Aerosol Posted November 19, 2014 Report Share Posted November 19, 2014 (edited) Today I was brought to the attention of a Tumblr post - apparently there's malware doing the rounds making use of Steam chat, (adding Steam friends and) spamming Steam users.Example message:Onyx is right, the link's indeed phishy and uses bit.ly (a URL shortener) to trick users into clicking it. Remember the worm that spread via Skype and Messenger last year? (reference here and here) This is a similar campaign.SetupSomeone adds you on Steam, you accept and immediately a chat pops up as similar to above.Alternatively someone from your friends list already got infected and is now sending the same message to all his/her friends.The bit.ly link actually refers to a page on Google Drive, which immediately downloads a file called IMG_211102014_17274511.scr, which is in fact a Screensaver file - an executable.The file is shared by someone named "qwrth gqhe". Looks legit.Note that normally, the Google Drive Viewer application will be shown and this will allow you to download the .scr file. In this case, the string "&confirm=no_antivirus" is added to the link, which means the file will pop-up immediately asking what to do: Run or Save.(and in some cases download automatically)At time of writing, the file is actually still being hosted by Google Drive. I have reported it however.Afterwards, you're presented with the screensaver file which has the following icon:Opening the file will result in installing malware on your system, which will steal your Steam credentials.Technical details:IMG_211102014_17274511.scrMeta-data=======================================================================File: IMG_211102014_17274511.scrSize: 1031168 bytesType: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assemblyMD5: 138ec432db0dd6b1f52f66cc534303dbSHA1: 7d0575a883fed7a460b49821c7d81897ae515d43ssdeep: 12288:HX24H8aUg/YGX5mYL/s8n2XtK8XXSTbVqbUFp6F7PdpECZ9dVIN:3n8DgQSpk8n2d9STgQFpO7VykbVINDate: 0x5460FA18 [Mon Nov 10 17:47:04 2014 UTC]EP: 0x4bb1fa .text 0/3CRC: Claimed: 0xfdcdb, Actual: 0xfdcdbVirusTotal: linkResource entries=======================================================================Name RVA Size Lang Sublang Type--------------------------------------------------------------------------------RT_ICON 0xbe0e8 0x42028 LANG_NEUTRAL SUBLANG_NEUTRAL dataRT_GROUP_ICON 0x100110 0x14 LANG_NEUTRAL SUBLANG_NEUTRAL MS Windows icon resource - 1 iconRT_VERSION 0x100124 0x44c LANG_NEUTRAL SUBLANG_NEUTRAL dataSections=======================================================================Name VirtAddr VirtSize RawSize Entropy --------------------------------------------------------------------------------.text 0x2000 0xb9200 0xb9200 7.978522 [sUSPICIOUS].reloc 0xbc000 0xc 0x200 0.101910 [sUSPICIOUS].rsrc 0xbe000 0x42570 0x42600 6.429023 Version info=======================================================================Translation: 0x0000 0x04b0LegalCopyright: \xa9 Microsoft Corporation. All rights reserved.Assembly Version: 6.0.6000.16384InternalName: wrrrrrrrrrrrr.exeFileVersion: 6.0.6000.16384CompanyName: Windows ® Codename Longhorn DDK providerComments: Office Licensing Admin Access ProviderProductName: Windows ® Codename Longhorn DDK driverProductVersion: 6.0.6000.16384FileDescription: LICLUA.exeOriginalFilename: wrrrrrrrrrrrr.exeConnects to:185.36.100.181Downloads and executes:temp.exeMeta-data=======================================================================File: temp.exeSize: 4525568 bytesType: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assemblyMD5: d0f8b90c85e5bedb691fca5c571a6794SHA1: cd9b3bf5c8d70e833b5c580c9b2fc1f3e5e4341essdeep: 98304:seRaRLOvFLHpNeV/riwz58R42is6e3RXjOWDucCnp1DA9sv7o2s2kbsUOEGx4VKm:zRaidjjqPdDsDbsU0akJyxL405+fiXDate: 0x5460F588 [Mon Nov 10 17:27:36 2014 UTC]EP: 0x8522b6 .text 0/3CRC: Claimed: 0x0, Actual: 0x4564dd [sUSPICIOUS]VirusTotal: link[/ul]Resource entries=======================================================================Name RVA Size Lang Sublang Type--------------------------------------------------------------------------------RT_VERSION 0x4540a0 0x234 LANG_NEUTRAL SUBLANG_NEUTRAL dataRT_MANIFEST 0x4542d4 0x1ea LANG_NEUTRAL SUBLANG_NEUTRAL XML document textSections=======================================================================Name VirtAddr VirtSize RawSize Entropy --------------------------------------------------------------------------------.text 0x2000 0x450384 0x450400 6.884893 .rsrc 0x454000 0x4c0 0x600 3.689538 .reloc 0x456000 0xc 0x200 0.101910 [sUSPICIOUS]Version info=======================================================================Translation: 0x0000 0x04b0LegalCopyright: Assembly Version: 1.0.0.0InternalName: vv.exeFileVersion: 1.0.0.0ProductVersion: 1.0.0.0FileDescription: OriginalFilename: vv.exeRemediationWhat if you clicked the link and executed the file? Follow these steps:Exit Steam immediatelyOpen up Task Manager and find a process called temp.exe, wrrrrrrrrrrrr.exe, vv.exe or a process with a random name, for example 340943.exeLaunch a scan with your installed antivirusLaunch a scan with another, online antivirusWhen the malware has been disinfected or deleted, change your Steam password - if you use the same password for other sites, change those as wellVerify none of your Steam items are missingPreventionBe wary when someone new adds you on Steam and immediately starts sending linksIn fact, don't click on links someone unknown sends to youIf you did, don't open or execute anything else - just close the webpage (if any) or cancel the downloadBy default, file extensions are not shown. Enable 'Show file extensions' to see the real file type. Read how to do that hereAdd the IP 185.36.100.181 to your host file or block it in your firewall. In the host file, add:127.0.0.1 185.36.100.181 Follow the tips by Steam itself to further protect your account:Account Security RecommendationsConclusion Never click on unknown links, especially when a URL shortener service like bit.ly is used. (others are for example t.co, goog.gl, tinyurl, etc.)Don't be fooled by known icons or "legit" file descriptions, this can easily be altered.Even if you clicked the link and you're not suspicious, you should be when a file is downloaded and it's (in this case) a screensaver file.For checking what is really behind a short URL, you can use:http://getlinkinfo.com/For checking whether a file is malicious or not:https://www.virustotal.com/Follow the prevention tips above to stay safe.Source Edited November 19, 2014 by Aerosol Quote Link to comment Share on other sites More sharing options...
tuxiqul Posted November 21, 2014 Report Share Posted November 21, 2014 Vreau si eu softu care trimite automat mesaje pe steam Quote Link to comment Share on other sites More sharing options...
