Have you ever chatted with a Hacker within a virus?

[ionut97]

This is an impressive and first-time experience in my anti-virus career. I chatted with a hacker while debugging a virus. Yes, it’s true. It happened when the Threat team were researching key loggers for Diablo III while many game players playing this game found their accounts stolen. A sample is found in battle .net in Taiwan, China. The hacker posted a topic titled “How to farm Izual in Inferno” (Izual is a boss in Diablo III ACT 4), and provided a link in the content which, as he said, pointed to a video demonstrating the means.

Below is the ‘Video’. It’s a RAR archive actually containing two executable files. These two files are almost the same except the icon.

The malware will connect to a remote server via TCP port 80 and download a new file packed by Themida.

That’s very simple Downloader/Backdoor behavior and we are only interested in looking for key logging code for Diablo III so we didn’t pay much attention to it.

But an astonishing scene staged at this time. A chatting dialog popped up with a text message:

(Translated from the image below)

Hacker: What are you doing? Why are you researching my Trojan?

Hacker: What do you want from it?

The dialog is not from any software installed in our virtual machine. On the contrary, it’s an integrated function of the backdoor and the message is sent from the hacker who wrote the Trojan. Amazing, isn’t it? It seems that the hacker was online and he realized that we were debugging his baby.

We felt interested and continued to chat with him. He was really arrogant.

(Translated from the image below)

Chicken: I didn’t know you can see my screen.

Hacker: I would like to see your face, but what a pity you don’t have a camera.

He is telling the truth. This backdoor has powerful functions like monitoring victim’s screen, mouse controlling, viewing process and modules, and even camera controlling.

We then chatted with hacker for some time, pretending that we were green hands and would like to buy some Trojan from him. But this hacker was not so foolish to tell us all the truth. He then shut down our system remotely.

Regarding this malware, no Diablo III key logging code was captured. What it really wants to steal is dial up connection’s username and password.

t sounds like a movie story, but it’s real. We are familiar with malware and we are fighting with them every day. But chatting with malware writers in real time doesn’t happen so often. Next time, I will be on the alert.

The malware and its components are detected by the AVG as Trojan horse BackDoor.Generic variants.

Franklin Zhao & Jason Zhou

Source:Have you ever chatted with a Hacker within a virus?

[Wav3]

Asa, si ?

Si eu am vorbit cu unu de era la mine in pc, cand mi-am luat-o grav in freza.

Atatea poze si explicatii pentru un nimic made in china.

[pinguinulturbat]

Da am vorbit. Mesajul a fost : Salut, sunt de pe RST! , vreau sa vorbesc ceva cu tine. Inchis calculatorul + restart + format toate partitiile , m-am kkt pe mine.

[sTz]

Inturdsting.Vorbeam acum cativa ani buni prin prorat cu niste colegi pe care-i mai prosteam sa-mi intre-n server, lol.

[souL]

Abia acum au auzit de RAT-uri? Totusi, imi si imaginez fata lu' ala cand i-a aparut mesajul fix cand dadea debug. El chiar credea ca ala l-a contactat pentru ca ii daduse debug cand, probabil, "hacker"-ul era pe viewing mode tot timpul.

[B3st]

Care e hacker ul in balada asta ?