1 Topic by kittyPL (edited by Oy 2015-11-07 16:39:38)

  • kittyPL
  • Member
  • Offline

Topic: WARNING - Your steam account is in danger!!!

Hello guys, I have some bad news.

So, I found a server called *snip*, at the address of *snip*. The server requires a password, and has some people playing. I visited their site,*snip*, just becouse I was curious. They say that they want you to download their client and provide a direct download link. After downloading and unpacking I was suprised by the presence of H-Client, that required admin rights. That was the moment, when I thought that something was wrong. Afaik, no client requires admin permissions, there is no need to. I decided to setup a virtualbox running windows 7. After running, small console program was run.

Currently, Im not sure what it does, but I'm pretty sure it's nothing good. First symptoms were:
- Disabled task manager
- Disabled system restore (recovery), removed all recovery points
- Hosts file edited (pointing steampowered to loopback address)

I also checked autostart programs, but nothing seemed changed there. I believe that some valuable information was sent to hackers, but I didn't run a wireshark to see what was sent and where.

Im not a proffesional, probably somebody with bigger experience should check this.
Please ban this ip from masterserver - it's probably just a fake server that doesn't even run teeworlds.

In the next post I'll show you how to remove the symptoms of this injector, not sure if thats all you need to do.

Task manager:
- Click Start and type "regedit"
- Navigate to following key in the left menu: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- Find DWORD value DisableTaskMgr on the right panel
- Double click on it, change to 0

Disabled system restore
- Go to the control panel -> System -> System Protection
- Choose your system disk, click configure
- Click on the first radio button and adjust the slider to few gigabytes
- Ignore the error (I'm not sure if it does anything)

Hosts file edited
- Click start, type in "notepad"
- Right click on the notepad, choose run as administrator
- Click open, in the upper bar copy-paste "%systemroot%\system32\drivers\etc\"
- In the file name bar type "hosts" and press enter.
- You will see a list of domains with 127.0.0.1 address next to them
- Erase the contents of this file
- Save the file

// removed links, no need to advertise that - Oy

C++/Java my life ^^
If you like dislike button click it NOW!

2 Reply by heinrich5991

  • heinrich5991
  • heinrich5991
  • Moderator / Donor
  • Offline

Re: WARNING - Your steam account is in danger!!!

Thanks for the report. The server doesn't seem to be on the master server list right now, but it's still online. The players look faked I suppose.

3 Reply by kittyPL

  • kittyPL
  • Member
  • Offline

Re: WARNING - Your steam account is in danger!!!

They are fake. I checked them after few hours - still same people. Possible, but not probable.

C++/Java my life ^^
If you like dislike button click it NOW!

4 Reply by heinrich5991

  • heinrich5991
  • heinrich5991
  • Moderator / Donor
  • Offline

Re: WARNING - Your steam account is in danger!!!

kittyPL wrote:

They are fake. I checked them after few hours - still same people. Possible, but not probable.

Do they still show up for you in the server browser?

5 Reply by m!nus

  • m!nus
  • m!nus
  • Administrator
  • Offline

Re: WARNING - Your steam account is in danger!!!

*whistles innocently*

6 Reply by Oy

  • Oy
  • Developer
  • Offline

Re: WARNING - Your steam account is in danger!!!

Probably heard that before, but don't download random binaries from the net roll

Remember the 80s - good times smile

7 Reply by kittyPL (edited by kittyPL 2015-11-07 20:32:04)

  • kittyPL
  • Member
  • Offline

Re: WARNING - Your steam account is in danger!!!

I know it was a trap - I've used virtualBox to check if the threat was real. Posting here to warn others and probably remove this server from master smile

By the way - I posted the address to allow more research for developers and people interested. Im pretty sure that noone would click on the link unless he knows what he is doing. Deafinitely not in thread that warns you about contents.

C++/Java my life ^^
If you like dislike button click it NOW!

8 Reply by Oy

  • Oy
  • Developer
  • Offline

Re: WARNING - Your steam account is in danger!!!

kittyPL wrote:

Im pretty sure that noone would click on the link unless he knows what he is doing. Deafinitely not in thread that warns you about contents.

Well, like that one fella said: two things are infinite, the universe and human stupidity...

Remember the 80s - good times smile

9 Reply by kittyPL

  • kittyPL
  • Member
  • Offline

Re: WARNING - Your steam account is in danger!!!

Well, if you are studpid enough to fall for it from this thread, then you probably deserve a trojan smile

Anyway, after the server is taken down from master - I think it would be good idea to close the discussion.

C++/Java my life ^^
If you like dislike button click it NOW!

10 Reply by heinrich5991

  • heinrich5991
  • heinrich5991
  • Moderator / Donor
  • Offline

Re: WARNING - Your steam account is in danger!!!

Closed on request // heinrich5991.