Malware
Denis, 2016-01-21 05:50:50

Question for those who use TorChat under Windows (backdoor)?

Hello, I want to understand one tricky situation, and I hope for your help.
Recently I needed to install the TorChat client on Windows. The first links in Google led to the project pages on GitHub and on SourceForge; I actually took it from the latter:
sourceforge.net/projects/torchat/files/latest/download
A week ago I downloaded the latest version: torchat-windows-0.9.9.553.zip. MD5 hash of the torchat.exe binary: af9a116cf91e8fa504dc1683253573b9
Installed it, everything works... But a couple of days ago I noticed strange network activity and started to find out what was wrong.
Locations:
C:\Users\%username%\AppData\Roaming\Adobe\AdobeUpdate.exe
C:\Users\%username%\AppData\Roaming\Adobe\srvchost.exe
These two executables were running as processes, both hidden in the system. I began to analyze them. The executable srvchost.exe is the most ordinary Tor client, tor.exe, listening on the default port 9050.
But AdobeUpdate.exe is some unidentified backdoor; a link to the VirusTotal report: https://www.virustotal.com/ru/file/e5e8c45440f762c...
Then I began to dig into how these executables got onto my computer, and how AdobeUpdate.exe even came to be started and registered in the registry. Since lately I have not installed anything from the Internet except this TorChat, I began to monitor its activity.
Indeed, when the torchat.exe binary (MD5 checksum af9a116cf91e8fa504dc1683253573b9) is run, it creates these two files in C:\Users\%username%\AppData\Roaming\Adobe\, hides them, registers AdobeUpdate.exe in the registry and starts AdobeUpdate.exe.
Where the application connected to, what it did, and what it transmitted, unfortunately I cannot find out, since I am not a reverser. Only through Process Explorer I saw how AdobeUpdate.exe, after some time, still starts a cmd.exe process (apparently a bind cmd backdoor through Tor).
But most importantly, there is no information on the Internet about this incident; probably the compiled executables on GitHub are the same, bundled with the backdoor, and judging by the date they have been sitting there for more than a year.
TorChat is an interesting messenger, no less interesting than the Tox messenger, but if it has been delivered openly like this for more than a year with an outright backdoor, why is everyone silent?
Now, in parallel, I have written my question to GitHub support and to SourceForge, but your opinion on this issue is also very interesting to me.
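The checks the poster did by hand (hashing the downloaded binary, finding the hidden executables under %APPDATA%\Adobe, the Run-key persistence, the process tree down to cmd.exe, and the tor.exe listener on 9050) can be collected in one script. This is an added triage script, not code from the original post or from the TorChat project; the path to torchat.exe is an assumption, and Get-NetTCPConnection only exists on Windows 8 / Server 2012 and later (use netstat -ano on older systems).

```powershell
# Added host-triage script for the incident described above (not part of the original post).
# Run in an elevated PowerShell on the affected Windows host; read-only, it changes nothing.

# 1. Hash the downloaded binary and compare with the MD5 the poster quoted.
#    ASSUMPTION: adjust $TorchatPath to wherever torchat.exe was unpacked.
$TorchatPath = "$env:USERPROFILE\Downloads\torchat-windows-0.9.9.553\torchat.exe"
$ReportedMd5 = 'af9a116cf91e8fa504dc1683253573b9'
if (Test-Path $TorchatPath) {
    $md5 = (Get-FileHash -Path $TorchatPath -Algorithm MD5).Hash.ToLower()
    "torchat.exe MD5: $md5 (matches poster's sample: $($md5 -eq $ReportedMd5))"
    # VirusTotal keys on SHA256 and MD5 collisions are cheap, so record both hashes.
    "torchat.exe SHA256: $((Get-FileHash -Path $TorchatPath -Algorithm SHA256).Hash)"
}

# 2. Hidden executables dropped under %APPDATA%\Adobe.
#    -Force is required: without it Get-ChildItem silently skips hidden files.
$DropDir = Join-Path $env:APPDATA 'Adobe'
if (Test-Path $DropDir) {
    Get-ChildItem -Path $DropDir -Filter *.exe -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
        ForEach-Object {
            "Hidden executable: $($_.FullName)  SHA256=$((Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash)"
        }
}

# 3. Persistence: Run / RunOnce values in HKCU and HKLM that point into that folder.
$RunKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($value in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($value.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSProvider, ...
        if ("$($value.Value)" -like '*\AppData\Roaming\Adobe\*') {
            "Autorun: $key\$($value.Name) = $($value.Value)"
        }
    }
}

# 4. Process tree: who started the dropped binaries, and did they spawn cmd.exe?
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($proc in $procs) { $byPid[[int]$proc.ProcessId] = $proc }
foreach ($proc in ($procs | Where-Object { $_.Name -in 'torchat.exe', 'AdobeUpdate.exe', 'srvchost.exe' })) {
    $parent = $byPid[[int]$proc.ParentProcessId]
    "$($proc.Name) pid=$($proc.ProcessId) parent=$($parent.Name) cmd=$($proc.CommandLine)"
    $procs | Where-Object { $_.ParentProcessId -eq $proc.ProcessId } |
        ForEach-Object { "    child: $($_.Name) pid=$($_.ProcessId) cmd=$($_.CommandLine)" }
}

# 5. Tor's default SOCKS port: which process owns the 9050 listener?
Get-NetTCPConnection -LocalPort 9050 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object { "Port 9050 listener: pid=$($_.OwningProcess) $($byPid[[int]$_.OwningProcess].Name)" }
```

A cmd.exe child under AdobeUpdate.exe, an HKCU Run value pointing at the hidden file, and a SHA256 for the VirusTotal lookup are the three facts worth keeping before the files are removed; hash the dropped files before deleting them, since the hashes are the only thing others can search for later.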


4 answer(s)
Evgeny Petrov, 2014-08-08
@princesssluck90

I have not seen this, but there is something from Skribler

Yuri Lobanov, 2014-08-08
@iiil

This is a decorative font.
Do you want to be more precise? Ugly decorative font.

NickMN, 2014-08-08
@NickMN

Try changing the color in Photoshop (let the white text be black and the background white). Then search for pictures on google. In general, the question is meaningless.

Lisonok, 2014-08-08
@Lisonok

I don't think there is such a font; more likely someone photoshopped it.
