Monday, 2 July 2012


I received a mail with an interesting stealer, thanks Raoul.
A fake Steam login who have a size of 6Mb, but why the size is so huge ?
Because they drop the PHP5 engine and load the script.
Here is a picture of the routine:

Create the file "php5ts.dll"


A ELF file is un-bunziped and loaded via the php:

Then delete

Loaded php5 dll:

Loaded fake login:

After that you filled fields and send, the second windows is show:

With the SteamGuard protection hackers need now to have access on the E-mail adress used on Steam.
Datas are finally sent to the server after pushing the login button.
• dns: 1 ›› ip: - adresse: HTTPZ.RU

To a fake gif image, i've already see that on Spyeye gates, with rules like this on htaccess:
AddType application/x-httpd-php .php .phtml .jpg .pdf

When datas are sent the following windows is show

And then ask you a serial (???):

Who call another url:

If the code is good (DIFG-47JU-NUS4-PO46) the app just close, if the code is bad the app do nothing.
This Stealer is not new, according to VirusTotal the bzip2 compressed archive was first scanned the 2011/03/24.

Also if you have hl2:dm and want to play, add me :)

I 'm just back from Eurockéennes, it's for that these days i was not really online, here are two pics i've taken (Dionysos and Justice)



    blackhole nigga

  2. It's php devel studio. Script packed in overlay, gz format.