Pirated Windows 7 Builds Botnet with Trojan

[Airbot]

Security researchers at Damballa report shutting down the command and control server of a botnet built by a Trojan bundled with pirated copies of Windows 7 RC. The Trojan is believed to have infected thousands of users.

Attackers pushing pirated, malware-laced copies of Microsoft's upcoming Windows 7 operating system have been actively trying to build a botnet.
According to researchers at Damballa, attackers hid a Trojan inside of pirated copies of the operating system and began circulating them on BitTorrent sites. Damballa reported that it shut down the botnet's command and control server May 10, but by that time infection rates had risen as high as 552 users per hour.

"Since the pirated package was released on April 24th, my best guess is that this botnet probably had at least 27,000 successful installs prior to our takedown of its CnC [command and control] on May 10th," said Tripp Cox, vice president of engineering at Damballa.

eweek

 

[Romulinx2]

Thanks for the warning. Glad I waited for the official download.

 

[Lordbob75]

LOL. Why?

The RC is free..... Why are people so stupid?

~Lordbob

 

[Night Hawk]

Well it was I tried to point out before and got a lot of back talk about people matching up hashes there are ways around things in order to slip bugs into the various leaks. Earlier you saw the MS official warning about downloading from torrent sites. Now you see a strong one here about the RCs being polluted.

And the 4/24 date sounds awful familiar doesn't it? Airbot

Another sentence to add here is the start of the following paragraph in the article seen at the link there. "Targeting users through pirated software is nothing new for hackers." It makes far more sense to stay with the genuine article coming direct from Microsoft rather then thinking you are getting something still good elsewhere and to run into something like that.

I just got pointed to another article on this seen at http://news.idg.no/cw/art.cfm?id=35BFBE79-1A64-67EA-E422F341C24AC242

 

[DocBrown]

The 4/24 date shows up in History as the leaked torrent date

 

[Night Hawk]

Evidently the tampered with leak was uploaded on the same day it got out. For many it was late in the day or at night time when people started jumping on it at that time.

 

[barney]

Has anybody identified or caught this trojan within their own operating system?
I have seen lots of discussions but no obvious candidates, what are its characteristics?
is there no proprietary programs available to capture it.
Keen to understand above the chatter

best

barney

 

[Pogi]

Perhaps it is possible to identify the exact source(s) of this infected Windows 7?

I guess people were just over eager and tried to get their hands on first available new builds, and noticing new improvements over other builds somewhat blindsided them out on security issues.

If it's not too much to ask, what are the manifestations of the malware, anyway?

 

[Night Hawk]

I never got any detailed description when being informed on prior occasions about some leaks having malwares well hidden that the average user won't even notice. Those could be anything from adbots to keyloggers for gaining credit card and other information useful in identity theft as well as things that would suddenly see Windows crash for no apparent reason.

The people planting bugs know how to write malwares that are intended for a specific purpose. You can run a search all day and still not find where they get the tools for that however. From the article seen there like a few others lately the intent by hackers is to build a "botnet" or best known as an army of zombie home pcs where the users are unaware that their machines are infected. One reference for this is seen at What is botnet? - a definition from Whatis.com - see also: zombie army, bot network

 

[Captain Zero]

At this point, stealing Win7 is like trying to do a dine-and-dash in a soup kitchen.

Wat?

 

[Night Hawk]

People are anxious to look for leaks once 7 reaches the RTMs to no avail. That's precisely where hackers would have a field day! At this point there's no further point to rush any leak to begin with. Simply go direct to MS and download a nice fresh copy of 7 totally 100% guaranteed to be free of any "hacker's delight"!

 

[jimbo45]

Hi all

Why don't people EVER give PROPER info for this stuff

1) If MS knows that these are "Infected" - give the hashes for the "Infected" builds -- we've all got the hashes for the Official builds so it's easy to check.

2) Say WHAT BUILDS are infected. Microsoft has been burying its head like an Osterich in the sand even refusing to ACKNOWLEGE any builds other than the BETA 7000 and the official 7100 EVEN EXIST.

3) If this stuff has a botnet / trojan in it publish a method of detection -- some people will ALWAYS use stuff from "dubious" sources -- and in doing so can transmit stuff to software obtained Legitimately.
By just saying certain downloads might contain a Botnet etc without publishing methods of detection etc is just being PLAIN IRRESPONSIBLE.

Information such as saying "XXXX" might contain a virus / malware etc doesn't actually help ANYBODY and merely re-inforces the perception that they are just scaremongering.

If your build matches the Official one it WON'T contain anything it shouldn't.

Of course with the Official RC being easily (and quickly) available it really doesn't make any sense to download it from a torrent -- but that is a TOTALLY different issue.

Cheers
jimbo

 

[barney]

Jimbo ditto, the chatter is crazy, no solutions, no symptoms, no victims just noise!

best

barney

 

[Uber Philf]

Uhmm, this might be a dumb question, but will stop me from being freaked ive got a "bot version", but if all the hash's from my copy (torrent) match exactly to the ones from microsoft, am i safe to say that my copy is 100% trojan free?

Enzo.

 

[Night Hawk]

One reason no one can specify just what any malware does is first identifying the function it was written to do. Botnets are simply one form of bug there. With certain tools hackers can custom design malwares for various purposes.

Do you know how many there are? Even MS has lost count! That's why they provided an option recently for reporting contaminated sites to improve the antiphising filters in IE another area all together. With IE security tools being more common apparently they are looking at the interest seen in 7 as another means there.

 

[kpo6969]

Well it was I tried to point out before and got a lot of back talk about people matching up hashes there are ways around things in order to slip bugs into the various leaks. Earlier you saw the MS official warning about downloading from torrent sites. Now you see a strong one here about the RCs being polluted.

And the 4/24 date sounds awful familiar doesn't it? Airbot

Another sentence to add here is the start of the following paragraph in the article seen at the link there. "Targeting users through pirated software is nothing new for hackers." It makes far more sense to stay with the genuine article coming direct from Microsoft rather then thinking you are getting something still good elsewhere and to run into something like that.

I just got pointed to another article on this seen at Pirated Windows 7 software part of criminal botnet

Hi all

Why don't people EVER give PROPER info for this stuff

1) If MS knows that these are "Infected" - give the hashes for the "Infected" builds -- we've all got the hashes for the Official builds so it's easy to check.

2) Say WHAT BUILDS are infected. Microsoft has been burying its head like an Osterich in the sand even refusing to ACKNOWLEGE any builds other than the BETA 7000 and the official 7100 EVEN EXIST.

3) If this stuff has a botnet / trojan in it publish a method of detection -- some people will ALWAYS use stuff from "dubious" sources -- and in doing so can transmit stuff to software obtained Legitimately.
By just saying certain downloads might contain a Botnet etc without publishing methods of detection etc is just being PLAIN IRRESPONSIBLE.

Information such as saying "XXXX" might contain a virus / malware etc doesn't actually help ANYBODY and merely re-inforces the perception that they are just scaremongering.

If your build matches the Official one it WON'T contain anything it shouldn't.

Of course with the Official RC being easily (and quickly) available it really doesn't make any sense to download it from a torrent -- but that is a TOTALLY different issue.

Cheers
jimbo

Excellent post and agree 100%
The one's that got a clean, untampered with leak know who they are and knew what it was they were downloading.
Time to move on and stop whining..

 

[Plantje]

No worries...

Well, if you do install the RC from torrents, check this:

If you do install an official RC build then you should confirm that the MD5 checksum on the ISO is the same as a known safe MD5. Known safe MD5s are:

Windows 7 RC Build 7100 x86 is 8867C13330F56A93944BCD46DCD73590

Windows 7 RC Build 7100 x64 is 98341af35655137966e382c4feaa282

And:

Apparently someone released an ISO distribution with a trojan attached to the setup.exe

MD5/SHA1 etc they are check sum control numbers, and it is used to identify whether two files are the same / different. Basically if two files have eeven a single byte different, their checksums will be way different.

Hash Calculator to Get, Compute and Calculate MD5 and SHA1 File Checksum or Hash Value » My Digital Life

Also sometimes downloaded files may be corrupted during download due to various causes, bad data coming from the routers, bugs in the download programs etc, checking your downloaded file checksum against what the provider numbers ensures the file integrity, in this case the .ISO image.

I got this from:
Dan Dar3: Windows 7 beta build 7057 on ASUS R2H

 

[Night Hawk]

Uhmm, this might be a dumb question, but will stop me from being freaked ive got a "bot version", but if all the hash's from my copy (torrent) match exactly to the ones from microsoft, am i safe to say that my copy is 100% trojan free?

Enzo.

When in doubt toss it out! Simple solution! I posted a few screens on one that did have something "ususual" found and simply wiped the drive later.

Excellent post and agree 100%
The one's that got a clean, untampered with leak know who they are and knew what it was they were downloading.
Time to move on and stop whining..

You know that! I know that! But some are still insistant.

 

[Meyithi]

Apparently someone released an ISO distribution with a trojan attached to the setup.exe

MD5/SHA1 etc they are check sum control numbers, and it is used to identify whether two files are the same / different. Basically if two files have eeven a single byte different, their checksums will be way different.

Hash Calculator to Get, Compute and Calculate MD5 and SHA1 File Checksum or Hash Value » My Digital Life

Also sometimes downloaded files may be corrupted during download due to various causes, bad data coming from the routers, bugs in the download programs etc, checking your downloaded file checksum against what the provider numbers ensures the file integrity, in this case the .ISO image.

That is correct, it's the padded setup.exe that is more than likely responsible. Also, affected will be people who upgraded from their previous OS as if booted from the ISO, the setup.exe would not run or be accessed in any capacity.

So if you ran an upgrade from an earlier Beta or previous OS using the leaked torrent, you are more than likely "botting"

 

[brusse01]

LOL. Why?

The RC is free..... Why are people so stupid?

~Lordbob

I second that.... downlaoding from a Torrent is like somebody slipping you a mickey and the next morning you're sitting in your undies wondering what happened....