
SANS ISC: Fake Game Demo website - Internet Security | DShield SANS ISC InfoSec Forums


Fake Game Demo website

Lee informed us today that dota2trailer.tk claims to have a video trailer for the new Dota 2 game but instead installs a keylogger to steal credentials from gamers.

The website warns that you need JavaScript enabled, so it may have some Java exploits.

VirusTotal's URL check didn't show any known maliciousness associated with that URL:
http://www.virustotal.com/url-scan/report.html?id=c6b23afaa80fb96f096cb9b9e6a25012-1294334566

- Firefox: Clean site
- G-Data: Clean site
- Google Safebrowsing: Clean site
- Opera: Clean site
- ParetoLogic: Clean site
- Phishtank: Clean site


Looking at the code on the site, it does try to use Java to download "hxxp://NoS.fileave.com/CamPlug.exe".
CamPlug.exe isn't recognized as malicious by any antivirus vendor at VirusTotal; however, it is detected as packed/encrypted by two of the vendors as Gen.Variant.MSILKrypt!IK. That by itself doesn't make this malware, but that packer has been used in other keyloggers and trojans, so I believe it is malicious.


http://www.virustotal.com/file-scan/report.html?id=ecb6e9b3a5c4aa9165a7725d6b28d22dae38c8a72fe10d25eec53de5189c54bf-1294338169

donald

206 Posts
ISC Handler
By no means is this a complete analysis...I am merely highlighting some initial findings from that CamPlug.exe.

* Check for Pixel Server remote admin...then download it if it doesn't exist:
0x0FAB0 NOPixelServer01TrueDisabledNonecd..'vikiscape.no-ip.biz

*** vikiscape.no-ip.biz is flagged by my corporate Proxy as infected by Malware.

* Appears to enable Remote Admin:
0x10798 [Software\Microsoft\Windows\CurrentVersion\RunEnabledAppDataadministrationeRemoteadministrationbroughttoyoubyPixelFrag

* ZOMG A TUTORIAL:
0x11288 ZOMG-A-TUTORIAL

That is all for now....
HackDefendr

65 Posts
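The offsets and strings listed in the post above are what you get by pulling UTF-16LE ("wide") strings out of the binary, which is why each character appeared separated by a null byte in the dump. The script below is an added example for this thread, not code from the post or from any ISC handler: it scans a byte blob for runs of printable ASCII encoded as UTF-16LE, reports each run with its file offset, and tags the two kinds of indicator the post called out, an autorun registry path and a host name. The SAMPLE bytes are constructed here; the embedded strings are the ones quoted in the post, but their positions and the filler around them are made up.

```python
"""Extract UTF-16LE (wide) strings from a binary and triage them.

Added example, not the post's own tooling. SAMPLE is constructed: the
strings inside it are quoted from the thread, the surrounding bytes and
offsets are invented.
"""
import re

MIN_CHARS = 6  # shortest run of wide characters worth reporting

# Constructed sample: filler bytes with three wide strings embedded.
SAMPLE = (
    b"\x00\x11\x22\x33" * 8                                      # 32 bytes of filler
    + "NOPixelServer01TrueDisabledNone".encode("utf-16-le")      # offset 0x20
    + b"\x00\x00"
    + "vikiscape.no-ip.biz".encode("utf-16-le")                  # offset 0x60
    + b"\xff\xfe\x90\x90"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")  # offset 0x8A
    + b"\x00\x00\x00\x00"
)


def find_wide_strings(data: bytes, min_chars: int = MIN_CHARS):
    """Return [(offset, text), ...] for each run of >= min_chars printable
    ASCII characters stored as UTF-16LE (byte followed by 0x00)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [(m.start(), m.group().decode("utf-16-le"))
            for m in pattern.finditer(data)]


# Indicators worth flagging on a first pass: a Run-key persistence path
# and anything shaped like a DNS host name (e.g. a dynamic-DNS C2 host).
RUN_KEY = r"software\microsoft\windows\currentversion\run"
HOSTNAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def triage(strings):
    """Tag each (offset, text) as 'autorun', 'hostname' or '' (no tag)."""
    tagged = []
    for off, text in strings:
        if RUN_KEY in text.lower():
            tag = "autorun"
        elif HOSTNAME.match(text):
            tag = "hostname"
        else:
            tag = ""
        tagged.append((off, text, tag))
    return tagged


if __name__ == "__main__":
    # Same layout as the dump in the post: hex offset, then the string.
    for off, text, tag in triage(find_wide_strings(SAMPLE)):
        print(f"0x{off:05X} {text}" + (f"  [{tag}]" if tag else ""))
```

To run it against the real file, replace SAMPLE with `open("CamPlug.exe", "rb").read()`; the regex works on any byte offset, so it does not matter whether the wide strings happen to be 2-byte aligned in the PE.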
I thought Java and JavaScript were unrelated. Am I missing something?
HackDefendr
5 Posts
