Author Topic: Fake Twitch Blog with System32 Malware. [Only 1 vendor currently blocks site] (Read 22868 times)

Michael (alan1998) · « **Reply #15 on:** February 26, 2015, 04:12:54 PM »

A video for you too Watch about Hal.dll missing:
https://www.youtube.com/watch?v=evV-zSM3A2k

Edit: Can the OP please remove the host links for the Malicious Website? That file is extremely dangerous. Thanks.

PS: I have removed the majority of the code.

polonus · « **Reply #16 on:** February 26, 2015, 04:19:28 PM »

Hi Michael,

Please do not try to delete hal.dll in your system

as you may corrupt it big time.

polonus

Michael (alan1998) · « **Reply #17 on:** February 26, 2015, 04:21:53 PM »

Not my video :-). Besides, that video was made inside a Virtual Machine. I know enough not to damage my system.. Even if I did... I have 3 systems at home, 2 are trustworthy to get a clean version of Hal.dll to rebuild the machine.

Actually, I wonder if that would work!? I will try that later inside a Testing Environment lol.

REDACTED · « **Reply #18 on:** February 26, 2015, 04:31:27 PM »

Quote from: Michael (alan1998) on February 26, 2015, 04:12:54 PM

A video for you too Watch about Hal.dll missing:
https://www.youtube.com/watch?v=evV-zSM3A2k

Edit: Can the OP please remove the host links for the Malicious Website? That file is extremely dangerous. Thanks.

PS: I have removed the majority of the code.

Whoops, sorry about that. Where would be the best place to report an active malicious website? I did attempt to remove the http at the front to prevent users from click on the site's link by putting them in brackets.

Many thanks for the in-depth analysis. It seems far worse than i had originally imagined.

Michael (alan1998) · « **Reply #19 on:** February 26, 2015, 04:33:43 PM »

I will be emailing Avast! Shortly with the attached file and the source. No need to email them :-)

polonus · « **Reply #20 on:** February 26, 2015, 04:37:03 PM »

Hi Oliver,

For me first and foremost all go here: virus@avast.com with a link to this thread preferably,
so the avast member coder of duty can handle or forward it.
All we do here as an avast support forum member is furthering avast detection,
that is our main aim as support to this here community.

Damian

REDACTED · « **Reply #21 on:** February 26, 2015, 04:40:25 PM »

I've removed links to the site in question to prevent downloads. If anyone did want to see the site in question the reddit post I pointed to has the site's url visiable. However this will be at your on perial. The bat file seems to have a really nasty kick as Michael (alan1998) pointed out.

Thanks again avast community. We are making progress towards stopping the malware in it's tracks.

Michael (alan1998) · « **Reply #22 on:** February 26, 2015, 04:42:23 PM »

It is people like you, Polonus, Donovan etc that help us everyday with tracking these (Excuse my french) bastards down.

polonus · « **Reply #23 on:** February 26, 2015, 05:09:31 PM »

Hi Michael,

And a big thank you to you and others helping us.
Together we stand strong against ignorance and unawareness.
Helping here is also helping the community great time.
All that contributed, thanks for a very interesting thread indeed,
and that you have found your way unto this marvellous platform
that Avast has provided for us all,

Damian

Michael (alan1998) · « **Reply #24 on:** February 26, 2015, 05:52:49 PM »

Quote from: polonus on February 26, 2015, 05:09:31 PM

Hi Michael,

And a big thank you to you and others helping us.
Together we stand strong against ignorance and unawareness.
Helping here is also helping the community great time.
All that contributed, thanks for a very interesting thread indeed,
and that you have found your way unto this marvellous platform
that Avast has provided for us all,

Damian

You're quite welcome :-)

Pondus · « **Reply #25 on:** February 26, 2015, 06:32:15 PM »

F-Secure added URL block

also added detection for both files as Trojan.BAT.AAIU in next update
https://www.virustotal.com/nb/file/29c50017317cc6c79b1e6ab03e36f5b75780fdbf059615396d3a19625f35676e/analysis/1424954933/
https://www.virustotal.com/nb/file/fbf640ae0bd0da2c4101034df918910c31617a7b31d603b7900df13d67883937/analysis/1424955640/

REDACTED · « **Reply #26 on:** February 26, 2015, 07:23:26 PM »

Quote from: Pondus on February 26, 2015, 06:32:15 PM

F-Secure added URL block

also added detection for both files as Trojan.BAT.AAIU in next update
https://www.virustotal.com/nb/file/29c50017317cc6c79b1e6ab03e36f5b75780fdbf059615396d3a19625f35676e/analysis/1424954933/
https://www.virustotal.com/nb/file/fbf640ae0bd0da2c4101034df918910c31617a7b31d603b7900df13d67883937/analysis/1424955640/

Great to hear Pondus! Hopefully we will see more vendors being added to the list shortly.

Pondus · « **Reply #27 on:** February 26, 2015, 07:37:32 PM »

Norman/BlueCoat added URL block and added detection for files as Agent.BNNBZ / Agent.BNNCA

REDACTED · « **Reply #28 on:** February 26, 2015, 08:07:50 PM »

Just heard back from a large enterprise firewall firm they have said that they have confirmed that the latest A/V signatures block

system32_virus_remover_v1.2.bat MD5:9cf75d716f6b698b5433db6bad4a2877 - as BAT/Ral.A!tr (trojen)

The site has also been blocked from IP Reputation database. Really happy with how things are going. Amazon also had an EC2 Abuse report sent out so hopefully they can get the instance booted offline asap.

In addition it seems the fake blog page image has been stolen from an actual twitch employee (djWHEAT), However the hacker is calling themselves ("StepTech"), As mentioned before StepTech is not related to twitch.tv and or staff.

Just amusing to see how someone has put so much effort into creating a fake identity that people would believe in.

REDACTED · « **Reply #29 on:** February 27, 2015, 02:56:44 PM »

The site hosting the malware has been taken offline, The domain is now pointing to GoDaddy's parked domains service.
Pondus has reported that he has been able to get Norman/BlueCoat to block the file in question.

I am awaiting confirmation from Amazon to ensure the end user cannot spin up a new EC2 instance on the account.

Thanks everyone!
Oliver

Author Topic: Fake Twitch Blog with System32 Malware. [Only 1 vendor currently blocks site] (Read 22868 times)

Michael (alan1998)

Re: Fake Twitch Blog with System32 Malware. [Only 1 vendor currently blocks site]

polonus

Re: Fake Twitch Blog with System32 Malware. [Only 1 vendor currently blocks site]

Michael (alan1998)

Re: Fake Twitch Blog with System32 Malware. [Only 1 vendor currently blocks site]

REDACTED

Re: Fake Twitch Blog with System32 Malware. [Only 1 vendor currently blocks site]

Michael (alan1998)

Re: Fake Twitch Blog with System32 Malware. [Only 1 vendor currently blocks site]

polonus

Re: Fake Twitch Blog with System32 Malware. [Only 1 vendor currently blocks site]

REDACTED

Re: Fake Twitch Blog with System32 Malware. [Only 1 vendor currently blocks site]

Michael (alan1998)

Re: Fake Twitch Blog with System32 Malware. [Only 1 vendor currently blocks site]

polonus

Re: Fake Twitch Blog with System32 Malware. [Only 1 vendor currently blocks site]

Michael (alan1998)

Re: Fake Twitch Blog with System32 Malware. [Only 1 vendor currently blocks site]

Pondus

Re: Fake Twitch Blog with System32 Malware. [Only 1 vendor currently blocks site]

REDACTED

Re: Fake Twitch Blog with System32 Malware. [Only 1 vendor currently blocks site]

Pondus

Re: Fake Twitch Blog with System32 Malware. [Only 1 vendor currently blocks site]

REDACTED

Re: Fake Twitch Blog with System32 Malware. [Only 1 vendor currently blocks site]

REDACTED

Re: Fake Twitch Blog with System32 Malware. [Only 1 vendor currently blocks site]