I don't think you can quite hear me: AN ILLEGAL DRUG WEBSITE, deserves what is coming to them.

I am forlornly hoping that this thread is a bad dream and when I wake up it'll all be gone. Hopefully these posters are just rather enterprising trolls. Seriously, until this thread, I didn't even believe people were buying into this "Secret VM for total uber security on the darknet" bullshit.

You cannot outsource your security. Or you can, but in just the same sense as you can outsource your asshole. If you want a bootable OS that connects to the darknet then buy a flash drive, put a copy of Tails or Liberte on it, and then you're good to go. This is not complicated, honestly, it's actually cheaper and easier than what you've just gone and done.

Jesus, now I need a drink.
Title: Re: I got infected with Dorkbot.A trojan after purchasing USB bootable from Uglysurf
Post by: pine on September 20, 2012, 10:35 pm
^ ^ ^ Holy crap.

I'm pretty sure he just copy pasted that off the net.
Title: Re: I got infected with Dorkbot.A trojan after purchasing USB bootable from Uglysurf
Post by: BigEasy on September 21, 2012, 01:04 am
Anybody who uses software or hardware from an illegal drug website, actually let me repeat that: An Illegal Drug Website, no, let me repeat that again because I don't think you can quite hear me: AN ILLEGAL DRUG WEBSITE, deserves what is coming to them.


ha yes I know, but some people think they can buy anything....

Jesus, now I need a drink.

I'll pour one for you ;)

Title: Re: I got infected with Dorkbot.A trojan after purchasing USB bootable from Uglysurf
Post by: Shannon on September 21, 2012, 02:49 am
some stuff

+1 please make your own systems, if you don't know how use something aimed at everybody (like liberte), not something aimed only at drug vendors and customers