Hi all,
I need some help. I just stumbled upon the flame war over at the Overclock.net site regarding the Swedish overclocker “The Stilt” releasing a simple timing checker app which seems to be a trojan horse malware.
Can someone with knowledge of these things look into this if it is something quick to do as I have installed that software on 10 different computers in last 2 months for my customers as I was getting them ready.
If someone had installed/downloaded that software in the last 2 months on a windows 8 or 10, please let me know if it is really malware. I appreciate this community <3
ps. Wendel your beard is the fountain of all knowledge!
It is not clear, it seems to be some AutoIt script that unpacks during run time. The Stilt is saying that is to protect some secret Zeppelin registers, but I am not sure.
I called my customers, things seem to be fine, although a few had some problems with bluetooth and reboots.
Scary! Please keep me posted, oh the world we live in
Well I should have looked at this damn thing earlier.
Used it a few times on a testbench, but never on a working machine.
Certainly looks suspicious as all hell. All it should really need is WinRing0 for reading hardware specific details.
Certainly includes AutoIt.
I just tested it after stripping out WINSOCK and all of the network code and the thing still works. Mind you I didn’t do it neatly. Just the sledgehammer approach.
I haven’t got time to do a full analysis. Reversing this thing isn’t done in an afternoon. It’s essentially built like most malware, with a healthy amount of obfuscation.
Several things about it stand out:
Using AutoIt packed into an Exe - Major Red Flag. This tool can do just about anything.
VM Detection code.
Using a mix of upx packer and some custom packing.
The Handling of the matter by the Stilt such as threads and entire pages of content simply being deleted.
I’m not sure how deep it goes.
Everything about it stinks and I’m not willing to trust it implicitly.
It’s also been passed on to some Malware Researchers. Might pop in a writeup someplace soon.
I’ll see about extracting the AutoIt script from the binary.
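For anyone who has this tool sitting on a customer machine and wants a quick first-pass triage of the traits named in the post above (UPX packing, an embedded compiled AutoIt script, Winsock imports, and the WinRing0 driver a hardware reader legitimately needs), here is a small static scanner. It is an added example written for this thread, not the tool's code or anything from The Stilt; the marker strings are the well-known public ones, the byte blob it scans is constructed for the demo, and the verdict rules encode the reasoning in the post rather than any vendor's detection logic.

```python
import re

# Public marker strings for each trait discussed in the thread.
INDICATORS = {
    "packer_upx": [b"UPX0", b"UPX1", b"UPX!"],
    "autoit_script": [b"AU3!EA06", b"This is a third-party compiled AutoIt script."],
    "network_winsock": [b"WS2_32.dll", b"WSOCK32.dll", b"WININET.dll"],
    "hardware_driver": [b"WinRing0.sys", b"WinRing0x64.sys"],
}

def looks_like_pe(data: bytes) -> bool:
    """MZ stub present and a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def triage(data: bytes) -> dict:
    """Case-insensitive scan; returns {family: [markers found]} for non-empty families."""
    hits = {}
    for family, markers in INDICATORS.items():
        found = [m.decode() for m in markers if re.search(re.escape(m), data, re.IGNORECASE)]
        if found:
            hits[family] = found
    return hits

def verdict(data: bytes) -> str:
    """Apply the thread's reasoning: a timing reader needs a driver, not a network stack."""
    if not looks_like_pe(data):
        return "not-pe"
    hits = triage(data)
    if "autoit_script" in hits and "network_winsock" in hits:
        return "suspicious"          # embedded script that can do anything, plus networking
    if "autoit_script" in hits or "packer_upx" in hits:
        return "review"              # packed or scripted, but no network code seen
    if "hardware_driver" in hits:
        return "consistent-with-stated-purpose"
    return "no-indicators"

def build_sample(network: bool = True) -> bytes:
    """Constructed stand-in binary: MZ stub, PE signature at 0x80, then marker strings."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + (0x80).to_bytes(4, "little"))
    hdr += b"\0" * (0x80 - len(hdr)) + b"PE\0\0"
    body = b"UPX0\0UPX1\0AU3!EA06\0WinRing0x64.sys\0"
    if network:
        body += b"ws2_32.dll\0"      # lower-case on purpose to show the case-insensitive match
    return bytes(hdr) + body

if __name__ == "__main__":
    for has_net in (True, False):
        blob = build_sample(network=has_net)
        print(f"network={has_net}: {verdict(blob)} {triage(blob)}")
```

Run it against a real file with `verdict(open(path, "rb").read())`; the `network=False` case mirrors the "stripped Winsock and it still works" observation, which is why that variant drops to "review" rather than clearing.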
This entire thread was also deleted instead of being handled/debunked in a normal way.
No explanation just escape and evade played by the Stilt.