Exetools  

#1
03-05-2003, 18:56
c4p0ne (Friend; Join Date: Jul 2002; Posts: 83)

klient v2.0.14 / Malicious

This is actually an interesting story, as I have never run into cracked software that has been so blatantly modified to perform malicious actions on the user. Klient is a superior IRC client for win32 that has been under development for years and is available at htEtEp://www.klient.com. Recently I ran into multiple "malicious" cracked releases of Klient on the internet from IRC, Newsgroups, G2, FastTrack, you name it. Before I go on I would just like to point out the proper MD5 signatures of the malicious files in case any of you would like to take a look at this (trust me, the story gets better):

For "Klient.v2.0.12.2215.WinAll-PH.rar" :

E0635965E173B38D1E1A8664394A3094
-and-
DEAD5549D33DC46C2F632575588CC8AB

For "Klient.exe" itself which is after installation:

EE808460F0DC0B84F3FAB0DF1231C568
-and-
3F2950537AD2C500CAC2C374469B2CB1

There are CERTAINLY more variations of this malicious phrozen hell "release" floating around that I haven't tested, including a v2.0.14 version that I lost somehow before I got to fingerprint it. Anyway, since I am a network engineer and nowhere near the programmer I would like to be yet, I do not possess the required skillset to take apart malicious executables and run through the code to see "what's up". Thus, like a crippled man, my other "senses" had to increase in order to compensate for my grotesque deficiency in programming (like a blind man with super hearing).

I set up some traffic analysis on the wire and ran Klient to see what the f*ck was going on. I discovered that once connected to a network/channel, in secret, klient would immediately (yet randomly) start spamming everyone in the channel(s) you were in with a message similar to "Hey I use cracked software, Hmmm, wonder what else this exe is doing to this computer. I really am a jackass for using software hacked by some lamer. use !jackass to disconnect me. Who knows maybe the next release will have a !format command?"

Through further investigation I discovered that in certain "releases", anyone actually COULD format your hard drive by using the !VBS command in a channel. At first I was upset that some crack addict would make a mod like this to a perfectly good application. I even wondered for a while if this was a deliberate hack from phrozen hell themselves, but I later discarded that theory because I never heard of any problems with their releases. Then yesterday it dawned on me. I believe that this is actually the diabolical work of the obviously disgruntled PROGRAMMER OF THE APPLICATION himself!!!

I believe that phrozen hell was actually TRICKED into believing that once the protection was removed from klient.exe their job was done: "crack completed, pack, distribute". But now I see it is clear that there was EXTRA code in klient.exe that PH had OVERLOOKED, which was placed there by the coder specifically to detect if the program has been "tampered" with and to subsequently enable these malicious and vicious features!

I still have the original malicious executable if one of the gurus would like to take a shot at it but the whole package can be found pretty much anywhere on the internet. I would really like a clean version because as it is, in order to successfully use this malicious version I have had to set up EXTENSIVE firewall/ids rules to deny this malicious behaviour literally at the TCP level; which is very annoying and like Michael Jackson, makes me feel betrayed.

-Thanks for the help guys.
#2
05-01-2003, 21:49
prejker
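The wire-level check described in the post above (watch the IRC session for the client's covert channel spam and for the remote `!jackass` / `!VBS` trigger commands) can be automated with a small IRC-line analyzer. This is an added example, not code from the thread or from Klient: the captured lines below are constructed for illustration, the spam signatures are taken from the message text quoted in the post, and the `our_nick` parameter and the alert tuple format are this example's own conventions.

```python
import re
from collections import Counter

# Minimal IRC wire-format parser: optional ":prefix", command, middle params,
# and an optional ":trailing" argument (RFC 1459 line shape).
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?(?P<command>\S+)"
    r"(?P<params>(?:\s+[^:\s]\S*)*)?(?:\s+:(?P<trailing>.*))?$"
)

# Phrases taken from the spam text quoted in the post (lower-cased for matching).
SPAM_SIGNATURES = (
    "hey i use cracked software",
    "jackass for using software hacked by some lamer",
    "use !jackass to disconnect me",
)

# Channel commands the post says the tampered client reacts to.
REMOTE_TRIGGERS = {"!jackass", "!vbs"}

# Constructed sample of decoded IRC traffic (not a real capture).
SAMPLE_IRC_LINES = [
    ":me!user@host PRIVMSG #chan :hi all",
    ":me!user@host PRIVMSG #chan :Hey I use cracked software, Hmmm, wonder what else this exe is doing to this computer.",
    ":me!user@host PRIVMSG #other :I really am a jackass for using software hacked by some lamer. use !jackass to disconnect me.",
    ":bob!u@h PRIVMSG #chan :!jackass",
    ":eve!u@h PRIVMSG #chan :!VBS something",
    ":alice!u@h PRIVMSG #chan :normal chat",
    "PING :server",
]


def parse_irc_line(line):
    """Split one IRC line into nick, command, params and trailing text."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    prefix = m.group("prefix") or ""
    return {
        "nick": prefix.split("!", 1)[0],
        "command": m.group("command").upper(),
        "params": (m.group("params") or "").split(),
        "trailing": m.group("trailing") or "",
    }


def analyze_irc_lines(lines, our_nick):
    """Return (kind, target, nick, text) alerts for two behaviours:
    spam_broadcast: our own client sending the tell-tale spam text;
    remote_trigger: someone else issuing a trigger command in a channel."""
    alerts = []
    for line in lines:
        msg = parse_irc_line(line)
        if msg is None or msg["command"] != "PRIVMSG":
            continue
        target = msg["params"][0] if msg["params"] else ""
        text = msg["trailing"]
        lowered = text.lower()
        if msg["nick"] == our_nick and any(sig in lowered for sig in SPAM_SIGNATURES):
            alerts.append(("spam_broadcast", target, msg["nick"], text))
            continue
        first_word = lowered.split(maxsplit=1)[0] if lowered else ""
        if msg["nick"] != our_nick and first_word in REMOTE_TRIGGERS:
            alerts.append(("remote_trigger", target, msg["nick"], text))
    return alerts


def summarize(alerts):
    """Count alerts per kind, e.g. Counter({'spam_broadcast': 2, 'remote_trigger': 2})."""
    return Counter(kind for kind, *_ in alerts)


if __name__ == "__main__":
    for alert in analyze_irc_lines(SAMPLE_IRC_LINES, our_nick="me"):
        print(alert)
    print(summarize(analyze_irc_lines(SAMPLE_IRC_LINES, our_nick="me")))
```

Feeding the analyzer a decoded IRC stream (for example the reassembled TCP payload of port 6667 traffic from the same capture the post describes) gives an alert the moment the client starts broadcasting on its own, which is a cheaper signal than blocking at the TCP level.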
Look at underpl's proper release for Klient... it works for me but some people say that it gets expired after 30 days.
#3
05-02-2003, 02:22
drasd_20002
Zoom Player 3 Pro also appears to have some mal code.

I tried unpacking it with the upx -d --force option.

It generates a .upx file. Touch (select) the file and Explorer freezes.

Try to zip/rar/hex edit it and the corresponding app freezes.

Try a virus scan and all virus scanners freeze.

I don't know what it contains.

BEWARE
#4
05-06-2003, 04:20
c4p0ne

The latest discovery (probably TOO late) I've made is "softwares" using API hooking techniques to hide from OS level shyt like file listing, registry listing, and most importantly, COMPLETE STEALTH from standard NETSTAT.

Scary. No, really, it IS, because if *I* had a bitch of a time pinning stuff like this down and eradicating it by hand, then imagine those poor souls who're still having trouble finding notepad.exe so they can type something.

(!)
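The standard defender's answer to a user-mode hook that hides sockets from netstat is a cross-view check: take the listing the hooked tool shows, take the same information from a source the hook cannot touch (a kernel-level enumeration, or the traffic seen from another host on the wire), and diff them. The following is an added example, not code from the thread or from any tool named in it: the netstat text and the "low-level" socket table are both constructed, the low-level record format is invented for the example, and the 203.0.113.7 address is a documentation-range placeholder.

```python
import re

# Constructed output in the shape of Windows "netstat -an", standing in for
# the picture the hooked user-mode API gives (made up for this example).
NETSTAT_VIEW = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1026      192.168.1.1:139        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed "ground truth" obtained outside the hooked API (e.g. a kernel
# enumeration or a sniffer on another host). Record format is this example's
# own: (proto, local, remote, state).
LOW_LEVEL_VIEW = [
    ("TCP", "0.0.0.0:135", "0.0.0.0:0", "LISTENING"),
    ("TCP", "192.168.1.10:1026", "192.168.1.1:139", "ESTABLISHED"),
    ("TCP", "192.168.1.10:1045", "203.0.113.7:6667", "ESTABLISHED"),
    ("UDP", "0.0.0.0:445", "*:*", ""),
]

NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)


def normalize(proto, local, remote, state):
    """Canonical tuple so the two views compare on content, not on case/spacing."""
    return (proto.upper(), local, remote, (state or "").upper())


def parse_netstat(text):
    """Parse netstat-style rows into a set of normalized socket tuples;
    header and blank lines are skipped."""
    sockets = set()
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            sockets.add(normalize(*m.groups()))
    return sockets


def cross_view_diff(api_view, low_level_view):
    """Return (hidden, phantom): sockets present only in the trusted low-level
    view (hidden from the API-level tool) and sockets only the API reports."""
    low = {normalize(*rec) for rec in low_level_view}
    hidden = sorted(low - api_view)
    phantom = sorted(api_view - low)
    return hidden, phantom


if __name__ == "__main__":
    hidden, phantom = cross_view_diff(parse_netstat(NETSTAT_VIEW), LOW_LEVEL_VIEW)
    for sock in hidden:
        print("hidden from netstat:", sock)
    for sock in phantom:
        print("reported only by netstat:", sock)
```

A non-empty `hidden` list is the signal: the API-level tool is lying by omission, which is exactly what a hooking rootkit produces. The trusted view has to come from below or outside the hooked layer for the comparison to mean anything.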