Official Everybody Edits Forums


#1 Before February 2015

Persona
Guest

Beware of False Krock Bot!

Krok in PM (Name is not a typo) wrote:

Hey man!

I would just like to say thanks for advertising my EE bot. In return I would like to give you the newest version of my bot. Nobody has it yet, and I would like you to test it! You can download it at -snip-

Thanks again!

-Krock

First, I am not advertising his bot, I don't even have the site.
This is the third program made for me to aim at stealing my account.

Last edited by Persona (Jun 28 2012 1:00:50 pm)

#2 Before February 2015

XxAtillaxX
Member
Joined: 2015-11-28
Posts: 4,202

Re: Beware of False Krock Bot!

Alright, taking a look. Okay, I suggest you take down the post so he doesn't see what I'm up to.

Last edited by ?tilla (Jun 28 2012 12:58:51 pm)


*u stinky*

#3 Before February 2015

Persona
Guest

Re: Beware of False Krock Bot!

Some more tips:
-Krock does not host his bots on a mediafire.
-He hosts them on his site.
-He would tell me directly, not just in a PM.
-Krock's EE username is Krock
-Krock's F EE username is Krock.
-Why would the bot not be given to other people..?   Is there like some new feature?
I did not hear about one, which I would expect.

#4 Before February 2015

XxAtillaxX
Member
Joined: 2015-11-28
Posts: 4,202

Re: Beware of False Krock Bot!

The file in that link is not made in C#, it is made in C++ 7.0.

The entrypoint: 00042B4F, file offset 00041F4F, linker info: 7.10
EP section: .text
first bytes: 6A,60,68,88
subsystem: Win32 GUI

EDIT: scanned it for cryptology, found 1 crypto signature.
CRC32B [poly] :: 00050379 :: 0040F79

Whoever did this isn't as stupid as the rest.

Fake user made in this forum: http://eeforumify.com/profile.php?id=7331
I suggest mods to take a look at the IP address for this, maybe I could have it and do an EE search of logged ips? :-3

Last edited by ?tilla (Jun 28 2012 1:09:08 pm)



#5 Before February 2015

Persona
Guest

Re: Beware of False Krock Bot!

So do we know that this is not safe?   Not that I have any intent to use it?

#6 Before February 2015

capasha
Member
Joined: 2015-02-21
Posts: 4,066

Re: Beware of False Krock Bot!

?tilla wrote:

The file in that link is not made in C#, it is made in C++ 7.0.

The entrypoint: 00042B4F, file offset 00041F4F, linker info: 7.10
EP section: .text
first bytes: 6A,60,68,88
subsystem: Win32 GUI

EDIT: scanned it for cryptology, found 1 crypto signature.
CRC32B [poly] :: 00050379 :: 0040F79

Whoever did this isn't as stupid as the rest.

Fake user made in this forum: http://eeforumify.com/profile.php?id=7331
I suggest mods to take a look at the IP address for this, maybe I could have it and do an EE search of logged ips? :-3

Give me the file in pm.


#7 Before February 2015

Fdoou
Banned

Re: Beware of False Krock Bot!

Someone really wants you dead.

#8 Before February 2015

~Omri~
Guest

Re: Beware of False Krock Bot!

*waiting to hear from a player that got scammed..*

#9 Before February 2015

XxAtillaxX
Member
Joined: 2015-11-28
Posts: 4,202

Re: Beware of False Krock Bot!

It is unsafe, obviously. It was made in C++ and within the DLL references there is no use of the playerioclient.dll included.

@Persona: Have you opened the file?

Last edited by ?tilla (Jun 28 2012 1:21:15 pm)


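An added example, not part of the original thread or any poster's code: the header fields quoted in post #4 (linker version, entry point RVA, its section and file offset, first bytes, subsystem) and the native-versus-.NET question raised in post #9 can be read straight from a PE file's headers. `triage_pe` and `build_sample` are hypothetical names; the sample reuses the values quoted in post #4, and its `.text` layout (RVA 0x1000, raw offset 0x400) is constructed to be consistent with them, not taken from the real file.

```python
import struct

SUBSYSTEMS = {2: "Win32 GUI", 3: "Win32 console"}

def triage_pe(data: bytes) -> dict:
    """Extract the header fields quoted in the post from raw PE bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF header: section count at +6, optional header size at +20.
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                          # optional header
    magic, major, minor = struct.unpack_from("<HBB", data, opt)
    ep_rva, = struct.unpack_from("<I", data, opt + 16)
    subsystem, = struct.unpack_from("<H", data, opt + 68)
    # Data directories start at +96 (PE32) or +112 (PE32+). Entry 14 is the CLR
    # header, which only managed (.NET, e.g. C#) images carry.
    dirs = opt + (112 if magic == 0x20B else 96)
    ndirs, = struct.unpack_from("<I", data, dirs - 4)
    clr_rva = struct.unpack_from("<I", data, dirs + 14 * 8)[0] if ndirs > 14 else 0
    info = {"linker": f"{major}.{minor}", "entry_rva": ep_rva, "managed": clr_rva != 0,
            "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
            "ep_section": None, "ep_offset": None, "first_bytes": None}
    for i in range(nsect):                                 # 40-byte section headers
        name, vsize, vaddr, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + i * 40)
        if vaddr <= ep_rva < vaddr + max(vsize, rsize):
            off = ep_rva - vaddr + rptr                    # RVA -> file offset
            info.update(ep_section=name.rstrip(b"\0").decode("ascii", "replace"),
                        ep_offset=off, first_bytes=data[off:off + 4].hex(","))
    return info

def build_sample(clr_rva: int = 0) -> bytes:
    """Constructed PE32 stub: only the fields read above are filled in."""
    buf = bytearray(0x41F4F + 4)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x84, 0x14C, 1)           # i386, one section
    struct.pack_into("<H", buf, 0x94, 224)                 # optional header size
    struct.pack_into("<HBB", buf, 0x98, 0x10B, 7, 10)      # PE32, linker 7.10
    struct.pack_into("<I", buf, 0x98 + 16, 0x42B4F)        # entry point RVA
    struct.pack_into("<H", buf, 0x98 + 68, 2)              # Win32 GUI
    struct.pack_into("<I", buf, 0x98 + 92, 16)             # directory count
    struct.pack_into("<I", buf, 0x98 + 96 + 14 * 8, clr_rva)
    struct.pack_into("<8sIIII", buf, 0x178, b".text", 0x42000, 0x1000, 0x42000, 0x400)
    buf[0x41F4F:] = bytes.fromhex("6a606888")              # bytes at the entry point
    return bytes(buf)
```

For a file claimed to be a C# bot, `managed` coming back false is the mismatch post #4 points out.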

#10 Before February 2015

Different55
Forum Admin
Joined: 2015-02-07
Posts: 16,575

Re: Beware of False Krock Bot!

The IP is a proxy and nobody else has used this proxy on these forums before.


"Sometimes failing a leap of faith is better than inching forward"
- ShinsukeIto


#11 Before February 2015

XxAtillaxX
Member
Joined: 2015-11-28
Posts: 4,202

Re: Beware of False Krock Bot!

Different55 wrote:

The IP is a proxy and nobody else has used this proxy on these forums before.

Cyclone should definitely add a page that redirects idiots to a flash file, having the flash file collect their real IP address.
Not too sure about the legality of that.. however..
I'm sure it could be subsided as a testing subject.

alright. It seems like the file is a download tool from what capasha has told me.
We'll see how it goes from there.

Last edited by ?tilla (Jun 28 2012 1:30:02 pm)



#12 Before February 2015

JadElClemens
Member
From: Colorado, USA
Joined: 2015-02-15
Posts: 4,559

Re: Beware of False Krock Bot!

?tilla wrote:

I suggest mods to take a look at the IP address for this, maybe I could have it and do an EE search of logged ips? :-3

Different55 wrote:

The IP is a proxy and nobody else has used this proxy on these forums before.

Actually it is a TOR exit node. I doubt anyone using TOR for the usual purposes would want anything to do with the EE forums (especially with the slow speeds), so it's not unusual that it's not been used here.


I hate tall signatures.

#13 Before February 2015

XxAtillaxX
Member
Joined: 2015-11-28
Posts: 4,202

Re: Beware of False Krock Bot!

Alright, success. The link the downloader tool was found, so now we have the ability to decompile.

Here's some more facts about the downloader tool:
Write to foreign memory areas: This executable tampers with the execution of another process.        
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.        
Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.        
Execution did not terminate correctly: The executable crashed.        
Spawns Processes: The executable produces processes during the execution.        
Performs Registry Activities: The executable creates and/or modifies registry entries.

The tool is getting update version from: http://nimg.x90x.net/ee_bbk_d/ee_vers.txt

Last edited by ?tilla (Jun 28 2012 1:39:00 pm)



#14 Before February 2015

lrussell
Member
From: Saturn's Titan
Joined: 2015-02-15
Posts: 843
Website

Re: Beware of False Krock Bot!

You may find more information about said security issues here: http://anubis.iseclab.org/?action=resul … ormat=html


#15 Before February 2015

XxAtillaxX
Member
Joined: 2015-11-28
Posts: 4,202

Re: Beware of False Krock Bot!

It is a legitimate and non-harmful bot that it downloads, but however that may be the downloader tool messes with your registry and seems to be a keylogger as well.

The DNS queries point to a dropbox, already got that file and to
showpath.com.nu 78.46.103.47

So, showpath is either being framed or is a part of this.



#16 Before February 2015

Persona
Guest

Re: Beware of False Krock Bot!

No, I didn't even download the file.

Spawns Processes: The executable produces processes during the execution.        
Performs Registry Activities: The executable creates and/or modifies registry entries.

The tool is getting update version from: http://nimg.x90x.net/ee_bbk_d/ee_vers.txt

That Url..!
I can confirm who is doing this now.

(Maker of Helpbot.)

Last edited by Persona (Jun 28 2012 2:02:51 pm)

#17 Before February 2015

capasha
Member
Joined: 2015-02-21
Posts: 4,066

Re: Beware of False Krock Bot!

?tilla wrote:

Alright, success. The link the downloader tool was found, so now we have the ability to decompile.

Here's some more facts about the downloader tool:
Write to foreign memory areas: This executable tampers with the execution of another process.        
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.        
Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.        
Execution did not terminate correctly: The executable crashed.        
Spawns Processes: The executable produces processes during the execution.        
Performs Registry Activities: The executable creates and/or modifies registry entries.

The tool is getting update version from: http://nimg.x90x.net/ee_bbk_d/ee_vers.txt

That is the version for EE. That krock is downloading. I have the same for one of my bots.


#18 Before February 2015

XxAtillaxX
Member
Joined: 2015-11-28
Posts: 4,202

Re: Beware of False Krock Bot!

I know, I realize that. Just digging up information.



#19 Before February 2015

planecool
Member
From: SN2006gy
Joined: 2015-02-17
Posts: 304
Website

Re: Beware of False Krock Bot!

Wow, I've been ghosting the forums, watching all this bot virus stuff play out. And yeah, someone hates Persona's "non violent bot support movement". I'm hoping it gets figured out. Good luck digging up information...

Edit: starting to believe that bots are bad, maybe Persona should stop playing with all these bots...

Last edited by planecool (Jun 28 2012 2:23:23 pm)


* CYPH1E > YOU: [I'm] half bot pig man bear.

50 dollars + salvaged computer parts.

#20 Before February 2015

Persona
Guest

Re: Beware of False Krock Bot!

Back when the project started, a user by the name of dav(numbers) gave a bot to SmileyGod. When I saw his level, the bot was named EX Shift Bot. SmileyGod did not have the faintest idea what it did. So when I asked for him to send it to me, what-the-hell, I could probably fix the crashing, it was dubbed "HelpBot". Without any precautions, I tried it, and it crashed, numerous times. About a week had passed, and I was watching a couple of videos. When I was done watching one, I switched to a new one, and a firefox 64x popup said it liked the old one better. Curious, I opened up Task Manager, and another popup saying "You won't find me in task manager -.-". After I tried rebooting my computer, and when it started, another popup came up "We can talk about this in your tinychat". I "faked" as my dad telling him an investigation would begin (okay, I was desperate). His username in the tc was "Undefined". It did scare the hacker. Few days passed, and I noticed I could not log into EE. Tried email, 2 of my emails were hacked.

So, after a long day of stress, using Google's investigation tool, I was able to get my account back. In one of them, I kept getting logged out, so I just deleted the email. The only thing on it was a few sites, and I had them switched before I deleted the email anyways. I noticed a few of my other accounts were hacked, after a long day in the Cold Storm, I did learn (or he was trolling) that ThuggishPrune did do all of it. He even admitted it himself. (Call me gullible if you want) A user named dav(numbers) said the real hacker is in your tinychat.

I noticed my tinychat was indeed hacked, and after a few seconds with the hacker, ThuggishPrune (An OP of my tinychat??) banned me.
After me rebooting my computer, and backing up my D drive onto a separate drive, all while my ethernet was unplugged, I reentered the tinychat, and there undefined was.

After telling me helpbot was what he used, and assuming that is how he spied on me, and got what I was doing, I knew who he was. He was distributing it, and smileygod even confirmed it.

It was dav(numbers).

I told him I knew who he was, and he told me that was not him, he used a shared account (Cherry) to distribute it. First, I have to ask how did he know the hacker was in the tinychat. Big coincidence.

After a day, I get a no-reply email from the everybody edits team stating about an account verifier. I did open the program, but I did not use it.
You, the community helped me out immensely. I learned a lot about safety just in that one topic. I thank you for that. Anyways, it pointed to the same url.

Then today, Krok bot.

If anyone knows someone with dav(and about 4 numbers), he did this.

#21 Before February 2015

planecool
Member
From: SN2006gy
Joined: 2015-02-17
Posts: 304
Website

Re: Beware of False Krock Bot!

Fdoou wrote:

Someone really wants you dead.

Sadly that's true. Once we figure out who did this, can we ban him? Also, can Chris IP ban people...

Last edited by planecool (Jun 28 2012 2:30:54 pm)



#22 Before February 2015

XxAtillaxX
Member
Joined: 2015-11-28
Posts: 4,202

Re: Beware of False Krock Bot!

Alright. Well, I do know that Dav112 (you are referencing to him, Persona) is a friend of Showpath.
And I'm assuming that thuggishprune has gotten into the scene, so thus all-in-all the people who are included in this scenario are:

Showpath
Dav112
ThuggishPrune

If activity like that was happening on your computer then the downloader tool was packed with a virus.
The downloader tool does have weird activity following it, so that explains it all.

However, you said that the downloader tool was after all of that had happened, and the files that I looked at the source (helperbot etc) doesn't include RAT components, so there must be a different tool that you have run that has done this.

Last edited by ?tilla (Jun 28 2012 2:34:15 pm)



#23 Before February 2015

Fdoou
Banned

Re: Beware of False Krock Bot!

Lol, that's a scary virus!

But what can really be done about this? Is your computer de-virused? Who is still attacking you?

BF2012 sure caused a bit of.... this.
I'm glad I don't do bots.

Last edited by Fdoou (Jun 28 2012 2:36:54 pm)

#24 Before February 2015

272
Guest

Re: Beware of False Krock Bot!

I don't get it??? Maybe it's 'cause I hate reading

#25 Before February 2015

planecool
Member
From: SN2006gy
Joined: 2015-02-17
Posts: 304
Website

Re: Beware of False Krock Bot!

Well, it's simple: someone sent Persona a bot with a virus. If she/he had downloaded it, bam, she'd download a different virus too. The mods and big guns are trying to figure out who did it, and last but not least, I want an avatar like Persona's... Does that explain it? I think I said it all right...


