Thema: Kangaroo EA
Einzelnen Beitrag anzeigen
  #219 (permalink)  
Alt 01.03.12
Benutzerbild von Tweety
Tweety Tweety ist offline
Registriert seit: Oct 2011
Beiträge: 53
Tweety befindet sich auf einem aufstrebenden Ast
Standard Kangaroo EA könnte mit einem Virus infiziert sein

Hallo Leute,

heute ereichte mich folgende E-Mail. Bitte prüft euren EA!

Dear Customer,

Last night, CNS (a VPS service provider) contacted us and made us aware that some users running KangarooEA on their VPS were showing abnormal memory usage and leaks.
Further investigation led CNS to believe that the installer package of Kangaroo was infected with a new, undefined trojan.

We are extremely thankful to CNS for bringing this to our attention and for the cooperation they have given us to work together and take appropriate measures for both parties and protect the interest of our clients.

The complete TulipFX team worked around the clock with CNS to pinpoint the source and vector the vulnerability.
We have discovered that through our vbulletin software (the forum), a vulnerability was exploited by a hacker who gained access to part of our server. He modified the installer and added his Trojan.

While we regularly scan our site and have our site monitored by a third party, the trojan was new and undetectable as well.

In short we inform you of our mutual findings:
• While there is no known a/v scanner that can detect the trojan, it appears to infect Windows 2003 OS’s with a new undetectable variant of backdoor:win32/fynloski.a. Past variants of this backdoor allow the attacker full control of the infected system.
• CNS has submitted the trojan to Microsoft for review and acknowledgement and await response (and possibly a cleaner).
• Users who use Windows 7 or run Windows 2008 server software (also available on most VPS services) are likely not affected.
• Customers who downloaded during the months of December and January could possibly be infected.
• We updated our installers end of January/start of February and by doing so the installer was overwritten and does not contain any infection.
• By cross-matching several log files we have identified about 20 customers who might have been infected.
• We have also attached the CNS announcement for your review, see bottom of this email.

Actions we have taken since last night:
• On the download page we have posted a MD5 hash (Checksum). This hash should be identical to the hash of the download package. For user convenience, we have posted a link to a good free MD5 checksum tool as well.
• We are in the process of getting future downloads digitally signed. This means that it will be impossible for anyone to ‘add’ a file, virus, trojan etc. and gives the users a guarantee they download a genuine original package.
• We have identified the vulnerability in vbulletin and reported this to the software company that makes this forum software.
• The forum is closed for now as we’re performing a complete reinstall. We hope to complete this process within the next 24 hours.
• Besides the usual actions (such as changing passwords etc), we’ve installed additional security measures.
• We’ve found the hacker IP address, and have tracked his activities. Seems he works via a proxy server based in Singapore.
• He’s been able to modify the installer package in the direct download link ( but not the download version which was posted on the forum.
• We’ve added htaccess security checks, and we’re investigating software that will notify us when a file (.php, .js, etc) gets changed or added. In this case, the hacker found a hole and added a backdoor. This is now plugged.

How to identify if your VPS or computer might be infected:
• CNS already submitted a complete sample to Microsoft. You can view it here:
• A working anti-virus definition should be out soon. You can still detect the presence by looking in the following folder:
• C:\Documents and Settings\Administrator\Local Settings\Temp
(change Administrator to your user name)
• In this folder, look for a file named winlogon.exe, 772KB in size. If this file is there, it’s infected. Note: There is a legit winlogon in system32 but that one is located one level above this folder.
• CNS have not found a way to safely remove it – it requires a full reprovisioning of the Virtual Machine on VPS. Microsoft may find a way soon.
• We will notify you immediately should we receive the news a cleaner tool has been released by Microsoft or any other instructions are given to remove and clean.

We are extremely sorry this has happened. We take every precaution to protect ourselves from hackers and spammers and it’s a never ending struggle.
Even Facebook got hacked recently and 16.000 personal profiles were compromised before the hack was noticed.
That’s not an excuse but merely shows the increase in online hacking attempts.

Please do not hesitate to contact us should you have questions.

Kind regards,

Ozzie, Dutch and the Tech support team,

RE: VM - Infected VM - Kangaroo EA installer – Trojan backdoor infection

Please be advised we have detected a backdoor trojan outbreak which started from a file named KangarooEA_Setup_v6.4.exe and downloaded from a forum download page. A CNS technician has examined your VM and determined it is infected or has been exposed to the infection and requires further examination.

TulipFX has been informed and they’ve been helpful in providing us with all necessary information to identify potentially affected CNS subscribers.

While there is no known a/v scanner that can detect the trojan, it appears to infect Windows 2003 OS’s with a new undetectable variant of backdoor:win32/fynloski.a. Past variants of this backdoor allow the attacker full control of the infected system, including:

• Full compromise of keystrokes, passwords, etc.
• Capture video from the webcam
• Record sound produced by the computer
• Type text on the screen
• Control the clipboard
• Control the mouse, including the clicks
• Hide the operating system's default screens and windows
• Set a custom background
• Display a message box
• Open and close the CD-ROM drive door

Upon infection the Windows OS may spawn a number of background iexplore.exe processes that consume RAM at a rapid rate, eventually leading to system crash. This may be due to a DoS attack being initiated by the trojan owner. The trojan hooks into the windows registry at a point triggered by a windows login event, so signs may not be evident until a user logs into the VM. There is not yet an a/v scanner that can detect or clean the infection. The only safe resolution to date is to reprovision the VM as new or revert back to a previous VM snapshot.

Please open a support ticket immediately so we can begin the cleanup process. You should also IMMEDIATELY change any passwords you saved in the VM or used to login to other services from the VM.

If you ran the file KangarooEA_Setup_v6.4.exe from your PC then please let CNS support know so we can help you recover your system integrity.


On February 28th, CNS Support received the first support ticket from a subscriber reporting a non-responsive VM. Upon analysis, we found multiple internet explorer processes were being started in the background and consuming RAM very quickly, eventually leading to system crash. During the analysis of this first ticket, a second ticket was received by a different subscriber reporting the same issue. By analyzing both VM’s together, we found a malicious file ‘winlogon.exe’ had been saved to C:\Documents and Settings\Administrator\Local Settings\Temp and hooked to the system via the registry. Also in that folder was a batch file to deploy the infection called tmpcmd.bat. While this is relatively common for Trojans, we found another file common between both VM’s named KangarooEA_Setup_v6.4.exe. These files had matching date and time stamps indicating they had the same source.

A third ticket with the same issue was received shortly after the second. Our investigation found the source of the infection was a forum download of the KangarooEA_Setup_v6.4.exe file. Running this installer will infect the machine with the undetectable trojan, we believe to be a variant of backdoor:win32/fynloski.a.

We contacted the EA publisher TulipFX on February 29th and made them aware of the trojan outbreak. The publisher subsequently shared information with us allowing CNS technicians to examine the VM's of CNS subscribers who may be at risk. This information lead us to examine your VM and ultimately alert you to the issue.

The publisher has told us:

While we scan our sites on a regular basis, we were not aware of this security threat since the trojan is new and undetectable by current anti-malware scanning software.

On February 29, TulipFX received an infected copy of the installer from one of our clients, which allowed us to investigate and identify the security hole and point us to the location where the hacker modified the installer.

After review of our forum logs and access logs we can conclude that in late December, around Christmas our forum got hacked and a trojan was added into the Kangaroo installer package.

Since then the infected installer has been overwritten by uploading new updates of Kangaroo to the forum, as we have updated the download package with a new version of the manual.
These installer versions are clean and not infected, which was also confirmed by CNS.

TulipFX wishes to kindly thank CNS for alerting us and while current downloads are fine and the vulnerability has been patched, we’re taking new security measures to prevent this from happening again.

In addition to these new measures, we are in the process of using digital signing of the download file to ensure safe and genuine downloads for all our (mutual) clients.

What we are doing to prevent further exposure of CNS subscribers:

We are continuing to work with the EA publisher to identify CNS subscribers who may be at risk and inspect their VM's for signs of infection.
We have submitted a sample of the infection to the Microsoft Malware Protection Center so that a/v scanners can begin to detect it.
We are sending you this alert so that we can help you recover from the infection.
And we are working as fast as possible to develop IPS signatures that can detect the trojans activity, stop it and notify us so that we can notify subscribers of suspect activity.

Getting Help:

Thank you for choosing Commercial Network Services. Please let us know if you have any questions or concerns. We are always here to help you. We maintain a ticketing system in order to effectively address and track your support issues. Please login to your Client Area and click "Help Desk" near the top, then click "Submit a Ticket" to send a new support request to our technicians.

NOTE: This message has been digitally signed. For your security, ALL electronic mail sent by CNS is digitally signed. If your eMail client is S/MIME compliant then you will see a digital certificate in the email message. This certificate proves the email was sent to you by CNS. If your email client is not S/MIME compliant, then you will find an attachment smime, which can be safely ignored.