Page 3 of 5 FirstFirst 12345 LastLast
Results 21 to 30 of 50

Thread: Mamba Black Copy and the Chinese

  1. #21
    Join Date
    Jan 2006
    Location
    Charleston, SC
    Posts
    2,147,489,446

    Default

    Quote Originally Posted by -bart- View Post
    Somehow, this story has some kind of don't-use-illegal-software-because-it-contains-viruses-boogyman feel to it.
    What? What possible motivation would I have to create a "boogyman" story? Have I ever misled people here? Ever?

    Seriously, why would you think that? Because I'm more than a little upset that you'd insinuate I'm lying about this.
    What was the exact name of the threat/trojan etc, etc.
    I do not know. I was not the person that performed the service. I apologize if I do not have all of the details. (However, the person that did the service is also a member here on PL. If he chooses to share further details of this event, that is his prerogative, though his client would probably appreciate at least some anonymity.)

    And what, exactly, would the NAME of the malware do for you anyway? There are thousands, tens of thousands of viruses in the wild. And apart from a few high-profile ones (conficker, nimda, sasser, code red) the names are irrelevant. I seriously doubt that the client wrote down the name of the malware either, but I can ask...
    Don't get me wrong i hate piracy, but this claim just needs more details filled in.
    I don't know what virus checker they used on the new machine, but I know it was a newly-purchased machine (as in less than a month old). I know that the Mamba software identified itself as version 1.6-something. I don't remember if it was 1.61, or 1.63, or 1.6 something else. (Who cares, really? Is there that much difference between 100ths-place version numbers?)

    Also, there may be some confusion due to terminology. I identified the malware as a trojan horse, because it was contained within a valid software product. I do recognize that there are specific definitions for a virus, a worm, and a trojan. In my haste to post (and my desire to avoid being pedantic), I did not consider that it might be more appropriate to call it a virus or a worm. But again, I didn't not work on the infected machine myself, so I can not say exactly what it was trying to do - beyond the fact that it *did* try to infect all the executable files on the drive.
    Quote Originally Posted by keeperx View Post
    a Trojan does not eat processor cycles. It sits and waits for an event or trigger to activate it.
    And typically, once it activates it downloads a payload (or simply executes the payload if it was already contained within the trojan) which first tries to infect other executables on the host computer's hard disk - and this will slow the machine to a crawl. I don't need a lecture in how viruses, trojans, or worms operate...

    I do not know if the machine "phoned home" to download a payload, or if the malware was fully contained within the software on the CD. The infected computer *was* connected to the Internet for at least a short period of time, because the client tried to update his Mamba Black to the latest version. (This, of course, didn't work, because the cracked versions don't have the Rockey-4 dongle, so they didn't have a serial number they could register to get an update.) So it's possible that it tried to download a payload. However, this is not the case with new machine.

    The new machine was not connected to the Internet when they attempted to install the software. The virus checker popped up an alert window as soon as autoplay started. I don't know how far the infection got on the new machine. They immediately reset the machine, removed the CD, and booted to safe mode. Then they ran the virus checker and it was able to clean the machine. There were several files that had to be cleaned.

    That's all the details I can remember from the phone conversation. If that's not enough for you, then by all means - jump on e-bay and buy one of these pirated copies of Mamba Black for yourself. Then you can perform your own diagnostics to satisfy your curiosity as to the specific malware that is included on the disc.

    But for the rest of the group, the existence of this trojan embedded in the cracked Chinese version of Mamba Black has been documented in serveral places, including numerous discussions on the ILDA mailing list. More to the point, I'm not an employee of Medialas, nor would I have any other motivation to make up "ghost stories" about this. (I'm a Pangolin user, remember?)

    Finally, consider the fact that Bill Benner posted a warning about this being a cracked version above... Bill doesn't work for Medialas either. So why would he have any motivation to lie about it? Unless maybe he was sharing information in an effort to help people avoid getting screwed...

    And if you *still* believe that I'm telling ghost stories, go check out the ILDA list server and read the notices from Medialas (and others) about the malware contained on this disc.

    Adam

  2. #22
    mixedgas's Avatar
    mixedgas is offline Creaky Old Award Winning Bastard Technologist
    Infinitus Excellentia Ion Laser Dominatus
    Join Date
    May 2007
    Location
    A lab with some dripping water on the floor.
    Posts
    9,890

    Default

    Gentle Readers,

    Sometimes when folks give out warnings, they have to protect their business and the clients reputation.

    If you want to find out which little snippet of infectious code is there, set up a spare, isolated , machine, download the code, and see what happens. I mean it only takes, what, about 2 hours to set up a windows machine ??? Then when your done spend another 20 minutes low leveling the hard drive and another two hours to recover the machine.

    Make sure set up a INTRANET inside the firewall so it thinks its at home.

    Steve
    Qui habet Christos, habet Vitam!
    I should have rented the space under my name for advertising.
    When I still could have...

  3. #23
    Join Date
    Dec 2007
    Posts
    284

    Default

    mixedgas, ever heard of virtual machines?
    and yes, of course medialas will claim that the cracked version contains malicious code. i'd do the same thing if i were them to scare ppl that intend to use it.

  4. #24
    mixedgas's Avatar
    mixedgas is offline Creaky Old Award Winning Bastard Technologist
    Infinitus Excellentia Ion Laser Dominatus
    Join Date
    May 2007
    Location
    A lab with some dripping water on the floor.
    Posts
    9,890

    Default

    [QUOTE=decix;95304]mixedgas, ever heard of virtual machines?


    I thought about that, and then decided the best way to deal with it is to hardware contain it. Since I used to be responsible for about 25 computers used by grad students who downloaded much stuff out of China, I tend to err on the extreme side of virus prevention.

    There used to be, and still probably is this browser plugin that never goes away called Red Star News. For some reason, Chinese students loved it,
    dispite its habits of seizing the machine, burning 80 of available resources, and sending byte by byte of the hard drive some place. Once on a machine it was self installing, again and again and again, so the only quick way to ditch it was to low level format the machine.

    It nicely put up its ICON to let you know it was back.

    Regedit was no help either.
    Qui habet Christos, habet Vitam!
    I should have rented the space under my name for advertising.
    When I still could have...

  5. #25
    Join Date
    Jul 2008
    Location
    Maryland
    Posts
    1,691

    Default

    i would setup a VM for this but i do not have the pirated software to test.
    I quite happy not having it but would test it if someone actually wanted me to..

    Thank you for the detail Adam, that does actually clear things up. If the virus was embedded in the autorun of the CD, or the installer file (triggered by the autorun), then it probably was/is a dropper.

    The software is illegal and pirated, so it should NOT be used at all, but if the trojan is recognized by up2date virus protection, you should not have any issue.

    Again it is pirated software so it comes without warranty and could screw up your system.
    Quis custodiet ipsos custodies?
    Solid State Builders Group

  6. #26
    Join Date
    Jan 2006
    Location
    Charleston, SC
    Posts
    2,147,489,446

    Default

    Quote Originally Posted by decix View Post
    of course medialas will claim that the cracked version contains malicious code. i'd do the same thing if i were them to scare ppl that intend to use it.
    Except that in this case, they are not trying to "scare" people. The threat is real and has been reported by several different ILDA members. I can understand why you'd be skeptical if Medialas were the only one's talking about this, but that's not the case here. The threat is real.

    Adam

  7. #27
    Join Date
    Jan 2006
    Location
    Charleston, SC
    Posts
    2,147,489,446

    Cool

    Quote Originally Posted by decix View Post
    Don't like the snake.
    HAHAHA!

    I had to think a moment about that before I got it... Yeah, it is sort of creepy when you see that big snake on the cover of the user manual!

    Adam

  8. #28
    Join Date
    Sep 2006
    Location
    Netherlands
    Posts
    1,435

    Default

    Sorry buffo, I did not want to piss you off, I never said you have a double agenda.

    My point is, that your post just did not contain that much new information.
    I just thought you would fill in the details, but instead you go ballistic, calm down man.

    You don't have to convice me that mamba contains a threat, adding more information to it would just add more credibility to the claim.

  9. #29
    Join Date
    Apr 2007
    Location
    Toronto Canada
    Posts
    1,120

    Default

    he virus checker popped up an alert window as soon as autoplay started.

    Thats autoplay virus. It put entry into Autorun.inf file. So when system scans for new drive computer is infected.
    MS32dll.vbs run.bat run.exe are the file it referees to which is hidden and sit in root. Also virus changes registry and blocks ability to see hiden files. It puts autorun.inf together with a executable file on evey drive. You insert flash drive...booomm it's infected!
    I hired an Italian guy to do my wires. Now they look like spaghetti!

  10. #30
    Join Date
    Nov 2007
    Location
    Cairns, Australia
    Posts
    1,896

    Default

    Also keep in mind, it is *CRACKED* software, so it may even have the cracking program on the disk, to crack the program when it runs! In that case, your AV would be picking up the keygen/cracking proggy, and not the program itself.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •