www.elitec0ders.Net up to no good?

Does anyone know the skinny on www.elitec0ders.Net ? I know they seem more geared towards black hats (I’m a plaid had myself) and have very bad English skills, but am now thinking they are up to more than just providing tools. I was looking for a good protected storage viewer that might be able to look at more then just the on current logged user (pspv can’t) so I downloaded their PS Explorer program. Symantec reported it as PWSteal.Refest:

http://securityresponse.symantec.com...al.refest.html

Which from their description does a lot more than advertised. Anyone know anything about them?

They seem to be up to no good. They have keyloggers and Trojans, for God's sake. Yeah, they don't seem to be the "White" hat kind of guys. I'll post over at hackthissite.org and see if anyone knows their deal.

Bleh...

Seen our good ol' downloads archive? Remember some of the people that'd stop by to say hello on AO-IRC? No? Well... **** you then.

Quote:

---

Anyone know anythink about them?

---

Quote:

---

They seem to be up to no good. They have keyloggers and Trojans, for God's sake. Yeah, they don't seem to be the "White" hat kind of guys. I'll post over at hackthissite.org and see if anyone knows their deal.

---

Holy ****in' ****! Call the cops or someone, this site is mean! Boo hoo... boo hoo... boo hoo... and **** you too. :rolleyes:

Seriously, a site has trojans and keyloggers, AAO had worse than that. No biggie IMO.

lol good job TheSpecialist...I might have been offended if I got offended by brutish jackasses. Nah, how about YOU go **** YOURself? I think I might enjoy that a little more.

But, seriously, I understand why it isn't a big deal, but I just want to know who these guys are.

Yes i negged him, not because he's a newbie and said F you to a senior, hey i'd say F you to the specialist too, but the Spec was kind to hide the post, the newbie didn't.

Irongeek, look :P
http://www.elitehackers.com/ubb/ulti...c;f=1;t=005684
You're famous ;)

I’m not complaining about Trojans, I’m complaining about false advertising (which yes, I know is the point of a Trojan in the first place). If folks want to post malware on a site that’s fine with me but it should be labeled as such or others should point it out (which is what I did), I just though it was interesting and that folks might want to know that a useful tool to a pen-tester like this Protected Storage viewer was also doing something else.

Hi Irongeek

I realise that our friend THeSpecialist uses a somewhat unique "post encryption algorithm" :p

However, I do believe that I can see his point, which I take to be that there are lots of sites out there with this type of material on them. So what does one more or less matter?

As for the spyware/trojan..............that is typical of these sites is it not?............maybe they do that sort of thing to take out skiddies that must visit them often?

In answer to your question, the site seems to lack the "mission statement" , bullsh1t, hype that a lot of them do.

I would guess that they are genuine people interested in the coding and functionality of such software?.............I could not see any malicious intent or incitement..............but there are probably "traps" for those so inclined :D

It is probably an FBI/Secret Service honeypot.................they are now watching you.............I wish them luck with the Hanoi proxy that I used ::hide-beh

well i am the admin of elitec0ders.net, and i didnt understand wat the ***** Irongeek is takign about
Symantec is a gay like u that is why it detected PS explorer as PWSteal.Refest , funny
the programs in that site didnt contans any unknown or hidden backdoors, u can check by running ethereal and check the trafic ,what the need for a simple gussing ??
u belive in symantec more than ur eye ,heheh funny , u know what is that means ?
that means ur just a script kid ,i understand ur a pen tester white hat ,
now a days all pen tester white hats r like u ,so no wondering ..

well i am not a gay hat ,or white hat, what is ther in a ****ign hat?

>I'll post over at hackthissite.org and see if anyone knows their deal.
heheh what is the deal ??

> I’m complaining about false advertising (which yes, I know is the point of a Trojan in the first >place).

hehe man dont be a gay ,u can run ethereal , and check is that program contains any hidden think or not , what u mean by false advertising ?,it just displayes the PS ,that is all wont do any other thinks ,

Interesting ....

When downloading this file Trend detects Troj_Prostor.A

When searching Trend's site for that ( or variations thereof ) I got NO hits.

But the link that the AV discloses ( TROJ_PROSTOR.A ) says

Quote:

---

TROJ_PROSTOR.A is a Trojan horse program, a malware that has no capability to spread into other systems. Trojans are usually downloaded from the Internet and installed by unsuspecting users.

---

It might just use similar ( or stolen ) code? I think more in-depth research would be needed to determine whether it is malicious or not, which I do not have time to do ( and probably don't have the ability either :confused: ).

As far as br0nd goes .... Yes, I negged him!

br0nd, You may ( or may not ) be the admin of that site, and when you are there you can do as you or the admin wishes, but when you are here keep your skiddie language and attitude to yourself!

My thoughts exactly IKnowNot. Here is what Symantec had to say about what it detected:

Quote:

---

PWSteal.Refest does the following when it is executed:

1. Creates a dll file in the %System% directory. This file has a random name with up to 8 lower-case characters, e.g., "abcde.dll" or "qrstuvwx.dll". The file is 45056 bytes in length.

Note: %System% is a variable. The Trojan locates the System folder and creates a dll in that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Installs the dll as a Browser Helper Object, so that it is loaded every time Internet Explorer starts. To do this, it creates the following registry keys:

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{<random clsid>}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{<random clsid>}

and sets the value

(Default) = %System%\<random name>.dll

in the registry key

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{<random clsid>}\InProcServer32.

The {<random clsid>} is a random value of the form, {########-####-####-####-############}, for example, {380b99b4-5f7d-7791-b8ef-499d848499e6}.

3. The dll monitors outgoing https connections to the following websites:
o .anz.com
o .bendigobank.com.au
o .citibank.com
o .citibank.de
o .commbank.com.au
o .dab-bank.com
o .deutsche-bank.de
o .e-gold.com
o .hsbc.com.au
o .hsbc.com.hk
o .online-banking.standardchartered.com.hk
o .sparkasse-banking.de
o .stgeorge.com.au
o banking.lbbw.de
o banking.mashreqbank.com
o banknetpower.net
o barclays.co.uk
o cd.citibank.co.ae
o cibconline.cibc.com
o citibank.com.au
o dit-online.de
o easyweb.tdcanadatrust.com
o ebank.uae.hsbc.com
o ekocbank.kocbank.com.tr
o hercules.pamukbank.com.tr
o internetsube.akbank.com.tr
o lloydstsb.co.uk
o national.com.au
o nbd.ae
o online-banking.standardchartered.ae
o online.nbad.com
o pbg1.edc.citiaccess.com
o standardchartered.com
o suncorpmetway.com.au
o westpac.com.au
o www.alahlionline.com
o www.almubasher.com.sa
o www.arabi-online.com
o www.cbdonline.ae
o www.citibank.com.hk
o www.dahsing.com
o www.ebank.iba.com.hk
o www.privatebank.citibank.com.sg
o www.sabbnet.com
o www.samba.com
o www.scotiaonline.scotiabank.com
o www.unb.com
o www1.bmo.com
o www1.royalbank.com

4. When Internet Explorer makes an HTTP POST request to one of these domains (for example, when the user submits a web form at a bank site), the Trojan also sends the information to a cgi script at www.refestltd.com.

---

If I can get time and a test box together I can test it with a sniffer, but in the mean time I think I'll take Semantec's word over a l33t 5p3@king sci99tk177y.

ok sorry for my bad language, well i can say only this ,the PS explorer u downloded from that site didnt contans any malware ,it wont drop any thinks
also the source of that program is avilable on my articile at codeproject
http://www.thecodeproject.com/tools/HirPStorage.asp
compile it and symantec will say the same i hope
heheh ,so now what u guys think ??

The code looks legit, but I don’t have VC6 on a box yet so I have not compiled it. For those that do not wish to register with thecodeproject.com I’ve attached the source to this post.

Guys, when you build it make sure you set the active configuration to Release so you don’t get the error about __imp__InitCommonControls@0

The binary I compiled does not set off Symantec and it works fine. I’ll attach it to this post.

However, the two exes in http://www.elitec0ders.net/ps1.0.zip both report as trojans:

Ps.exe reports as: PWSteal.Tarno
Psgui.exe reports as: PWSteal.Refest

So something seems to be up with that.

compiled code detected as trojan
[Click for User Profile] antifumo 2:35 2 Dec '04

Nice... McAfee VirusScan 7 detects the compiled software as a virus! (but only if compiled in release mode)

http://www.thecodeproject.com/tools/...672#xx985672xx

well i dont know what happened to semantec now ,but just understand this , AV detcting the trojans ,backdoors by looking ther signatures , i mean the strings in the exe or some part of code, well i didnt think ther is point for arguing on this issue , the exe u downloaded is in ur hand , and u just need to run one sniffer , and check ,it wont take much time ,just 5 min ,
or u can use filemon , and see if it is droping any file on pc,
5 min testing is more valuable than arguing and blaming others like this ,
so,take out the network plug ,and just test . and if u see anything happening on sniffer , then blame me , i will accept , what u r saying

Well, clearly the source you linked to is not the same as the binaries on your site. If I get the time to set up at test system I may find out more, but I’m not running those binaries on any off my current systems. The version I compiled works fine, thanks for the source. By the way, what is your native language?

br0nd, have you checked your code to see if someone has not tampered with it ?

yes source is same ,and nobody changed it , the think is the source at codeproject contains icon ,and the exe downloaded from elitecoders is compiled without icon (i deleted icon for making exe small),
just adding one icon is enough for making one exe undetactable from AV hehe
try compiling in relese mode deleting the icon ,may be the AV will detect ,
english is not my native language ,hehe ,my english sucks

Did you actually look at the code or are you just 'confident' that nothing has changed ? With a site like yours, I would not be so sure that nobody has tried to break into it and mess with stuff.

enjoy

~Halv

yes i looked in to it , it seems oke , just have a look ,

http://www.virustotal.com/ says this

AntiVir 6.30.0.7 04.18.2005 TR/PSW.Prostor.A
AVG 718 04.19.2005 no virus found
BitDefender 7.0 04.19.2005 Trojan.PWS.Prostor.A
ClamAV devel-20050307 04.19.2005 no virus found
DrWeb 4.32b 04.18.2005 Trojan.PWS.Prostor
eTrust-Iris 7.1.194.0 04.19.2005 no virus found
eTrust-Vet 11.7.0.0 04.18.2005 no virus found
Fortinet 2.51 04.19.2005 W32/Prostor.A-tr
F-Prot 3.16b 04.19.2005 security risk named W32/Prostor.A@pws
Ikarus 2.32 04.19.2005 Trojan.PSW.Prostor.A
Kaspersky 4.0.2.24 04.19.2005 Trojan-PSW.Win32.Prostor.a
McAfee 4471 04.18.2005 BackDoor-CMZ
NOD32v2 1.1069 04.19.2005 Win32/PSW.Prostor.A
Norman 5.70.10 04.18.2005 no virus found
Panda 8.02.00 04.19.2005 Trojan Horse
Sybari 7.5.1314 04.19.2005 Trojan-PSW.Win32.Prostor.a
Symantec 8.0 04.18.2005 PWSteal.Refest
VBA32 3.10.3 04.18.2005 no virus found

Troj/Prostor-A is a password-stealing Trojan.

When run, Troj/Prostor-A attempts to steal passwords saved in Outlook Express, Internet Explorer and MSN Explorer.

Stolen information is displayed onscreen or saved to a file on the local machine.


http://www.sophos.com/virusinfo/anal...jprostora.html

PSGUI.EXE - infected by Trojan-PSW.Win32.Prostor.a
http://www.kaspersky.com/scanforvirus

only symantic saying bullshit lol , well dont know ,may be the author of that backdoor using my source?? may be ..

Hmmm,

Perhaps this is the answer:

http://www3.ca.com/securityadvisor/p...x?id=453089162

The two executables have exactly the same name in the prostor-a trojan. Given that the purpose is to display protected storage passwords, it would be reasonable to expect something like this in password stealing trojans?

Looks like a bit of code theft to me :)

Incidentally RAV detects both files as Trojan Spy:Win32/Small.AF

A-squared only detects the 4Kb file, and thinks that it is Prostor-A

I suspect it is a partial detection situation, a bit like droppers and packagers being recognised, even if the actual malware is not?

The actual files do look too small for a fully blown password stealing trojan?


Cheers

>The actual files do look too small for a fully blown password stealing trojan?

http://securityresponse.symantec.com...al.refest.html

PWSteal.Refest is a Trojan Horse that installs itself as a BHO (Browser Helper Object) for Internet Explorer and steals online banking information when it is submitted in web forms.


Type: Trojan Horse
Infection Length: 81,920 (.exe), 45,056 (.dll)

and ps.exe psgui.exe is just 4 kb 15kb somthing ...

Yes, Symantec certainly seem to be giving a false positive there. What they are describing does not even work in the same way and is much larger.

RAV are doing the same, their one (small.AF) is a java script downloader. It should be detected by Kaspersky, Antivir and BitDefender, and was not.

I can understand the Prostor-A detection (which was the majority opinion) as it looks like this code has been used in it? certainly the executables have the same names.

:)

br0nd:

did you try to contact AV companies that detect your program as virus? Maybie they could fix their virus defs so your program is not false detected.

lol no need, let them show anything , it is ther problam , not my hehe

br0nd,

most people who use computers beyond email and the internet will be concerned about this if they wanted to use your software. There is an implicit 'trust' that must be built. By starting out with even a hint of malicious software then you lose that trust and it takes a LOT of time to regain that from communities such as these.

This may not mean much to you now, but in the future it may.

If nihil's research is correct then you should change the name of your .exe when it get compiled and then see if it gets flagged as viri or not.

By contacting the AV companies, you are taking a proactive step. They can post a note to their virus definitions part of their web site explaining that there is a chance of a false positive (as your are claiming with your software).


~Halv

So, let me get this straight..... You downloaded a file that.... well, basically it
STEALS PASSWORDS. And now you're freaked out because Symantec thinks that this file
STEALS PASSWORDS. Hmmmm.


Seriously, think about it. Symantec will quarantine Foundstone tools and countless others (You've never seen this before?) because if you DONT know what the program is doing on your machine, its probably not good. If you downloaded it and you know that its used to STEAL PASSWORDS, what the hell is the problem?


PS. I ran them both, they did not attempt to add any registry keys.
PPS. I also doubt its based on the filename, but on the methods and behavior of the file. I think Symantec is correct in detecting this behavior as potentially malicious, because potentially IT IS.

-Maestr0

Downloaded the same file, same place as IronGeek.

Panda Antivirus told me, both Trojan and Virus was contained within the zip file (both .exe files), not disinfectable.

That's all I need to know. Why mess with it?

Maestr0 is right...

AV programs are doing their job, and are picking up potentially dangerous files. and writing to them will do no good, becasue they dont care. Unless you are a BIG company that holds some weight behind your words and could effect their bottom line they will not chage their product to work with yours. Especially since the vast majority of users will NEVER use this product...ever.

Quote:

---

Originally posted here by Maestr0
So, let me get this straight..... You downloaded a file that.... well, basically it
STEALS PASSWORDS. And now you're freaked out because Symantec thinks that this file
STEALS PASSWORDS. Hmmmm.


Seriously, think about it. Symantec will quarantine Foundstone tools and countless others (You've never seen this before?) because if you DONT know what the program is doing on your machine, its probably not good. If you downloaded it and you know that its used to STEAL PASSWORDS, what the hell is the problem?


PS. I ran them both, they did not attempt to add any registry keys.
PPS. I also doubt its based on the filename, but on the methods and behavior of the file. I think Symantec is correct in detecting this behavior as potentially malicious, because potentially IT IS.

-Maestr0

---

Read the description that Symantec gave for what the Trojan is suppose to do, it’s way beyond the stated goal of the app. I’m willing to believe it’s a false positive, but since I have the source code and compiled a version that works why bother with it? Also, the source code makes one binary, why does the zip contain two?

zip contains one with GUI and one with command line , command line exe have small size , just for
hacking purpose , that is all , didnt u read the readm e ?

Didn't matter, the source you gave me could only be to one of them (the gui one).

well i think this topic need to be closed , bc now all know sematec gives false alert and the files downloaded from my site are clean ,wont do any harm ,just display ps
so this topic must close , why arguing agian ??