
XRumer Backdoored (Other thread is giving 406 error)

Discussion in 'Black Hat SEO' started by October, Oct 23, 2007.

  1. October

    October Registered Member

    Joined:
    Oct 15, 2007
    Messages:
    52
    Likes Received:
    68
    (Reposting this thread since the other one is giving a 406 Not Accepted error for some reason.)

    While debugging an application, I noticed connections being made to a website that should not be made.

    This system is only used for development, and just recently had XRumer installed.

    After monitoring the connection with Wireshark (the new Ethereal), I noticed it periodically making an http connection to xeka.ru

    It makes a POST to /re4m/1/stat.php with the following data.

    id=xLIAN-10_20EC7AC4&build_id=1092B5C

    Using Process Explorer and TCPView by Sysinternals, I noted that it is running as svchost.exe, but as a user application instead of a system service.

    Screenshots of what Sysinternals and Wireshark showed.

    http://img205.imageshack.us/img205/7176/tcpviewgt9.jpg
    http://img205.imageshack.us/img205/8496/procexpwf5.jpg
    http://img205.imageshack.us/img205/8299/wiresharkxg1.jpg


    Article about the BlackEnergy DDoS bot.

    http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf
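    The periodic POST described above is the kind of check-in a capture can be screened for automatically. The following is an added example, not code from the thread or from any of the tools mentioned: it groups captured HTTP requests by process and destination, keeps groups that repeat at a near-constant interval, and parses the form body for bot-style identifier fields. The capture rows are constructed for the example (only the `id`/`build_id` values and the host and path come from the post; timestamps, PIDs and the other rows are invented), and the field names treated as beacon identifiers are an assumption.

```python
"""Added example (not from the thread): flag periodic HTTP POST check-ins
of the kind described in the first post, over a constructed capture."""
from dataclasses import dataclass
from statistics import mean, pstdev
from urllib.parse import parse_qs


@dataclass
class HttpRequest:
    ts: float        # seconds since capture start
    pid: int
    process: str     # owning process, as TCPView/Process Explorer would show it
    method: str
    host: str
    path: str
    body: str


# Constructed sample, modelled on the thread's observation. The id/build_id
# values, host and path are from the post; everything else is invented.
CAPTURE = [
    HttpRequest(0.0, 1840, "svchost.exe", "POST", "xeka.ru", "/re4m/1/stat.php",
                "id=xLIAN-10_20EC7AC4&build_id=1092B5C"),
    HttpRequest(12.4, 2210, "firefox.exe", "GET", "example.com", "/", ""),
    HttpRequest(600.1, 1840, "svchost.exe", "POST", "xeka.ru", "/re4m/1/stat.php",
                "id=xLIAN-10_20EC7AC4&build_id=1092B5C"),
    HttpRequest(1200.3, 1840, "svchost.exe", "POST", "xeka.ru", "/re4m/1/stat.php",
                "id=xLIAN-10_20EC7AC4&build_id=1092B5C"),
    HttpRequest(1799.9, 1840, "svchost.exe", "POST", "xeka.ru", "/re4m/1/stat.php",
                "id=xLIAN-10_20EC7AC4&build_id=1092B5C"),
]

# Form fields treated as bot identifiers (assumption for this example).
BEACON_FIELDS = {"id", "build_id"}


def parse_form(body):
    """Parse an application/x-www-form-urlencoded body into {key: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def find_beacons(requests, min_hits=3, max_jitter=0.1):
    """Group POSTs by (process, pid, host, path) and report groups that
    repeat with near-constant spacing and carry bot-identifier fields.
    Returns a list of dicts describing each suspected beacon."""
    groups = {}
    for r in requests:
        if r.method != "POST":
            continue
        groups.setdefault((r.process, r.pid, r.host, r.path), []).append(r)

    hits = []
    for (process, pid, host, path), rs in groups.items():
        if len(rs) < min_hits:
            continue
        rs.sort(key=lambda r: r.ts)
        gaps = [b.ts - a.ts for a, b in zip(rs, rs[1:])]
        avg = mean(gaps)
        # Relative spread of the inter-arrival times; a scheduler-driven
        # check-in has very little jitter compared with human browsing.
        if avg <= 0 or pstdev(gaps) / avg > max_jitter:
            continue
        fields = parse_form(rs[0].body)
        if not BEACON_FIELDS & fields.keys():
            continue
        hits.append({"process": process, "pid": pid, "host": host, "path": path,
                     "interval_s": round(avg, 1), "fields": fields, "count": len(rs)})
    return hits


if __name__ == "__main__":
    for h in find_beacons(CAPTURE):
        print("%s (pid %d) -> %s%s every %ss, fields %s"
              % (h["process"], h["pid"], h["host"], h["path"], h["interval_s"], h["fields"]))
```

The interval test is what separates a check-in from ordinary traffic: the same process hitting the same script every ten minutes with the same identifiers is worth pulling the binary for, whereas a single POST to a 404 page is not.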
     
  2. titalian

    titalian Junior Member

    Joined:
    Aug 31, 2007
    Messages:
    175
    Likes Received:
    62
    Is it still worth $450? LOL

    Nice find...
     
  3. October

    October Registered Member

    Joined:
    Oct 15, 2007
    Messages:
    52
    Likes Received:
    68
    No, it does not work as advertised. The ONLY forums it posts to are the ones that are already spammed. As I said earlier, after 5000 forums of my choosing, it would not post to ANY.

    Charging you $450 for a program that does not work and then installing a botnet on your PC is just plain evil.
     
  4. astro18

    astro18 Registered Member

    Joined:
    Oct 18, 2007
    Messages:
    99
    Likes Received:
    4
    Good to know, now I will surely think longer before buying it!
     
  5. caroz

    caroz Registered Member

    Joined:
    Aug 23, 2007
    Messages:
    60
    Likes Received:
    1
    October, can you please PM me your username for the Botmaster private forum, if you got a legit copy and not a cracked one with a trojan included.
     
  6. yato

    yato Newbie Premium Member

    Joined:
    Sep 18, 2007
    Messages:
    49
    Likes Received:
    10
    I'd like to hear more about this supposed trojan too.
    I was just thinking about emailing the guys in Russia about this because I was going to buy it.
    Doesn't make sense to sell high-dollar software with trojans; word would get around and then they'd be done.
    October, are you sure that process isn't just checking your license or something?
     
  7. October

    October Registered Member

    Joined:
    Oct 15, 2007
    Messages:
    52
    Likes Received:
    68
    Caroz, I bought Xrumer, who are you?

    Anyway, I find it quite funny that my IP is blocked from this forum. Is it because I reveal the truth about XRumer?
     
  8. nova

    nova BANNED

    Joined:
    Jul 23, 2007
    Messages:
    256
    Likes Received:
    41
    Not quite... svchost.exe is the generic host process name for services that run from DLLs. So software that runs a service can have such an instance running... of course I'm not sure if XRumer 4 does run some kind of service.

    October, that URL you provided which XRumer contacts is giving a 404... I wonder if it's changed?

    Also, how did you come to the conclusion it's a BlackEnergy DDoS bot? Any footprint?
     
  9. Essential Clix

    Essential Clix Executive VIP Premium Member

    Joined:
    Jul 30, 2007
    Messages:
    1,755
    Likes Received:
    2,791
    Location:
    USA
    Damn, those are some pretty serious accusations. Can't wait to see how this turns out.
     
  10. sambenoit

    sambenoit Newbie

    Joined:
    Oct 18, 2007
    Messages:
    15
    Likes Received:
    129
    guess we will not find out
     
  11. Botmaster_Support

    Botmaster_Support BANNED

    Joined:
    Oct 26, 2007
    Messages:
    42
    Likes Received:
    22
    If you are using a nulled version of XRumer, various problems may appear. So I advise you, before starting any accusation, to think and use the official version.
     
  12. Botmaster_Support

    Botmaster_Support BANNED

    Joined:
    Oct 26, 2007
    Messages:
    42
    Likes Received:
    22
    blackhatworld.com/blackhat-seo/black-hat-seo/1752-paying-150-xrumer-4-0-non-cracked.html
    As I can see, you are using a nulled version of XRumer, so that is why you have such problems. So I advise you, before starting any accusation, to think and use the official version.

    PS: Botmaster team doesn't have any connections to this forum.
     
  13. Botmaster

    Botmaster Newbie

    Joined:
    Oct 2, 2007
    Messages:
    31
    Likes Received:
    7
    XRumer HAS NO trojan code. It connects to the Botmaster.Net server on startup, for user verification, via port 80.

    The topic starter attached a screenshot, img205.imageshack.us/img205/8299/wiresharkxg1.jpg; on it we can see that the program connects to xeka.ru/re4m/1/stat.php, BUT this URL shows "404 Not Found". But xeka.ru has a forum, forum.xeka.ru; probably XRumer tried to make a topic on it.

    XRumer uses other ports, not 80, only if the user switched on the checkbox "Use proxy"; then XRumer will use the ports from the proxies.

    ANY of our legal customers can check it. We have been working in this business for more than 2 years.

    But there are a lot of forums that were hacked, and they have trojans. If you open one in a browser, and your browser is not updated, then you can get a virus. If you want, I can give samples.
     
  14. October

    October Registered Member

    Joined:
    Oct 15, 2007
    Messages:
    52
    Likes Received:
    68
    OK, an FYI: there are two people posting from this account. The first post in this thread was made by me (the programmer), the others by my boss.

    This is not a hacked version of XRumer, it was bought.

    It is not attempting to access the xeka.ru forums to spam, because XRumer is completely closed and shut off.

    There are no new services registered on the system, so the instance of svchost.exe is not a legitimate service that I can disable and unregister.

    (And for those who simply "don't believe" we bought it, here is the e-mail)


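The two checks raised in this thread, nova's point that svchost.exe is only the generic host for DLL-based services and October's point that no new service is registered for this instance, can be turned into a triage routine. The following is an added example, not code from the thread or from Sysinternals: it takes a process snapshot of the kind Process Explorer shows (image path, command line, user, parent) and reports why a given svchost.exe instance does not look like a real service host. The snapshot and the list of registered service groups are constructed for the example; the process names, paths and PIDs are invented, and the genuine-service-host criteria (System32 image, parent services.exe, service account, `-k <group>` argument naming a group registered under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost`) are stated as assumptions of this check.

```python
"""Added example (not from the thread): triage svchost.exe instances from a
constructed process snapshot, applying the checks discussed in the thread."""
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    name: str
    image: str         # full image path
    cmdline: str
    user: str          # account the process runs as
    parent_name: str   # image name of the parent process


# Accounts a genuine service host runs under (assumption for this check).
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE"}
# Where the real svchost.exe binary lives (assumption; systemroot on C:).
SVCHOST_PATHS = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}

# Constructed snapshot: one real service host and one impostor that was
# started from a temp directory as the interactive user (paths, PIDs and
# account names are invented for the example).
SNAPSHOT = [
    Proc(912, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe",
         "svchost.exe -k netsvcs", "NT AUTHORITY\\SYSTEM", "services.exe"),
    Proc(1840, "svchost.exe", r"C:\Documents and Settings\dev\Local Settings\Temp\svchost.exe",
         "svchost.exe", "DEVBOX\\dev", "explorer.exe"),
]

# Service-host groups as registered under the Svchost registry key
# (constructed subset for the example).
REGISTERED_GROUPS = {"netsvcs", "rpcss", "LocalService", "NetworkService"}


def triage_svchost(p, groups=REGISTERED_GROUPS):
    """Return the list of reasons this svchost.exe instance looks
    illegitimate; an empty list means it passes every check."""
    reasons = []
    if p.name.lower() != "svchost.exe":
        return reasons
    if p.image.lower() not in SVCHOST_PATHS:
        reasons.append("image outside System32/SysWOW64: " + p.image)
    if p.parent_name.lower() != "services.exe":
        reasons.append("parent is %s, not services.exe" % p.parent_name)
    if p.user.upper() not in SERVICE_ACCOUNTS:
        reasons.append("runs as interactive user " + p.user)
    args = p.cmdline.split()
    if "-k" not in args:
        # A real host is always told which service group to load.
        reasons.append("no -k <group> argument")
    else:
        i = args.index("-k") + 1
        group = args[i] if i < len(args) else ""
        if group not in groups:
            reasons.append("service group %r not registered" % group)
    return reasons


def suspicious(snapshot, groups=REGISTERED_GROUPS):
    """Map pid -> reasons for every svchost.exe instance that fails a check."""
    out = {}
    for p in snapshot:
        reasons = triage_svchost(p, groups)
        if reasons:
            out[p.pid] = reasons
    return out


if __name__ == "__main__":
    for pid, reasons in suspicious(SNAPSHOT).items():
        print("pid %d:" % pid)
        for r in reasons:
            print("  -", r)
```

Image path and parent are the checks to trust most: on later Windows versions some per-user services also run under the logged-on user, so the account check on its own is weaker evidence than a host started by explorer.exe from a temp directory with no `-k` group.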
     
  15. Botmaster

    Botmaster Newbie

    Joined:
    Oct 2, 2007
    Messages:
    31
    Likes Received:
    7
    A lot of customers who bought XRumer checked it for any backdoors, trojans, etc. and didn't find any. I can give any evidence that XRumer has no trojan code.

    I have the following assumptions:
    1.) The topic starter looked through the forums list in a browser and opened some hacked forum with a trojan (there are a lot of hacked forums like that, just Google it)
    2.) October wants to do black PR on Botmaster.Net; there are a lot of reasons: he bought the program several days ago, but immediately after purchasing made this topic; he tried to buy the program from other customers.
     
  16. Botmaster

    Botmaster Newbie

    Joined:
    Oct 2, 2007
    Messages:
    31
    Likes Received:
    7
    That is immoral disinformation, and I want to resolve this situation. I can give access to the program to a moderator of the BlackHatWorld forum, or to a forum member with high reputation.
     
  17. Essential Clix

    Essential Clix Executive VIP Premium Member

    Joined:
    Jul 30, 2007
    Messages:
    1,755
    Likes Received:
    2,791
    Location:
    USA
    Botmaster - look for moderators Dave, Ruck, or Lutherz

    I'd offer my assistance, but I have no previous experience with xrumer.

    With that being said, October, are you sure that you didn't fool around with a cracked version before purchasing the full version? If you did, it could have installed a trojan that might not have been deleted if/when you deleted the cracked version to make room for the legit copy you purchased. Surely one of the many XRumer users out there would have noticed some unusual activity as well?
     
  18. October

    October Registered Member

    Joined:
    Oct 15, 2007
    Messages:
    52
    Likes Received:
    68
    Botmaster, I will reply to everything said here as soon as I am unbanned from this forum. Why? I don't know.
     
  19. Gallardo

    Gallardo Newbie

    Joined:
    Aug 11, 2007
    Messages:
    44
    Likes Received:
    39
    Thanks October for informing

    And, thanks botmaster for explaining.

    It's good that such issues are discussed.
     
  20. eljugo

    eljugo Newbie

    Joined:
    Dec 19, 2006
    Messages:
    15
    Likes Received:
    0
    I'm enjoying this program... happy customer.