Just sharing this here to bring to the attention of all. I suspect the attachment has a payload to it to infect Firefox or the system as a whole, notice the URL and patch are not from Mozilla but instead eekumyoutube ( dot ) org. I was at Wowhead looking up a Reins of the swift Spectral Tiger Mount when all of a sudden one of the ads in the corner of wowhead took over and brought me to what you see in this screenshot. This is the first time ever i have seen Firefox targeted to try to trick someone into running a so called "patch". System I am on has no infections. AVG is clean and Malwarebytes shows clean to, so thats why I am thinking there is a rogue ad associated with wowheads website that trying to get people to click and infect themselves if on firefox. Perhaps this phishing is using the browser detection script in which depending on browser they have a number of different payloads to infect you with.

I took a break from programming in C++ and checked out FACEBOOK and then saw this that caught my attention and then the ultra rare mount I decided to look up and then thats when I got hit with this redirect from wowhead. This link here is the article that I was checking out which was kind of interesting. http://www.gamespot.com/gallery/15-crazy-world-of-warcraft-facts-that-will-impress/2900-678/?ftag=ACQa2186e3&vndid=1852765721&ttag=gs-fb-834&nan_pid=1852765721

Decided to go back to this URL path to see if I can look further into it and its now hidden as if its a 1 time shot, dynamic URL path link, 1 time try to infect and then kill the path possibly to hide its rogue intentions of this website. Interesting! Second screenshot shows me trying to get back to it to poke AROUND and its gone.




[attachment deleted by admin to conserve space]This is the type of stuff that IMO makes using adblock/uBlock worth violating the implicit social contracts of website advertisements.Another attempt to infect me. This came thru from facebook. This time I wanted to see what the payload was and so I agreed to download it, but I didnt run it. I then ran virus scan with AVG on it as well as malwarebytes and it says the file is safe. NICE!!! Not going to run that EXE because I know better, but its flying under the radar of antivirus as well as malwarebytes in patch EXE form. Perhaps once it infects it would then detect it. Not going to run it to find out.

More screenshots and different site with same type of emergency patch junk. This time I viewer the HTML source to see what additional is going on with it. A browser detect is present as seen in source to page.

Note: File size 338k from other site and 482k from this one...

[attachment deleted by admin to conserve space]Opened up the EXE in a hex editor to see whats inside without running using FlexHex.

Screenshots of some of its intent. If anyone wants the Hex dump to dig into I have a 15MB PDF of it too. Just saying in CASE anyone out that is interested in this sort of thing.

[attachment deleted by admin to conserve space]pic 2 of hex

[attachment deleted by admin to conserve space]last pic of SECTION of hex that caught my attention.

[attachment deleted by admin to conserve space]putting in the same URLs, I can't get the page to load at all. First site is gone now entirely and the second one is only a blank page.

I'd be surprised of the program wasn't a .NET Executable. It seems oddly common to use a .NET program for this sort of thing.

It's actually quite common to post such programs as "tools" or "utilities" on game forums. It's common for Minecraft, for example, a user will post tools claiming to give the person full admin access to any server, for example, then steal private information. The fun part is that since they are .NET they are fairly easy to decompile; and while the more clever ones will encrypt the password it's dead-simple to just remove the decryptor and run it separate from the malicious software to get things like E-mail passwords, as they need to have SMTP passwords in the file to send their sweet sweet private info to. In one case the user had even used their own personal E-mail, (connected to paypal, amazon, Steam, Facebook, etc.) so I went ahead and E-mailed his family members from his account confessing some rather questionable feelings. Let's just say things must have been VERY awkward between himself and his sister for a while. Quote

In one case the user had even used their own personal E-mail, (connected to paypal, amazon, Steam, Facebook, etc.) so I went ahead and E-mailed his family members from his account confessing some rather questionable feelings.

Laughing so hard, but yes in order to authenticate the info would be in the source. Shaking my head why they didnt just use an alias to stay hidden. Although to have an alias paypal I suppose they would have had to have had a stolen identity or some means of creating a alias that appears to be a real person with the rabbit hole going deeper into someone opening an account with a bank with fake id / stolen identity etc.

Does .Net hide better against antimalware and antivirus's?

Maybe I'm wrong, but I thought the basis of .Net was to make for better healthier programs that wont BSOD systems etc. Memory managements and tighter execution layer controls etc. So I always thought that if you want to make a program that is going to be naughty it was best to code it up in something that wasnt based around .Net that more readily would allow for you to target memory addresses outside of where the program should be operating etc and overflow conditions etc.