www.elitec0ders.Net up to no good? - Page 3

  1. #21
    Member
    Join Date
    Mar 2004
    Posts
    81
    Did you actually look at the code or are you just 'confident' that nothing has changed? With a site like yours, I would not be so sure that nobody has tried to break into it and mess with stuff.

    enjoy

    ~Halv

  2. #22
    Junior Member
    Join Date
    Apr 2005
    Posts
    11
    Yes, I looked into it, it seems OK, just have a look,

    http://www.virustotal.com/ says this

    AntiVir 6.30.0.7 04.18.2005 TR/PSW.Prostor.A
    AVG 718 04.19.2005 no virus found
    BitDefender 7.0 04.19.2005 Trojan.PWS.Prostor.A
    ClamAV devel-20050307 04.19.2005 no virus found
    DrWeb 4.32b 04.18.2005 Trojan.PWS.Prostor
    eTrust-Iris 7.1.194.0 04.19.2005 no virus found
    eTrust-Vet 11.7.0.0 04.18.2005 no virus found
    Fortinet 2.51 04.19.2005 W32/Prostor.A-tr
    F-Prot 3.16b 04.19.2005 security risk named W32/Prostor.A@pws
    Ikarus 2.32 04.19.2005 Trojan.PSW.Prostor.A
    Kaspersky 4.0.2.24 04.19.2005 Trojan-PSW.Win32.Prostor.a
    McAfee 4471 04.18.2005 BackDoor-CMZ
    NOD32v2 1.1069 04.19.2005 Win32/PSW.Prostor.A
    Norman 5.70.10 04.18.2005 no virus found
    Panda 8.02.00 04.19.2005 Trojan Horse
    Sybari 7.5.1314 04.19.2005 Trojan-PSW.Win32.Prostor.a
    Symantec 8.0 04.18.2005 PWSteal.Refest
    VBA32 3.10.3 04.18.2005 no virus found

    Troj/Prostor-A is a password-stealing Trojan.

    When run, Troj/Prostor-A attempts to steal passwords saved in Outlook Express, Internet Explorer and MSN Explorer.

    Stolen information is displayed onscreen or saved to a file on the local machine.


    http://www.sophos.com/virusinfo/anal...jprostora.html

    PSGUI.EXE - infected by Trojan-PSW.Win32.Prostor.a
    http://www.kaspersky.com/scanforvirus

    Only Symantec is saying bullshit lol, well, don't know, maybe the author of that backdoor is using my source?? Maybe ..

  3. #23
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Hmmm,

    Perhaps this is the answer:

    http://www3.ca.com/securityadvisor/p...x?id=453089162

    The two executables have exactly the same name in the prostor-a trojan. Given that the purpose is to display protected storage passwords, it would be reasonable to expect something like this in password stealing trojans?

    Looks like a bit of code theft to me

    Incidentally RAV detects both files as Trojan Spy:Win32/Small.AF

    A-squared only detects the 4Kb file, and thinks that it is Prostor-A

    I suspect it is a partial detection situation, a bit like droppers and packagers being recognised, even if the actual malware is not?

    The actual files do look too small for a fully blown password stealing trojan?


    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #24
    Junior Member
    Join Date
    Apr 2005
    Posts
    11
    >The actual files do look too small for a fully blown password stealing trojan?

    http://securityresponse.symantec.com...al.refest.html

    PWSteal.Refest is a Trojan Horse that installs itself as a BHO (Browser Helper Object) for Internet Explorer and steals online banking information when it is submitted in web forms.


    Type: Trojan Horse
    Infection Length: 81,920 (.exe), 45,056 (.dll)

    and ps.exe psgui.exe is just 4 kb 15kb something ...

  5. #25
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Yes, Symantec certainly seem to be giving a false positive there. What they are describing does not even work in the same way and is much larger.

    RAV are doing the same, their one (small.AF) is a java script downloader. It should be detected by Kaspersky, Antivir and BitDefender, and was not.

    I can understand the Prostor-A detection (which was the majority opinion) as it looks like this code has been used in it? Certainly the executables have the same names.

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?
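
Added example (not part of any post in this thread): a Python tally of the scan listing from post #22 that groups vendor labels by family name, to check the "majority opinion" reading in post #25. The GENERIC word list and the four-character cutoff are assumptions made for this example.

```python
import re
from collections import Counter

# Scan listing copied from post #22: engine, version, date, result.
REPORT = """\
AntiVir 6.30.0.7 04.18.2005 TR/PSW.Prostor.A
AVG 718 04.19.2005 no virus found
BitDefender 7.0 04.19.2005 Trojan.PWS.Prostor.A
ClamAV devel-20050307 04.19.2005 no virus found
DrWeb 4.32b 04.18.2005 Trojan.PWS.Prostor
eTrust-Iris 7.1.194.0 04.19.2005 no virus found
eTrust-Vet 11.7.0.0 04.18.2005 no virus found
Fortinet 2.51 04.19.2005 W32/Prostor.A-tr
F-Prot 3.16b 04.19.2005 security risk named W32/Prostor.A@pws
Ikarus 2.32 04.19.2005 Trojan.PSW.Prostor.A
Kaspersky 4.0.2.24 04.19.2005 Trojan-PSW.Win32.Prostor.a
McAfee 4471 04.18.2005 BackDoor-CMZ
NOD32v2 1.1069 04.19.2005 Win32/PSW.Prostor.A
Norman 5.70.10 04.18.2005 no virus found
Panda 8.02.00 04.19.2005 Trojan Horse
Sybari 7.5.1314 04.19.2005 Trojan-PSW.Win32.Prostor.a
Symantec 8.0 04.18.2005 PWSteal.Refest
VBA32 3.10.3 04.18.2005 no virus found
"""
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")
# Type/platform words, not family names (assumed list for this example).
GENERIC = {"trojan", "horse", "backdoor", "security", "risk", "named", "win32", "pwsteal"}

def family(label):
    # None if clean; else the first token that is neither a type word
    # nor a short tag (tr, psw, w32, variant letters, CMZ), or "generic".
    if label.lower() == "no virus found":
        return None
    tokens = re.split(r"[^a-z0-9]+", label.lower())
    names = [t for t in tokens if len(t) >= 4 and t not in GENERIC]
    return names[0] if names else "generic"

def tally(report):
    # Count engines per normalized family; clean verdicts go under "clean".
    counts = Counter()
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if m:
            counts[family(m.group(4)) or "clean"] += 1
    return counts

def consensus(report):
    det = Counter({k: v for k, v in tally(report).items() if k != "clean"})
    (name, hits), = det.most_common(1)
    return name, hits, sum(det.values())
```

`consensus(REPORT)` returns the leading family, the number of engines naming it, and the number of engines that flagged the file at all.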

  6. #26
    Senior Member
    Join Date
    Jan 2004
    Posts
    124
    br0nd:

    Did you try to contact AV companies that detect your program as a virus? Maybe they could fix their virus defs so your program is not falsely detected.
    Ikalo
    ------
    Make your knowledge your deadliest weapon.

  7. #27
    Junior Member
    Join Date
    Apr 2005
    Posts
    11
    lol no need, let them show anything, it is their problem, not mine hehe

  8. #28
    Member
    Join Date
    Mar 2004
    Posts
    81
    br0nd,

    Most people who use computers beyond email and the internet will be concerned about this if they wanted to use your software. There is an implicit 'trust' that must be built. By starting out with even a hint of malicious software then you lose that trust and it takes a LOT of time to regain that from communities such as these.

    This may not mean much to you now, but in the future it may.

    If nihil's research is correct then you should change the name of your .exe when it gets compiled and then see if it gets flagged as viri or not.

    By contacting the AV companies, you are taking a proactive step. They can post a note to their virus definitions part of their web site explaining that there is a chance of a false positive (as you are claiming with your software).


    ~Halv

  9. #29
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    So, let me get this straight..... You downloaded a file that.... well, basically it
    STEALS PASSWORDS. And now you're freaked out because Symantec thinks that this file
    STEALS PASSWORDS. Hmmmm.


    Seriously, think about it. Symantec will quarantine Foundstone tools and countless others (You've never seen this before?) because if you DON'T know what the program is doing on your machine, it's probably not good. If you downloaded it and you know that it's used to STEAL PASSWORDS, what the hell is the problem?


    PS. I ran them both, they did not attempt to add any registry keys.
    PPS. I also doubt it's based on the filename, but on the methods and behavior of the file. I think Symantec is correct in detecting this behavior as potentially malicious, because potentially IT IS.

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  10. #30
    Senior Member
    Join Date
    Mar 2005
    Posts
    400

    Downloaded the same file, same place as IronGeek.

    Panda Antivirus told me both Trojan and Virus were contained within the zip file (both .exe files), not disinfectable.

    That's all I need to know. Why mess with it?
    ZT3000
    Beta tester of "0"s and "1"s"
