Author Topic: Fake Twitch Blog with System32 Malware. [Only 1 vendor currently blocks site]  (Read 22862 times)


Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Really great work that you are doing. We all appreciate it. :)

~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
@All,

Such reports should all also land at Avast base to further protection of the Avast community.
I am convinced Avast team members appreciate and support our cooperative efforts.
Together we can just make "the difference that counts".
We all trust in Avast, unless we test!

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Quote
@All,

Such reports should all also land at Avast base to further protection of the Avast community.
I am convinced Avast team members appreciate and support our cooperative efforts.
Together we can just make "the difference that counts".
We all trust in Avast, unless we test!

polonus

I agree, I'm going to be forwarding on all that we know; I'm guessing it would need to be sent to their virus@avast address?

In addition I've been forwarding on all we know to Twitch's Security department.

Thanks
Oliver
« Last Edit: February 28, 2015, 04:45:12 PM by OliPicard »

REDACTED

  • Guest
An email has been sent to Avast's research team detailing all the new information we have on the current threat.


I hope you all have a good weekend!
Oliver

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
I'm a little peeved this still hasn't been added.

To the chest I go.
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

REDACTED

  • Guest
Just heard back from a researcher at F-Secure; they are also now looking into the .bat mal cases.

I'll keep my eyes peeled in the next 24 hours to see if anything else is done from avast's end.

Thanks all.
Oliver

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Hi Oliver,

Thank you from the avast support userbase
for your continuous investigating and reporting these threats for us.

Damian
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Greetings all,

The group has started up a new site aimed at phishing. Happy to disclose the URL to researchers.

The site is attempting to look like a twitch.tv site that will log the person's IP address as well as their login information.


Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
PM them to Polonus. He does the Website stuff. Same with Donovan
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

REDACTED

  • Guest
Hi Alan, I have gone ahead and sent them both reports on the new phishing site.

Interesting to see how things are evolving from simple .bat files!

REDACTED

  • Guest
Michael (Alan1998), I'm about to send you a new piece of malware connected to this case. The guys have finally pulled off an executable that deletes system32 and emails over passwords at the same time.

Thanks
Oliver

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
@readers of this evolving and interesting thread,

Sometimes abuse goes hand in hand, and the one abuse makes that the other abuse is being ignored.
What Oliver mentions is abuse that goes hand in hand with pop-under adware served up via links to -creative.ad123m.com -> https://www.virustotal.com/nl/domain/creative.ad123m.com/information/
This is a source for the dreaded Zedo and ADS123 pop-unders in, for instance, the Firefox browser.
So the abuse that Oliver is reporting is now piggybacking on the Zedo and ADS123 crap adware infection.
Good to know how website abuse is all interconnected.

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Looking at the files in question, they have to be compiled by an attacker before use as an executable.

Looks like the language being used is VB6 (VB.net)/Visual Basic.

However there are some worrying lines in there.


An IP logger, a stream key forwarding kit and finally a reset of the HOSTS file.

Code:
Text = (vbNewLine & "{IP} google.com" & vbNewLine & "{IP} google.fr" & vbNewLine & "{IP} google.ca" & vbNewLine & "{IP} google.co.uk" & vbNewLine & "{IP} google.de" & vbNewLine & "{IP} google.nl" & vbNewLine & "{IP} google.ru")

The livestream key is critical; if anyone grabs it they can hijack your stream. This could be a nasty threat if compiled.


« Last Edit: March 02, 2015, 06:28:16 PM by [Oli] »
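A defender-side check for the HOSTS file reset described in the post above, added here as an example and not code from the thread or from the malware sample: it parses a hosts file, skips the normal loopback entries, and flags any active line that points a watched domain (the google.* names from the snippet) or any other host at a non-loopback address, as well as lines whose address field is not an address at all (such as an unexpanded "{IP}" template). The sample hosts content, the watchlist and the documentation-range addresses are constructed for illustration.

```python
"""Flag hosts-file entries that redirect watched domains away from loopback.

Added example for the Avast forum thread; not code from the thread or the
sample it discusses. The hosts content and watchlist below are constructed.
"""
import ipaddress
from typing import List, NamedTuple, Tuple

# Normal hosts-file addresses: loopback and the "blackhole" 0.0.0.0.
BENIGN_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed watchlist: the domains the thread's snippet rewrites.
WATCHED_SUFFIXES = ("google.com", "google.fr", "google.ca", "google.co.uk",
                    "google.de", "google.nl", "google.ru")

# Constructed sample hosts file: two normal lines, two watched domains
# redirected to a documentation-range address, one unrelated non-loopback
# mapping, and one unexpanded "{IP}" template line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.7     google.com      # constructed redirect
203.0.113.7     google.co.uk
192.0.2.10      intranet.example
{IP} google.de
"""


class Finding(NamedTuple):
    line_no: int
    address: str
    hostname: str
    reason: str


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, address, hostnames) for each active (non-comment) entry."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # not an address-to-name mapping
        entries.append((line_no, parts[0], parts[1:]))
    return entries


def _is_watched(hostname: str) -> bool:
    """True when hostname equals or is a subdomain of a watched suffix."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)


def scan_hosts(text: str) -> List[Finding]:
    """Return findings for every entry that is not a benign loopback mapping."""
    findings: List[Finding] = []
    for line_no, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            # e.g. a template literal like "{IP}" written verbatim
            for name in names:
                findings.append(Finding(line_no, address, name, "unparseable address"))
            continue
        if address in BENIGN_ADDRESSES or ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            reason = ("watched domain redirected" if _is_watched(name)
                      else "non-loopback mapping")
            findings.append(Finding(line_no, address, name, reason))
    return findings


if __name__ == "__main__":
    # On a real Windows host you would read
    # C:\Windows\System32\drivers\etc\hosts instead of SAMPLE_HOSTS.
    for f in scan_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.address} -> {f.hostname} ({f.reason})")
```

Run against a real system the script reads the hosts file instead of SAMPLE_HOSTS; a clean Windows hosts file yields no findings, so any output is worth a look, and the "unparseable address" case catches a sample that wrote its template out without substituting the address.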

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Hi Oliver,

This language is going to be more and more popular with virus authors:
Quote
VB code can be analyzed using a combination of static and dynamic analysis. If we open the VB code in a disassembler it will not yield too much information, only obfuscated strings, a tactic frequently employed to make it more difficult to analyze the file.
Read here why this malware is becoming more and more popular:
http://www.lavasoft.com/mylavasoft/securitycenter/whitepapers/visual-basic-platform-is-becoming-increasingly-popular-among-malware
A more detailed description of such a trojan from 2012: http://www.lavasoft.com/mylavasoft/malware-descriptions/blog/trojanwin32vbqms  link article author = Atlantis

Damian

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
No update from Avast on the .bat files; still monitoring other files. If there's anything new I'll let you all know as quickly as possible.