Comments on: Malware author taunts security researchers with built-in chat

By: Adela Doiron

Adela Doiron — Fri, 22 Jun 2012 19:03:00 +0000

My inlaws still have dial up because no one is going to spend the money building a tower to get wireless to the other side of the ridge for only a dozen customers. No way are they spending the time or gas to drive into town for the library wireless.

By: HahTse

HahTse — Fri, 22 Jun 2012 16:34:00 +0000

http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/

They just don’t try to hard. Much easier.

By: OtherMichael

OtherMichael — Fri, 22 Jun 2012 16:28:00 +0000

While the percentage of internet users on dial-up is low, those low percentages still represent millions of users in America alone, many of whom are potentially less tech-savvy than non-dial-up users. As such, that is millions of potential targets, with a possibly higher rate of return than other targets. I had dial-up internet until 2007; my parents had it up until 2010.

By: Nathan Hornby

Nathan Hornby — Fri, 22 Jun 2012 14:27:00 +0000

I always imagine antivirus companies spending most of their time creating and distributing viruses, rather than thwarting them.

From a business perspective it makes a lot more sense.

By: dragonfrog

dragonfrog — Fri, 22 Jun 2012 13:29:00 +0000

Max, decompilers and debuggers are not some powerful secret weapons. You buy them with money, online or in shops, no questions asked. The hacker could go fork over a few hundred bucks for the exact same tools AVG’s engineers would have been using, to the extent they weren’t using free open source tools.

And as to why you would run the tool on the same box – if the software uses a complex packer / encrypter to hide what it does, you could either spend days picking it apart, or you could hook it to a debugger and run it.

Finally, RasDefaultCredentials is used for dialup as well as VPN credentials. Who would want that? Someone who doesn’t live near an internet cafe, or who wants to look at things he might be embarrassed to watch in public…

By: Tadas Jelinek

Tadas Jelinek — Fri, 22 Jun 2012 13:24:00 +0000

While VM should not break regular software, it doesn’t mean that it’s impossible to detect that that it’s being executed in VM.

By: angusm

angusm — Fri, 22 Jun 2012 11:43:00 +0000

And the shutdown command came from … inside the LAN!

By: malindrome

malindrome — Fri, 22 Jun 2012 09:58:00 +0000

… and they never found the body.

By: Jonathan Lydall

Jonathan Lydall — Fri, 22 Jun 2012 09:17:00 +0000

The article stated they were using a VM (Virtual Machine), which I gather is pretty standard practice and would have meant all activity on it would have been completely isolated from the machine hosting the VM. Other advantages about VMs is that you can analyse all changes to the virtual hard disk in a very straight forward manner, making it easier to spot any changes caused by the malware.

By: Rob Cypher

Rob Cypher — Fri, 22 Jun 2012 08:35:00 +0000

There’s some sort of patch out there for 32-bit and 64-bit computers with Win7 to play Diablo properly without having to kill explorer.exe.

Also, sometimes if you alt-tab onto the desktop after the game boots, then alt-tab back to the game, the colors correct themselves. I’ve been running Diablo on my 64-bit Win7 computer and that’s how I’ve gotten it to work without screwing around with explorer.exe.

YMMV, of course.

By: Max Allan

Max Allan — Fri, 22 Jun 2012 08:05:00 +0000

OK, I call shenanigans on this one.
They RUN the malware on the same box they’re decompiling it on? So all their clever tools have now been downloaded by the malware author. I think not. Noone is that stupid.
They might run it in a VM with some monitor on the VM but the guest shouldn’t be able to spot that, so how would the malware author know what was going on?

You don’t run a threat and push it through a disassembler on the same box. How can you believe anything the disassembler tells you. It’s been poisoned already. If this is AVG standard practice, I now believe that there are probably viruses inside AVG code.

The malware was designed to steal dialup usernames. WTF? As @wrybread:twitter
said, were they in 1995? I mean really, these days who even needs dialup accounts, let alone has a modem. Just walk to your nearest internet cafe and get a bajillion times more bandwidth and almost complete anonymity, unlike a dial up phone call with caller ID etc…

I think BB has just been trolled. (and a whole load of other news outlets that picked up on the story.)

By: Peter Yard

Peter Yard — Fri, 22 Jun 2012 07:57:00 +0000

Next time they try something like that they might even have the virus in some kind of honeypot environment to lure the hacker to stay longer. In that industry it pays to be devious and deceptive, and I’m not talking about the bad guys.

By: ocker3

ocker3 — Fri, 22 Jun 2012 07:41:00 +0000

Yeah, if they left a machine connected to the open ‘net, they were probably looking at the command/control interface and/or communications, be somewhat surprised if they didn’t have a sandboxed network with a dedicated outside line they were using, to avoid any cross-contamination with their actual systems (or something even cooler, since they’re the ones who do this for a living)

By: niktemadur

niktemadur — Fri, 22 Jun 2012 07:17:00 +0000

Yeah, one side of my brain is going “Bad Ass!”, but the other half is appalled.

By: gregarious

gregarious — Fri, 22 Jun 2012 04:29:00 +0000

It would be interesting to simply use this chat function + built in camera to screw with some security researchers, Real Genius style:

http://www.youtube.com/watch?v=sf-5RaFnh2U

The author blew a chance at an epic prank.

By: Bob Bryla

Bob Bryla — Fri, 22 Jun 2012 04:28:00 +0000

Really, Jack, I’m sure the AVG guys know how to go off the grid and continue to reverse engineer the trojan, and have long since been able to detect and quarantine it with the latest AVG engine.

By: DildOverlord.exe

DildOverlord.exe — Fri, 22 Jun 2012 04:07:00 +0000

AVG aren’t amateurs, duder. I’m sure they were working under conditions that left them pretty well protected.

By: Pedantic Douchebag

Pedantic Douchebag — Fri, 22 Jun 2012 02:51:00 +0000

“He then shut down our system remotely” is the “and then we noticed he had a hook for a hand” of any spooky IT campfire story.

By: Jason Baker

Jason Baker — Fri, 22 Jun 2012 02:43:00 +0000

Similarly, I’ve been playing a lot of Diablo (I) lately… and discovered in Windows 7, you need to kill explorer.exe for it to not have a completely wacky palette. Something with color cycling, I guess. I just run a batch file to kill it for me when I launch the game, and relaunch explorer when Diablo exits. YMMV. Not sure what this has much to do with chatting with virus makers, but I’m happy to do what I can to enable to continued play of old Blizzard games, because I’d like to think that when I’m old and gray there might still be someone (and some machine) alive to play them with me still.

By: Shashwath T.R.

Shashwath T.R. — Fri, 22 Jun 2012 02:43:00 +0000

Reading the linked articles is sooo last week!

From the article you didn’t read:

The dialog is not from any software installed in our virtual machine.

They ran it on a throwaway VM to see what it does, the dialog popped up, they chatted with the guy, played dumb for a while…

By: wrybread

wrybread — Fri, 22 Jun 2012 02:29:00 +0000

From the first line of the quoted article:

“The dialog is not from any software installed in our virtual machine.”

AVG is an antivirus software company, so they’d need to install these beasties all the time so they can recognize them.

On another note, what an awesome encounter, I wish they’d posted the entire discussion. But this line makes me a bit suspicious:

“What it [the virus] really wants to steal is dial up connection’s username and password.”

Was this in 1995?

By: Tyler Pieper

Tyler Pieper — Fri, 22 Jun 2012 02:25:00 +0000

I know for at least the original Starcraft to display right in Windows Vista/7, you need to open up the Screen Resolution control panel window. You don’t actually need to change any settings, the window just needs to be open when you start the game.

This is assuming you’re getting weird colors and funky resolution. Outside of that, I can’t help you. :/

By: bcsizemo

bcsizemo — Fri, 22 Jun 2012 02:17:00 +0000

Totally agree. Not that I’ve had any experience quite like that, but I have caught something that toasted the OS once. Unless they are going to start writing malicious firmware updaters I’m not really worried about what they are going to do to my software.

By: Vengefultacos

Vengefultacos — Fri, 22 Jun 2012 02:06:00 +0000

Uhm… how does a malware writer magically know you’re decompiling his code and open a chat window with you, unless you were stupid enough to run the thing in the first place? That’s sorta like someone on the bomb squad saying “hey! a booby-trap! Let’s set it off to see how it works!”

If they did run it, it should have been in a virtual machine. Preferably on a fake network so any attempts to call home or take part in a DDOS spam spewing wouldn’t impact htird parties. So the best MR. Malware could haev done was shut down a virtual machine, not an actual system.

By: nox

nox — Fri, 22 Jun 2012 01:42:00 +0000

Has happened to me. After refusing their strange declaration of love, they started to threaten me with all the damage they could cause my PC, (e.g. “I AM GOD!!!”) so I told them off and pulled the Ethernet cord. Idiot.

By: Ty_MY

Ty_MY — Fri, 22 Jun 2012 01:26:00 +0000

for those curious, translation of the two lines of chat:

Hacker:
Why are you researching/analyzing my trojan?

Hacker:
What are you hoping to find?

By: Cowicide

Cowicide — Fri, 22 Jun 2012 01:22:00 +0000

http://i.imgur.com/MN0r8.jpg

By: Jack Kieffer

Jack Kieffer — Fri, 22 Jun 2012 01:08:00 +0000

1. This is awesome. 2. It sounds like the people trying to decompile the virus got destroyed and humiliated. Remotely shut down and insulted via chat? Embarrassing.

By: Bodhipaksa

Bodhipaksa — Fri, 22 Jun 2012 01:03:00 +0000

That’s like something from a Vernor Vinge novel. Amazing!

By: Palomino

Palomino — Thu, 21 Jun 2012 23:58:00 +0000

I purchased Diablo 2. When I was having video problems I requested information via a chat forum link. I instantly received bizarre emails, rude and very dismissive, explaining that my ticket was closed because they were spending all their time with Diablo 3 customers. I reopened the ticket multiple times and received the same nastily surreal responses. I deleted the game last night, I’ll take the $9.99 loss, the download affect the viewability of my screen, whether the game was active or not.