AlterMW3 = Malware?

[House]

This has been posted on TG Blog ... read if you play at aIW

Many of you have noticed we were under a heavy DDOS attack over the past week. After having fought it off pretty easily, we went out to investigate what kind of idiot would use his botnet for this kind of activity.

Today it came to our attention that ntauthority used YOU, the people who play in alterMW3, to do his dirty work. Yes, he used all of you – over 60000 people, to DDOS our website.

Below is a code snippet taken from AlterMW3′s “iw5m.dll” (the original, unmodified file is included with this post). The dll contains a thread function that runs constantly while you’re playing AlterMW3. What does it do? Well, it turns out it runs a DDOS attack on our website:


.text:100EBF70 push ebp
.text:100EBF71 mov ebp, esp
.text:100EBF73 sub esp, 354h
.text:100EBF79 mov eax, dword_1029C6D0
.text:100EBF7E xor eax, ebp
.text:100EBF80 mov [ebp+var_4], eax
.text:100EBF83 push ebx
.text:100EBF84 push esi
.text:100EBF85 push edi
.text:100EBF86 push 3
.text:100EBF88 call sub_100BE567
.text:100EBF8D add esp, 4
.text:100EBF90 call sub_100BF381
.text:100EBF95 mov [ebp+var_8], eax
.text:100EBF98 cmp [ebp+var_8], 0
.text:100EBF9C jz loc_100EC483
.text:100EBFA2
.text:100EBFA2 loc_100EBFA2:
.text:100EBFA2 mov eax, 1
.text:100EBFA7 test eax, eax
.text:100EBFA9 jz loc_100EC483
.text:100EBFAF push 0FAh ; delay for the thread loop
.text:100EBFB4 call ds:Sleep
.text:100EBFBA mov [ebp+var_108], 't' ; encrypted link to TG forums
.text:100EBFC1 mov [ebp+var_107], 'h'
.text:100EBFC8 mov [ebp+var_106], 'h'
.text:100EBFCF mov [ebp+var_105], 'l'
.text:100EBFD6 mov [ebp+var_104], '&'
.text:100EBFDD mov [ebp+var_103], '3'
.text:100EBFE4 mov [ebp+var_102], '3'
.text:100EBFEB mov [ebp+var_101], 'k'
.text:100EBFF2 mov [ebp+var_100], 'k'
.text:100EBFF9 mov [ebp+var_FF], 'k'
.text:100EC000 mov [ebp+var_FE], '2'
.text:100EC007 mov [ebp+var_FD], 'h'
.text:100EC00E mov [ebp+var_FC], 'y'
.text:100EC015 mov [ebp+var_FB], 'w'
.text:100EC01C mov [ebp+var_FA], 'r'
.text:100EC023 mov [ebp+var_F9], 's'
.text:100EC02A mov [ebp+var_F8], '{'
.text:100EC031 mov [ebp+var_F7], 's'
.text:100EC038 mov [ebp+var_F6], 'x'
.text:100EC03F mov [ebp+var_F5], 'o'
.text:100EC046 mov [ebp+var_F4], '2'
.text:100EC04D mov [ebp+var_F3], ''
.text:100EC054 mov [ebp+var_F2], 's'
.text:100EC05B mov [ebp+var_F1], 'q'
.text:100EC062 mov [ebp+var_F0], '3'
.text:100EC069 mov [ebp+var_EF], 'l'
.text:100EC070 mov [ebp+var_EE], 't'
.text:100EC077 mov [ebp+var_ED], 'l'
.text:100EC07E mov [ebp+var_EC], '~'
.text:100EC085 mov [ebp+var_EB], '~'
.text:100EC08C mov [ebp+var_EA], '3'
.text:100EC093 mov [ebp+var_E9], 1Ch
.text:100EC09A mov [ebp+var_20C], 0
.text:100EC0A4 jmp short loc_100EC0B5

.text:100EC0A4 jmp short loc_100EC0B5

As you can see, this piece of code builds an encrypted string “thhl&33kkk2hywrs{sxo2.sq3ltl~~”. If we XOR this string with 0x1C, the result is “https://www.teknogods.com/phpbb”

This is the exact URL that we got attacked at constantly (that is why we moved our forum to phpbb_a). You can thank ntauthority for making you a part of HIS private botnet. We’re wondering though, what else he has used you people for? TeknoGods would never do anything like this, because it is lame, way below our standards and not to mention illegal.

Our dedicated servers work even when user is fully offline and do not require users to register for anything. Anyone can play from anywhere, anytime, offline and online (there are still a few bugs, but we’re working constantly to fix them).

TL;DR: Altermw3 is a malware; ntauthority of alteriw.net is using altermw3 users for a DDoS (distributed denial of service) attack against our web page.

If you’re a reverse-engineer, download the altermw3 ‘iw5m.dll’ malware here a see for yourself!

PS. New version of T----MW3 is almost ready!

LAST MINUTE UPDATE: Latest ‘iw5m.dll’ version of AlterMW3 connects to IRC – does it turn your computer into fully remotely controlled zombie PC? We strongly suggest: never trust AlterIW ever again.

UPDATE #2:

Log of lot of bots joining their channel: Paste2: Next Generation Pastebin - Viewing Paste 1898447 (Killed (https://irc.rizon.no (G-Lined: botnet not allowed on rizon)))

G-Lines are always MANUALLY added.

UPDATE #3:

They admit it here:

alterIWnet • View topic - What are you doing guys?

UPDATE #4:

Their propaganda response here: alterIWnet • View topic - Regarding Teknogods and AlterMW3

Regards,
- TG Team -

[sflord90]

glad i never touched AlterMW3..


trojans cant touch me though ..

[aIW|Convery]

Technofags are just crying all the time. First it's us hacking their servers, then we are DDOSing, bribing feds to investigate their site and now we are a botnet.. But ye, if you want to go cheat on their servers instead then who am I to stop you =P

Also, everything is taken out of context in an attempt to slander aIW. Hence the "I advice you to stay far away from alterIW! [and play on my service instead]".. Not to mention that I personally find it funny that the guy who are always shouting about how he's making an original project and wants donations for it REs every aIW file whenever it updates, for no reason of course as he's making his own version from scratch, right?

I mean, it's not like he had a service just like aIW that he was going to release when enough people had donated to him and then never managed to release anything remotely useful.. and it's not like it took him 6 months to get a MW3 server semi-working while it took aIW 6 days..
So there's no real reason for all the hate..

[House]

I took this log by Wireshark 2 min ago and it seems to be true. AIW Client sent HTTP, SYN and TCP floods to the TeknoGods server IP. I dont claim anything but proof it is.

If you still want to play on aIW I advise you to add this to your hosts file which wil block connecting to TG IP:

Code:

127.0.0.1 91.229.175.162
127.0.0.1 teknogods.com

[aIW|Convery]

@House That was NTAs idea of a 'joke' and was in the code for a day and a half. The reason for this was because Teknofrauds cried about us DDOSing them for a whole week to cover up that their server couldn't even handle 100 players at the same time and to get attention as 'a competitor aIW has to do everything they can to compete with'. So NTA decided he wanted to show them what load really is and added that which was removed 32 hours later.

We have openly apologized for that thread being in the code as no one but NTA knew about it, but Teknofrauds wont stop there and constantly claim that we are a huge botnet while linking to the posts about the DDOS where Jerbob says "it's true" to further establish those claims and accusations. His other 'proof' is users joining the IRC channel via aMW3, this is a feature that has been in aIW for almost a year but as soon as it's added to aMW3 it's concrete proof of being part of a botnet.
It's worth noting that when ingame IRC was tested for aMW2 the users automatically joined the channel, exactly like how it was done today.

All in all, if aIW would have been a botnet and we actually cared for his tiny project we could have kept his site down without any problems. In the old thread where some accused aIW of being a botnet because the client can receive commands from admins (kick user, print to console etc.) we calculated that aIW as a botnet would have a rough 270GB/s worth of upload speed. I can't think of any site that can handle that, yet here we are explaining instead of silencing everyone that is annoying.

Again, if you want to cheat on a service with no anti-cheat or you're just falling for their propaganda then by all means go cheat on their service. aIW couldn't care less for what some cheaters believe as, let's be honest here, most cheaters here are kids that will believe anything. If I claimed that the Teknofrauds site is run by enchanted gerbils then quite a few would probably regard that as a fact.

[House]

I think that regardless reason, duration and network usage/capacity, NTA (or anyone else responsible) mustn't have misused ability to control the network of users to commit actions they did not sign approval for and especially if those actions include illeagl activities like Denial of Service and private data exposure (IP addresses).

[aIW|Convery]

I think that regardless reason, duration and network usage/capacity, NTA (or anyone else responsible) mustn't have misused ability to control the network of users to commit actions they did not sign approval for and especially if those actions include illeagl activities like Denial of Service and private data exposure (IP addresses).

Well, that's your opinion. I for one couldn't care less about the game opening a page as long as it wouldn't affect my computer in any way. Also, they didn't sign anything saying that the game is allowed to gather the MAC address and all that either..

[onemoar]

Well, that's your opinion. I for one couldn't care less about the game opening a page as long as it wouldn't affect my computer in any way. Also, they didn't sign anything saying that the game is allowed to gather the MAC address and all that either..

its bullshit non the less and its exactly the kind of behavior I tried to warn people about time and time again
regardless of the intention for it to be a "joke" the end result was a ddos attack PERIOD
and I am not even gonna discuss the subject of abuse of trust and misuse of userbase resources
what is really sad is this little flameware between teknotards and "assmassed idiots worldwide" aIW
the only thing both of you have manged todo is prove that my inital judge of you people was right your all morons
I mean seriously ? QC fail much .. all code should get at least a glance over before it rolls out ....
I advise everyone to boycott AIW > or grab a aimbot and go trolling :3

and saying "we are sorry' doesn't cut it

[aIW|Convery]

its bullshit non the less and its exactly the kind of behavior I tried to warn people about time and time again
regardless of the intention for it to be a "joke" the end result was a ddos attack PERIOD
and I am not even gonna discuss the subject of abuse of trust and misuse of userbase resources
what is really sad is this little flameware between teknotards and "assmassed idiots worldwide" aIW
the only thing both of you have manged todo is prove that my inital judge of you people was right your all morons
I mean seriously ? QC fail much .. all code should get at least a glance over before it rolls out ....
I advise everyone to boycott AIW > or grab a aimbot and go trolling :3

and saying "we are sorry' doesn't cut it

How about just rooting every cheater instead of banning them then? Seems like a lot of fun, not to mention an effective way to keep them away.. I mean, as the kids that hate aIW (yet plays it everyday) and are just looking for a reason to go on a crusade telling the world how bad aIW is as soon as a single mistake is made then why not, they'll never drop it and will only ramp it up so saying 'aIW now roots the cheaters, don't want to be part of a botnet? don't cheat' would probably even bring us more 'legit' players while the cheaters will cry in their corners. Not to mention that they would be responsible for their UC site being down (you know, then one that couldn't even handle 2 bots)..

Also, 'boycotting' a free service really has no effect, other than reducing the number of cheaters and therefore serverload.

[lolbie]

hehe
I think it is pretty cool xD
we are not in a botnet and still attacking a site :P

He is just using a loop to ddos them
how awesome xD

[Rkafisking]

I think that regardless reason, duration and network usage/capacity, NTA (or anyone else responsible) mustn't have misused ability to control the network of users to commit actions they did not sign approval for and especially if those actions include illeagl activities like Denial of Service and private data exposure (IP addresses).

NT might think its funny, regardless your ISP could still ban u for DDos attacks. Couple of years back i had some malware and it sent out DDos attack aswel without me knowing. My ISP contacted me telling what was up and suggested me formatting my windows, saying if it would continue there would be a possibilty they would literallypull the plug. Thanks for the heads up house.

[lolbie]

NT might think its funny, regardless your ISP could still ban u for DDos attacks. Couple of years back i had some malware and it sent out DDos attack aswel without me knowing. My ISP contacted me telling what was up and suggested me formatting my windows, saying if it would continue there would be a possibilty they would literallypull the plug. Thanks for the heads up house.

you don't even have to worry this isn't even a real ddos + it is already gone

[House]

you don't even have to worry this isn't even a real ddos + it is already gone

SYN flood - Wikipedia, the free encyclopedia

[Rkafisking]

you don't even have to worry this isn't even a real ddos + it is already gone

I never worry but its still an invasion of my privacy.
They shouldnt use my PC for a personal geek war.
Honestly i dont even see how its a joke cause its not even funny.

[lolbie]

I never worry but its still an invasion of my privacy.
They shouldnt use my PC for a personal geek war.
Honestly i dont even see how its a joke cause its not even funny.

maybe if you knew more it was a pretty good action...
but I am not going to say it