Poll

Which theria is your favorite?

Aetheria
30 (34.1%)
Etheria
58 (65.9%)

Total Members Voted: 88

Author Topic: Etheria & Aetheria  (Read 30247 times)

And that there confirms my suspicions. How is this not a RAT? Badspot provided us with that information, 4 anti-virus programs denoted it as remote access software and files it had created are mysteriously gone now.

Please note that someone with coding experience is not an instant cyber security master. While I have no doubts that Badspot is indeed making a good call here (not to mention he's quite decent with the whole cyber security business afaik), this is not a good basis for action on it's own.

Those of you who have downloaded and run the .exes, you're screwed; turn off your network connections and reformat. This is a version of darkcomet that is new/lesser known to the public cyberdefense eye, and will therefore not be detected by your system in most cases. If you want, you can send out the infected file to cybersec agencies to let them know they need to update - but a case like this can't be sat down with for hours while you wait for a fix.

What was said in the chat Zealot posted is most likely true - cases like this where a seemingly legitimate program will do a task with a 'piggybacking' (so to speak) software following in behind to do whatever it was trying to do - You'll see it often, especially in conversion programs (.midi to .ogg, .wav, .mp3, and, as we've seen here, .bat to .exe) to cloak the malicious file from suspicion. Dark's fallen victim, as it would seem, and didn't mean to spread this.
What if I have no access to an external hard drive

files it had created are mysteriously gone now.
they are? the files it created still existed on my end, and i deleted 'em.

And that there confirms my suspicions. How is this not a RAT? Badspot provided us with that information, 4 anti-virus programs denoted it as remote access software and files it had created are mysteriously gone now.
Well so far the only actual evidence here that it is a virus is that 4 antiviruses classified it as a trojan. However, all the created processes are harmless, it doesn't read anything malicious, it doesn't create anything malicious either. The reason the files are gone is because in the created processes (which I explained) it started a command prompt to delete the files afterward. I examined both the files (Which are the only ones they made) and they're completely harmless.

I'm completely unsure how other people are coming to the conclusion that it's a RAT, do you have some evidence that it is? Please show it.

Have access to a disk drive and discs?
they are? the files it created still existed on my end, and i deleted 'em.
hey i just noticed the "afolder" thing you were talking about ipquarx

it's empty...

:O
Well so far the only actual evidence here that it is a virus is that 4 antiviruses classified it as a trojan. However, all the created processes are harmless, it doesn't read anything malicious, it doesn't create anything malicious either. The reason the files are gone is because in the created processes (which I explained) it started a command prompt to delete the files afterward. I examined both the files (Which are the only ones they made) and they're completely harmless.

I'm completely unsure how other people are coming to the conclusion that it's a RAT, do you have some evidence that it is? Please show it.
The way the program is presented seems suspicious and with that bit of proof too. When I first read this topic, I had suspicions this was a type of malware and Badspot confirmed my suspicions.

Ip, before you even decide to skip this stuff over and just post thinking that I'm wrong, just read this.
Maxx still has no idea what he's talking about. Your entire claim about badspot magically knowing whether or not a file is a rat is completely invalid. You cannot magically determine whether or not a file is a virus, there has to be evidence to support it. This can be seen through A. created processes  B. modified, removed and created files  and C. read files.

Your claim about anti-viruses magically knowing whether or not something is a virus is also invalid, they use the behaviour of the exe (like the files it writes, the processes it makes, etc) to determine whether or not it's a virus. For example, if an exe creates and runs a file at location X, it's classified as a trojan. This is very possibly the case.

Let's take a look at the created processes and completely invalidate your claim about it running a virus in the background.


1. Create a folder named "afolder" in the temp directory
2. Create a folder named "ytmp" in the temp directory
3. set "ytmp" to hidden
4. clear the screen
5. if the bat file exists, delete it
6. if the exe files exists, delete it
#7 does absolutely nothing as far as I can tell.

SO. Unless you have some actual evidence that it's a virus. I am thoroughly convinced you're just bandwagoning and have not a damn clue what you're saying. You can start by looking for files that it modifies. Good luck.
let me ask you this
if this was some high-tech arg, why would it be creating, hiding, and deleting files?
you said it isn't CREATING anything, when its obvious the decrypter.exe placed files in the temp folder.
why would some ARG shove stuff into a user's directory WITHOUT THEIR CONSENT?
i know you're going to say that its some stupid program that leads you to the all magic ARG, and skip over my post in its entirety because, why would we give a forget about the white 12 year old whos trying to explain to people that its possibly malicious and it isn't safe right? but i think its enough evidence throughout the topic of multiple user's posts, INCLUDING YOUR OWN POST, that it is some sort of RAT.
the virus total scan that YOU MADE says so, and virustotal is most of the time accurate, putting the file under the name of "DarkKomet"
Well, the virustotal of the exe file the readme links to is here: https://www.virustotal.com/en/file/a8ff1e82b45d5a0048e75be255eebbdc73b463bcd8d201ae1cb197539be1eb5a/brown townysis/1420253104/

It creates two files
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\ytmp\tmp33507.bat (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\ytmp\tmp95157.exe (successful)

and then runs them.

So yeah, no, i'm not running this stuff.

plus, the rchelicopter phrase thing links to HACKFORUMS! and some other shady stuff.
also judging by what has happened to me in the past, i left my own room for a total 5 minutes, and came back and my account was hijacked.
this could literally be some person that we do not know who hijacked carbon's account to spread the loving thing.

""Packers detected:
PE_PATCH, UPACK"

Sorry if I can't write this proper but such packers are needed to compile batch files. Its a shame that some scans will call it as malware. It's not unlike those tools we use to scan for Alternate Data Streams or change system password tools. Those can set off the alarms during a scan as well.

In other words a False Positive."
Who would put a false positive peice of software that purposely executes and drops its own files in a user directory? Even in a topic creating a ARG?
It's a loving ARG, not the movie "Hackers".

Please note that someone with coding experience is not an instant cyber security master. While I have no doubts that Badspot is indeed making a good call here (not to mention he's quite decent with the whole cyber security business afaik), this is not a good basis for action on it's own.

Those of you who have downloaded and run the .exes, you're screwed; turn off your network connections and reformat. This is a version of darkcomet that is new/lesser known to the public cyberdefense eye, and will therefore not be detected by your system in most cases. If you want, you can send out the infected file to cybersec agencies to let them know they need to update - but a case like this can't be sat down with for hours while you wait for a fix.

What was said in the chat Zealot posted is most likely true - cases like this where a seemingly legitimate program will do a task with a 'piggybacking' (so to speak) software following in behind to do whatever it was trying to do - You'll see it often, especially in conversion programs (.midi to .ogg, .wav, .mp3, and, as we've seen here, .bat to .exe) to cloak the malicious file from suspicion. Dark's fallen victim, as it would seem, and didn't mean to spread this.
This then applies to Ipquarx's post. I am pretty sure Badspot knows some things about software and IT.
Why in the forget would Carbon give out a program that extracts files into a hidden directory?
a hidden loving directory!
Well so far the only actual evidence here that it is a virus is that 4 antiviruses classified it as a trojan. However, all the created processes are harmless, it doesn't read anything malicious, it doesn't create anything malicious either. The reason the files are gone is because in the created processes (which I explained) it started a command prompt to delete the files afterward. I examined both the files (Which are the only ones they made) and they're completely harmless.

I'm completely unsure how other people are coming to the conclusion that it's a RAT, do you have some evidence that it is? Please show it.
It's common sense, this is an ARG topic, right? oh yes we had to go through those executing and finding passwords to find more clues, but you know he drops a big old exe that duplicates itself into a hidden directory, I can't even try to prove my point because you're going to smash it down with some weird theory and Zealot or someone is going to tell me to "shut the forget up" because I'm trying to prove that this is most certainly a RAT.
I am at my most certainty that Badspot knows a lot more about computers, tech and software than all of us here.
take a look at the 2013 hijacking spree, multiple users got hacked with their BLF accounts taken and at one point, MrMcCakey was hijacked with a RAT by Lando The Climber.
http://forum.blockland.us/index.php?topic=234999.0
Quote
It all started when gullible and moronic Cakey decided Lando could be trusted when he sent me a java application that he claimed was a game he made. The next day, a gay research photo opened up in my browser out of the blue (I can't remember what it was called, it was "gitsuh" or something). Shortly after, a chat window opened up. It was shaking and I could only close it by opening the task manager and killing the application. Talking through it was somebody insulting me and typed purposely terribly. I assumed it was Lando from the very start, but I was always bad at making wild guesses like that. I was in a Steam chat with Lando at the time, and he made a post with a massive furry research picture in the pony thread. Immediately after, he told me about the post, not giving away that he was the one that made it. At this point, my heart was pounding. With the little time I had before I was locked out of my account, I made a thread saying I was hijacked, and any suspicious posts coming from MrMcCakey weren't from me. But eventually I put two and two together, and I figured out Lando was hijacking me, and I was so pissed. I confronted him about it, but he kept denying it.

Shortly after Badspot banned MrMcCakey and cleared out the disgusting posts that Lando made, I got a Steam message from a close friend I made during my time here on Blockland, by the name of Zealot. Some of you think of him as an annoying troll that ruins the game for everyone (though he hasn't done a whole lot of it lately), but I think of him as a companion in marriage. Anyway, he gave me the full story, which I don't remember completely, but I'll say how I think it went.

The java application was sent to multiple people, including Zealot. He was smart, though, and he checked the contents of the application to see if they were dangerous. Lando also sent it to a forum member named Frontrox, which most of you know. He passed it on to more people, not knowing it was a dangerous program. Anyway, once Lando had access to my computer, he got access to my Minecraft password (which led to me buying a new Minecraft account -.-), which happened to match with my forum password. He got on my forum account, and stuff went down. MaroonCacti and Tømpson aided slightly, but they eventually let me know and apologized, so we're cool.

Zealot created a drama topic on Lando for hijacking people's accounts, which includes Steve5451, me, and perhaps a few other people I don't know the names of. Here's where stuff gets sentimental. In the topic, there were numerous posts showing concern if I was gone from the forums, and that really touched my heart. Obviously I was going to make an alt, but how, you may ask? Remember the second key I talked about earlier? I remembered it. One thing led to another, and I had access to it. I created a new account called Cakey and applied the key to it. As soon as I made a post, I received PMs and Steam friend requests from numerous people. Of course there were people who thought I actually made those posts myself as a forum Self Delete, but honestly I just laughed. Anyway, everyone's concern for me made me think I was worth something to this community, like I deserve a place here. Regardless of the events that day, I was very, very happy.
I have exhausted all of the possible peices of evidence here, there is no other way to tell you this could be a RAT.
This executable has hidden files, moved them, and even duplicated itself, yet it's related to this stuffty ARG and you think downloading the file is safe, I'm pretty sure this line of text could at least hint the common forum-goer that this is a loving RAT.

Have access to a disk drive and discs?The way the program is presented seems suspicious and with that bit of proof too. When I first read this topic, I had suspicions this was a type of malware and Badspot confirmed my suspicions.
https://yourlogicalfallacyis.com/appeal-to-authority

Badspot doesn't magically know that the program is malicious. He probably just looked at the circumstances (user spreading .exe file that people are suspicious about), and decided to invoke the rule he made about not distributing executable files through the forums. In my opinion it was kinda a rash move, but on the other hand it would have taken him more time than it was worth to him to actually prove something was dangerous.

Badspot never confirmed that it was dangerous, Ipquarx just showed on the last page that there is nothing harmful about the program and the antivirus detections were false positives.

So is there any process or service or any network traffic info I could use to pinpoint something in or outbound?
tbh I should prolly reformat anyway for performance reasons lol
But idfk wat do.

Also, he could have most likely done it because it's extremely easy.
You literally find a legit copy of DarkComet somewhere on the internet, follow the steps to generate a working stub, and voila! Send it to one person and they are your victim, the person that you can toss their machine and data around like loving toys.

https://yourlogicalfallacyis.com/appeal-to-authority

Badspot doesn't magically know that the program is malicious. He probably just looked at the circumstances (user spreading .exe file that people are suspicious about), and decided to invoke the rule he made about not distributing executable files through the forums. In my opinion it was kinda a rash move, but on the other hand it would have taken him more time than it was worth to him to actually prove something was dangerous.

Badspot never confirmed that it was dangerous, Ipquarx just showed on the last page that there is nothing harmful about the program and the antivirus detections were false positives.
Why would the virustotal AV's detect that it is DarkKomet then if its such a big fat false positive?

Also, he could have most likely done it because it's extremely easy.
You literally find a legit copy of DarkComet somewhere on the internet, follow the steps to generate a working stub, and voila! Send it to one person and they are your victim, the person that you can toss their machine and data around like loving toys.
Why would the virustotal AV's detect that it is DarkKomet then if its such a big fat false positive?
we don't know
because we dont know what the avs look for
because if we did then people would sidestep them.

Why would the virustotal AV's detect that it is DarkKomet then if its such a big fat false positive?
Because not all AV systems are up to date/sane/great at what they do.

Why would the virustotal AV's detect that it is DarkKomet then if its such a big fat false positive?

""Packers detected:
PE_PATCH, UPACK"

Sorry if I can't write this proper but such packers are needed to compile batch files. Its a shame that some scans will call it as malware. It's not unlike those tools we use to scan for Alternate Data Streams or change system password tools. Those can set off the alarms during a scan as well.

In other words a False Positive."

It's a false positive because the detection was made based on the structure of the program. Ipquarx used a tool to track all the activity the program created and confirmed that nothing it did had any malicious effect. I'd also like to point out that out of the 56 different programs virustotal uses, only 4 off-brand names claimed a detection, this makes the detections dubious at best.

It's a false positive because the detection was made based on the structure of the program. Ipquarx used a tool to track all the activity the program created and confirmed that nothing it did had any malicious effect. I'd also like to point out that out of the 56 different programs virustotal uses, only 4 off-brand names claimed a detection, this makes the detections dubious at best.
Still doesn't explain why it duplicated itself into a renamed .exe and a bat file.

Still doesn't explain why it duplicated itself into a renamed .exe and a bat file.
Maybe it was a programming error?
Maybe it was part of the game?

Ok so
say I had been ratted.
clearly there will be network traffic between my comp and starfish's comp, right?
So I have a network logger built into AVG
if comm was happening then could I find it in the network traffic logger? If so, how, if not, why tf not