
[PSA] Steam Hijacks


Recommended Posts

Lately, in the offsite clan I'm in, a few people have gotten a backdoor Trojan installed on their computer. The guy that backdoored my computer, though, wasn't exactly the brightest bulb in the litterbin. I'm not going to go into that much, however.

MODUS OPERANDI

This is a direct quote from me to someone else over Steam that my chat logger caught. The someone else was added while I did not have control over my computer.

 

[2014-03-16 15:21:27] [76561198043243931] GOT HACKED READ PROFILE: Well, whomever does it backdoors into someone's account and uses webchat. Still working on how on that note.

They link a few people on the compromised computer's Steam friendlist to a Dropbox file named screenshots.rar and ask them to explain the images.

The victim downloads the .RAR file and opens it unsuspectingly, trying to open the two .SCR files within. Upon opening, one or both dumps a registry key to the system telling it to create a folder in %APPDATA% with a random name with the backdoor Trojan inside on next boot.

After the user's computer restarts, the backdoor hacker uses the Trojan to connect to the victim's computer through a TeamViewer-based connection. From there they attempt to make purchases on the victim's PayPal account, spread the backdoor even further, and in my case check their eBay.

[2014-03-16 15:21:40] [76561198043243931] GOT HACKED READ PROFILE: From there, it more or less goes full circle.

TIMELINE OF TAKEOVER

All timestamps are UTC -0500 (US-Central Daylight-Savings Time)

2014-03-15 18:16:26 - TeamViewer logs that my monitors have switched on.

2014/03/15 18:16:26.079 2928 496 G1 CBuddyWindow::ChangeOnlineStateInternal: Setting online state to status:"ST_BL_ONLINE" aos:"AOS_Online"
2014-03-15 18:20:03 - TeamViewer logs that a session is started from ID 767-101-537.

2014/03/15 18:20:03.698 3396 1876 S0 CT41 CT.Receive.CMD_SESSIONMODE From=767101537 To=810088376 L=28
2014-03-15 18:20:09 - TeamViewer logs that the session is connected.

2014/03/15 18:20:09.455 3396 6396 S0 CT43 GWT.CmdUDPPing.PunchReceived, a=91.187.174.140, p=50502
2014-03-15 unknown - The backdoor script kiddie sends everyone a link to the Dropbox file mentioned above, checks eBay, etc. His eBay login is stored on my computer due to a browser extension I have installed. His email address is of domain auto.lt

2014-03-15 18:59:56 - A user who was added without me being at the keyboard contacts the account asking to buy a TF2 item via PayPal.

[2014-03-15 18:59:56] [76561198044742121] jkskiier: hey
[2014-03-15 18:59:57] [76561198043243931] EvilJackCarver - WORK: ♫ Answering Machine: [02:35:00] Reason: [(╯°□°)╯︵ ʞɹoʍ]
[2014-03-15 19:00:10] [76561198043243931] EvilJackCarver - WORK: hello
[2014-03-15 19:00:40] [76561198044742121] jkskiier: hey, you added me and left a comment to another profile
[2014-03-15 19:00:44] [76561198043243931] EvilJackCarver - WORK: oh
[2014-03-15 19:00:45] [76561198043243931] EvilJackCarver - WORK: sorry
[2014-03-15 19:00:46] [76561198043243931] EvilJackCarver - WORK: my bad
[2014-03-15 19:00:54] [76561198043243931] EvilJackCarver - WORK: how many buds do you have for paypal?
[2014-03-15 19:01:20] [76561198044742121] jkskiier: got 5 left currently
[2014-03-15 19:01:29] [76561198043243931] EvilJackCarver - WORK: i can buy all
[2014-03-15 19:01:44] [76561198044742121] jkskiier: aight, do you have any rep or a verified paypal/
[2014-03-15 19:02:00] [76561198043243931] EvilJackCarver - WORK: my paypal is verified
[2014-03-15 19:02:19] [76561198044742121] jkskiier: have you done other paypal trades in the past?
[2014-03-15 19:02:24] [76561198044742121] jkskiier: and just curious, what was the link for?
[2014-03-15 19:02:54] [76561198043243931] EvilJackCarver - WORK: it'' s another
[2014-03-15 19:02:55] [76561198043243931] EvilJackCarver - WORK: seller
[2014-03-15 19:02:56] [76561198043243931] EvilJackCarver - WORK: :)
[2014-03-15 19:03:02] [76561198043243931] EvilJackCarver - WORK: i have a few
[2014-03-15 19:03:40] [76561198044742121] jkskiier: alright, are you ok with going first and covering fees?
[2014-03-15 19:03:44] [76561198043243931] EvilJackCarver - WORK: yes
[2014-03-15 19:03:44] [76561198044742121] jkskiier: i can show you some rep if you'd like.
[2014-03-15 19:03:48] [76561198043243931] EvilJackCarver - WORK: give me email
[2014-03-15 19:04:17] [76561198044742121] jkskiier: can i have the email you're sending from, so i can verify that it'se verified?
[2014-03-15 19:04:43] [76561198043243931] EvilJackCarver - WORK: <REDACTED - PERSONAL DATA>
[2014-03-15 19:05:19] [76561198044742121] jkskiier: alright, when you're ready, send $170 to <REDACTED - PERSONAL DATA>, with your steamid64 in the notes.
[2014-03-15 19:05:25] [76561198044742121] jkskiier: let me know once you've senmt.
[2014-03-15 19:05:27] [76561198044742121] jkskiier: *sent
[2014-03-15 19:05:48] [76561198043243931] EvilJackCarver - WORK: what is steamid can i wjust write
[2014-03-15 19:05:52] [76561198043243931] EvilJackCarver - WORK: eviljackcarver
[2014-03-15 19:06:23] [76561198044742121] jkskiier: just a quick question
[2014-03-15 19:06:45] [76561198044742121] jkskiier: on your profile, there's a very well typed-out info page with steam id's, steamrep, and all
[2014-03-15 19:06:50] [76561198044742121] jkskiier: i'd assume you know what a steamid is?
[2014-03-15 19:06:58] [76561198044742121] jkskiier: since...you have it on your profile.
[2014-03-15 19:07:00] [76561198043243931] EvilJackCarver - WORK: you said
[2014-03-15 19:07:02] [76561198043243931] EvilJackCarver - WORK: steamid64
[2014-03-15 19:07:29] [76561198044742121] jkskiier: yes.
[2014-03-15 19:07:34] [76561198043243931] EvilJackCarver - WORK: ok
[2014-03-15 19:07:35] [76561198044742121] jkskiier: that's the steamid with the long string of numbers
[2014-03-15 19:08:39] [76561198044742121] jkskiier: and why were you leaving comments with steamid's on other sellers's profiles?
[2014-03-15 19:08:49] [76561198044742121] jkskiier: i'm seeing /mlgm on yours, /jkskiier on mlgm's...
[2014-03-15 19:10:25] [76561198044742121] jkskiier: hey, don't send the payment just yet.
[2014-03-15 19:14:18] [76561198044742121] jkskiier: are you there? i'm getting a little suspicious.
[#EOF]
2014-03-15 19:07:32 (PayPal time) - An attempt to send $175.23 is tried, but rejected (NSF)

2014-03-15 19:09:59 (PayPal Time) - An attempt to send $140.91 is tried, but rejected (NSF)

2014-03-15 19:19:31 - TeamViewer logs a session disconnect.

2014/03/15 19:19:31.904  2072  7936 D1   Received Control_TerminateProcess
2014/03/15 19:19:32.009  3396  5112 S0   CT42 CT.Run.LoopEnd
2014/03/15 19:19:32.009  3396  5112 S0   CT42 CT.Disconnect
2014-03-15 22:45 - Clock-out time stub at work.

RECOVERY

One of the administrators of the clan posted this on the Steam group.

 

Hello <REDACTED - CLAN NAME> members,

I'm sure some of you have got a message from random players (e.g. random friend invite) to click something, whether it be a false steam community link, a mention of photos, or even a .rar file. If you've been lucky and this is the first you're hearing of this, you are incredibly lucky. It's been happening for the past few weeks/going into over a month now.

A few <REDACTED - CLAN NAME> members have already been hacked or phished, and are taking the necessary steps to remove it all. Below are the instructions.

Phishers: False SteamCommunity links.

<REDACTED - IRRELEVANT>

Hackers: .rar files, etc.

These are the schmucks who will have you click a link that ends with .rar or something like that. The message usually begins with "Explain these images to me" or something of the like.

1. If you do click, do NOT save anything.

2. If by some chance something saved, do NOT open it.

3. Open the Run dialog by pressing WindowsKey+R on your keyboard. Type "%appdata%" - without the quotes.

4. This should open Explorer into <User>/AppData/Roaming

5. If you see a folder with a random name (e.g. z435m54t) delete it (the trojan will be inside - a .exe and a .exe.lnk. Do NOT click it)

6. After deleting it, run WindowsKey+R again, and this time type "msconfig" (again without quotes) into the box and run it.

7. Go to the Startup Items tab and check for your trojan around here too. It will likely have an Unknown manufacturer and a random name, linking to the folder you recently deleted.

8. Uncheck this, apply/save and quit.

9. Enter Safe Mode on your computer. To do this restart your computer and spam F8 before the Windows logo appears until it asks you to start in Safe Mode (this is for Windows 7 - check Google for other OSes)

10. Repeat Steps 3 to 8 again - checking for the trojan and startup items again.

11. Should be clean now. You can repeat Step 9/10 again if you're paranoid.

12. Change your email password.

13. Change your Steam password.

This should be all the steps needed. Needless to say, do not click any unknown links from people for a while.

If - per chance, though slim chance - I have sent anyone this, or anyone has been sent this, be suspicious. I personally will use either Imgur or Puush for screenshots, no exceptions.

Stay safe out there, folks.

Edited by EvilJackCarver

If I speak German, apologies: my German is not very good.

 If you are replying to something I have posted, you may wish to quote me for faster response times; I do not usually follow threads I reply to.
My personal inbox is not the support forum. I don't mind helping  you with your issues, but you are responsible for your research.  I am not a page in a manual, Google, or the forum search function - look through all three before asking.
A link to a handy how-to guide for getting useful solutions to your problems, and useful answers to your questions. A lot of it may seem irrelevant, but it outlines some great practices to use when seeking answers or solutions.
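The admin's steps 3 to 8 above boil down to two manual checks: a randomly named folder under %APPDATA% holding an .exe beside an .exe.lnk, and a startup item whose command points into such a folder. The following Python is an added example written for this page, not code from the original post or its author, that encodes those two checks so they can be run over a directory listing and a list of startup entries. The sample listing, the sample startup entries, the name-randomness heuristic and its thresholds are assumptions for illustration; the live-system collector reads the same two views from a Windows host's %APPDATA% and Run keys and does nothing on other platforms.

```python
"""Encode the %APPDATA% and startup-item checks from the recovery steps above.

Added example for this page, not code from the original post.  The sample data,
the name-randomness heuristic and its thresholds are assumptions.
"""
import math
import os
import re
import sys
from collections import Counter
from pathlib import Path, PureWindowsPath

# Constructed snapshot of what steps 3 to 5 have you look at: top-level folders
# under %APPDATA% and the files directly inside them.
SAMPLE_APPDATA_LISTING = {
    "Microsoft": ["Windows", "Crypto"],
    "Mozilla": ["Firefox"],
    "z435m54t": ["z435m54t.exe", "z435m54t.exe.lnk"],  # the admin's example name
    "Steam": ["config.vdf"],
}

# Constructed startup entries in the shape msconfig's Startup tab shows them:
# (name, manufacturer, command).
SAMPLE_STARTUP_ENTRIES = [
    ("Steam", "Valve Corporation", r'"C:\Program Files (x86)\Steam\Steam.exe" -silent'),
    ("qwe8k12", "Unknown", r"C:\Users\victim\AppData\Roaming\z435m54t\z435m54t.exe"),
    ("OneDrive", "Microsoft Corporation",
     r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]


def shannon_entropy(s: str) -> float:
    counts = Counter(s.lower())
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_random(name: str) -> bool:
    """Heuristic (assumed): 6-12 alphanumerics mixing letters and digits, not repetitive."""
    if not re.fullmatch(r"[a-z0-9]{6,12}", name, re.IGNORECASE):
        return False
    mixed = re.search(r"[a-z]", name, re.IGNORECASE) and re.search(r"\d", name)
    return bool(mixed) and shannon_entropy(name) >= 2.0


def suspicious_appdata_folders(listing: dict) -> list:
    """Folders with a random-looking name holding an .exe beside its .exe.lnk (step 5)."""
    hits = []
    for folder, files in listing.items():
        lower = {f.lower() for f in files}
        exes = [f for f in lower if f.endswith(".exe")]
        if looks_random(folder) and any(f + ".lnk" in lower for f in exes):
            hits.append(folder)
    return hits


def suspicious_startup_entries(entries: list, flagged_folders: list) -> list:
    """Startup items whose target lives in AppData\\Roaming\\<flagged or random folder> (step 7)."""
    hits = []
    for name, manufacturer, command in entries:
        m = re.match(r'\s*"?([^"]+?\.exe)"?', command, re.IGNORECASE)
        if not m:
            continue
        raw_parts = PureWindowsPath(m.group(1)).parts
        parts = [p.lower() for p in raw_parts]
        if "roaming" not in parts:
            continue
        i = parts.index("roaming")
        if i == 0 or parts[i - 1] != "appdata" or i + 1 >= len(parts) - 1:
            continue  # not of the form AppData\Roaming\<folder>\<file>
        folder = raw_parts[i + 1]
        if folder in flagged_folders or looks_random(folder):
            hits.append((name, manufacturer, command))
    return hits


def collect_from_live_system() -> tuple:
    """Read the same two views from the running Windows host; empty elsewhere."""
    if sys.platform != "win32":
        return {}, []
    import winreg  # Windows-only module, hence the late import
    appdata = Path(os.environ["APPDATA"])
    listing = {d.name: [c.name for c in d.iterdir()] for d in appdata.iterdir() if d.is_dir()}
    entries = []
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                entries.append((name, label, str(value)))  # the registry has no manufacturer field
                i += 1
    return listing, entries


if __name__ == "__main__":
    if sys.platform == "win32":
        listing, entries = collect_from_live_system()
    else:
        listing, entries = SAMPLE_APPDATA_LISTING, SAMPLE_STARTUP_ENTRIES
    folders = suspicious_appdata_folders(listing)
    print("suspicious %APPDATA% folders:", folders)
    for hit in suspicious_startup_entries(entries, folders):
        print("review startup item:", hit)
```

This is a triage aid, not a verdict: a folder it flags still needs a look before deletion, and a quiet result does not prove the machine is clean, which is the reason the admin's steps repeat the check from Safe Mode. The Run keys are only the registry half of what msconfig shows; the Startup folder and scheduled tasks are worth the same look.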


Buds for TF3..what's that???

Earbuds (commonly abbreviated to simply "buds") are an item in Team Fortress 2, and one of the higher-value items due to their relative scarcity. For simplicity's sake, this is all rounded - each bud costs roughly 25 keys, last I checked. A key is an item that can be purchased via microtransaction for $2.50.

Also apparently the forums have some sort of malware detection. Message to staff - if these posts triggered it, a Turing test would do no good; the backdoor is TeamViewer-based; there's a human at the controls.

Edited by EvilJackCarver
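The timeline in the first post and the note above that there is a human at the TeamViewer controls both rest on reading the TeamViewer log by hand. The following Python is an added example, not code from the original post or from TeamViewer, that parses the three log-line shapes quoted in the timeline (CMD_SESSIONMODE, PunchReceived and CT.Disconnect), stamps the post's UTC -0500 timestamps and normalises them to UTC, and lists each session against the local ID. The log lines are the ones quoted in the timeline; the two lines for a later outgoing session, the partner allowlist, and the assumption that a session this host initiates is logged with the local ID in the From field are constructed for illustration.

```python
"""Rebuild the TeamViewer session timeline from log lines.

Added example, not part of the original post or of TeamViewer.  The outgoing
session lines, the partner allowlist and the local-ID handling are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LOG_TZ = timezone(timedelta(hours=-5))  # the post states its timestamps are UTC -0500
LOCAL_ID = "810088376"                    # the "To" ID in the post's CMD_SESSIONMODE line

SAMPLE_LOG = [
    # quoted from the post's timeline
    '2014/03/15 18:16:26.079 2928 496 G1 CBuddyWindow::ChangeOnlineStateInternal: Setting online state to status:"ST_BL_ONLINE" aos:"AOS_Online"',
    "2014/03/15 18:20:03.698 3396 1876 S0 CT41 CT.Receive.CMD_SESSIONMODE From=767101537 To=810088376 L=28",
    "2014/03/15 18:20:09.455 3396 6396 S0 CT43 GWT.CmdUDPPing.PunchReceived, a=91.187.174.140, p=50502",
    "2014/03/15 19:19:31.904 2072 7936 D1 Received Control_TerminateProcess",
    "2014/03/15 19:19:32.009 3396 5112 S0 CT42 CT.Run.LoopEnd",
    "2014/03/15 19:19:32.009 3396 5112 S0 CT42 CT.Disconnect",
    # constructed: a later outgoing session to a known partner, assuming the
    # local ID appears in the From field for sessions this host initiates
    "2014/03/15 20:05:00.000 3396 5112 S0 CT44 CT.Receive.CMD_SESSIONMODE From=810088376 To=123456789 L=28",
    "2014/03/15 20:07:00.000 3396 5112 S0 CT44 CT.Disconnect",
]

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+\d+\s+\d+\s+\S+\s+(.*)$")
START_RE = re.compile(r"CT\.Receive\.CMD_SESSIONMODE From=(\d+) To=(\d+)")
PUNCH_RE = re.compile(r"PunchReceived, a=([\d.]+), p=(\d+)")
END_RE = re.compile(r"\bCT\.Disconnect\b")


@dataclass
class Session:
    started: datetime
    from_id: str
    to_id: str
    remote_ip: str | None = None
    remote_port: int | None = None
    ended: datetime | None = None

    @property
    def duration(self) -> timedelta | None:
        return None if self.ended is None else self.ended - self.started

    def incoming(self, local_id: str = LOCAL_ID) -> bool:
        return self.to_id == local_id


def parse_ts(raw: str) -> datetime:
    """Log timestamps carry no zone; stamp them with LOG_TZ and normalise to UTC."""
    naive = datetime.strptime(raw, "%Y/%m/%d %H:%M:%S.%f")
    return naive.replace(tzinfo=LOG_TZ).astimezone(timezone.utc)


def parse_sessions(lines) -> list[Session]:
    """Walk the log once: a session opens on CMD_SESSIONMODE and closes on the next
    CT.Disconnect.  The CTnn tags change within one session, so they are not used as keys."""
    sessions: list[Session] = []
    current: Session | None = None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        if start := START_RE.search(msg):
            current = Session(ts, start.group(1), start.group(2))
            sessions.append(current)
        elif current is not None and (punch := PUNCH_RE.search(msg)):
            current.remote_ip, current.remote_port = punch.group(1), int(punch.group(2))
        elif current is not None and END_RE.search(msg):
            current.ended = ts
            current = None
    return sessions


def incoming_from_unknown(sessions, local_id: str = LOCAL_ID, known_partner_ids=()) -> list[Session]:
    """Sessions that targeted this host from an ID not on the (assumed) allowlist."""
    known = set(known_partner_ids)
    return [s for s in sessions if s.incoming(local_id) and s.from_id not in known]


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        end = f"{s.ended:%H:%M:%S}Z" if s.ended else "open"
        print(f"{s.started:%Y-%m-%d %H:%M:%S}Z {'IN ' if s.incoming() else 'OUT'} "
              f"from={s.from_id} to={s.to_id} ip={s.remote_ip}:{s.remote_port} "
              f"ended={end} dur={s.duration}")
```

Normalising to UTC is what lets the TeamViewer session be lined up against the PayPal attempts and the Steam chat, which each keep their own clock; the IP from the PunchReceived line is the peer endpoint that a takedown report or an abuse complaint would cite.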
