Huge amount of trojans/spyware/virus's?

Postby Mr Edd » Sun Nov 09, 2008 6:16 am

Is it just me, or have the binary newsgroups been flooded with malware recently? It's getting so it's hard to find a genuine file these days; I have to wade through floods of trojans, etc. Usually they're not that hard to detect: they're usually only kBs in size, and have multiple files with different names but with exactly the same file length, sometimes dozens of them. If I roughly know what the file size ought to be I can set it to filter by size, but even so it's getting really annoying. It's getting to be as bad as Kazaa used to be. Newsgroups used to be free from such crap. It's almost enough to force me back to BitTorrent!

Re: Huge amount of trojans/spyware/virus's?

Postby chainmail » Sun Nov 09, 2008 9:00 am

Many groups such as a.b.warez have become buried under such a huge flood of trojans that it's become hard to find any real files anymore. This is not "classic" spam, but nasty malware like keyloggers and backdoor trojans that are being posted under many different names to the binary newsgroups in massive numbers. When using a binary usenet search engine, you are likely to get hit with a flood of trojans no matter what your search terms might be. It's only been in the last year or two that this has developed, and the amount of trojans spammed on usenet seems to double about every month or two.

This is one spammer's flood of trojans, from someone named "jenny@yahoo.de (Jenny)".

Here's header ID details from one of these spammed trojan files

From: jenny@yahoo.de (Jenny)
Sender: jenny@yahoo.de
Newsgroups: alt.binaries.comp,alt.binaries.mom,alt.binaries.warez,alt.binaries.warez.quebec-hackers
Subject: Premiere_NDS_Crack.exe (1/9)
X-Newsposter: YENC-POWER-POST-A&A-v11b (Modified POWER-POST www.We don't like spam here either.com)
Message-ID: <part1of9.9KF6SAIoPwh1q3WfFL9W@powerpost2000AA.local>
Lines: 3008
X-Complaints-To: abuse@firstload.de
NNTP-Posting-Date: Sun, 09 Nov 2008 08:18:27 UTC
Organization: Firstload
Date: Sun, 09 Nov 2008 08:18:27 GMT
Xref: Hurricane-Charley alt.binaries.comp:44517652 alt.binaries.mom:271048591 alt.binaries.warez:37707883 alt.binaries.warez.quebec-hackers:100435119
X-Received-Date: Sun, 09 Nov 2008 08:18:58 UTC (s02-b31)


This particular file is 3.08MB (although the size varies among the hundreds spammed) and is identified by several AVs as "Zlob Trojan Downloader" (which is a backdoor trojan) but most AVs on Virustotal.com do not even recognize it as any kind of virus. This may be because the file hash/signature changes so frequently.

Trying to filter out this spammed malware is going to be a continuous challenge, since everything about them - the filenames, file sizes, poster's name, file extensions, etc - can vary to a great degree, and the spammers will of course evolve alongside anti-spam filters.

The only way these virus distributors are going to be stopped is if people start reporting them to the spammer's newsgroup providers where the stuff was originally posted. Sadly, many of the popular binary grabbers and NZB downloaders - unlike traditional newsreaders - are apparently not able to extract the message ID info, which is needed to report usenet abuse to the originating NSP. Maybe this is why these trojan spammers seem to rarely get reported, compared to spammers in text newsgroups, and the same perpetrators continue plying their trade day after day.
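Added example, not code from the thread or from any poster: a Python triage script over constructed sample headers in the shape of the one quoted above. It applies the same-length/different-name heuristic from the opening post across a batch of articles, and for each flagged group collects the Message-ID and X-Complaints-To fields that chainmail says an abuse report to the originating provider needs. All addresses, IDs and filenames in it are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample headers (not real posts), one block per article, in the
# shape of the header quoted in the thread: three differently named "files"
# of identical length from one poster, plus one unrelated article.
SAMPLE_HEADERS = """\
From: jenny@example.invalid (Jenny)
Subject: Premiere_NDS_Crack.exe (1/9)
Message-ID: <part1of9.aaaa@example.invalid>
Lines: 3008
X-Complaints-To: abuse@example.invalid

From: jenny@example.invalid (Jenny)
Subject: Photoshop_Keygen.exe (1/9)
Message-ID: <part1of9.bbbb@example.invalid>
Lines: 3008
X-Complaints-To: abuse@example.invalid

From: jenny@example.invalid (Jenny)
Subject: Nero_Patch.exe (1/9)
Message-ID: <part1of9.cccc@example.invalid>
Lines: 3008
X-Complaints-To: abuse@example.invalid

From: bob@example.invalid (Bob)
Subject: holiday_video.avi (1/50)
Message-ID: <part1of50.dddd@example.invalid>
Lines: 5200
X-Complaints-To: abuse@example.invalid
"""

def parse_headers(blob):
    """Split blank-line-separated header blocks into one dict per article."""
    articles = []
    for block in re.split(r"\n\s*\n", blob.strip()):
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        articles.append({k.strip(): v.strip() for k, v in pairs})
    return articles

def find_size_floods(articles, min_names=3):
    """Group articles by (poster, Lines) and flag groups that carry at least
    min_names distinct filenames; for each, collect what an abuse report needs."""
    groups = defaultdict(lambda: {"filenames": set(), "message_ids": [], "report_to": None})
    for a in articles:
        g = groups[(a.get("From", ""), a.get("Lines", ""))]
        g["filenames"].add(re.sub(r"\s*\(\d+/\d+\)\s*$", "", a.get("Subject", "")))  # drop (n/m)
        g["message_ids"].append(a.get("Message-ID"))
        g["report_to"] = a.get("X-Complaints-To")
    return {k: g for k, g in groups.items() if len(g["filenames"]) >= min_names}
```

Real-world use would feed it the headers a newsreader can dump for a group, and the "Lines" key can be swapped for a "Bytes" overview field where the client exposes one.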

Re: Huge amount of trojans/spyware/virus's?

Postby paolari » Fri Jun 05, 2009 12:50 am

How can I clean/delete a trojan from an infected program without hurting the program?

Re: Huge amount of trojans/spyware/virus's?

Postby ejonesss » Fri Jun 05, 2009 2:10 am

chainmail wrote: most AVs on Virustotal.com do not even recognize it as any kind of virus. This may be because the file hash/signature changes so frequently.


Instead of just the hash, couldn't the way the program acts be scanned for?

For example, if you want to scan for a keylogger, scan every program looking for code that is designed to intercept keys and store them, and either quarantine or delete that program.

Unfortunately it probably will flag legit programs like the system clipboard, or macro programs like QuicKeys, because they record the keyboard when you want to make it retype something; email, word programs and such.

But that may be the only way to ensure it catches the bad stuff.

Re: Huge amount of trojans/spyware/virus's?

Postby HouseCrowd » Fri Jun 05, 2009 6:52 am

paolari wrote: How can I clean/delete a trojan from an infected program without hurting the program?


Most decent anti-virus software will attempt to repair infected files rather than delete them (where possible). Just update your AV software and scan the file.


© 2001-2008 Slyck.com