
Autoit used for malware reasons



Well.. another lamer has chosen the bad way. I'm on an irc-security mailing list and saw a message about an AutoIt bot. Maybe someone already contacted an admin, or Jon himself, so I guess this post will be deleted/closed if that's the case.

> The botmaster was JohnWayne [asd@d006150.adsl.hansenet.de] JohnWayne
>
> The majority of the bots were connecting from Taiwan and Hong Kong IPs
> with a few from Poland, Malaysia and the US as well.

I've uploaded the executable files so you can decode them if possible and give me some more info about how they work or who to contact in order to stop them, since I'm not an expert :)

The following zipped file contains malware executables. DO NOT RUN IF YOU DON'T KNOW WHAT YOU'RE DOING.

www.se ndspa ce.com/file /m8m rrc

remove the spaces.

Password: pm me (I will only give it to trustworthy persons, the rest will not receive a reply.)

The upload will be killed once this is confirmed to be resolved.


haha finally credit is given where it is due.

Too bad it gains the wrong kind of attention for the UDF authors.

These things happen all the time. Browsed through a certain little "hacker" mag the other day at the bookstore while the wife checked out her crafting mags. Saw lots of examples of autoit code in there. Either Autoit is getting more popular, or the quality of hackers has gone down the tubes. (prolly both)

Unless it is something to become newsworthy, I don't think we can attack every mal script we find.

I am also happy as Autoit was created to be simple to understand, quick to learn, and productive without the time consumption. These examples only prove that that vision was a success.

Edited by Coffee

  • 3 weeks later...

I'm sorry to bring this up again, v1 is resolved, but v2 and v3 are still pending and crawling in the servers.

I'd be grateful if someone could decode the source for 2 and 3. I've reuploaded the sources:

-removed ... have the source -

Again I warn: don't download it if you don't know what you're doing.

Thanks!

Edited by JdeB

I noticed that this program does all of the things that 314 has requested info on and has discussed... disabling the firewall, enabling a hidden keylogger, sending information using the command line. Makes me wonder.

I think this code should be deleted.

Nomad :D


I agree on that, but can someone at least pm me with the decoded source? It's not one server, not one channel and not one bot. I found a server that had around 300-400 bots so I want to put an end to this, hence I need the source :\


  • Developers

> I noticed that this program does all of the things that 314 has requested info on and has discussed...

No need to accuse anybody till you are sure...

The code contains:

; <AUT2EXE INCLUDE-START: C:\Dokumente und Einstellungen\fearlumsk\Desktop\Bot\Bot\CLIENT.au3>

and somebody used that Nick on this forum as well ... so maybe it's somebody different.

The user data path also tells you it's somebody with a German WinOS ...

Edited by JdeB

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

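The observation above, that the `AUT2EXE INCLUDE-START` comment left inside the compiled executable names the author's original source path and so leaks the Windows username and the language of the Windows install, can be turned into a small triage helper. The Python below is an added example written for this thread; it is not code from the thread, from the bot, or from the AutoIt project. It assumes the marker is stored in the binary either as plain ASCII text or (an assumption beyond the thread) as UTF-16LE, the sample byte blobs are constructed, and the table of localized profile-root folder names is deliberately tiny: German comes from the thread, the English names from standard Windows folder layouts.

```python
import re
from typing import Dict, List, Optional

# Constructed sample standing in for a compiled AutoIt executable. Only the
# shape of the include marker is taken from the thread; the rest is filler.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"; <AUT2EXE INCLUDE-START: C:\\Dokumente und Einstellungen\\fearlumsk"
      b"\\Desktop\\Bot\\Bot\\CLIENT.au3>\r\n"
    + b"Func _Main()\r\n"
    + b"; <AUT2EXE INCLUDE-END: C:\\Dokumente und Einstellungen\\fearlumsk"
      b"\\Desktop\\Bot\\Bot\\CLIENT.au3>\r\n"
    + b"\x00" * 16
)

# Second constructed sample: same marker, but stored as UTF-16LE text.
SAMPLE_BINARY_UTF16 = (
    b"\x00" * 8
    + "; <AUT2EXE INCLUDE-START: C:\\Documents and Settings\\alice\\Desktop\\tool.au3>"
      .encode("utf-16-le")
    + b"\x00" * 8
)

# Marker as an ASCII byte string: capture everything up to the closing '>'.
MARKER_ASCII = re.compile(rb"; <AUT2EXE INCLUDE-START: ([^>\r\n]+)>")


def _u16(s: bytes) -> bytes:
    """Encode an ASCII byte string as UTF-16LE so it can be searched in a blob."""
    return s.decode("ascii").encode("utf-16-le")


# Same marker as UTF-16LE: each captured character is a byte followed by a NUL.
MARKER_UTF16 = re.compile(
    _u16(b"; <AUT2EXE INCLUDE-START: ") + rb"((?:[^>\r\n]\x00)+)" + _u16(b">")
)

# Localized names of the user-profile root; the language guess is only as good
# as this table. "de" is what the thread identifies, the rest are standard names.
PROFILE_ROOTS: Dict[str, str] = {
    "Dokumente und Einstellungen": "de",
    "Documents and Settings": "en",
    "Users": "unknown (Vista-or-later profile root, not localized)",
}


def extract_include_paths(blob: bytes) -> List[str]:
    """Return every source path named in an INCLUDE-START marker, in file order,
    de-duplicated, searching both the ASCII and UTF-16LE encodings."""
    found = []
    for m in MARKER_ASCII.finditer(blob):
        found.append((m.start(), m.group(1).decode("latin-1")))
    for m in MARKER_UTF16.finditer(blob):
        found.append((m.start(), m.group(1).decode("utf-16-le")))
    paths: List[str] = []
    for _, p in sorted(found):
        if p not in paths:
            paths.append(p)
    return paths


def describe_path(path: str) -> Dict[str, Optional[str]]:
    """Split a leaked Windows path into the facts a responder cares about:
    the script name, the username under the profile root, and a language guess."""
    parts = path.split("\\")
    info: Dict[str, Optional[str]] = {
        "path": path,
        "script": parts[-1],
        "username": None,
        "os_language": "unknown",
    }
    for i, part in enumerate(parts[:-1]):
        # The component right after the profile root is the account name.
        if part in PROFILE_ROOTS and i + 1 < len(parts) - 1:
            info["username"] = parts[i + 1]
            info["os_language"] = PROFILE_ROOTS[part]
            break
    return info


def triage(blob: bytes) -> List[Dict[str, Optional[str]]]:
    """One record per distinct leaked source path found in the blob."""
    return [describe_path(p) for p in extract_include_paths(blob)]


if __name__ == "__main__":
    for sample in (SAMPLE_BINARY, SAMPLE_BINARY_UTF16):
        for record in triage(sample):
            print(record)
```

Run against a real file, `triage(open(path, "rb").read())` gives the same records; an empty list simply means no marker survived in that build of the compiler, not that the file is clean.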

> No need to accuse anybody till you are sure...
>
> The code contains:
>
> ; <AUT2EXE INCLUDE-START: C:\Dokumente und Einstellungen\fearlumsk\Desktop\Bot\Bot\CLIENT.au3>
>
> and somebody used that Nick on this forum as well ... so maybe it's somebody different.
>
> The user data path also tells you it's somebody with a German WinOS ...

I was not implying that he wrote this script, I was implying that he probably has similar intentions. This topic was posted a week before 314 even started asking questions about this stuff.


  • Developers

http://www.google.com/search?q=fearlumsk

> forger, can you pm the sourcecodes i'm curious what the others do...

I removed the link and put in the text.

No need to distribute the source to more than necessary ...

