Page 3 of 3
Results 31 to 44 of 44
#31 abaaaabbbb63:
    Someone posted a suspect similar thread a few minutes ago. Good thing it was rapidly deleted.

    If you run the command netstat -ano and encounter some unknown IP, just right-click in cmd, choose Mark, select the address and port, press Ctrl+C, then go to this site:
    Trace An IP - Our IP Address Locator & Tracer Can Track Any Location
    and paste it there. It usually gives a company name if it's legit.
    Last edited by abaaaabbbb63; 01-10-2013 at 11:01 AM.

#32 Dexwest:
    thanks jorndel


#33 TrollArchSoda:
    Holy shit dude, you scared the hell out of me. I thought as soon as I read this I was going to be hacked. Ty for the warning :P

#34 crazycake12432:
    thanks for the warning

#35 qwertyup:
    Again, to all it happened to: all hacks on this site are AT YOUR OWN RISK. If it happened to you, clean it out or reformat; this will be the best way to get rid of it.

    I have a test laptop at home, and downloaded the file. Reformatting worked best because it reset all my registry and IP tables for the network I run.

#36 Iwashere94:
    Ya, I downloaded the "hack" and an anonymous chat appeared telling me he was from Steam support, and she asked me the year I was born and my secret answer. That mf.... Care, guys!

#37 poocheesey2:
    Quote Originally Posted by Iwashere94:
    Ya, I downloaded the "hack" and an anonymous chat appeared telling me he was from Steam support, and she asked me the year I was born and my secret answer. That mf.... Care, guys!
    Yah, that is the hacker. He asked me to sign into my PayPal to cancel an order he placed. I told him to fuck off, and before he could do anything else I kicked him off and had my workmate trace him. Also, to everyone who was wondering about my involvement with MPGH while working for GMD: I have a 14 year old son who uses my computer to do his video gaming stuff, and he uses this website.

#38 Lulz$ecurity:
    Quote Originally Posted by madnessgodlike7:
    Happened to me. He infected my PC with a virus. -_-
    You should blame your brains.
    Anyways, format your OS.

#39 aIW|Convery:
    Click random links as you're desperate to get hacks for the game your mom bought you -> get banned -> cry about viruses -> make a scare thread saying that TCP connections are 1337 hacks (even though no virus or hacker would use TCP) -> get thanks -> show your mom that others believe you got hacked so she'll buy you a new computer/game.

    Really simple.

    And really, is this what the term 'hacker' has devolved into? Kids are 'hackers' because they are asking you for your password and secret question so they can 'hack' your accounts?

    PS. Got to love how people that can't write in proper English are always 40+ (loving wife, CEO and all that..) with a kid 10-16 years old that downloads everything that messes them up. Luckily, with their expert computer knowledge they can tell the 'hacker' 'no!' when he asks for more passwords and then trace him via Google..

    *sigh* Threads like this, where kids whine about being hacked after giving out their parents' credit cards to anyone that claims they can hack them a higher level in Minecraft, are what make me lose all faith in humanity and want to start cutting myself..
    Last edited by aIW|Convery; 01-10-2013 at 11:39 PM.

#40 Nachos:
    These links were only available for a couple of hours and the user has been banned.

    And just to clear things up, you didn't download a hacker if you downloaded it. You downloaded some malware that gives a hacker access to your computer. Also, most AVs should be able to detect this.

    If any of you got this or think you got this, you should stay up to date with this thread and section. I will try to find out some more details about it and get them posted. @master131 If you could take a look into this I'm sure it would be appreciated. The thread is in the CoD archive; the link is still in the thread if you wanna look at the file.
    Last edited by Nachos; 01-11-2013 at 05:20 AM.


#41 master131:
    Alright, I've looked into it. You guys should know never to download files that are directly linked or are not approved yet. There's a reason we implement this stuff into the forum. Here is the VirusTotal result:
    https://www.virustotal.com/file/ef16...is/1357953718/

    As you can see, there aren't many detections due to the fact that it's coded in AutoIt. I'm in the process of analysing the script. As ESET is the only vendor that detected the file and provides an online virus scanning service, please scan your computer using this: https://www.ese*****m/us/online-scanner/

    It can also pick up DarkComet and other RAT software, so if you think your computer has been compromised, please scan it immediately.

    Here is the picture that was included with this so-called hack:


    EDIT - Alright, I've looked into the script. It seems to avoid AV detection because of the way it stores the malware, and it also inserts over a million junk lines into the script (probably to try to slow down my tools or something). For security's sake, I'm not going to try to extract or write this file to my computer to see what it is, so yeah.

    Code:
    ; drops the embedded "run.exe" (the fake hack GUI) into %TEMP%
    FILEINSTALL(<path removed>,TEMPDIR&"\run.exe")
    ; persists by registering the compiled script's own path under the HKCU Run key
    REGWRITE("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", SCRIPTNAME,"REG_SZ", SCRIPTFULLPATH)
    Perhaps you guys should check your Temporary directory for "run.exe". Also check your startup entries for the path to the fake hack.

    Also, as a final note, @poocheesey2 @MLG_ProTryhard: just because a connection is ESTABLISHED does not mean you are hacked. Don't give misleading information.

    EDIT 2 - Turns out "run.exe" is harmless and is the fake hack seen in the screenshot above. When you click the buttons, it simply closes. The AutoIt script tries to delete all files/folders in drives from C to K. It also creates a readme.txt file which I'm still looking into. A connection is also made to an IP located in Germany, the same country where the RAR file was hosted. That's still being looked into too.

    EDIT 3 - The AutoIt script also contains RAT/BOTNET code and will perform requests like SYN/HTTP/UDP flooding as well as play sounds and whatnot. Deleting the file should essentially render the whole thing useless as far as I know.



    Thanks to @aIW|Convery for doing this for me.
    Last edited by master131; 01-11-2013 at 11:05 PM.


#42 aIW|Convery:
    To remove it:
    Kill the process and use regedit to remove it from HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run..

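    The check master131 suggests in #41 (run.exe in %TEMP%, a startup entry pointing at the fake hack) and the removal aIW|Convery describes in #42, as an added example that is not code from the thread or from the malware. It flags HKCU Run entries whose target resolves under %TEMP% or whose file name the reader knows to be the downloaded fake hack. The entry names, commands and environment in it are constructed for the demo, and "mw3_hack.exe" is a placeholder for whatever the download was actually called; on Windows, read_hkcu_run() pulls the live key instead.

```python
"""Triage HKCU Run entries for the persistence described in this thread.
Added example; the sample registry values and environment are constructed."""
import ntpath
import re

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample: two ordinary entries plus the two kinds the dropper
# leaves behind (run.exe in %TEMP%, and SCRIPTFULLPATH under SCRIPTNAME).
SAMPLE_ENV = {
    "TEMP": r"C:\Users\bob\AppData\Local\Temp",
    "TMP": r"C:\Users\bob\AppData\Local\Temp",
}
SAMPLE_ENTRIES = {
    "OneDrive": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "Updater": r"%TEMP%\run.exe",
    "mw3_hack.exe": r"C:\Users\bob\Downloads\mw3_hack.exe",  # placeholder name
}


def expand_env(path, env):
    """Expand %VAR% references using the supplied environment mapping."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def command_target(command):
    """Return the executable path of a Run value, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def classify_run_entries(entries, env, suspect_names=("run.exe",)):
    """Return [(value_name, normalised_target, reason)] for suspicious entries.

    entries: {value_name: command}; env: {VARNAME: value} used for %VAR% expansion;
    suspect_names: file names the reader knows belong to the fake hack.
    """
    suspects = {n.lower() for n in suspect_names}
    temp_dirs = [ntpath.normcase(env[v]).rstrip("\\") + "\\" for v in ("TEMP", "TMP") if v in env]
    findings = []
    for name, command in entries.items():
        target = ntpath.normcase(expand_env(command_target(command), env))
        reasons = []
        if ntpath.basename(target) in suspects:
            reasons.append("file name matches the fake hack/dropper")
        if any(target.startswith(d) for d in temp_dirs):
            reasons.append("autorun target lives under %TEMP%")
        if reasons:
            findings.append((name, target, "; ".join(reasons)))
    return findings


def read_hkcu_run():
    """Windows only: read the current user's Run key into {name: command}."""
    try:
        import winreg
    except ImportError:  # not on Windows
        return {}
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries[name] = str(value)
            index += 1
    return entries


if __name__ == "__main__":
    import os
    live = read_hkcu_run()
    env = {k.upper(): v for k, v in os.environ.items()}
    entries, env = (live, env) if live else (SAMPLE_ENTRIES, SAMPLE_ENV)
    for name, target, reason in classify_run_entries(entries, env, ("run.exe", "mw3_hack.exe")):
        print(f"{name}: {target}  <- {reason}")
```

    Run it as-is on any OS to see the constructed sample triaged; on the affected machine, confirm the flagged value's target, kill that process, then delete the value in regedit as the post above says.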
#43 master131:
    Quote Originally Posted by aIW|Convery:
    To remove it:
    Kill the process and use regedit to remove it from HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run..
    This. That's all you have to do. Also, the AutoIt script has a DarkComet RAT inside it that is loaded into itself so it is not written to disk, to evade AV detection. I was able to decrypt and decompress it despite the script being heavily obfuscated. Here is the VT scan of the DarkComet RAT:
    https://www.virustotal.com/file/5abd...is/1357975799/

    If anyone is interested in the "crypto" stuff, then read on:
    The script uses a lot of public AutoIt sources to do what it does.

    Firstly, it does some basic checks that will cause it to exit immediately if they are true. These checks see if Sandboxie is present by checking for 2 of its processes. It then checks if it's being analysed by Anubis (an online analysis service) by comparing the computer name, OS name, service pack, username and startup list.

    Afterwards, it does a check on the computer's name to see if it's not "RAZOR-LAPTOP". It then does another check to see if the running script is an EXE or not. If it's not an EXE, it will create a batch script and a VBS script. The batch script will use "del *.* /q /s" on drives C to K to try to delete everything inside them. The VBS script is to hide the Command Prompt window that pops up when the batch is executed. All of that of course won't happen because the script that this "RAZOR" person released was an EXE.

    After that, a file named "run.exe" is created in the %TEMP% folder and run. This is the fake hack that was in the screenshot that "RAZOR" posted. A massive base64 string inside the script is then decoded using CryptStringToBinary (in crypt32.dll), and the result is decompressed using an undocumented function in ntdll.dll called RtlDecompressBuffer, which uses the LZNT1 compression format to decompress the data. That data is then decrypted using AutoIt's _Crypt_DecryptData function (found in Crypt.au3) with the CALG_AES_256 algorithm using the password "32c5235c235Y". Finally, the decrypted data is mapped into memory instead of being written to disk and then executed, which essentially loads the DarkComet RAT inside the AutoIt script's process to avoid anti-virus detection.

    Nice try "RAZOR", but your method ain't going to work on me.
    Last edited by master131; 01-12-2013 at 02:57 AM.

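    The unpacking chain described in the post above, as an added example that is neither the original AutoIt script nor the RAT it carries: base64 decoding (what CryptStringToBinary does for CRYPT_STRING_BASE64), a pure-Python LZNT1 decoder doing what RtlDecompressBuffer does, and the AES-256 key derivation CryptDeriveKey applies to a password hash. The MD5 password hash and the 0x36/0x5C expansion are assumptions taken from Crypt.au3's _Crypt_DeriveKey default and the CryptDeriveKey documentation, not stated in the post, and CBC with a zero IV is CryptoAPI's default AES mode. The compressed sample is constructed by hand; the final AES-CBC decrypt needs a crypto library and is left out.

```python
"""Stages of the AutoIt unpacker described in the thread, as an added example:
base64 -> LZNT1 (RtlDecompressBuffer) -> AES-256 key via CryptDeriveKey.
The compressed sample is constructed; the password is the one quoted in the post."""
import base64
import hashlib
import struct

LZNT1_SIGNATURE = 3  # bits 12-14 of every chunk header must be 0b011

# Constructed sample: one compressed chunk holding literals "ABCD" followed by a
# back-reference (displacement 4, length 12), then one chunk stored raw ("xyz").
SAMPLE_LZNT1 = b"\x06\xB0" + b"\x10ABCD\x09\x30" + b"\x02\x30xyz"
SAMPLE_B64 = base64.b64encode(SAMPLE_LZNT1).decode()   # as it would sit in the script
SAMPLE_PASSWORD = b"32c5235c235Y"                       # password quoted in the post


def _decompress_chunk(chunk, out):
    """Decode one compressed LZNT1 chunk, appending to out."""
    start = len(out)  # back-references never reach before this chunk's own output
    i = 0
    while i < len(chunk):
        flags = chunk[i]
        i += 1
        for bit in range(8):  # one flag bit per token, LSB first
            if i >= len(chunk):
                return
            if not (flags >> bit) & 1:  # 0 = literal byte
                out.append(chunk[i])
                i += 1
                continue
            token = struct.unpack_from("<H", chunk, i)[0]
            i += 2
            # The displacement/length bit split moves as the chunk output grows:
            # 4/12 bits for the first 16 bytes, 5/11 up to 32, and so on.
            produced = len(out) - start - 1
            length_mask, disp_shift = 0xFFF, 12
            while produced >= 0x10:
                length_mask >>= 1
                disp_shift -= 1
                produced >>= 1
            length = (token & length_mask) + 3
            displacement = (token >> disp_shift) + 1
            if displacement > len(out) - start:
                raise ValueError("LZNT1 back-reference points before chunk start")
            for _ in range(length):  # byte-wise copy so overlapping runs repeat
                out.append(out[-displacement])


def lznt1_decompress(data):
    """Decompress an LZNT1 stream as RtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1) would."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:  # an all-zero header ends the stream
            break
        if (header >> 12) & 7 != LZNT1_SIGNATURE:
            raise ValueError("bad LZNT1 chunk signature at offset %d" % (pos - 2))
        size = (header & 0xFFF) + 1
        chunk = data[pos:pos + size]
        pos += size
        if header & 0x8000:
            _decompress_chunk(chunk, out)
        else:  # chunk stored uncompressed
            out += chunk
    return bytes(out)


def crypt_derive_key(password, key_len=32, hash_name="md5"):
    """CryptDeriveKey's documented 0x36/0x5C expansion for AES/3DES keys longer
    than the password hash (assumed MD5, the Crypt.au3 _Crypt_DeriveKey default)."""
    digest = hashlib.new(hash_name, password).digest()
    if key_len <= len(digest):
        return digest[:key_len]
    inner = bytes(b ^ 0x36 for b in digest) + b"\x36" * (64 - len(digest))
    outer = bytes(b ^ 0x5C for b in digest) + b"\x5C" * (64 - len(digest))
    expanded = hashlib.new(hash_name, inner).digest() + hashlib.new(hash_name, outer).digest()
    return expanded[:key_len]


def unpack_stage12(b64_text):
    """Stages 1 and 2: base64 text from the script -> LZNT1-decompressed bytes."""
    return lznt1_decompress(base64.b64decode(b64_text))


if __name__ == "__main__":
    blob = unpack_stage12(SAMPLE_B64)
    key = crypt_derive_key(SAMPLE_PASSWORD)
    print("decompressed:", blob)
    # Stage 3 would be AES-256-CBC, zero IV, PKCS#5 padding (assumed CryptoAPI defaults).
    print("AES-256 key:", key.hex())
```

    The sample passes through the same three transforms the post lists; on a real dump you would replace SAMPLE_B64 with the big string pulled from the decompiled script and hand the derived key to an AES library, then inspect the result in memory rather than writing it to disk.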

#44 aIW|Convery:
    Is it moral to say that "RAZOR" controls the infected computers from morrisftw123.zapto.org (77.10.89.79:1604)?
    Oops..
    Whatever you guys do, don't try to get revenge and don't do anything illegal..

    EDIT: Also, he's running it on a Nokia Lumia N900 (don't ask), but I guess Blackhat pays..
    Last edited by aIW|Convery; 01-12-2013 at 03:28 AM.


