Pages

Wednesday, February 6, 2008

Trojans in uTorrent Mods and BitTorrent (Armadillo) Mods packed?

sb-innovation.desb-innovation.de BitTorrent 6.x SBI Mods (Armadillo 5.x) - http://www.sb-innovation.de
check by some mods outgoing connections / requests activity to program exe's when the bittorrent 6 mod is closed. See firewall log by enable and disabled rule for bittorrent_mods exe's.

Remarks:
Kaspersky, BitDefender have a unpacking engine include for PECompact and Armadillo 4 - 5 also manual unpacking shows the same result in multi_100_seeder and one kind of mod by Bittorrent 6

uTorent seeder x100 Mods (PEcompact ver.2.78a ~2.80 with ADDED DLL INJECTION)
see screenshot:

NEW AV Signature Updates 05.02.2005

BitDefender Internet Security 2008 v11.0.15
Virus Database Date: 06.02.2008
Known Viruses: 979216

Now new av signatures improved. Detect already in inno setup installer: µtorrent 1.7.7 LP_setup.exe and others

AV-Signature + engine and modules hourly updates:
BitDefender Internet Security 2008 v11.0.15 German
Virus Database Date: 06.02.2008
Known Viruses: 979232

The 3th AV def. update today does not more show the above screen but by doing innounp / inno unpack or running setup, one mod utorrent 1.7.x. multi100_seeder.exe found positive Trojan AX patched in the temp folder and by skip also in the unpacked folder.

Software Description Software Version Virus Database Date Known Viruses
BitDefender Internet Security 2008 11.0.15 06.02.2008 979348

-------------------------------------------------------------------------------
Some (packers) are not detected:
new Backdoor

Creates the following files to Windir\Media folder (same as some very old Backdoors but different signatures):
C:\WINDOWS\Media\csrss.exe
C:\WINDOWS\Media\MSWINSCK.OCX

Adds to the value "Shell"="explorer.exe"

"Shell"="explorer.exe" C:\WINDOWS\Media\csrss.exe"
to the registry key:
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon

and maybe like the old Backdoor:
"RegWrite"="c:\windows\media\csrss.exe"
to the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run



After executing it run a "fake" csrss.exe from folder windir\Media in process manager as soon windows starts together with the original \system32 Microsoft Corporation Client Server Runtime Process (csrss.exe) and connect to a webserver.


After removing these files under windir\Media appears :

receive an error message upon startup that reads
No AV, Anti Spyware, Anti Malware Program or Startup Manager Tools ever monitored logon shell:
WinLogon = Explorer.exe for changes
extensions for example :

"Shell"="explorer.exe C:\WINDOWS\Media\csrss.exe"
"Shell"="explorer.exe C:\any application to run with startup test.dll"

13 comments:

Anonymous said...

Looks like its in all seeder multi 100 mods 'code parts' Trojan connect to someone if seeding torrents. Dangerous Brothers

Anonymous said...

there are no virus in the files its only the mode as its packed that results as a virus because the av apps doesnt recognize it right

Anonymous said...

are you sure cause I unpacked / removed the protection fixed IAT etc... and did just a dump but all solutions showing the same as well in clean unpacked status. Is it possible that leecher multi 100 have in the code changes an embedded positive string since the very first source?

Anonymous said...

Kav have an unpacking engine for the latest armadillo and pe compact, bitdefenders engine was come a update this day for the module pe compact 2.8x / inno 5.x with added dll's to the packers. Detection error?

Anonymous said...

is multi_100_seeder different packed as all others? Get Virus alert only by multi100_seeder mods.

Anonymous said...

Anyone can prove that they are clean ? Show me

Anonymous said...

I don't think seba put trojans in the exe files if not anyone was give him a 'bad' source.

Anonymous said...

Why have it been packed so bad that virus scanner detect trojan??? Why doe it need to be packed?
-------------------------------------
"there are no virus in the files its only the mode as its packed that results as a virus because the av apps doesnt recognize it right"

Anonymous said...

There are no virus or trojan in these mods. Seba and the SBI people only change the original with hexeditors and don't compile it new with a virus in it.
Your screenshot is about sebas utorrent mod why you post the sbi link together with it? Sebas site and the SBI forum are different places...
The problem with bittorrent is a general problem and has nothing to do with the sbi mod. They've created it for people which want use this client. But if there's spy function in it you must find it in the original too and than we should warn all people about this security risk.

Anonymous said...

If the Top 10 AV scanner goes on you know whats wrong. About the 5 others in VirusTotal which almost shows positive, we all know they can be wrong. Scan original scan the mods there are quite different results. 5 BitTorrent Mods and always the x100 seeder mod is infected. I hope this site admin post from the email the unpacked one I did to see the exe protected and unpacked.
They should better use a "more" compatible exe compressor.

Anonymous said...

NoCompl_Report-Seeder_Multi-100x is a decent nice backdoor inside. Maybe the Packer patch it in, exe packer crk v possible. Connect to a server in xx. Try run without dl/up (idle) a torrent and see the Wireshark logs.
Put it later on ollyice to see if its w/o Arm too. Compared to original no connection to that server. IP to country database server lookup exclude and the rest of bt/ut.
AV don't give any interrupt but overall the result is horrible:
http://www.virustotal.com/analisis/663ec4d97ab4bcd95d8e6c04d57a2363

Anonymous said...

maybe used the armad. packer from team ... ? ? ?

Anonymous said...

Thanks for testing the file.
Then the packer must be the problem. I've used this version for packing and to include the splash screen.

SoftwarePassport/Armadillo Protection System v5.0

On their homepage you can download a trialversion for their newest release v5.4.
http://www.siliconrealms.com/

Post a Comment