[QUOTE=aurum481;39630625]That was an interesting read. Will you put up other parts?[/QUOTE]
Eventually, I still need to write them :v
I'll try to find some time tonight as I have off from school.
[QUOTE=Goz3rr;39629978]Man, all the ones I managed to decrypt had their passwords changed less than a week ago :c
[editline]18th February 2013[/editline]
Is there an easy way to extract the .NET installer things, because I don't feel like installing it to get the executable.[/QUOTE]
[url]http://en.wikipedia.org/wiki/Cabinet_(file_format)[/url]
7zip unpacks them just fine.
[QUOTE=OldFusion;39642299][url]http://en.wikipedia.org/wiki/Cabinet_(file_format)[/url]
7zip unpacks them just fine.[/QUOTE]
Pretty sure I tried that; it said it was an unsupported file type. Do you need to rename it to .cab for it to work?
But they aren't CAB files; even the Cabinet SDK extract.exe can't open them.
If you know for a fact that the keylogger sends an initial 'infected' email back home and runs on the .NET Framework, you can simply get the password by running it sandboxed and logging the API calls with a profiler.
Look for a NetworkCredentials constructor. It's always fucking there.
[QUOTE=Lone Wolf807;39522176]What of something like this?
[IMG]http://puu.sh/1Zw4d[/IMG]
So while I was attempting to unpack a UPX, my MBAM quarantined a file. I thought only using a .exe opens up files?[/QUOTE]
Hi
This is not related to a keylogger but to decompiling a freeware program (which is not an assembly).
So I viewed the package with 7zip. I got the same first 4 files in the image.
How to proceed from there?
I tried in SAE, but it is not an assembly.
NP++ gives MZ header.
The freeware is: myquotes.exe found here - [url]www.volumedigger.com/Software/myQuotes.aspx[/url].
The issue that I'm trying to correct is that it doesn't log on to the Yahoo server. It says "Failed to login to yahoo." with admin settings in Windows 7.
It says it's built on the .NET Framework and I think Visual C++. I don't have much idea of coding, so it's just a guess.
Looking at the images in the post, I thought it might be easier to fix in VS 2012. So I am just taking a shot.
Any help, guidance is much appreciated.
[QUOTE=NeO2;43922919]Hi
This is not related to a keylogger but to decompiling a freeware program (which is not an assembly).
So I viewed the package with 7zip. I got the same first 4 files in the image.
How to proceed from there?
I tried in SAE, but it is not an assembly.
NP++ gives MZ header.
The freeware is: myquotes.exe found here - [url]www.volumedigger.com/Software/myQuotes.aspx[/url].
The issue that I'm trying to correct is that it doesn't log on to the Yahoo server. It says "Failed to login to yahoo." with admin settings in Windows 7.
It says it's built on the .NET Framework and I think Visual C++. I don't have much idea of coding, so it's just a guess.
Looking at the images in the post, I thought it might be easier to fix in VS 2012. So I am just taking a shot.
Any help, guidance is much appreciated.[/QUOTE]
If you get those files, it means it's a native executable, i.e. you can't really decompile it.
You might be able to debug it though, but you will never get reasonable source code in less time than it would take you to copy the whole thing from scratch.
(Hint: Sniff the network connections; that will tell you how to request the data from Yahoo at least.
If it's encrypted/TLS you need to use an active proxy though.)
[url=http://i.imgur.com/hsu6B3V.png]Changed his profile picture to goatse[/url]
:v:
Changed his password, here's the new credentials if you want to have some fun.
[code]
-snip-
[/code]
Why don't these people just use a throwaway web server for storing keys? Is it the "recommended" thing in tutorials to use email?
Doesn't seem to make any sense to me, and what use is collecting RuneScape/etc. accounts anyway? How can you make money from that?
[QUOTE=KillerLUA;44011656]Why don't these people just use a throwaway web server for storing keys? Is it the "recommended" thing in tutorials to use email?
Doesn't seem to make any sense to me, and what use is collecting RuneScape/etc. accounts anyway? How can you make money from that?[/QUOTE]
These are made by kids who literally copy and paste code from tutorials. Do you really expect them to be doing anything more advanced than that?
I'm going to do this whenever I need a new email for something :v:
[QUOTE=KillerLUA;44011656]what use is collecting RuneScape/etc. accounts anyway? How can you make money from that?[/QUOTE]
Google shows that there are plenty of websites to sell in-game money to, and entire accounts as well. There's potentially quite a bit of money in store for someone who can steal a few decent accounts.
[QUOTE=KillerLUA;44011656]Why don't these people just use a throwaway web server for storing keys? Is it the "recommended" thing in tutorials to use email?
Doesn't seem to make any sense to me, and what use is collecting RuneScape/etc. accounts anyway? How can you make money from that?[/QUOTE]
If they were really smart, they'd use a built-in SMTP server.
What's wrong with good old IRC servers?
[QUOTE=Ott;44013286]What's wrong with good old IRC servers?[/QUOTE]
Most of the people making these VB.NET viruses don't know what IRC is.
[QUOTE=KillerLUA;44011656]Why don't these people just use a throwaway web server for storing keys? Is it the "recommended" thing in tutorials to use email?
Doesn't seem to make any sense to me, and what use is collecting RuneScape/etc. accounts anyway? How can you make money from that?[/QUOTE]
Farming gold and all that comes with that sort of business.
[QUOTE=Ott;44013286]What's wrong with good old IRC servers?[/QUOTE]
IRC servers require you to be connected all the time, and most AVs lose their shit over IRC connections.
Lots of applications use SMTP for error reporting, so it's not that easy to detect when it's being used maliciously.
From the skiddies' point of view it is a really nice setup for them, since they can just log into the account and get what they want. Hell, it even tells them which ones they have dealt with already!
Edit:
Also, I hate to be the party pooper, but previously in this thread we did have a rule where you didn't post any passwords or usernames in the thread. Can we please keep that rule?
Not to mention .NET has an SMTP client built in.
[QUOTE=KillerLUA;44011656]Why don't these people just use a throwaway web server for storing keys? Is it the "recommended" thing in tutorials to use email?
Doesn't seem to make any sense to me, and what use is collecting RuneScape/etc. accounts anyway? How can you make money from that?[/QUOTE]
They aggregate rare items and large pools of in-game money with this shit.
They either use the items themselves or they sell them on for in-game or even real-life money.
It's not much of a good scheme, but it makes those assmunches feel cool.
[QUOTE=benjojo;44017786]IRC servers require you to be connected all the time, and most AVs lose their shit over IRC connections.
Lots of applications use SMTP for error reporting, so it's not that easy to detect when it's being used maliciously.
From the skiddies' point of view it is a really nice setup for them, since they can just log into the account and get what they want. Hell, it even tells them which ones they have dealt with already!
Edit:
Also, I hate to be the party pooper, but previously in this thread we did have a rule where you didn't post any passwords or usernames in the thread. Can we please keep that rule?[/QUOTE]
Okay, I snipped the previous credentials.
Why do people email themselves? Why don't they have two email addresses, one for sending and one for receiving?
[QUOTE=cloudcakes30;44024139]Why do people email themselves? Why don't they have two email addresses, one for sending and one for receiving?[/QUOTE]
Last time I tried to make two gmail accounts quickly it wanted a phone number to verify it.
[QUOTE=helifreak;44024963]Last time I tried to make two gmail accounts quickly it wanted a phone number to verify it.[/QUOTE]
They really should be using Tor to set this up, in which case that wouldn't be a problem.
I guess they don't even know about that :v:
[QUOTE=Tamschi;44027801]They really should be using Tor to set this up, in which case that wouldn't be a problem.
I guess they don't even know about that :v:[/QUOTE]
It would certainly be a good idea to use Tor to send the data to a hidden service running on the network.
I cannot stress this next point enough: using the Tor network for malicious activity is bad and you should be ashamed. The Tor network was designed for people in oppressed countries to express their political opinions and to bypass illegitimate government blocks (blocking news sites like the Guardian, for example). By using the Tor network for such malicious activities you are making it harder for people such as myself to operate Tor nodes (mostly exit nodes), and in turn you are making it harder for people to use the Tor network for legitimate reasons. Secondary to that, it should be used by everyone who wishes to gain anonymity, although I would strongly recommend not using it to access clearnet sites without being aware of the risks and taking the appropriate precautions needed to stay safe in case your traffic passes through a compromised/malicious node (the node operator capturing unsecured traffic).
[QUOTE=Nightrazr;44021272]They aggregate rare items and large pools of in-game money with this shit.
They either use the items themselves or they sell them on for in-game or even real-life money.
It's not much of a good scheme, but it makes those assmunches feel cool.[/QUOTE]
Or they just sell the accounts.
[QUOTE=TheCreeper;44028463]It would certainly be a good idea to use Tor to send the data to a hidden service running on the network.
I cannot stress this next point enough: using the Tor network for malicious activity is bad and you should be ashamed. The Tor network was designed for people in oppressed countries to express their political opinions and to bypass illegitimate government blocks (blocking news sites like the Guardian, for example). By using the Tor network for such malicious activities you are making it harder for people such as myself to operate Tor nodes (mostly exit nodes), and in turn you are making it harder for people to use the Tor network for legitimate reasons. Secondary to that, it should be used by everyone who wishes to gain anonymity, although I would strongly recommend not using it to access clearnet sites without being aware of the risks and taking the appropriate precautions needed to stay safe in case your traffic passes through a compromised/malicious node (the node operator capturing unsecured traffic).[/QUOTE]
Actually I meant for setting up the accounts...
By the way, has anyone tried a different angle on these things?
I have no idea how to make sense of obfuscated code, but given the level of skill involved in making this crap, I think a much easier strategy would be to run them in a VM, bait them into accessing their mail server by letting them log some fake data, and just sniff the traffic. If they use encryption, redirect all traffic to your own server (it's unlikely that they both force it and check the certificate), or just proxy the SMTP/encryption library (again, unlikely that they roll their own). Or debug at runtime.
[QUOTE=DrTaxi;44131983]By the way, has anyone tried a different angle on these things?
I have no idea how to make sense of obfuscated code, but given the level of skill involved in making this crap, I think a much easier strategy would be to run them in a VM, bait them into accessing their mail server by letting them log some fake data, and just sniff the traffic. If they use encryption, redirect all traffic to your own server (it's unlikely that they both force it and check the certificate), or just proxy the SMTP/encryption library (again, unlikely that they roll their own). Or debug at runtime.[/QUOTE]
That's way more difficult than just decompiling it. The amount of skill gone into making this crap is little-to-none.
I feel like someone could make a Wireshark-like application that automatically spits out only the SMTP information of a single process and everything could be a lot easier. It seems like SMTP is the common method of phone-home that we've seen so far.
But it needs to be run, which isn't exactly a good idea without a VM :v:
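Along the lines of the SMTP-only extractor floated above, here is an added Python example (not code from anyone in this thread): it walks a logged SMTP session from a sandboxed run and pulls out the mail server, the AUTH LOGIN username, sender, recipient and subject, then applies the self-addressed heuristic noted earlier (the sample mails its logs to the same mailbox it logs into). The session text, hostnames and mailbox are constructed for the example, and the password is only flagged as present, not decoded.

```python
import base64

# Constructed SMTP session as a sandbox might log it (client lines "C:", server
# lines "S:"); hostnames and mailbox are made up, not from a real capture.
SAMPLE_SESSION = """\
S: 220 smtp.example.net ESMTP ready
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: bG9nc0BleGFtcGxlLm5ldA==
S: 334 UGFzc3dvcmQ6
C: aHVudGVyMg==
C: MAIL FROM:<logs@example.net>
C: RCPT TO:<logs@example.net>
C: DATA
C: Subject: Logs from VICTIM-PC
"""

def parse_smtp_session(text):
    """Pull the phone-home indicators out of a logged SMTP session."""
    info = {"server": None, "auth_user": None, "password_sent": False,
            "mail_from": None, "rcpt_to": [], "subject": None}
    expect = None  # which AUTH LOGIN answer the next client line carries
    for line in text.splitlines():
        side, _, payload = line.partition(": ")
        if side not in ("C", "S"):
            continue
        if side == "S":
            if payload.startswith("220 ") and info["server"] is None:
                info["server"] = payload.split()[1]  # mail server the sample uses
            elif payload.startswith("334 "):  # base64 "Username:" / "Password:" prompt
                expect = "user" if base64.b64decode(payload[4:]).lower().startswith(b"user") else "pass"
            continue
        if expect == "user":
            info["auth_user"] = base64.b64decode(payload).decode(errors="replace")
        elif expect == "pass":
            info["password_sent"] = True  # present in the capture; deliberately not decoded
        elif payload.upper().startswith("MAIL FROM:"):
            info["mail_from"] = payload[10:].strip("<> ")
        elif payload.upper().startswith("RCPT TO:"):
            info["rcpt_to"].append(payload[8:].strip("<> "))
        elif payload.lower().startswith("subject:"):
            info["subject"] = payload[8:].strip()
        expect = None  # any client line consumes a pending AUTH prompt
    return info

def looks_like_phone_home(info):
    """Thread heuristic: the sample mails its logs to the very mailbox it logs into."""
    return (info["auth_user"] is not None
            and info["mail_from"] == info["auth_user"]
            and info["rcpt_to"] == [info["auth_user"]])
```

Feed it the client/server lines from a sandbox network log and the returned dict gives you the mailbox and server to report or block.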
This just in: Confuser 1.9 is hard to unpack.
If anyone has any tips, hit me up because this is pretty dang hard.