
Removing/Disabling the RAT from google

Pages: (1/2) >>>

kinky whip:



Newty:

Is his server on the status list? Post the link and I'll remove it as well as ban his account.

kinky whip:

/top-rsps/=162.218.48.101

It's his advertisement; he's already lost Affiliate on R-S over this, it just seems to be bouncing around R-S and his own forums rather than being public knowledge.

Moparisthebest:

I downloaded the gamepack.jar applet, and the Launcher.jar launcher.  The launcher simply does this:


--- Code: ---wget -U 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36' '_version=3' -O gamepackphp.jar

--- End code ---
And runs the jar, it is the same as the gamepack.jar applet which is good.

I decompiled all of them and searched for anything it downloads, it *looks* like it just downloads the cache, from here:
--- Code: ---_Storage.zip
--- End code ---

None of these files contain any native binaries like .exe, .dll or anything that wouldn't legitimately be found in a runescape cache or java jar file.  I uploaded all 3 files to virustotal and they were all clean.

Next I fired up windows 8.1 in virtualbox, installed firefox, java 8, and wireshark.  I recorded in wireshark and ran the applet, and also later the launcher.  I tried to log in to play but it said the login server was down.  As far as I can tell the only thing either one downloaded was the cache, which it extracted to my user directory.  I also checked for background processes before and after running them and didn't see any new ones, and none named javaw.exe like the original post said.

I also updated and ran a full windows defender scan which found nothing, then I installed malwarebytes, updated the definitions, then rebooted in safe mode and ran a full malwarebytes scan which also turned up clean.

So as far as I can tell, at the moment I tested all of this stuff it is clean.  It's possible it waits to do bad things, or the bad things don't work on Java 8 or Firefox or Windows 8.1 or something like that as well, so I can't say it's 100% clean, but I couldn't find anything wrong with it so I guess I won't remove it from the server status page for now.

RuneAgent:


--- Quote from: Moparisthebest on January 19, 2015, 12:59:23 PM ---I downloaded the gamepack.jar applet, and the Launcher.jar launcher.  The launcher simply does this:


--- Code: ---wget -U 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36' '_version=3' -O gamepackphp.jar

--- End code ---
And runs the jar, it is the same as the gamepack.jar applet which is good.

I decompiled all of them and searched for anything it downloads, it *looks* like it just downloads the cache, from here:
--- Code: ---_Storage.zip
--- End code ---

None of these files contain any native binaries like .exe, .dll or anything that wouldn't legitimately be found in a runescape cache or java jar file.  I uploaded all 3 files to virustotal and they were all clean.

Next I fired up windows 8.1 in virtualbox, installed firefox, java 8, and wireshark.  I recorded in wireshark and ran the applet, and also later the launcher.  I tried to log in to play but it said the login server was down.  As far as I can tell the only thing either one downloaded was the cache, which it extracted to my user directory.  I also checked for background processes before and after running them and didn't see any new ones, and none named javaw.exe like the original post said.

I also updated and ran a full windows defender scan which found nothing, then I installed malwarebytes, updated the definitions, then rebooted in safe mode and ran a full malwarebytes scan which also turned up clean.

So as far as I can tell, at the moment I tested all of this stuff it is clean.  It's possible it waits to do bad things, or the bad things don't work on Java 8 or Firefox or Windows 8.1 or something like that as well, so I can't say it's 100% clean, but I couldn't find anything wrong with it so I guess I won't remove it from the server status page for now.

--- End quote ---
Did you check to see if it pulled anything like I had, where it would load a class with URLClassLoader? It was convenient for making changes but could easily be used for malicious activities.
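A static triage script along the lines of the checks discussed in this thread (an added example, not code from the thread or from the client being examined): it unpacks a jar, flags entries with native-binary extensions, and walks each class file's constant pool for strings such as java/net/URLClassLoader or embedded URLs that point to runtime code loading. The jar it inspects is constructed inline and every name in it is made up.

```python
import io, struct, zipfile

NATIVE_SUFFIXES = (".exe", ".dll", ".so", ".dylib", ".bat", ".vbs")  # not expected in a cache or jar
LOADER_INDICATORS = ("java/net/URLClassLoader", "defineClass", "java/lang/Runtime",
                     "java/lang/ProcessBuilder", "http://", "https://")  # runtime code fetching/loading
_CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
             15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}  # payload bytes per fixed-width cp tag

def constant_pool_strings(class_bytes):
    """Walk a .class file's constant pool and return every CONSTANT_Utf8 entry."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        return []  # not a class file, nothing to parse
    count = struct.unpack(">H", class_bytes[8:10])[0]
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = class_bytes[pos]
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            length = struct.unpack(">H", class_bytes[pos + 1:pos + 3])[0]
            out.append(class_bytes[pos + 3:pos + 3 + length].decode("utf-8", "replace"))
            pos += 3 + length
        else:
            pos += 1 + _CP_FIXED[tag]
        idx += 2 if tag in (5, 6) else 1  # long/double take two pool slots
    return out

def triage_jar(jar_bytes):
    """Return {'native': [entry names], 'loader': {class entry: [indicators hit]}}."""
    report = {"native": [], "loader": {}}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.lower().endswith(NATIVE_SUFFIXES):
                report["native"].append(name)
            elif name.endswith(".class"):
                strings = constant_pool_strings(jar.read(name))
                hits = [i for i in LOADER_INDICATORS if any(i in s for s in strings)]
                if hits:
                    report["loader"][name] = hits
    return report

def build_sample_jar():
    """Constructed sample: a class referencing URLClassLoader and a URL, plus a stray DLL."""
    utf8 = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    cp = [utf8("a/Loader"), b"\x07\x00\x01", utf8("java/net/URLClassLoader"),
          b"\x07\x00\x03", utf8("http://example.invalid/x.jar")]
    cls = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(cp) + 1) + b"".join(cp)
           + struct.pack(">HHHHHHH", 0x21, 2, 4, 0, 0, 0, 0))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("a/Loader.class", cls)
        jar.writestr("lib/helper.dll", b"MZ\x90\x00")  # native binary that should not be here
    return buf.getvalue()
```

A clean report is only as good as the indicator list, since an obfuscated client can assemble these strings at runtime, so pair it with the Wireshark capture and process checks described above.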

