BREAKING NEWS: TSR INSTALLS SPYWARE!
Leticron:
For what it's worth, I ran some tests on the latest TSRW.exe 07/24/09
MD5: 521605E8B73BA0BD98AD72CFF3AD14D0
CRC-32: A3952AF2
Neither Jotti (0/21) nor VirusTotal (0/40) found anything.
During Installation both parts (SlimDX and TSRWorkshop.exe) asked for net access, which I had blocked.
Next I tested the just installed TSRWorkshop.exe
MD5: 84D590202FC53AA752831288D0775BBC
CRC-32: 155F574A
on VirusTotal (0/40) and on Jotti (0/21).
The program started and seemed to work (I'm no modder so don't take my word for it).
Conclusion: Either the program itself has been modified after Pescado's discovery, or the warning was a hiccup on TrendMicro's side and the scan strings have been updated/adapted/corrected accordingly.
What I didn't test was whether the program loads any unwanted payload after it's given net access.
After uninstall, 101 registry keys were left (mostly under HKEY_LOCAL_MACHINE, which also includes the now obsolete firewall settings to block this program, and HKEY_CLASSES_ROOT; those were mostly installer related).
As expected with runtimes, SlimDX had to be uninstalled separately.
-le
Nightmare:
Quote from: J. M. Pescado on 2009 July 23, 05:49:25
Jfade is clearly not familiar with the many techniques which exist for sending messages without including the content of the message in the actual message, however. That is the obvious approach that would be used in such a scenario, which is why it escapes packetsniffing. Everyone knows that everyone and their dog has access to a packetsniffer, and if you want to hide a message in a transmission, you cannot obviously place the message in the transmission, and even encrypting the message so it looks like gibberish is suspicious: You have to hide the message in the metadata of the transmission. A pattern of seemingly innocent requests, a specific timing of requests, or even the fact that the request was made at ALL can all constitute a message hidden from plain sight. You can clearly see that this is happening, because the message is not apparently inside the actual transmission. The fact that it has been hidden in such a manner proves its malicious intent.
Pes, provide a scientific way of reproducing your input, otherwise I'll have to discard this news as false. I will feel backstabbed, as I've trusted you many times and now I feel there's no scientific substance here.
*back to my Vmware tests*
J. M. Pescado:
Quote from: Leticron on 2009 July 24, 15:28:45
For what it's worth, I ran some tests on the latest TSRW.exe 07/24/09
MD5: 521605E8B73BA0BD98AD72CFF3AD14D0
CRC-32: A3952AF2
I get an entirely different md5sum, 51e41f48f7aceef99c3ed57f0e072e2c for TSRW.exe, meaning your version is newer and has been altered, probably to better hide the evidence now that they know they have been caught. They are probably using a new trick that fools your particular scanner.
Quote from: Nightmare on 2009 July 24, 15:58:14
Pes, provide a scientific way of reproducing your input, otherwise I'll have to discard this news as false. I will feel backstabbed, as I've trusted you many times and now I feel there's no scientific substance here.
I'm not exactly sure what you want. You want me to provide a demonstration of steganographically concealed transmissions in innocuous data? Just look at the Splotch Creatures. They are PNG files. Totally harmless PNG files. If you examined them, you would find harmless PNGyness. But they contain DATA in them and can be used to reconstruct a Splotch critter. Admittedly, this is a completely benign implementation done for reasons unrelated to nefariousness, and the fact that it is not nefarious is why we know of it, as the game never really attempts to conceal this fact from us. TSR, however, is known to be a nefarious operator: They have acquired and then misused or released to third parties personal information from users in the past. It is reasonable to say that they do so regularly and there is absolutely no physical reason why they would have stopped, and therefore, there is every reason to believe the practice continues. In fact, on PMBD, Johan himself came over to gloat about how undetectable his new system was, because he just couldn't resist the temptation to brag and gloat smugly.
Leticron:
Quote from: J. M. Pescado on 2009 July 25, 07:54:59
I get an entirely different md5sum, 51e41f48f7aceef99c3ed57f0e072e2c for TSRW.exe, meaning your version is newer and has been altered, probably to better hide the evidence now that they know they have been caught. They are probably using a new trick that fools your particular scanner.
That's why I included the checksums to begin with ;). Additionally, I wasn't able to find any evidence of "run at startup" in this version.
I checked with msconfig, Autoruns, HijackThis and manually via regedit (clearly I have way too much time on my hands ;D ).
Security software installed here includes Avast, Ad-Aware and Mark Russinovich's Rootkit Revealer.
Again, mind you, the program was never allowed to connect, so I have no idea what it might have done/loaded/installed after contacting its home server.
So until someone finds more evidence, the program in its present form appears to be safe to use.
-le
Rhayden:
Quote from: Drakron on 2009 July 21, 18:16:46
Quote from: Korochuun on 2009 July 21, 17:13:51
I posted a link to this thread on GOS but apparently it got deleted.
Simsecret is open until Friday.
Bah, SimSecret. MSTY is vastly superior.