Monday, 2 July 2012
I received an e-mail with an interesting stealer, thanks Raoul.
A fake Steam login whose size is 6 MB, but why is it so huge?
Because it drops the PHP5 engine and uses it to load the script.
Here is a picture of the routine:
It creates the file "php5ts.dll":
An ELF file is bunzip2-decompressed and loaded via PHP:
Loaded php5 dll:
Loaded fake login:
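The routine above (drop php5ts.dll, decompress a bzip2 payload, hand it to the PHP engine) suggests a quick triage step for this kind of oversized dropper: carve every bzip2 stream out of the binary and look at what comes out. The script below is an added example written for this post, not the stealer's code and not a tool used in the original analysis; the container layout it parses (a PE-like prefix, a decoy "BZh", one real stream, trailing junk) and the placeholder PHP script are constructed for the demo, since the post does not describe how the real sample stores its payload.

```python
# Added example (not from the original post): carve bzip2-compressed payloads out
# of a dropper binary and identify what they are. The container layout below is
# constructed for the demo; the real sample's layout is not described in the post.
import bz2
import sys

BZ2_MAGIC = b"BZh"                 # bzip2 stream header, followed by block size '1'..'9'
MAX_OUT = 64 * 1024 * 1024         # cap output: a crafted stream can expand enormously


def classify(payload: bytes) -> str:
    """Rough file-type guess for a decompressed payload, by magic bytes."""
    if payload.startswith(b"\x7fELF"):
        return "ELF"
    if payload.startswith(b"MZ"):
        return "PE"
    if b"<?php" in payload[:256]:
        return "PHP script"
    if payload.startswith(BZ2_MAGIC):
        return "nested bzip2"
    return "unknown"


def carve_bzip2_streams(blob: bytes):
    """Return [(offset, decompressed_bytes)] for every complete bzip2 stream in blob.

    Every 'BZh' occurrence is a candidate; false positives are rejected by the
    block-size digit check and by the decompressor itself (it raises OSError on
    garbage). Streams that are truncated or exceed MAX_OUT are skipped.
    """
    found = []
    pos = 0
    while (idx := blob.find(BZ2_MAGIC, pos)) != -1:
        if idx + 3 < len(blob) and blob[idx + 3] in b"123456789":
            dec = bz2.BZ2Decompressor()
            try:
                out = dec.decompress(blob[idx:], MAX_OUT)
            except (OSError, ValueError):   # not a real stream after all
                out = None
            if out is not None and dec.eof:
                found.append((idx, out))
                # resume right after the stream; dec.unused_data is the remainder
                pos = len(blob) - len(dec.unused_data)
                continue
        pos = idx + 1
    return found


# Constructed stand-in for the 6 MB dropper: a PE-like prefix, a decoy "BZh"
# that is not a real header, a genuine bzip2 stream holding a placeholder PHP
# script, then trailing junk. Offsets: decoy at 66, real stream at 71.
SAMPLE_SCRIPT = b"<?php\n// constructed placeholder, not the stealer's real script\n$u = $_POST['login'];\n"
SAMPLE_CONTAINER = (
    b"MZ" + b"\x00" * 64
    + b"BZhxx"
    + bz2.compress(SAMPLE_SCRIPT)
    + b"\xcc" * 32
)


def report(blob: bytes):
    """List (offset, type, decompressed size) for each carved payload."""
    return [(off, classify(data), len(data)) for off, data in carve_bzip2_streams(blob)]


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CONTAINER
    for off, kind, size in report(blob):
        print(f"offset 0x{off:x}: {kind}, {size} bytes decompressed")
```

Run it against a real dropper with `python carve.py sample.exe`; without an argument it runs on the constructed container. The output cap matters: a decompression bomb hidden in a 6 MB file is a cheap way to knock over an analysis box, so never decompress an untrusted stream without a limit.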
After you fill in the fields and submit, the second window is shown:
Because of Steam Guard, the attackers now also need access to the e-mail address used on Steam.
The data is finally sent to the server after the login button is pushed.
To a fake .gif image; I've already seen that on SpyEye gates, with .htaccess rules like these:
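A gate hidden behind an image name (the usual trick is an .htaccess rule that hands the .gif filename to the PHP handler, or rewrites it to a .php script) leaves one reliable trace on the hosting side: clients POST form data to something that should only ever be fetched with GET. The script below is an added example, not part of the original post and not a rule set from the SpyEye panels mentioned; it scans Apache-style access log lines (constructed here for the demo) and flags POST requests to image URLs.

```python
# Added example (not from the original post): flag web-server log lines where a
# POST goes to an image URL, the tell-tale of a PHP gate disguised as a .gif.
# The log lines below are constructed for the demo.
import re

# Apache "combined" access log format; only the fields we need are named
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png", ".bmp", ".ico")


def is_gate_hit(line: str):
    """Return (ip, path, status) if the line is a POST to an image URL, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0].lower()   # drop query string, ignore case
    if m.group("method") == "POST" and path.endswith(IMAGE_EXT):
        return (m.group("ip"), m.group("path"), int(m.group("status")))
    return None


def scan(lines):
    """All gate-style hits in an iterable of log lines, in order."""
    hits = []
    for line in lines:
        hit = is_gate_hit(line)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample log: one normal page view, one POST to a .gif (the gate),
# a harmless GET of the same .gif, a POST to an undisguised .php, a POST to a
# .GIF with a query string, and a line that does not parse at all.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jul/2012:10:15:01 +0200] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [02/Jul/2012:10:15:03 +0200] "POST /img/logo.gif HTTP/1.1" 200 43',
    '10.0.0.9 - - [02/Jul/2012:10:16:10 +0200] "GET /img/logo.gif HTTP/1.1" 200 43',
    '10.0.0.7 - - [02/Jul/2012:10:17:22 +0200] "POST /gate.php HTTP/1.1" 200 12',
    '10.0.0.8 - - [02/Jul/2012:10:18:40 +0200] "POST /u/stat.GIF?id=7 HTTP/1.1" 200 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, path, status in scan(SAMPLE_LOG):
        print(f"{ip} POST {path} -> {status}")
```

The same check works on a proxy log from the victim side, where a POST to a .gif from a process that is not a browser is even more out of place. A GET to the gate can still be a heartbeat, so if you have the response body, also check that a file served as an image really starts with `GIF8`; a gate usually answers with an empty body or plain text.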
When the data has been sent, the following window is shown:
And then it asks you for a serial (???):
Which calls another URL:
If the code is valid (DIFG-47JU-NUS4-PO46) the app just closes; if the code is wrong the app does nothing.
This stealer is not new: according to VirusTotal, the bzip2-compressed archive was first scanned on 2011/03/24.
Also, if you have HL2:DM and want to play, add me :)
I'm just back from Eurockéennes, which is why I wasn't really online these past few days; here are two pics I took (Dionysos and Justice).