Date: Sun, 05 Oct 2014 20:55:12 -0400 From: - TopicsExpress
Date: Sun, 05 Oct 2014 20:55:12 -0400
From: [email protected]
To: security@valvesoftware
Subject: New malware/spam spreading on Steam

Got a message on my Steam account today. Did some light research on it. Here are my findings.

Regards,
VTSTech ( VTS-Tech.org )
VTSTech (Veritas Technical Solutions)

--

New malware/spam spreading on Steam!

gyazo/99771d20592a9b139e1f0d55da575076

Link redirects to Google Docs hosted PE Executable.
Link: hxxp://screen-host
Redirect:
Links broken on purpose to prevent careless infection. hxxp becomes http to restore links.
May do writeup with more details soon.

Detections
ESET-NOD32    MSIL/Stimilik.B
F-Secure      Gen:Variant.Kazy.466636
Avira         TR/Crypt.Xpack.97762
BitDefender   Trojan.GenericKD.1904187

URL: hxxp://screen-host
Redirects to
File name: Image_905.scr;filename*=UTF-8Image_905.scr
File size: 1.2 MB ( 1279674 bytes )
Detection ratio: 10 / 55
Analysis date: 2014-10-06 00:00:19 UTC ( 7 minutes ago )

PE header basic information
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2014-09-29 15:18:33
Link date: 4:18 PM 9/29/2014

MD5     beeb53d8b3737d3ee02643152c431e44
SHA1    8a0e387627056b115f662e92407127e4b06afdea
SHA256  e91712af1a4410f72479d0e39bed44269559198a8a942d838fdb91eafd32479d

Some interesting string references:
--
get_SteamID set_SteamID JCJYsuH4wRMHl0rlIt OfferID OfferToken SteamID GetString bytes Char
imageToByteArray Byte Image System.Drawing imageIn MemoryStream System.IO
MakeFTPDir pathToCreate ftpAddress login password FtpWebRequest Stream FtpWebResponse NetworkCredential
upftp filename ip user passf
--

Based on strings, seems to grab Steam ID, Username, Password and sets up an FTP Server on the infected machine. Stores farmed passwords to file.

More evidence of grabbing Steam User/Password. Parsing Registry for Steam Install path:
--
steamLogin570440730!steamLoginSecure753OHKEY_LOCAL_MACHINE\SOFTWARE\Valve\SteamInstallPath\config\ *.vdf ssfn*profiles/!/inventory/json//2/success
--

Multiple references to SteamCommunity. I suspect this is using something in here to spam itself using the farmed credentials. Also a few different UserAgents in there, indicating it is acting as a HTTP Client. Also reference to acting as a ValveSteamClient:
--
]{40}3hxxp://steamcommunityGET€text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Origin5Mozilla/5.0(Windows;U;WindowsNT6.3;en-US;ValveSteamClient/1393366296;)AppleWebKit/535.19(KHTML,likeGecko)Chrome/18.0.1025.166Safari/535.19
--
Posted on: Mon, 06 Oct 2014 00:56:38 +0000
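The report above reaches its verdict by pulling printable strings out of the .NET binary and reading them as clusters: Steam credential paths (steamLogin, SOFTWARE\Valve\Steam, *.vdf, ssfn*), FTP upload classes, a ValveSteamClient user agent, and trade-offer fields. The script below is an added example, not code from the reporter or from Valve: it automates that triage. It hashes a file, extracts ASCII and UTF-16LE strings (MSIL user strings are UTF-16), scores how many indicator clusters co-occur, and flags an image-named executable in a Content-Disposition header like the one the download returned. The cluster groupings, the threshold of three clusters, the function names, and the constructed sample bytes are assumptions of this example; the sample is a stand-in and is not the real Image_905.scr.

```python
"""Added triage example (not the reporter's or Valve's code): score a file for
the Steam-stealer indicator strings quoted in the report, hash it, and flag an
image-named executable in a Content-Disposition header.
Cluster groupings, the 3-cluster threshold and the sample bytes are assumptions."""
import hashlib
import re
from typing import Dict, List, Set
from urllib.parse import unquote

# Indicator strings taken from the report, grouped by what they suggest.
# Any single cluster can be benign (a real FTP tool uses FtpWebRequest);
# the verdict keys on how many clusters co-occur in one binary.
INDICATORS: Dict[str, List[str]] = {
    "steam_credentials": ["steamLogin", "steamLoginSecure",
                          r"SOFTWARE\Valve\Steam", "InstallPath", ".vdf", "ssfn"],
    "ftp_exfil": ["FtpWebRequest", "FtpWebResponse", "NetworkCredential", "MakeFTPDir"],
    "steam_client_impersonation": ["ValveSteamClient", "steamcommunity"],
    "trade_offer_spam": ["OfferID", "OfferToken", "get_SteamID"],
}
_ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
_UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # .NET user strings are UTF-16LE
_EXEC_EXTS = (".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")
_IMAGE_NAME = re.compile(r"^(image|img|photo|pic|screenshot)[_\- ]?\d*\.", re.IGNORECASE)


def extract_strings(data: bytes) -> Set[str]:
    """Printable ASCII strings plus UTF-16LE strings, as a strings(1) pass would."""
    found = {m.group().decode("ascii") for m in _ASCII_RE.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in _UTF16_RE.finditer(data)}
    return found


def hash_sample(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256, the identifiers used to look a sample up elsewhere."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def score_sample(data: bytes) -> Dict[str, object]:
    """Which indicator clusters appear, and a verdict based on their co-occurrence."""
    strings = extract_strings(data)
    hits: Dict[str, List[str]] = {}
    for cluster, needles in INDICATORS.items():
        matched = sorted({n for n in needles if any(n in s for s in strings)})
        if matched:
            hits[cluster] = matched
    if len(hits) >= 3:
        verdict = "likely steam stealer"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"is_pe": data[:2] == b"MZ", "clusters_hit": len(hits),
            "hits": hits, "verdict": verdict}


def parse_content_disposition_filename(header: str) -> str:
    """Filename from a Content-Disposition value, preferring the RFC 5987
    filename*=charset'lang'value form the report's download used."""
    m = re.search(r"filename\*=[\w-]*'[\w-]*'([^;]+)", header)
    if not m:
        m = re.search(r'filename="?([^";]+)"?', header)
    return unquote(m.group(1).strip()) if m else ""


def masquerading_executable(filename: str) -> bool:
    """True for an executable extension behind an image-like name (Image_905.scr)."""
    name = filename.lower()
    return name.endswith(_EXEC_EXTS) and bool(_IMAGE_NAME.match(name))


def build_sample() -> bytes:
    """Constructed stand-in for the sample: an MZ stub carrying the report's
    indicator strings as a .NET binary would (ASCII metadata, UTF-16LE user
    strings). This is fabricated test data, not the real Image_905.scr."""
    ascii_part = b"\x00".join([b"FtpWebRequest", b"FtpWebResponse", b"NetworkCredential",
                               b"MakeFTPDir", b"get_SteamID", b"OfferID", b"OfferToken"])
    utf16_part = b"\x00\x00".join(s.encode("utf-16-le") for s in [
        "steamLogin", "steamLoginSecure", r"HKEY_LOCAL_MACHINE\SOFTWARE\Valve\Steam",
        "InstallPath", r"\config\*.vdf", "ssfn*", "steamcommunity",
        "Mozilla/5.0 (Windows; U; Windows NT 6.3; en-US; ValveSteamClient/1393366296;)"])
    return b"MZ" + b"\x00" * 62 + ascii_part + b"\x00" * 4 + utf16_part


if __name__ == "__main__":
    sample = build_sample()
    print(hash_sample(sample))
    print(score_sample(sample))
    cd = "attachment; filename=\"Image_905.scr\"; filename*=UTF-8''Image_905.scr"
    print(parse_content_disposition_filename(cd), masquerading_executable("Image_905.scr"))
```

Run it against a real file with `score_sample(open(path, "rb").read())`. The co-occurrence rule is what keeps this from tripping on ordinary software: a legitimate FTP client hits one cluster, a Steam trading tool hits one or two, and the combination of credential-file paths, FTP upload, a forged ValveSteamClient user agent and trade-offer fields in one binary is what the report is describing.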