forger Posted May 28, 2006
Well.. another lamer has chosen the bad way. I'm in an irc-security mailing list and saw a message about an autoit bot. Maybe someone already contacted an admin, or jon himself, so I guess this post would be deleted/closed if that's the case.

> The botmaster was JohnWayne [asd@d006150.adsl.hansenet.de] JohnWayne
>
> The majority of the bots were connecting from Taiwan and Hong Kong IPs
> with a few from Poland, Malaysia and the US as well.

I've uploaded the executable files so you can decode them if possible and give me some more info about how they work or who to contact in order to stop them, since I'm not an expert.

The following zipped file contains malware executables. DO NOT RUN IF YOU DON'T KNOW WHAT YOU'RE DOING.

www.se ndspa ce.com/file /m8m rrc (remove the spaces.)

Password: pm me (I will only give it to trustworthy persons, the rest will not receive a reply.)
The upload will be killed once this is confirmed to be resolved.
w0uter Posted May 28, 2006 (edited)
it uses my ftp.au3 cool

1.exe
-- removed source --

Edited June 12, 2006 by JdeB

My UDF's:
;mem stuff _Mem
;ftp stuff _FTP ( OLD )
;inet stuff _INetGetSource ( OLD ) _INetGetImage _INetBrowse ( Collection ) _EncodeUrl _NetStat _Google
;random stuff _iPixelSearch _DiceRoll
Coffee Posted May 28, 2006 (edited)
haha finally credit is given where it is due. Too bad it gains the wrong kind of attention for the UDF authors.

These things happen all the time. Browsed through a certain little "hacker" mag the other day at the bookstore while the wife checked out her crafting mags. Saw lots of examples of autoit code in there. Either Autoit is getting more popular, or the quality of hackers has gone down the tubes. (prolly both)

Unless it is something to become newsworthy, I don't think we can attack every mal script we find. I am also happy as Autoit was created to be simple to understand, quick to learn, and productive without the time consumption. These examples only prove that that vision was a success.

Edited May 28, 2006 by Coffee
forger Posted June 12, 2006 (Author, edited)
I'm sorry to bring this up again, v1 is resolved, but v2 and v3 are still pending and crawling in the servers. I'd be grateful if someone decode the source for 2 and 3.

I've reuploaded the sources: -removed ... have the source -

Again I warn: don't download it if you don't know what you're doing. Thanks!

Edited June 12, 2006 by JdeB
Nomad Posted June 12, 2006
I noticed that this program does all of the things that 314 has requested info on and has discussed... disabling the firewall, enabling a hidden keylogger, sending information using the command line. Makes me wonder.

I think this code should be deleted.

Nomad
forger Posted June 12, 2006 (Author)
I agree on that, but can someone at least pm me with the decoded source? It's not one server, not one channel and not one bot. I found a server that had around 300-400 bots so I want to put an end to this, hence I need the source :\
Jos (Developers) Posted June 12, 2006 (edited)
> I noticed that this program does all of the things that 314 has requested info on and has discussed...

No need to accuse anybody till you are sure... The code contains:

; <AUT2EXE INCLUDE-START: C:\Dokumente und Einstellungen\fearlumsk\Desktop\Bot\Bot\CLIENT.au3>

and somebody used that Nick on this forum as well ... so maybe its somebody different. The user data path also tell you its somebody with a German WinOS ...

Edited June 12, 2006 by JdeB

SciTE4AutoIt3 Full installer Download page - Beta files | Read before posting | How to post scriptsource | Forum etiquette | Forum Rules
Live for the present, Dream of the future, Learn from the past.
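Jos's attribution rests on the `; <AUT2EXE INCLUDE-START: ...>` marker that Aut2Exe leaves in the compiled script, which records the build machine's path to every included file. The following triage helper, added here as an example and not code from this thread or from AutoIt, pulls those markers out of a decompiled script and reports the file name, include depth, and the username and Windows-profile language the path implies; the sample script text, the `ftp.au3` path under Program Files and the small `PROFILE_ROOTS` lookup table are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Marker lines Aut2Exe emits around each #include'd file, as quoted in the thread:
#   ; <AUT2EXE INCLUDE-START: C:\path\to\file.au3>
#   ; <AUT2EXE INCLUDE-END: C:\path\to\file.au3>
MARKER_RE = re.compile(r";\s*<AUT2EXE INCLUDE-(START|END):\s*(.+?)>\s*$")

# Localised Windows profile root folders -> language tag (assumed, non-exhaustive table).
PROFILE_ROOTS: Dict[str, Optional[str]] = {
    "dokumente und einstellungen": "de",   # German XP/2000
    "documents and settings": "en",        # English XP/2000
    "users": None,                         # Vista and later, language not implied
}

def parse_markers(text: str) -> List[Dict[str, object]]:
    """Return one record per INCLUDE-START marker with path, file, depth, user, locale."""
    records: List[Dict[str, object]] = []
    depth = 0                      # nesting level of #include directives
    for line in text.splitlines():
        m = MARKER_RE.match(line.strip())
        if not m:
            continue
        if m.group(1) == "END":
            depth = max(depth - 1, 0)
            continue
        path = m.group(2)
        parts = path.split("\\")
        rec: Dict[str, object] = {"path": path, "file": parts[-1], "depth": depth,
                                  "user": None, "locale": None}
        # The folder right after a profile root is the account the script was built under.
        for i, part in enumerate(parts[:-1]):
            if part.lower() in PROFILE_ROOTS and i + 1 < len(parts) - 1:
                rec["user"] = parts[i + 1]
                rec["locale"] = PROFILE_ROOTS[part.lower()]
                break
        records.append(rec)
        depth += 1
    return records

# Constructed sample of a decompiled script; the first path is the one quoted in the thread.
SAMPLE = r"""; <AUT2EXE INCLUDE-START: C:\Dokumente und Einstellungen\fearlumsk\Desktop\Bot\Bot\CLIENT.au3>
; <AUT2EXE INCLUDE-START: C:\Program Files\AutoIt3\Include\ftp.au3>
Func _FTPOpen($s_Agent)
EndFunc
; <AUT2EXE INCLUDE-END: C:\Program Files\AutoIt3\Include\ftp.au3>
; <AUT2EXE INCLUDE-END: C:\Dokumente und Einstellungen\fearlumsk\Desktop\Bot\Bot\CLIENT.au3>
"""

if __name__ == "__main__":
    for r in parse_markers(SAMPLE):
        print(f"{'  ' * r['depth']}{r['file']}  user={r['user']} locale={r['locale']}")
```

Only the outermost markers point at the author's own profile; library includes such as `ftp.au3` resolve to the AutoIt install directory and carry no user name.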
Nomad Posted June 12, 2006
> No need to accuse anybody till you are sure... The code contains:
>
> ; <AUT2EXE INCLUDE-START: C:\Dokumente und Einstellungen\fearlumsk\Desktop\Bot\Bot\CLIENT.au3>
>
> and somebody used that Nick on this forum as well ... so maybe its somebody different. The user data path also tell you its somebody with a German WinOS ...

I was not implying that he wrote this script, I was implying that he probably has similar intentions. This topic was posted a week before 314 even started asking questions about this stuff.
slightly_abnormal Posted June 12, 2006
http://www.google.com/search?q=fearlumsk

forger, can you pm the sourcecodes i'm curious what the others do...
Jos (Developers) Posted June 12, 2006
> http://www.google.com/search?q=fearlumsk
>
> forger, can you pm the sourcecodes i'm curious what the others do...

I removed the link and put in the text. No need to distribute the source to more than necessary ...
forger Posted June 13, 2006 (Author)
@slightly_abnormal: Sorry, but JdeB is right :\ I killed the link anyway, thanks for the response