Advanced Onion Router 0.3.0.20

Changes in 0.3.0.20
- corrected: the subdomain was not removed from an .onion address when searching for its rendezvous descriptor (thanks to AyrA for reporting this problem on sf.net)
- the OpenSSL library was updated to openssl-1.0.1g
- geoip_c.h was updated with GeoIPCountryWhois.csv released on April 2nd; there are 93477 IP ranges, 102 of which are in the fake "A1" country; 98 ranges were approximated to real countries

File information: Advanced Onion Router 0.3.0.20
Posted by advor on 17/04 -14 21:49 | 0 comments
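
The first fix above concerns normalising a hostname such as mail.<service>.onion down to the bare service identifier before the descriptor lookup. The following function is an added example written for this page, not AdvOR's own code: it strips any subdomain labels, validates that the remaining label is a base32 onion identifier (16 characters for the v2 addresses in use at the time; the 56-character v3 form is accepted as well, which goes beyond the changelog), and returns it. The hostnames in the comments are constructed.

```python
import re
from typing import Optional

# Onion service identifiers are lower-case base32 (a-z, 2-7) without padding:
# 16 characters for v2 services, 56 for v3.
_ONION_ID = re.compile(r"[a-z2-7]{16}|[a-z2-7]{56}")


def onion_service_id(hostname: str) -> Optional[str]:
    """Return the service identifier of a .onion hostname, ignoring subdomains.

    Constructed examples:
      "mail.abcdefghijklmnop.onion"  -> "abcdefghijklmnop"
      "ABCDEFGHIJKLMNOP.onion."      -> "abcdefghijklmnop"  (case and trailing dot normalised)
      "short.onion" / "example.com"  -> None
    """
    labels = hostname.strip().lower().rstrip(".").split(".")
    # Need at least "<id>.onion"; the TLD must be exactly "onion".
    if len(labels) < 2 or labels[-1] != "onion":
        return None
    # The label immediately before "onion" is the service; anything further
    # left is a subdomain and must not be part of the descriptor lookup key.
    service_id = labels[-2]
    if not _ONION_ID.fullmatch(service_id):
        return None
    return service_id


def same_service(host_a: str, host_b: str) -> bool:
    """True when two hostnames resolve to the same onion service identifier."""
    a, b = onion_service_id(host_a), onion_service_id(host_b)
    return a is not None and a == b
```

The descriptor cache key should always be the value returned here rather than the raw hostname; otherwise every subdomain variant triggers a separate (and failing) rendezvous descriptor fetch, which is the behaviour the changelog entry describes.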

HeXHub 5.12

Changes in 5.12
- when fake share detection is enabled and a passive search result is sent with no path in it, the user is kicked
- new event for plugins: onBadSettings(userId,63) ("passive search result without file path")
- GeoIP information was updated with GeoIPCountryWhois.csv from February 5th

File information: HeXHub 5.12
Posted by hexhub on 01/03 -14 08:15 | 0 comments

BitCoin Miners and DirectConnect Bots

Imagine, if you will, a new user who just heard about the DirectConnect network and downloaded a NMDC client (be that DC++, StrongDC++, Greylink++ or another client). The client is started and the user clicks the "Public hublists" button. A new normal user, of course, would join the first few biggest hubs. A few file lists are downloaded and... what's next? A search. A search for something Google can't find. What if there are no results from all hubs the new user is in? Well... there are! Search for any random string and you get at least one result from a bot that has a file named by your searched string which ends with ".exe"!

You can notice that there is no path for the shared executable file. An attempt to get a bot's file list will get your IP blocked and all further connection requests to it rejected. The bot can provide an .exe and that's it. Currently, its IP in all hubs is 198.52.199.120, and it can be reported to abuse@avantehosting.net and to abuse@centarra.com.

But, the big question is, what does the trojan do?

The trojan is a WinRAR self extracting archive that executes the following install script:

Code
Setup=ncmd.exe exec hide "dep.bat"
TempMode
Silent=1
Overwrite=1

The archive contains the following files:

Code
02/20/2014 10:46 PM 248,980 32.rar
02/20/2014 10:46 PM 239,972 64.rar
02/20/2014 10:47 PM 1,382,636 at.rar
02/17/2014 11:24 PM 969 dep.bat
01/23/2014 07:16 PM 77 ms.vbs
08/11/2013 03:41 PM 44,032 ncmd.exe
02/20/2014 10:48 PM 2,836,268 nv.rar
12/01/2013 02:08 PM 306,776 svchost.exe
8 File(s) 5,059,710 bytes

All the .rar archives are password protected. The password to extract files from them is 12345. Each archive contains a coin mining tool (minerd 32/64, cgminer and CudaMiner). By default, they use the mining server from eu.wafflepool.com:3333 and they update the BitCoin wallet 1KGE8qgbR7mafVtvt2YsS5hYau9YLRXJx4 using the password x. Svchost.exe (306776 bytes) is the renamed command line RAR, ncmd.exe (44032 bytes) is the NirSoft command line utility that can hide the console, dep.bat (969 bytes) is the actual installer that extracts files from the password protected archives to %APPDATA%\WinUpdate\, and ms.vbs (77 bytes) is a command line message box popup generator.

Code
Set objArgs = WScript.Arguments
messageText = objArgs(0)
MsgBox messageText

ms.vbs is used by dep.bat, after installing all the svchost.exe's and winlogon.exe's from the password protected archives, to show a message box with the following string: "Error loading dll.".

If you are infected with this trojan, your overall system performance is decreased because your system resources are used to generate money for the trojan spreader.

How much money did this trojan make for its owner? You can check its infection stats here: http://wafflepool.com/miner/1KGE8qgbR7mafVtvt2YsS5hYau9YLRXJx4 (in case you need a password, you can use "x").

Do not download anything from these bots and use the +report command to report them to the operators that are online in the hubs you found them!
Posted by Vektor on 28/02 -14 23:18 | 0 comments
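
The tell-tale sign in this post, a search result whose file name carries no share path, is exactly what the HeXHub 5.12 change above ("passive search result without file path") kicks on. The script below is an added example for both posts, not HeXHub's code or anything from this site. It parses NMDC `$SR` passive search results and flags senders whose result has no directory component. The `$SR` layout it assumes is `$SR <nick> <path\file><0x05><size> <free>/<total><0x05><hubname> (<hub ip:port>)|`; directory results, which carry no size, are ignored. The sample lines, nicks and hub address are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional

SEP = "\x05"  # NMDC field separator inside $SR

# Constructed sample traffic: one genuine result, one bot-style result with a
# bare "<searched string>.exe" and no share path, and an unrelated command.
SAMPLE_RESULTS = [
    "$SR Alice Music\\Album\\track01.mp3\x0512345678 3/5\x05TeHub (127.0.0.1:411)|",
    "$SR shadybot randomsearchstring.exe\x055059710 10/10\x05TeHub (127.0.0.1:411)|",
    "$MyINFO $ALL Bob <++ V:0.851,M:A,H:1/0/0,S:3>$ $100 $$0$|",
]

_SIZE_SLOTS = re.compile(r"(\d+) (\d+)/(\d+)")
_HUB = re.compile(r"(.*) \((\S+)\)")


def parse_sr(line: str) -> Optional[Dict[str, object]]:
    """Parse one file-type $SR line; return None for anything else."""
    if not line.startswith("$SR "):
        return None
    parts = line[4:].rstrip("|").split(SEP)
    if len(parts) != 3:
        return None  # directory results and malformed lines
    # The nick never contains spaces, so the first space ends it; the
    # remainder is the advertised "<path>\<file>" relative to the share root.
    nick, _, result = parts[0].partition(" ")
    m_size = _SIZE_SLOTS.fullmatch(parts[1])
    m_hub = _HUB.fullmatch(parts[2])
    if not (nick and result and m_size and m_hub):
        return None
    return {
        "nick": nick,
        "result": result,
        "size": int(m_size.group(1)),
        "free_slots": int(m_size.group(2)),
        "total_slots": int(m_size.group(3)),
        "hub": m_hub.group(1),
        "hub_addr": m_hub.group(2),
    }


def is_pathless_result(sr: Dict[str, object]) -> bool:
    """A real share entry is '<folder>\\...\\<file>'; no backslash means no path."""
    return "\\" not in str(sr["result"])


def scan_results(lines: Iterable[str]) -> List[str]:
    """Return the nicks whose search results carry no share path (kick candidates)."""
    flagged: List[str] = []
    for line in lines:
        sr = parse_sr(line)
        if sr is not None and is_pathless_result(sr):
            flagged.append(str(sr["nick"]))
    return flagged


if __name__ == "__main__":
    for nick in scan_results(SAMPLE_RESULTS):
        print(f"pathless search result from {nick}: report with +report or kick")
```

A hub that applies this check (as HeXHub 5.12 does when fake share detection is enabled) denies these bots the one thing they rely on: appearing in every search. On the client side the same test tells you which results to ignore before you ever attempt the file list download the post warns about.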

Hub voting system

Finally I had some time to re-add the good old hub voting system to the hublist engine. The voting is made two ways, good votes and bad votes; it's up to you which to choose. Remember, you can only vote for a hub once a day, and voting for banned hubs is forbidden. You should also know that all votes are logged using your IP address, and if we find out that you're trying to cheat by using different IP addresses, your hub will get banned. Good luck.
Posted by RoLex on 28/01 -14 22:08 | 0 comments

Hublist registration server

We've made huge improvements to the hublist registration server, which is running at hublist.te-home.net:2501. Now it supports up to 1000 simultaneous registration requests. Here is how you add it to your hub:

HeXHub
!set hls server add hublist.te-home.net

Verlihub
!set hublist_host hublist.te-home.net
Posted by RoLex on 15/01 -14 13:45 | 0 comments