Pirated software and its consequences: an analysis of the oldest and simplest viral foothold on the Internet
<blockquote data-quote="Ghosthunter" data-source="post: 500" data-attributes="member: 6">
<p>For dynamic analysis, we already have the following setup of utilities (all of them are publicly available):</p>
<ol>
<li data-xf-list-type="ol">ProcessHacker: simple and tasteful; we'll watch how the virus interacts with other .dll files and the system.</li>
<li data-xf-list-type="ol">TCPView is a utility that tracks outgoing TCP connections.</li>
<li data-xf-list-type="ol">Regshot is a very simple open source application that allows you to view changes in the registry after running the malware.</li>
</ol>
<p>The first step is to take a snapshot of our Windows registry so that you can clearly see the changes after running the malware.</p>
<p>Immediately after starting, the process communicates with the remote server whose IP address we decrypted at the very beginning:</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/916/723/65a/91672365aa98b496310f5951024eccbb.png" alt="91672365aa98b496310f5951024eccbb.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>Then this process shuts down, and any attempts to establish communication with remote servers stop for a while. But by going to Process Hacker, you can see the following picture:</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/16a/3fc/61c/16a3fc61c4375dca45d611bdf4660e6f.png" alt="16a3fc61c4375dca45d611bdf4660e6f.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>As you can see, the CPU usage has reached almost 100%. This lasted for about a minute, after which the "System" processes began to appear, waiting to connect, and some of them connected to various remote servers. This was the stage of downloading additional libraries for data theft:</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/8fa/3b1/676/8fa3b167623bf89ec855f1d8bc4e0598.png" alt="8fa3b167623bf89ec855f1d8bc4e0598.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>And finally, let's look at the changes in the Windows registry:</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/82a/a4e/2a2/82aa4e2a21c686dbb9000ab4639c1147.png" alt="82aa4e2a21c686dbb9000ab4639c1147.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<h4>How dangerous are cracked apps really?</h4>
<p>So, I really began to wonder how many pieces of malware you can get on your device just by downloading "hacked" applications.</p>
<p>Naturally, my task as an author is to warn you. Don't repeat these actions on your devices.</p>
<p>Let's get started. At the beginning, I gave an example where someone wanted to get a licensed antivirus for free by downloading its crack. What is the probability that there is a virus in the antivirus software?</p>
<p>We enter "download antivirus crack", and the first option in the search results is "ESET NOD32 Crack", which we download. Naturally, VirusTotal shows 56 out of 56 detections, but let's see this from our own experience.</p>
<p>After installing our antivirus software on the VM, let's see if a potentially dangerous file connects to an external source.</p>
<p>And yes, it does:</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/cc6/3e3/aa0/cc63e3aa0d747be244877bdf4a3f6990.png" alt="cc63e3aa0d747be244877bdf4a3f6990.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>Then it establishes a connection via Tor, after which some kind of bacchanal starts. Various shortcuts appear on the VM, such as "VK", "Amigo Browser", and so on.</p>
<p>The natural outcome is a blue screen of death. By the way, it would be interesting to conduct a full analysis of this malware. A virus in the antivirus: it sounds interesting.</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/ed6/d45/78d/ed6d4578d03801b489ac5b477ca2c548.png" alt="ed6d4578d03801b489ac5b477ca2c548.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/d87/23a/774/d8723a774ac5b0188e061767744ba3bc.png" alt="d8723a774ac5b0188e061767744ba3bc.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>Further tests were also disappointing; the results are as follows:</p>
<p>9 out of 10 cracks are viruses. Pirated antiviruses: all of them.</p>
<h4>Conclusions</h4>
<p>Today, we conducted a brief static and dynamic analysis of malware distributed mainly through pirated sites. Of course, it has a huge potential, and in the future it can become an even greater threat to the world community.</p>
<p>Absolutely all versions of Windows are susceptible to attack using Raccoon Stealer. But at the moment, it is easily detected by most antivirus applications. Removing this threat from your PC also does not pose any special problems; the same ESET copes with a bang.</p>
<p>There can only be one conclusion from this story — don't download apps from various unverified sources. Moreover, do not use cracks.</p>
<p>And that's it for me. Be there.</p>
<p>Greetings, this article is a logical continuation of the analysis of the oldest viral springboard on the Internet. In a previous post, we reviewed in detail one of the latest threats detected — Raccoon Stealer. But for a detailed analysis of its counterpart, the Vidar stealer, there was simply not enough space, so it will be described in this article.</p>
<p>Not so long ago, a French company specializing in cybersecurity reported that since the beginning of 2020, two malware families — Raccoon and Vidar — have been distributed using a whole network of fake sites and fake domains.</p>
<p>All these attacks were aimed at short-sighted users who use cracked applications. In the last article, a small study was conducted, during which it turned out that 9 out of 10 pirated applications contain a virus. In some cases, the destructive potential of these malware samples was determined to be critical, and after installing the coveted crack, your device would not only transmit confidential data to an attacker, but it could also fail.</p>
<p>It is also noteworthy that criminals used popular search engines to distribute malware, as well as the method of SEO poisoning, that is, poisoning the search results.</p>
<p>SEO poisoning (poisoning of search results) is the addition of words to compromised sites that contribute to the rise of these sites in the Google search results. This allows malicious sites to be visited by more potential victims. For example, when you search for "download Sony Vegas crack", it is highly likely that the first five results will contain malware.</p>
<h4>Infection routes: differences between Vidar and Raccoon Stealer</h4>
<p>Unlike Raccoon, Vidar has never been sold on closed forums and Telegram channels, and this virus is available only to a limited circle of people involved in its distribution. Also, Raccoon was focused mainly on the Russian-speaking segment, while Vidar is not limited to anything; it is able to operate all over the world. An example of this is an attempt to distribute it in North and South Korea through a regular mailing list, where the attacker pretended to be a trading commission.</p>
<p>The content of the email encourages victims to open an attached file disguised as an official request letter. If the victim starts a file from an attachment that mimics the document file icon, the device is infected with the Vidar stealer.</p>
<p><img src="https://habrastorage.org/r/w1560/getpro/habr/upload_files/4f8/eff/aa0/4f8effaa0146467f80a88f5ece1b5612.png" alt="4f8effaa0146467f80a88f5ece1b5612.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>Recently, the stealer has actively been disguised as an "activator" for the Windows operating system. This is so common because not everyone wants to buy a fairly expensive license, so a fairly large number of users resort to using illegal programs that give access to all OS functions for free.</p>
<p>Like Raccoon, this malware is not distributed using critical vulnerabilities or virus loaders <u>such as</u> TrueBot, so in order not to become another victim, it is enough just not to visit questionable sites and not to download suspicious attachments from emails to your device.</p>
<h4>Brief static analysis of the malware</h4>
<p>The malware is written in C++, started its activity in early October 2018, and has all the classic features of stealers:</p>
<ul>
<li data-xf-list-type="ul">Search for specific files</li>
<li data-xf-list-type="ul">ID theft from browser cookies</li>
<li data-xf-list-type="ul">Stealing your browser history (also from the <em>Tor browser</em>)</li>
<li data-xf-list-type="ul">Crypto wallet theft</li>
<li data-xf-list-type="ul"><em>Data theft from 2FA software</em></li>
<li data-xf-list-type="ul">Capture of messages from instant messengers</li>
<li data-xf-list-type="ul">Screenshots</li>
<li data-xf-list-type="ul">Loader settings</li>
<li data-xf-list-type="ul">Telegram notifications (server-side)</li>
<li data-xf-list-type="ul">Getting a full snapshot of all information about the victim computer</li>
</ul>
<p>So, for static analysis, we will use the following set of utilities; all of them are free and publicly available:</p>
<ol>
<li data-xf-list-type="ol">DIE (Detect It Easy): a multi-functional tool that has a huge arsenal. It will allow us to determine the malware's compiler type, language, libraries, and import/export tables, with subsequent disassembly.</li>
<li data-xf-list-type="ol">Ghidra — like the previous utility, it already shone <u>in my article.</u> An excellent and multifunctional tool for reverse engineering.</li>
<li data-xf-list-type="ol">IDA Pro is also a tool for reverse engineering. Initially, it was considered an additional tool, but in this article, as in the previous one, its role was almost the main one.</li>
<li data-xf-list-type="ol">Reko is a decompiler that is also familiar to us from previous articles.</li>
</ol>
<p>Well, let's get started. After getting a sample of the malware, the following picture opens up to our eyes:</p>
<ol>
<li data-xf-list-type="ol">A rather strange icon that vaguely resembles a notepad.</li>
<li data-xf-list-type="ol">The malicious file size is 193 KB, which is an order of magnitude larger than that of Raccoon.</li>
<li data-xf-list-type="ol">The specified version is 27.0.0.0, and that's the end of the information.</li>
</ol>
<p>We'll use DIE for more detailed information.</p>
</blockquote>
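<p>The Regshot step in the post (snapshot the registry, run the sample, compare) boils down to diffing two registry exports. The following added example, which is not part of Ghosthunter's post or of Regshot itself, parses two snapshots in Windows <code>.reg</code> export format and reports added, deleted and modified keys and values; the two snapshots, the <code>Updater</code> Run entry and the <code>ExampleStealerCfg</code> key are constructed sample data, not values observed in the analysed malware.</p>

```python
"""Regshot-style registry diff: parse two .reg exports (before/after) and report the changes."""
import re

# Constructed sample snapshots in .reg export format. The "Updater" Run entry and the
# ExampleStealerCfg key are made up for this example, not taken from the analysed sample.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\lab\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
'''

AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\lab\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"Updater"="C:\\Users\\lab\\AppData\\Roaming\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002

[HKEY_CURRENT_USER\Software\ExampleStealerCfg]
@="constructed-sample"
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')                  # [HKEY_...\Key] header
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')  # "name"=data or @=data (default value)

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from a .reg export.
    Multi-line hex(...) continuation lines are not joined; they are simply skipped."""
    snapshot, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            snapshot.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1).strip('"')
            snapshot[current][name] = m.group(2)
    return snapshot

def diff_snapshots(before, after):
    """Compare two parsed snapshots the way Regshot does: keys and values added/deleted/modified."""
    report = {"keys_added": [], "keys_deleted": [], "values_added": [],
              "values_deleted": [], "values_modified": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            report["keys_added"].append(key)
        elif key not in after:
            report["keys_deleted"].append(key)
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            path = f"{key}\\{name}"
            if name not in b:
                report["values_added"].append((path, a[name]))
            elif name not in a:
                report["values_deleted"].append((path, b[name]))
            elif b[name] != a[name]:
                report["values_modified"].append((path, b[name], a[name]))
    return report

if __name__ == "__main__":
    for kind, entries in diff_snapshots(parse_reg(BEFORE), parse_reg(AFTER)).items():
        for entry in entries:
            print(kind, *entry)
```

<p>A new value under a <code>Run</code> key or a freshly created key under <code>Software</code> in the "added" lists is exactly the kind of change the post's registry screenshot is meant to surface.</p>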