Forum

An explanation of SteamStealer aka "Ebola.scr"

Created 21st December 2014 @ 14:38

Add A Reply Pages: « Previous 1 2 3 Next »

Flow.

Nein

Quoted from CHERRY

Who the fuck writes a virus in C#?

Apparently somebody, who obfuscates the code with a bad open source packer. I guess this stuff is patched together from several code snippets. I don’t complain at all, because they just made my work easier. I only had to de-obfuscate to get to the source instead of reading a lot of stuff in my debugger xD. But writing it in C# doesn’t mean it’s less harmful…

Phnx

Online

Quoted from CHERRY

Who the fuck writes a virus in C#?

lol I actually understood it.
wow that’s not that difficult to create haha.

CHERRY

Quoted from Flow.

[…]
Apparently somebody, who obfuscates the code with a bad open source packer. I guess this stuff is patched together from several code snippets. I don’t complain at all, because they just made my work easier. I only had to de-obfuscate to get to the source instead of reading a lot of stuff in my debugger xD. But writing it in C# doesn’t mean it’s less harmful…

My country’s electoral calculator was written in C# guess how it ended?
.
.
.
.
.
https://github.com/wybory2014/Kalkulator1
They even included pdo files with executable :D


Last edited by CHERRY,

Flow.

Nein

Oh look what I’ve found ;)
http://steamstealer.com/

I guess I’ve got their latest source code for free which they had “protected” … Suddenly C# makes sense when you want your customers to be able to edit it to their needs. Valve REALLY needs to patch the security flaw in steamclient.dll …

rockie

wow good job man, definitely interested to see what else this thing hides, does this malware affect other steam accounts on the pc, or just the one you’re currently using?


Last edited by rockie,

Flow.

Nein

Quoted from rockie

wow good job man, definitely interested to see what else this thing hides, does this malware affect other steam accounts on the pc, or just the one you’re currently using?

I think Steam creates and saves the hashes only for the current account. So if you switch users, the previous one should be fine. Since I don’t exactly know how Steam works, I can’t tell for sure. Let’s just hope that Valve is aware of this and stops these guys from making profit by selling this stuff to scammers.

CHERRY

Quoted from Flow.

[…]
I think Steam creates and saves the hashes only for the current account. So if you switch users, the previous one should be fine. Since I don’t exactly know how Steam works, I can’t tell for sure. Let’s just hope that Valve is aware of this and stops these guys from making profit by selling this stuff to scammers.

I don’t think it works like that, not 100% sure though.

CHERRY

Quick fix for sending mass messages http://teamfortress.tv/thread/21707/how-to-protect-yourself-from-steam-viruses#376836

Kengur

volvo is stupid to stores obvious cookies with steamID

MatchCollection matchs = new Regex(“7656119[0-9]{10}%7c%7c[A-F0-9]{40}”, RegexOptions.IgnoreCase).Matches(preparedIDs);

Untill this shit is fixed there’s little to be done elsewhere.


Last edited by Kengur,

CapTVK

HoT<3

Thank you for your informative post. I’ve received several of these sorts of these “friend” invites on a weekly basis for a very long time so i’m om my guard.

I’ll definitely going to edit my host file. This won’t affect any of steam’s normal functions?

I do have a question about the backpack that’s used for storage for stolen items. You mention there are stolen items in it, does that mean it’s set to public on steam? It’s kind of odd as you would expect it being set to private to prevent someone tracing the items. Or is there some trick to view private backpacks online?

konr

Good job dude. This should be extremely easy to patch for Valve. Makes me cringe looking at someone doing memory editing so much and still using C#.
Quoted from CHERRY

[…]
I don’t think it works like that, not 100% sure though.

It should. I haven’t read it fully at all but if it’s using conventional cookie grabbing it should only affect stuff that is currently logged in.


Last edited by konr,

jx53

Quoted from CapTVK

Thank you for your informative post. I’ve received several of these sorts of these “friend” invites on a weekly basis for a very long time so i’m om my guard.

I’ll definitely going to edit my host file. This won’t affect any of steam’s normal functions?

I do have a question about the backpack that’s used for storage for stolen items. You mention there are stolen items in it, does that mean it’s set to public on steam? It’s kind of odd as you would expect it being set to private to prevent someone tracing the items. Or is there some trick to view private backpacks online?

Trade offers require public backpack

CHERRY

Quoted from konr

Good job dude. This should be extremely easy to patch for Valve. Makes me cringe looking at someone doing memory editing so much and still using C#.
[…]It should. I haven’t read it fully at all but if it’s using conventional cookie grabbing it should only affect stuff that is currently logged in.

I still don’t see why Steam couldn’t store different profiles.

CHERRY

Quoted from CapTVK

Thank you for your informative post. I’ve received several of these sorts of these “friend” invites on a weekly basis for a very long time so i’m om my guard.

I’ll definitely going to edit my host file. This won’t affect any of steam’s normal functions?

I do have a question about the backpack that’s used for storage for stolen items. You mention there are stolen items in it, does that mean it’s set to public on steam? It’s kind of odd as you would expect it being set to private to prevent someone tracing the items. Or is there some trick to view private backpacks online?

This won’t affect how your Steam works since API is intended for 3rd party developers, chances are you’ll never need to use it.

CHERRY

https://github.com/Kuba77/SteamWall

May conflict if you have many custom rules in the firewall

Add A Reply Pages: « Previous 1 2 3 Next »