Seems like somebody broke into a TS server and planted a "patch" full of malware. From SANS:
http://www.incidents.org/diary.html?storyid=2634
http://forum.goteamspeak.com/showthread.php?t=37007
[quote]
Gaming Malware
Published: 2007-04-15,
Last Updated: 2007-04-15 21:57:36 UTC
by Marcus Sachs (Version: 2)
A reader alerted us to new malware aimed at online gamers. Over at Teamspeak (providers of a very popular voice communications program used by gamers) some users signed up for their discussion forums received an email like this:
-----Original Message-----
From: nospam@goteamspeak.com
Sent: Saturday, April 14, 2007 8:49 PM
To: <deleted>
Subject: New Team Speak Patch [Link Inside]
Now you can download new Team Speak patch. It will help you to use our
Team Speak servers.
We advise you to download it now
hxxp://www.goteamspeak.com/downloads/patch.exe
Many of our seasoned readers know where this is going. Unfortunately many gamers are not as aware of computer-based social engineering tricks and very likely downloaded "patch.exe" without a second thought. We downloaded the malware (it is no longer available, so happy hunting if you are looking for a sample) and ran it through VirusTotal. The results were not encouraging. The only hits we received were:
Antivirus        Version          Update      Result
CAT-QuickHeal    9.00             04.14.2007  (Suspicious) - DNAScan
ClamAV           devel-20070312   04.15.2007  Trojan.Spy-4392
Fortinet         2.85.0.0         04.15.2007  W32/LdPinch.BEO!tr.pws
Ikarus           T3.1.1.5         04.15.2007  Trojan-PWS.LDPinch.1607
Kaspersky        4.0.2.24         04.15.2007  Trojan-PSW.Win32.LdPinch.beo
Panda            9.0.0.4          04.15.2007  Suspicious file
Webwasher-Gtwy   6.0.1            04.14.2007  Win32.Malware.gen (suspicious)
Additional Information
File size: 48640 bytes
MD5: 488b22114f1a08dc68a7e2cc34bf1d01
SHA1: 3da87252c917493e591c6ea222637910fff07a5e
There was some discussion a few hours ago in the TeamSpeak forums, but currently the forums appear to be offline. We'll keep monitoring this and will post any updates if needed.
UPDATE (2157 UTC) The forums are alive again. Follow the link above to see what is being discussed. There is a lot of speculation that the evil file was inserted due to vulnerabilities in TeamSpeak's forum software.[/quote]
So, if you have already installed it you will have to do some serious cleaning of your computer...
Do *NOT* download the Teamspeak patch!
Last edited by Avalanche on Mon Apr 16, 2007 4:03 pm, edited 1 time in total.
/Avalanche



Any technology, no matter how primitive, is magic to those that do not understand it. (Mark Stanley, Freefall, 1999)
Quod licet Iovi, non licet bovi
12/27/07 20:48:39: <Player in trouble> (all): Run its AVA
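An added example (not part of the original thread or the SANS diary): one way to check whether the file described in the quoted diary entry is present on a disk, using the size, MD5 and SHA1 it lists. The function names and the directory argument are assumptions of this example.

```python
import hashlib
import os

# IoCs copied from the quoted SANS diary entry for patch.exe.
IOC_SIZE = 48640
IOC_MD5 = "488b22114f1a08dc68a7e2cc34bf1d01"
IOC_SHA1 = "3da87252c917493e591c6ea222637910fff07a5e"


def file_digests(path, chunk_size=65536):
    """Return (md5_hex, sha1_hex) for a file, reading it in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def sweep(root, size=IOC_SIZE, md5=IOC_MD5, sha1=IOC_SHA1):
    """Walk root and return paths whose size and both digests match the IoC.

    The file name is ignored on purpose: a renamed copy still matches.
    Size is checked first so that only candidates get hashed.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) != size:
                    continue
                if file_digests(path) == (md5.lower(), sha1.lower()):
                    hits.append(path)
            except OSError:
                continue  # unreadable or vanished file: skip, keep sweeping
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for hit in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("IoC match:", hit)
```

A match identifies only this exact build of the file; a clean sweep says nothing about repacked variants or about what the trojan did after it ran.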



*Points up and points out that NOD32 was not among those actually catching the malware...*
Seems to be an exploit in their message board system that they used to inject the file.
Last edited by Avalanche on Mon Apr 16, 2007 1:29 pm, edited 1 time in total.
/Avalanche



AdmiralKirk
Posts: 14
Joined: Mon Feb 12, 2007 10:52 pm
If they used an older version of IPB, there was a vulnerability that allows you to run PHP code embedded in a post, which can allow you to upload a PHP script that will give you full control over anything PHP can touch (usually the entire webserver). I had this happen to a forum system I admined once, pain in the butt. Crazy nice PHP control script though ^^ In Russian, but it could do almost anything.


