forger

Autoit used for malware reasons

14 posts in this topic

Well... another lamer has chosen the bad way. I'm on an IRC security mailing list and saw a message about an AutoIt bot. Maybe someone has already contacted an admin, or Jon himself, so I guess this post will be deleted/closed if that's the case.

> The botmaster was JohnWayne [asd@d006150.adsl.hansenet.de] JohnWayne
>
> The majority of the bots were connecting from Taiwan and Hong Kong IPs
> with a few from Poland, Malaysia and the US as well.

I've uploaded the executable files so you can decode them if possible and give me some more info about how they work, or who to contact in order to stop them, since I'm not an expert :)

The following zipped file contains malware executables. DO NOT RUN IF YOU DON'T KNOW WHAT YOU'RE DOING.

www.se ndspa ce.com/file /m8m rrc

remove the spaces.

Password: pm me (I will only give it to trustworthy persons, the rest will not receive a reply.)

The upload will be killed once this is confirmed to be resolved.


LOL.



much obliged :)


#5 ·  Posted (edited)

haha finally credit is given where it is due.

Too bad it gains the wrong kind of attention for the UDF authors.

These things happen all the time. Browsed through a certain little "hacker" mag the other day at the bookstore while the wife checked out her crafting mags. Saw lots of examples of AutoIt code in there. Either AutoIt is getting more popular, or the quality of hackers has gone down the tubes. (prolly both)

Unless it is something to become newsworthy, I don't think we can attack every mal script we find.

I am also happy, as AutoIt was created to be simple to understand, quick to learn, and productive without the time consumption. These examples only prove that that vision was a success.

Edited by Coffee


#6 ·  Posted (edited)

I'm sorry to bring this up again: v1 is resolved, but v2 and v3 are still pending and crawling on the servers.

I'd be grateful if someone could decode the source for 2 and 3. I've re-uploaded the sources:

-removed ... have the source -

Again I warn: don't download it if you don't know what you're doing.

Thanks!

Edited by JdeB


I noticed that this program does all of the things that 314 has requested info on and has discussed... disabling the firewall, enabling a hidden keylogger, sending information using the command line. Makes me wonder.

I think this code should be deleted.

Nomad :D



I agree on that, but can someone at least PM me the decoded source? It's not one server, not one channel and not one bot. I found a server that had around 300-400 bots, so I want to put an end to this, hence I need the source :\


#9 ·  Posted (edited)

> I noticed that this program does all of the things that 314 has requested info on and has discussed...

No need to accuse anybody till you are sure...

The code contains:

; <AUT2EXE INCLUDE-START: C:\Dokumente und Einstellungen\fearlumsk\Desktop\Bot\Bot\CLIENT.au3>

and somebody used that nick on this forum as well ... so maybe it's somebody different.

The user data path also tells you it's somebody with a German WinOS ...

Edited by JdeB

Visit the SciTE4AutoIt3 Download page for the latest versions        Beta files                                                          Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

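The attribution step JdeB does by eye above (read the compile-time path out of the `; <AUT2EXE INCLUDE-START: ...>` marker, note the account name and the localized profile root) can be automated when you have many decompiled samples. The following is an added example for this thread, not code from the original posts or from the AutoIt project: it pulls the INCLUDE-START markers out of decompiled source and derives the same hints (script name, Windows account name, OS-language clue from the profile root, and whether the file lived under a user profile or elsewhere). The sample input embeds the marker line quoted on this page; the second marker, the German "Programme" folder and the `PROFILE_ROOTS` table beyond the English and German entries are constructed assumptions, not something the thread reports.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Marker lines Aut2Exe leaves in compiled scripts. The START form appears verbatim
# on the page; the END form is handled so it is not mistaken for a second include.
MARKER_RE = re.compile(r"^;\s*<AUT2EXE\s+INCLUDE-(START|END):\s*(.+?)>\s*$", re.IGNORECASE)

# Localized names of the Windows profile root, lower-cased, mapped to the OS language
# they imply. "Dokumente und Einstellungen" is the German root seen on the page and
# "Documents and Settings" the English one. "Users" (Vista and later) is not localized,
# so it yields no language hint. Assumption: this table is illustrative, not exhaustive.
PROFILE_ROOTS = {
    "documents and settings": "English",
    "dokumente und einstellungen": "German",
    "users": None,
}


@dataclass
class IncludeHint:
    path: str                    # full compile-time path from the marker
    script: str                  # file name only, e.g. CLIENT.au3
    username: Optional[str]      # account name if the path is under a user profile
    os_language: Optional[str]   # language implied by the localized profile root
    under_user_profile: bool     # True for author-side files, False for library dirs


def extract_include_paths(source: str) -> List[str]:
    """Return the paths from INCLUDE-START markers, in order, without duplicates."""
    seen, paths = set(), []
    for line in source.splitlines():
        m = MARKER_RE.match(line.strip())
        if m and m.group(1).upper() == "START":
            path = m.group(2).strip()
            if path not in seen:
                seen.add(path)
                paths.append(path)
    return paths


def hint_from_path(path: str) -> IncludeHint:
    """Derive attribution hints from one compile-time path."""
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    script = parts[-1] if parts else path
    username = os_language = None
    under_profile = False
    # parts[0] is the drive ("C:"), parts[1] the profile root, parts[2] the account name.
    if len(parts) >= 3 and parts[1].lower() in PROFILE_ROOTS:
        under_profile = True
        username = parts[2]
        os_language = PROFILE_ROOTS[parts[1].lower()]
    return IncludeHint(path, script, username, os_language, under_profile)


def analyze(source: str) -> List[IncludeHint]:
    """Hints for every distinct include in a decompiled AutoIt source."""
    return [hint_from_path(p) for p in extract_include_paths(source)]


# Constructed sample: the first marker is the one quoted on the page; the rest is
# filler (placeholder server name, an assumed library include under a German
# "Programme" directory) so the script has something to run on offline.
SAMPLE = r"""
; <AUT2EXE INCLUDE-START: C:\Dokumente und Einstellungen\fearlumsk\Desktop\Bot\Bot\CLIENT.au3>
$server = "irc.example.invalid"
; <AUT2EXE INCLUDE-START: C:\Programme\AutoIt3\Include\Misc.au3>
; <AUT2EXE INCLUDE-END: C:\Programme\AutoIt3\Include\Misc.au3>
; <AUT2EXE INCLUDE-END: C:\Dokumente und Einstellungen\fearlumsk\Desktop\Bot\Bot\CLIENT.au3>
"""

if __name__ == "__main__":
    for h in analyze(SAMPLE):
        print(h)
```

Only files under a user profile are worth reading as author evidence; includes from the AutoIt library directory say nothing about who wrote the bot, which is the point Coffee makes about UDF authors getting the wrong kind of attention.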

> No need to accuse anybody till you are sure...
>
> The code contains:
>
> ; <AUT2EXE INCLUDE-START: C:\Dokumente und Einstellungen\fearlumsk\Desktop\Bot\Bot\CLIENT.au3>
>
> and somebody used that nick on this forum as well ... so maybe it's somebody different.
>
> The user data path also tells you it's somebody with a German WinOS ...

I was not implying that he wrote this script, I was implying that he probably has similar intentions. This topic was posted a week before 314 even started asking questions about this stuff.


http://www.google.com/search?q=fearlumsk

forger, can you PM me the source codes? I'm curious what the others do...

I removed the link and put in the text.

No need to distribute the source to more than necessary ...



K.. I just like seeing how things work :D


@slightly_abnormal: Sorry, but JdeB is right :\

I killed the link anyway, thanks for the response :D
