Posts: 354
Threads: 19
Joined: Jun 2010
18 Oct 10, 10:50PM
(This post was last modified: 19 Oct 10, 09:25AM by RandumKiwi.)
Someone has created a website called assault-cube.com, where they pose as the game authors and use a modified installer and package of AC to spread malware.
Do not download the game from this site.
I have contacted them, and also the virus-check sites they abused to lure people into false security. I suspect that the "installer" is malware-free; since it's very small, I guess it's just for downloading their tainted package after you execute it.
If it weren't that sad, I'd be amused at what sort of pathetic low-lives creep around out there...
Posts: 1,823
Threads: 20
Joined: Jun 2010
It means we're popular enough to be impersonated!
Posts: 239
Threads: 15
Joined: Aug 2010
That's an ugly website. Don't click the link because it will hurt your eyes.
Posts: 591
Threads: 19
Joined: Jun 2010
18 Oct 10, 11:42PM
(This post was last modified: 19 Oct 10, 12:03AM by Alien.)
no worries :P the internet doesn't cover these assholes :P
1. report it at the registrar http://www.namecheap.com/
Domain Name: ASSAULT-CUBE.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS.SOURCEDNS.COM
Name Server: NS1.SOURCEDNS.COM
Status: clientTransferProhibited
Updated Date: 16-sep-2010
Creation Date: 16-sep-2010
Expiration Date: 16-sep-2011
2. hosting
http://www.liquidweb.com/
NetRange: 69.167.128.0 - 69.167.191.255
CIDR: 69.167.128.0/18
OriginAS: AS32244
NetName: LIQUIDWEB-9
NetHandle: NET-69-167-128-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS.LIQUIDWEB.COM
NameServer: NS1.LIQUIDWEB.COM
RegDate: 2009-02-23
Updated: 2009-02-23
Ref: http://whois.arin.net/rest/net/NET-69-167-128-0-1
OrgName: Liquid Web, Inc.
OrgId: LQWB
Address: 4210 Creyts Rd.
City: Lansing
StateProv: MI
PostalCode: 48917
Country: US
RegDate: 2001-07-20
Updated: 2008-12-19
Ref: http://whois.arin.net/rest/org/LQWB
ReferralServer: rwhois://rwhois.liquidweb.com:4321/
OrgAbuseHandle: ABUSE551-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-800-580-4985
OrgAbuseEmail: [email protected]
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE551-ARIN
OrgTechHandle: IPADM47-ARIN
OrgTechName: IP Administrator
OrgTechPhone: +1-800-580-4985
OrgTechEmail: [email protected]
OrgTechRef: http://whois.arin.net/rest/poc/IPADM47-ARIN
Posts: 3,462
Threads: 72
Joined: Jun 2010
Should we cube, carve, slice, slash, butcher, shank, hash, knife, or shred them to pieces by (killers) knife?
Posts: 70
Threads: 22
Joined: Jun 2010
I posted a thread about a Google ad I viewed after going to SourceForge a day after the 1.1.0.3 release. It had a slightly different file name to click on (but I didn't). Anyone know if that was official or not? I just downloaded it from SourceForge the normal way but watched the ad that had video of people playing the game. The ad was in a window on SourceForge.
Posts: 739
Threads: 20
Joined: Jun 2010
19 Oct 10, 06:29AM
(This post was last modified: 19 Oct 10, 07:55PM by pwnage{TyD}.)
(Content removed)
Mod edit: Do not post stuff like this in future. And stay on topic when posting.
Posts: 377
Threads: 4
Joined: Jun 2010
..... NOT MEAT SPIN
fml......
Posts: 1,039
Threads: 77
Joined: Jun 2010
If imitation is the highest form of flattery, then I hope the owner of that site is a beautiful woman, not an ugly old man.
Posts: 1,039
Threads: 77
Joined: Jun 2010
If someone sees one of these AssaultCube adverts that are not for AssaultCube (i.e. malware), can you please copy/paste the page source (in Firefox, click "View" then "Page Source") and send all of that in an email to me.
Posts: 488
Threads: 12
Joined: Jun 2010
Could a mod or dev please censor the link.. seeing as we have 'minors' viewing these forums..
Posts: 1,436
Threads: 7
Joined: Jun 2010
[standard@nemo ~]$ hexdump -C /tmp/AssaultCube-Installer.exe | grep -in nsis
1837:000076f0 73 2e 73 66 2e 6e 65 74 2f 4e 53 49 53 5f 45 72 |s.sf.net/NSIS_Er|
1843:00007750 70 00 00 00 4e 53 49 53 20 45 72 72 6f 72 00 00 |p...NSIS Error..|
3338:0000dc20 6c 6c 73 6f 66 74 2e 4e 53 49 53 2e 65 78 65 68 |llsoft.NSIS.exeh|
Indeed, NSIS.
Do you know for sure that it installs malware? (yes, I know that this whole website and stuff stinks as hell, but I don't actually feel like trying it out...)
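The `hexdump -C ... | grep -in nsis` check above, as an added example that is not from the post: a small Python triage helper that looks for the NSIS strings quoted in the hexdump output and reports their offsets in the same hexdump style. The marker strings from the post are used as-is; "NullsoftInst" (the signature NSIS writes into its first header) and the sample bytes are my additions, and the sample is constructed, not a real installer.

```python
"""Triage helper: look for NSIS installer markers inside a binary.

Added example, not from the thread. It reproduces the
`hexdump -C file | grep -in nsis` check as a reusable function and
reports the offset of every hit, so a reviewer can recognise an
NSIS-packed executable from the strings it embeds.
"""
import re
from pathlib import Path
from typing import Dict, List, Union

# "Nullsoft.NSIS.exehead" and "NSIS Error" are the strings visible in the
# thread's hexdump. "NullsoftInst" is the signature NSIS writes into its
# first header block (my addition, not from the post).
NSIS_MARKERS = [
    b"Nullsoft.NSIS.exehead",
    b"NSIS Error",
    b"NullsoftInst",
]


def find_markers(data: bytes, markers=NSIS_MARKERS) -> Dict[str, List[int]]:
    """Return {marker: [offsets]} for every marker found in data (case-insensitive, like grep -i)."""
    hits: Dict[str, List[int]] = {}
    for m in markers:
        offsets = [match.start() for match in re.finditer(re.escape(m), data, re.IGNORECASE)]
        if offsets:
            hits[m.decode()] = offsets
    return hits


def looks_like_nsis(path_or_bytes: Union[str, Path, bytes]) -> bool:
    """True if any NSIS marker appears in the file (or byte string) given."""
    data = path_or_bytes if isinstance(path_or_bytes, bytes) else Path(path_or_bytes).read_bytes()
    return bool(find_markers(data))


def hexdump_line(data: bytes, offset: int, width: int = 16) -> str:
    """Format one `hexdump -C` style line starting at offset, for the report."""
    chunk = data[offset:offset + width]
    hex_part = " ".join(f"{b:02x}" for b in chunk)
    ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{offset:08x}  {hex_part:<{width * 3 - 1}}  |{ascii_part}|"


# Constructed sample: a stand-in "executable" with NSIS strings buried in it.
SAMPLE = (b"MZ" + b"\x00" * 0x20 + b"NSIS Error\x00" + b"\x00" * 8
          + b"Nullsoft.NSIS.exehead" + b"\x00" * 5)

if __name__ == "__main__":
    for marker, offsets in find_markers(SAMPLE).items():
        for off in offsets:
            aligned = off - (off % 16)  # start the dump line on a 16-byte boundary
            print(f"{marker!r} at 0x{off:x}: {hexdump_line(SAMPLE, aligned)}")
    print("NSIS installer?", looks_like_nsis(SAMPLE))
```

Run it against a real file with `looks_like_nsis("AssaultCube-Installer.exe")`. A hit only tells you the file is an NSIS package, which is true of the genuine installer too; the next step is extracting it (as the later post does with PeaZip) and looking at what is inside.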
Posts: 157
Threads: 5
Joined: Jun 2010
Well, unless anyone wants to be our guinea pig for the day.....
Posts: 297
Threads: 5
Joined: Jun 2010
One of you 'tec' types could run it in a virtual sandbox and then you would know.
Posts: 481
Threads: 11
Joined: Jul 2010
Honestly, I will be happy to be your guinea pig. How do I do this? Just download and install the program?
school computers ftw! ;)
Posts: 1,436
Threads: 7
Joined: Jun 2010
19 Oct 10, 10:00PM
(This post was last modified: 19 Oct 10, 10:00PM by tempest.)
Oh no, you'd better not. This appears to be an installer hidden in an installer (PeaZip ftw, it can extract compiled NSIS archive-executables).
The actual payload:
http://img842.imageshack.us/img842/3326/stinks.png
Definitely not what should be there, and I bet it's full of bad stuff. If you're lucky, it's just adware.
Posts: 533
Threads: 33
Joined: Jun 2010
Most complaints I heard about it: it's adware installing Bing as the default search engine and such dumb stuff. Anyways, it's illegal and does harm our image ...
Posts: 1,436
Threads: 7
Joined: Jun 2010
19 Oct 10, 10:07PM
(This post was last modified: 19 Oct 10, 10:08PM by tempest.)
(19 Oct 10, 10:07PM) ärkefiende Wrote: Most complaints I heard about it's adware installing Bing as default search engine...
Now what the hell would that be good for? Lol, those guys are so incredibly stupid.
Posts: 44
Threads: 6
Joined: Aug 2010
20 Oct 10, 12:03AM
(This post was last modified: 20 Oct 10, 12:03AM by eynstyne.)
Can someone PM me the link to the suspicious file?
I may be able to examine it in full detail. I'll try my best.
Thanks
Posts: 1,823
Threads: 20
Joined: Jun 2010
eynstyne: read the first post.
OH NO, it's Bing!
Posts: 44
Threads: 6
Joined: Aug 2010
20 Oct 10, 01:10AM
(This post was last modified: 20 Oct 10, 06:59PM by eynstyne.)
Please DO NOT under any circumstances download any files from that domain.
Below is my analysis from the exe/server
I can assure you IT IS NOT just a Bing toolbar installer
The main index.html page:
    <?php
    $referrer = $_SERVER['HTTP_REFERER'];
    if (preg_match("forum.cubers.net",$referrer)) {
        header('Location: ');
    } else {
    };
    ?>
is completely visible and shows bad coding in general.
Some javascript is completely obfuscated (gpl_lp.js)
Open Ports on 69.167.x.x Thanks NMAP :)
21/tcp open ftp PureFTPd
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 1024 3f:c9:96:84:9f:37:6a:20:4c:90:44:47:5b:ec:0e:05 (DSA)
|_2048 4b:80:de:1f:ad:3f:25:f4:a7:52:f9:6f:98:23:68:de (RSA)
53/tcp open domain
| dns-zone-transfer:
| assault-cube.com SOA ns1.awesomefreegames.net sid18.gmx.com
| assault-cube.com MX assault-cube.com
| assault-cube.com NS ns1.awesomefreegames.net
| assault-cube.com NS ns2.awesomefreegames.net
| assault-cube.com A 69.167.170.233
| cpanel.assault-cube.com A 69.167.170.233
| ftp.assault-cube.com A 69.167.170.233
| localhost.assault-cube.com A 127.0.0.1
| mail.assault-cube.com CNAME
| track.assault-cube.com A 69.167.170.233
| www.track.assault-cube.com A 69.167.170.233
| webdisk.assault-cube.com A 69.167.170.233
| webmail.assault-cube.com A 69.167.170.233
| whm.assault-cube.com A 69.167.170.233
| www.assault-cube.com CNAME
|_assault-cube.com SOA ns1.awesomefreegames.net sid18.gmx.com
80/tcp open http Apache httpd 2.0.63 ((Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14)
| robots.txt: has 3 disallowed entries
|_/final-step/ /track/ /files/
|_html-title: AssaultCube
|_http-favicon: Unknown favicon MD5: BDF12BD1423753562AAFB2E4E2CE9600
110/tcp open pop3 Courier pop3d
|_pop3-capabilities: USER STLS IMPLEMENTATION(Courier Mail Server) UIDL PIPELINING LOGIN-DELAY(10) TOP OK(K Here s what I can do)
143/tcp open imap Courier Imapd (released 2008)
|_imap-capabilities: THREAD=ORDEREDSUBJECT QUOTA STARTTLS THREAD=REFERENCES UIDPLUS ACL2=UNION SORT ACL IMAP4rev1 IDLE NAMESPACE CHILDREN
443/tcp open http Apache httpd 2.0.63 ((Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14)
|_html-title: Site doesn't have a title (text/html).
465/tcp open ssl/smtp Exim smtpd 4.69
|_sslv2: server still supports SSLv2
| smtp-commands: EHLO host.awesomefreegames.net Hello 206-248-163-81.dsl.teksavvy.com [206.248.163.81], SIZE 52428800, PIPELINING, AUTH PLAIN LOGIN, HELP
|_HELP Commands supported: AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
993/tcp open ssl/imap Courier Imapd (released 2008)
|_sslv2: server still supports SSLv2
|_imap-capabilities: THREAD=ORDEREDSUBJECT QUOTA AUTH=PLAIN THREAD=REFERENCES UIDPLUS ACL2=UNION SORT ACL IMAP4rev1 IDLE NAMESPACE CHILDREN
995/tcp open ssl/pop3 Courier pop3d
|_sslv2: server still supports SSLv2
|_pop3-capabilities: USER IMPLEMENTATION(Courier Mail Server) UIDL PIPELINING OK(K Here s what I can do) TOP LOGIN-DELAY(10)
3306/tcp open mysql MySQL (unauthorized)
6666/tcp open melange Melange Chat Server 1.10
Device type: WAP|general purpose|firewall
Running (JUST GUESSING) : Linksys Linux 2.4.X (92%), Linux 2.4.X|2.6.X (91%), Check Point Linux 2.4.X (86%)
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (91%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (91%), Linux 2.6.20.6 (87%), Linux 2.6.19 - 2.6.24 (87%), Linux 2.6.18 (86%), Linux 2.6.18 - 2.6.21 (86%), OpenWrt Kamikaze 7.09 (Linux 2.6.17 - 2.6.21) (86%), Linux 2.6.22 (Fedora 7) (86%), Check Point NGX R65 firewall (Linux 2.4.21) (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 14 hops
TCP Sequence Prediction: Difficulty=206 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: host.awesomefreegames.net
TRACEROUTE (using port 20/tcp)
HOP RTT ADDRESS
1 26.00 ms 206.248.154.104
2 79.00 ms 69.196.136.34
3 92.00 ms peer1.bdr02.tor.packetflow.ca (64.34.236.121)
4 119.00 ms 10ge.xe-2-0-0.tor-151f-cor-1.peer1.net (216.187.114.145)
5 121.00 ms 10ge.xe-0-0-0.tor-1yg-cor-1.peer1.net (216.187.114.133)
6 123.00 ms 10ge.xe-0-0-0.chi-eqx-dis-1.peer1.net (216.187.114.141)
7 125.00 ms ge-6-23.car4.Chicago1.Level3.net (4.71.102.13)
8 128.00 ms ae-32-56.ebr2.Chicago1.Level3.net (4.68.101.190)
9 130.00 ms ae-5-5.ebr2.Chicago2.Level3.net (4.69.140.194)
10 142.00 ms ae-2-52.edge2.Chicago2.Level3.net (4.69.138.163)
11 225.00 ms GLOBAL-INTE.edge2.Chicago2.Level3.net (4.59.29.78)
12 193.00 ms lw-core4-te91.rtr.liquidweb.com (209.59.157.206)
13 163.00 ms lw-dc3-dist8-po5.rtr.liquidweb.com (69.167.128.133)
14 139.00 ms 69.167.170.233 <---- The webserver
Location: Lansing, Michigan, United States
Exe file installer:
Unpacks the following in the temporary directory:
NSISdl.dll <-- NSIS silent downloader. Attempts to download Zugo which is known for distribution of malware
gmx-silent-1.exe <-- Spawned subprocess from the assaultcube-installer.exe file
getCountry <-- Text file containing region acquired from windows
System.dll <-- Set PAGE_EXECUTE_READWRITE on a certain block of Virtual memory
Math.dll <-- safe NSIS file
inetc.dll <-- Attempts to download any files from a remote ftp site (safe NSIS file)
nsisos.dll <-- Profile OS as winnt,9x,31 or unknown (safe NSIS file)
GetVersion.dll <-- Gets current version of windows. Checks for SP6 (safe NSIS file)
MD5dll.dll <-- It's fine...
registeraction
and much more, but I stopped debugging at that time
The sub installer gmx-silent-1.exe queries Application Data/Mozilla Firefox/profiles.ini
Reads under profiles/<name>.default/prefs.js
Reads browserconfig.properties
Checks for various registry keys
- HKCU\Software\Wyzo, Some firefox keys
And changes browser search settings to definitely unwanted stuff
Attempts to Install items in Program Files\GMX
Finds Internet Explorer, Opera, Firefox
Attempts to Install C:\Program Files\Search Toolbar
ShellExecute (Call the fake web page with some BS locale info gathering)
Installs Registry Key under HKCU\Software\Zugo
Subkey SID with string data 24xvb
Self Destruct
BTW, Still looking into it
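The post above says the dropped sub-installer reads the Firefox profile's prefs.js and rewrites browser search settings. As an added example (not part of eynstyne's analysis), here is a defender-side check for exactly that: parse prefs.js, which is one `user_pref("name", value);` statement per line, and diff the search-related prefs against a snapshot taken before the installer ran. The pref names in SEARCH_PREFS and both snapshots are constructed for the example, not taken from the sample.

```python
"""Spot search-setting tampering in a Firefox prefs.js.

Added example, not from the thread. prefs.js holds one
user_pref("name", value); per line; this parses it and reports which
search-related prefs changed between two snapshots of the file.
"""
import ast
import re
from typing import Dict, Tuple, Union

Pref = Union[str, int, bool]

# user_pref("<name>", <value>);  -- name is a JS string, value is a JS
# string, integer or boolean literal.
PREF_LINE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')

# Prefs that decide where a typed search or the start page goes. Any
# change here right after an "installer" ran deserves a look. Names are
# assumed for the example.
SEARCH_PREFS = {
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "keyword.URL",
    "browser.startup.homepage",
}


def parse_prefs(text: str) -> Dict[str, Pref]:
    """Parse prefs.js text into {name: value}; lines that are not user_pref() are skipped."""
    prefs: Dict[str, Pref] = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything else
        name, raw = m.group(1), m.group(2).strip()
        if raw == "true":
            value: Pref = True
        elif raw == "false":
            value = False
        elif raw.startswith('"'):
            value = ast.literal_eval(raw)  # a JS double-quoted literal is also a valid Python one
        else:
            value = int(raw)
        prefs[name] = value
    return prefs


def search_changes(before: str, after: str) -> Dict[str, Tuple]:
    """Return {pref: (old, new)} for every search-related pref that differs (None = absent)."""
    b, a = parse_prefs(before), parse_prefs(after)
    return {name: (b.get(name), a.get(name))
            for name in SEARCH_PREFS if b.get(name) != a.get(name)}


# Constructed snapshots: prefs.js before and after a hostile installer ran.
BEFORE = '''# Mozilla User Preferences
user_pref("browser.search.defaultenginename", "Google");
user_pref("browser.startup.homepage", "http://example.invalid/home");
user_pref("browser.tabs.warnOnClose", false);
user_pref("network.cookie.cookieBehavior", 0);
'''

AFTER = '''# Mozilla User Preferences
user_pref("browser.search.defaultenginename", "Search Toolbar");
user_pref("browser.search.selectedEngine", "Search Toolbar");
user_pref("keyword.URL", "http://example.invalid/search?q=");
user_pref("browser.startup.homepage", "http://example.invalid/home");
user_pref("browser.tabs.warnOnClose", false);
user_pref("network.cookie.cookieBehavior", 0);
'''

if __name__ == "__main__":
    for name, (old, new) in sorted(search_changes(BEFORE, AFTER).items()):
        print(f"{name}: {old!r} -> {new!r}")
```

In practice you would feed `search_changes` the prefs.js copied out of the profile before running an unknown installer and the one left behind afterwards; a clean installer produces an empty result.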
Posts: 684
Threads: 36
Joined: Jun 2010
Great work in debugging, eynstyne! :)
Does it try to get passwords and other secured info?
Posts: 157
Threads: 5
Joined: Jun 2010
So now that we've found out that these guys are distributing malware / adware. What can we do to take them off the web?
Posts: 44
Threads: 6
Joined: Aug 2010
20 Oct 10, 02:46AM
(This post was last modified: 20 Oct 10, 03:04AM by eynstyne.)
Well, with lots of ports open and some unprotected services, it is possible but not exactly ethical to bring it down by using exploits on the particular service versions running. Or simply DDOS them with hping.
Just ideas, but not going that far. The data should be enough to contact the proper authorities to get this fixed.
@Brahma
No, it doesn't keylog or install rootkits/spyware. The installer is merely like a trojan to fetch bad search providers and change as many browser preferences as possible on as many browsers. It is the toolbars and payload it fetches that are the most concern.
Posts: 481
Threads: 11
Joined: Jul 2010
._. that looks deadly...
eynstyne should be given a medal of honor for saving innocent people from fake-ac malware :D
Posts: 562
Threads: 61
Joined: Jul 2010
20 Oct 10, 03:45AM
(This post was last modified: 20 Oct 10, 03:52AM by vonunov.)
Since no one else did it yet, I booted up the ol' Windows VM to see what it does on a practical basis.
It starts out appearing as a normal AC installer, ending with the expected opening of the AC website:
1. https://uloadr.com/u/l5p.png
2. https://uloadr.com/u/onc.png
3. https://uloadr.com/u/8lg.png
4. https://uloadr.com/u/6t3.png
5. https://uloadr.com/u/cny.png
6. https://uloadr.com/u/958.png
7. https://uloadr.com/u/jrt.png
8. https://uloadr.com/u/3p4.png
9. https://uloadr.com/u/t4m.png
10. https://uloadr.com/u/3ng.png
11. https://uloadr.com/u/87d.png
During and after this installation, Process Explorer shows no malicious processes:
12. https://uloadr.com/u/654.png
13. https://uloadr.com/u/tuy.png
The AC which was just installed launches OK:
14. https://uloadr.com/u/u6n.png
After launching AC and after closing it, there are still no malicious processes:
15. https://uloadr.com/u/81p.png
16. https://uloadr.com/u/5q2.png
17. https://uloadr.com/u/3yb.png
At this point I rebooted just in case any malware needed a chance to get going.
Updated MBAM and ran a quick scan (full scan is not necessary):
18. https://uloadr.com/u/49j.png
While that was running, I ran a checksum on the "fake" AC installer and the "real" one hosted on the genuine site. They match (fake first, real second):
19. https://uloadr.com/u/am0.png
20. https://uloadr.com/u/0ok.png
The MBAM scan completed clean:
21. https://uloadr.com/u/i05.png
As a final check, GMER (rootkit detector) was also clean. (No screenshot included as there is absolutely nothing to see.)
Conclusion: No malware or anything otherwise malicious -- the installer wasn't even tampered with -- except misdirecting users, possibly in an attempt to get advertisement hits or to establish the false site as genuine for future attacks.
Also, browser search settings were not tampered with, nor were any toolbars or other unwanted packages installed.
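The checksum comparison in the post above, as an added example that is not vonunov's script: hash the installer fetched from the suspect site and the one from the genuine host and compare them, plus the everyday form of the same check, comparing a download against a hash the project publishes. SHA-256 is my choice (the post does not say which checksum was used), and the three files in `demo()` are constructed stand-ins, not real installers.

```python
"""Verify a downloaded installer against a published checksum.

Added example, not from the thread. Streams the file through the hash so
large installers need not fit in memory, and compares digests with
hmac.compare_digest rather than ==.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB pieces


def file_digest(path, algo: str = "sha256") -> str:
    """Hex digest of the file at path (algorithm assumed: sha256)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, expected_hex: str, algo: str = "sha256") -> bool:
    """True iff the file's digest equals the published one (case of the hex is ignored)."""
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def same_contents(path_a, path_b, algo: str = "sha256") -> bool:
    """The comparison from the post: does the 'fake' installer match the 'real' one?"""
    return hmac.compare_digest(file_digest(path_a, algo), file_digest(path_b, algo))


def demo() -> dict:
    """Run both checks on constructed stand-in files (not real installers)."""
    with tempfile.TemporaryDirectory() as d:
        real = Path(d) / "AssaultCube-real.exe"
        mirror = Path(d) / "AssaultCube-mirror.exe"
        tampered = Path(d) / "AssaultCube-tampered.exe"
        real.write_bytes(b"MZ" + b"installer body" * 1000)
        mirror.write_bytes(real.read_bytes())                     # byte-identical copy
        tampered.write_bytes(real.read_bytes() + b"extra stage")  # something appended
        published = file_digest(real)  # what the genuine site would publish
        return {
            "mirror_matches_real": same_contents(mirror, real),
            "tampered_matches_real": same_contents(tampered, real),
            "mirror_verifies": verify_download(mirror, published.upper()),
            "tampered_verifies": verify_download(tampered, published),
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The value of the check depends on where `expected_hex` comes from: a hash published on the same page as a suspect download proves nothing, so take it from the project's own site or its SourceForge file listing, as the post does by fetching the genuine installer for comparison.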
Posts: 1,039
Threads: 77
Joined: Jun 2010
They changed the executable download. I'm sure it used to direct somewhere else, whereas now it directs to sourceforge (our host) to download our file.
Posts: 3,780
Threads: 33
Joined: Jun 2010
20 Oct 10, 07:28AM
(This post was last modified: 20 Oct 10, 07:35AM by V-Man.)
Sure makes Bing.com look bad (I mean worse than it already looked).
I remember being taken to assault-cube.com after clicking a Google ad for AssaultCube from Sourceforge... Does Google have anything to do with it / know about this travesty?
As for what we should do, ...is there a specific target? Where is the fraudulent Facebook account so we can report it to the Facebook staff?
Posts: 269
Threads: 11
Joined: Jun 2010
Let's get Undead to DDoS them :P
I reported the website to Google and Mozilla, for forgery and as a security threat.
Posts: 44
Threads: 6
Joined: Aug 2010
20 Oct 10, 04:41PM
(This post was last modified: 20 Oct 10, 06:57PM by eynstyne.)
When you first enter the site, the download is the proper one. However, moving anywhere else on the site such as the screenshots page will also contain a download link. This is where I got the file, not the index page.
This is the same link that has the assaultcube-installer.exe fake package
However, today the links point to a mediafire file, which is indeed a properly sized AssaultCube installer file!
Either they are trying to cover their tracks, or an XSS exploit was found.
Still, the facebook link with the naughty file is still active
If you wish to contact these ppl... http://72.52.143.151/cgi-sys/ will link you to a 403 forbidden, but contains a link to mail to these ppl / subhumans.
Mailing address: [email protected]
Here is some more stuff -> http://72.52.143.151/cgi-sys/defaultwebpage.cgi (Running Apache 2.0.63 with WHM)
http://72.52.143.151/~facebook/ <-- Error, which can potentially lead to exploit
NMAP scan shows the exact same ports open and exact same versions of services:
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp PureFTPd
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 1024 f9:d3:d6:85:43:46:32:57:40:48:c2:d6:b8:af:00:0d (DSA)
|_2048 03:da:1f:cd:ba:5c:63:5e:de:a5:d3:e6:e3:5b:b0:89 (RSA)
53/tcp open domain
| dns-zone-transfer:
| superfastredirect.com SOA ns1.superfastredirect.com sid18.gmx.com
| superfastredirect.com MX superfastredirect.com
| superfastredirect.com NS ns1.superfastredirect.com
| superfastredirect.com NS ns2.superfastredirect.com
| superfastredirect.com A 72.52.143.151
| 1.superfastredirect.com A 72.52.143.151
| www.1.superfastredirect.com A 72.52.143.151
| ftp.superfastredirect.com CNAME
| lambda.superfastredirect.com A 72.52.143.151
| localhost.superfastredirect.com A 127.0.0.1
| mail.superfastredirect.com CNAME
| www.superfastredirect.com CNAME
|_superfastredirect.com SOA ns1.superfastredirect.com sid18.gmx.com
80/tcp open http Apache httpd 2.0.63 ((Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9)
|_html-title: Site doesn't have a title (text/html).
110/tcp open pop3 Courier pop3d
|_pop3-capabilities: USER STLS IMPLEMENTATION(Courier Mail Server) UIDL PIPELINING LOGIN-DELAY(10) TOP OK(K Here s what I can do)
143/tcp open imap Courier Imapd (released 2008)
|_imap-capabilities: THREAD=ORDEREDSUBJECT QUOTA STARTTLS THREAD=REFERENCES UIDPLUS ACL2=UNION SORT ACL IMAP4rev1 IDLE NAMESPACE CHILDREN
443/tcp open http Apache httpd 2.0.63 ((Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9)
|_html-title: Site doesn't have a title (text/html).
465/tcp open ssl/smtp Exim smtpd 4.69
|_sslv2: server still supports SSLv2
| smtp-commands: EHLO host.superfastredirect.com Hello 206-248-163-81.dsl.teksavvy.com [206.248.163.81], SIZE 52428800, PIPELINING, AUTH PLAIN LOGIN, HELP
|_HELP Commands supported: AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
993/tcp open ssl/imap Courier Imapd (released 2008)
|_sslv2: server still supports SSLv2
|_imap-capabilities: THREAD=ORDEREDSUBJECT QUOTA AUTH=PLAIN THREAD=REFERENCES UIDPLUS ACL2=UNION SORT ACL IMAP4rev1 IDLE NAMESPACE CHILDREN
995/tcp open ssl/pop3 Courier pop3d
|_sslv2: server still supports SSLv2
|_pop3-capabilities: USER IMPLEMENTATION(Courier Mail Server) UIDL PIPELINING OK(K Here s what I can do) TOP LOGIN-DELAY(10)
3306/tcp open mysql MySQL (unauthorized)
6666/tcp closed irc
Device type: WAP|general purpose|firewall
Running (JUST GUESSING) : Linksys Linux 2.4.X (92%), Linux 2.4.X|2.6.X (91%), Check Point Linux 2.4.X (86%)
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (91%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (91%), Linux 2.6.20.6 (87%), Linux 2.6.19 - 2.6.24 (87%), Linux 2.6.18 (86%), Linux 2.6.18 - 2.6.21 (86%), OpenWrt Kamikaze 7.09 (Linux 2.6.17 - 2.6.21) (86%), Linux 2.6.22 (Fedora 7) (86%), Check Point NGX R65 firewall (Linux 2.4.21) (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 15 hops
TCP Sequence Prediction: Difficulty=206 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE (using port 20/tcp)
HOP RTT ADDRESS
1 15.00 ms 206.248.154.104
2 15.00 ms 69.196.136.34
3 15.00 ms peer1.bdr02.tor.packetflow.ca (64.34.236.121)
4 15.00 ms 10ge.xe-2-0-0.tor-151f-cor-1.peer1.net (216.187.114.145)
5 0.00 ms 10ge.xe-0-0-0.tor-1yg-cor-1.peer1.net (216.187.114.133)
6 31.00 ms 10ge.xe-0-0-0.chi-eqx-dis-1.peer1.net (216.187.114.141)
7 78.00 ms ge-6-23.car4.Chicago1.Level3.net (4.71.102.13)
8 31.00 ms ae-31-53.ebr1.Chicago1.Level3.net (4.68.101.94)
9 31.00 ms ae-6-6.ebr1.Chicago2.Level3.net (4.69.140.190)
10 31.00 ms ae-1-51.edge2.Chicago2.Level3.net (4.69.138.131)
11 32.00 ms GLOBAL-INTE.edge2.Chicago2.Level3.net (4.59.29.78)
12 32.00 ms lw-core4-te91.rtr.liquidweb.com (209.59.157.206)
13 16.00 ms lw-dc2-core4-ge2-15.rtr.liquidweb.com (209.59.157.106)
14 31.00 ms lw-dc2-sec1-dist2-po2.rtr.liquidweb.com (209.59.157.130)
15 31.00 ms host.superfastredirect.com (72.52.143.151)
Same exact location: Lansing, Michigan. But a different server.
So they have 2 of them, maybe even more.