Page 2 of 4 FirstFirst 1234 LastLast
Results 11 to 20 of 35

Thread: www.elitec0ders.Net up to no good?

  1. #11
    Junior Member
    Join Date
    Apr 2005
    Posts
    11
    > I’m complaining about false advertising (which yes, I know is the point of a Trojan in the first >place).

    hehe man dont be a gay ,u can run ethereal , and check is that program contains any hidden think or not , what u mean by false advertising ?,it just displayes the PS ,that is all wont do any other thinks ,

  2. #12
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    Interesting ....

    When downloading this file Trend detects Troj_Prostor.A

    When searching Trend's site for that ( or variations thereof ) I got NO hits.

    But the link that the AV discloses ( TROJ_PROSTOR.A ) says
    TROJ_PROSTOR.A is a Trojan horse program, a malware that has no capability to spread into other systems. Trojans are usually downloaded from the Internet and installed by unsuspecting users.
    It might just use similar ( or stolen ) code? I think more in-depth research would be needed to determine whether it is malicious or not, which I do not have time to do ( and probably don't have the ability either ).

    As far as br0nd goes .... Yes, I negged him!

    br0nd, You may ( or may not ) be the admin of that site, and when you are there you can do as you or the admin wishes, but when you are here keep your skiddie language and attitude to yourself!
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  3. #13
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    My thoughts exactly IKnowNot. Here is what Symantec had to say about what it detected:

    PWSteal.Refest does the following when it is executed:

    1. Creates a dll file in the %System% directory. This file has a random name with up to 8 lower-case characters, e.g., "abcde.dll" or "qrstuvwx.dll". The file is 45056 bytes in length.

    Note: %System% is a variable. The Trojan locates the System folder and creates a dll in that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    2. Installs the dll as a Browser Helper Object, so that it is loaded every time Internet Explorer starts. To do this, it creates the following registry keys:

    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{<random clsid>}
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{<random clsid>}

    and sets the value

    (Default) = %System%\<random name>.dll

    in the registry key

    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{<random clsid>}\InProcServer32.

    The {<random clsid>} is a random value of the form, {########-####-####-####-############}, for example, {380b99b4-5f7d-7791-b8ef-499d848499e6}.

    3. The dll monitors outgoing https connections to the following websites:
    o .anz.com
    o .bendigobank.com.au
    o .citibank.com
    o .citibank.de
    o .commbank.com.au
    o .dab-bank.com
    o .deutsche-bank.de
    o .e-gold.com
    o .hsbc.com.au
    o .hsbc.com.hk
    o .online-banking.standardchartered.com.hk
    o .sparkasse-banking.de
    o .stgeorge.com.au
    o banking.lbbw.de
    o banking.mashreqbank.com
    o banknetpower.net
    o barclays.co.uk
    o cd.citibank.co.ae
    o cibconline.cibc.com
    o citibank.com.au
    o dit-online.de
    o easyweb.tdcanadatrust.com
    o ebank.uae.hsbc.com
    o ekocbank.kocbank.com.tr
    o hercules.pamukbank.com.tr
    o internetsube.akbank.com.tr
    o lloydstsb.co.uk
    o national.com.au
    o nbd.ae
    o online-banking.standardchartered.ae
    o online.nbad.com
    o pbg1.edc.citiaccess.com
    o standardchartered.com
    o suncorpmetway.com.au
    o westpac.com.au
    o www.alahlionline.com
    o www.almubasher.com.sa
    o www.arabi-online.com
    o www.cbdonline.ae
    o www.citibank.com.hk
    o www.dahsing.com
    o www.ebank.iba.com.hk
    o www.privatebank.citibank.com.sg
    o www.sabbnet.com
    o www.samba.com
    o www.scotiaonline.scotiabank.com
    o www.unb.com
    o www1.bmo.com
    o www1.royalbank.com

    4. When Internet Explorer makes an HTTP POST request to one of these domains (for example, when the user submits a web form at a bank site), the Trojan also sends the information to a cgi script at www.refestltd.com.
    If I can get time and a test box together I can test it with a sniffer, but in the mean time I think I'll take Semantec's word over a l33t 5p3@king sci99tk177y.

  4. #14
    Junior Member
    Join Date
    Apr 2005
    Posts
    11
    ok sorry for my bad language, well i can say only this ,the PS explorer u downloded from that site didnt contans any malware ,it wont drop any thinks
    also the source of that program is avilable on my articile at codeproject
    http://www.thecodeproject.com/tools/HirPStorage.asp
    compile it and symantec will say the same i hope
    heheh ,so now what u guys think ??

  5. #15
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    The code looks legit, but I don’t have VC6 on a box yet so I have not compiled it. For those that do not wish to register with thecodeproject.com I’ve attached the source to this post.

  6. #16
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Guys, when you build it make sure you set the active configuration to Release so you don’t get the error about __imp__InitCommonControls@0

    The binary I compiled does not set off Symantec and it works fine. I’ll attach it to this post.

    However, the two exes in http://www.elitec0ders.net/ps1.0.zip both report as trojans:

    Ps.exe reports as: PWSteal.Tarno
    Psgui.exe reports as: PWSteal.Refest

    So something seems to be up with that.

  7. #17
    Junior Member
    Join Date
    Apr 2005
    Posts
    11
    compiled code detected as trojan
    [Click for User Profile] antifumo 2:35 2 Dec '04

    Nice... McAfee VirusScan 7 detects the compiled software as a virus! (but only if compiled in release mode)

    http://www.thecodeproject.com/tools/...672#xx985672xx

    well i dont know what happened to semantec now ,but just understand this , AV detcting the trojans ,backdoors by looking ther signatures , i mean the strings in the exe or some part of code, well i didnt think ther is point for arguing on this issue , the exe u downloaded is in ur hand , and u just need to run one sniffer , and check ,it wont take much time ,just 5 min ,
    or u can use filemon , and see if it is droping any file on pc,
    5 min testing is more valuable than arguing and blaming others like this ,
    so,take out the network plug ,and just test . and if u see anything happening on sniffer , then blame me , i will accept , what u r saying

  8. #18
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Well, clearly the source you linked to is not the same as the binaries on your site. If I get the time to set up at test system I may find out more, but I’m not running those binaries on any off my current systems. The version I compiled works fine, thanks for the source. By the way, what is your native language?

  9. #19
    br0nd, have you checked your code to see if someone has not tampered with it ?

  10. #20
    Junior Member
    Join Date
    Apr 2005
    Posts
    11
    yes source is same ,and nobody changed it , the think is the source at codeproject contains icon ,and the exe downloaded from elitecoders is compiled without icon (i deleted icon for making exe small),
    just adding one icon is enough for making one exe undetactable from AV hehe
    try compiling in relese mode deleting the icon ,may be the AV will detect ,
    english is not my native language ,hehe ,my english sucks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •