Warning: Original "50 Days of Lulz" Payload is Infected

Monday, June 27, 2011

Kevin McAleavey

Ba829a6cb97f554ffb0272cd3d6c18a7

Even after the lulz have officially ended, the adventure continues for the hapless crew of the lulzboat. After piping off the ship and dropping their cargo on "The Pirate Bay" it turns out that the RAR file offered as a torrent download is infected with a backdoor of the "RBOT" class of malware.

This type of malware was commonly used by the lulzsec "hackers" to own other machines, but is a different variant of the tools they normally used to expand their botnet.

Here's an image of the location of the file within the archive:

/uploads/remoteimg/085539c5c332fcf1fc606db09c1a5756.jpg

The "/AT&T internal data/BootableUSB/Program Files/WinRar/WinRar v3.71.exe" file located in the within the "AT&T internal data.rar" file was found to be infected:

http://www.virustotal.com/file-scan/report.html?id=3f171ca8a0e11cea57264f7ad202c703dc1bf23d6d0ecc0139a73134222ddda6-1309093409

The infected torrent was deleted by Pirate Bay after discovery and TPB issued this formal notification:

http://activepolitic.com:82/blog/2011-06-26/ThePiratebay_deletes_50_Days_Of_Lulz.html

The Lulzsec team replaced the file later Sunday with an uninfected version of the same file which was significantly smaller than the original prompting suspicion that a number of other files within the archive were similarly infected:

/uploads/remoteimg/b08383fdb3955b00da77b1b183ae7b52.jpg

An accounting of the drama was posted on Tumblr earlier today:

http://tlan3y.tumblr.com/post/6938716877/lulz-on-you-lulzsec-final-release-contains

The mystery among analysts was whether it was intentionally placed there by the LulzSec crew as final gag on their followers or whether it was actually part of AT&T internal files which would mean that AT&T's own IT staff was inadvertently infecting their own operation.

At this time, only AT&T can confirm or deny whether the files dated 14 February, 2008 are theirs or whether the USB image included in the AT&T heist is actually theirs.

Attempts to contact LulzSec members as to the origin of the file remain unanswered at this time. Others theorize that if lulzsec was the victim of this infection, it was apparently caused by their competitor, TeaMp0isoN:

http://tech2.in.com/news/general/lulzsec-infected-by-teamp0ison/226932

So if you've downloaded this file, it is strongly advised that you scan it first before opening the AT&T section of the file to be sure that the infected bot doesn't end up on Windows clients. It's quite possible that there might be others as well given the plural in TPB's description.

I can't understand why anyone would want to download it in the first place, but apparently a large number of people have and thus this cautionary warning.

Possibly Related Articles:
11444
Viruses & Malware
Information Security
Trojans malware Botnets Hacktivist hackers AT&T Lulzsec
Post Rating I Like this!
4085079c6fe0be2fd371ddbac0c3e7db
Jamie Adams Excellent information. Thank you. Hopefully, no one is silly enough to download it.
1309197646
Ba829a6cb97f554ffb0272cd3d6c18a7
Kevin McAleavey I'm normally not interested in any of the "booty" myself, but when I heard it was infected, I just HAD to know what was inside since I've been doing this since the days when Peter Norton and John McAfee were both selling their primitive antiviruses on my BBS.

I threw away the candy-coated popcorn and peanuts and went straight for the prize inside this one. I wasn't at all interested in any of the lulzdrama, but malcode and examining it makes my day. :)
1309212051
B6f0893230292b638a6419bf566dbda6
cliff sull I blogged about the infection within hours of teh file appearing on The Pirate Bay.
In my opinion the infection is nothing to do with Lulzsec and is a common tool which was not classed as malware up until recently - so Norton now classify it as a malware tool.
Great post.
You will find my original post here - > http://cliffsull.wordpress.com/2011/06/26/downloaders-of-lulzsec-%E2%80%98booty%E2%80%99-filestorrent-be-aware-of-a-virus-in-winrar-folder/
1309213348
Ba829a6cb97f554ffb0272cd3d6c18a7
Kevin McAleavey Thanks for that! Given that the file in question has a date stamp on it from three years ago, a rather sad statement on the antivirus industry there. I've been in that industry for 14 years now, I'm the developer of one of the earliest antitrojan programs known as "BOClean" back when the AV's were ignoring RATs and backdoors entirely.

A few years ago, I ended up working for one of the antivirus companies and I was aghast to learn that they merely fed submitted samples into a blender which pooted out a SHA1 signature into their update. If any one bit is different from the sample, then it's not detected at all by a file scan. Our BOClean thingy actually waited for malware to start to execute and matched a hand-written memory signature and so no amount of obfuscation successfully eluded detection. That's the reason why I'm such a cynic about this stuff - I know where the bones are buried. :(
1309214435
B6f0893230292b638a6419bf566dbda6
cliff sull Cynicism's a good trait ;) Given how the nets traversed into a den of inequity and is so far from what we envisaged back in the days of 'Bulletin Boards' and 56k Modems ;)
As for BOClean ...all that really needed was a disk scanning capability ;(
1309214839
Ba829a6cb97f554ffb0272cd3d6c18a7
Kevin McAleavey Interesting indeed. Curious how there's no mention of the packer containing anything else - they usually do. When I saw the Delphi sig on a known Borland (yeah, I knew Phillipe Kahn as well back in the day and got a pre-beta of Pascal 1.0 from him) I had enough confirmation of fishy but didn't want to load up a Billyware box to see what it was. I like to get paid for that kind of stuff. Heh.

As for disk-scanning in BOClean, we did provide it since we had a number of volunteers who sailed the seven seas for us in search of booty and so if you right clicked on the top of BOClean, it would scan files. You could also drag and drop one file onto the popup and it would scan just that so we could afford duplication in our lab of already-detected nasties. But we didn't advertise the feature since BOClean was intended to be a secondary detection utility behind your AV and we didn't want to take up a limited system kernel hook when there was only maximum of eight of them available and everybody and his cousin wanted dibs on those.

Oh ... and REAL men did high speed at 300 baud. :P
1309216789
B6f0893230292b638a6419bf566dbda6
cliff sull lol - i had almost forgotten baud rates and tx times...am all nostalgic now ;)
1309218402
Ba829a6cb97f554ffb0272cd3d6c18a7
Kevin McAleavey Heh. Life began at 55 baud on a 20 mil loop. And true dumpster-diving. Life was good. :)
1309220181
Ba829a6cb97f554ffb0272cd3d6c18a7
Kevin McAleavey UPDATE!

"Anonymous" answered the question as to who the trojan belonged to officially in this tweet:

@AnonymousIRC AnonymousIRC
@uhhmnet You realize that this malware came from AT&T and LulzSec never actually looked at it? Apparently not; just live in your own world.
7 hours ago via TweetDeck
Retweeted by akuma_river and 3 others
1309225974
6d117b57d55f63febe392e40a478011f
Anthony M. Freed False positive?? "On Monday several antivirus vendors took a close look at the file in question and decided that the program wasn't actually harmful. Consider it an inadvertent parting prank on the security industry the hacking grew took such delight in tormenting. More Lulz for the Lulz Boat."

"Early in the day, 26 of the 42 security companies whose scanning products can be tested on the VirusTotal Web site reported that a file within LulzSec's "AT&T internal data" folder was malware, designed to give hackers remote access to the victim's computer.

"But by Monday night Kaspersky Lab, McAfee and Trend Micro all reported that this was incorrect."

http://www.computerworld.com/s/article/9217971/LulzSec_s_parting_Trojan_is_a_false_positive
1309271870
Ba829a6cb97f554ffb0272cd3d6c18a7
Kevin McAleavey Makes me wonder if the detections of LOIC (Low Orbit Ion Cannon) as a multidropper trojan is also an FP. Ah well ... I took virustotal's word for what was found when I wrote this up - since I don't use windows, no worries even if it was infected. :)
1309307135
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.