WSA finds w32.infostealer.zeus in Kerbal Space Program

Discussion in 'Prevx Releases' started by justenough, Aug 20, 2013.

Thread Status:
Not open for further replies.
  1. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    WSA found w32.infostealer.zeus in Kerbal Space Program a month ago so I did a system image install and kept Kerbal off. Just now I downloaded and ran Kerbal and again WSA found w32.infostealer.zeus while Kerbal was starting up. I stopped the program in mid-load. Kerbal is a fairly popular program, but its website has had a couple of major crashes in the past because of malware or hacking. One time it was down for a week while they sorted things out.

    I don't have a log to send, sorry, I deleted and erased everything as quickly as possible. I could download and run the program again if absolutely necessary just to get a log, but I'd be happier if someone at Webroot did that. https://kerbalspaceprogram.com/

    Doing a search didn't turn up much that was useful, just this Kerbal forum thread where they didn't take the threat very seriously: http://forum.kerbalspaceprogram.com/showthread.php/39086-Patcher-security-concerns-split-post

    Post #9 seemed to be from someone who knew what they were talking about:
    "A lot of programs that try to update themselves get incorrectly identified as trojans by antivirus programs, as that's how many trojans operate: They worm their way in, then download a payload that does things, or just update themselves to the latest edition. In this case, the patcher's (broken) autoupdate feature is what's making your antivirus freak out."

    "If you're concerned, here's a link to an analysis of the Windows patcher. As you'll note, it's UPX packed, which makes it smaller, but also sets off some antiviruses. UPX is basically a ZIP file around the EXE. This site doesn't analyze the file while it's running, so it's not going to detect the self-downloading feature."

    I would just go with his assessment except for one thing: I think a month ago, when I started up Kerbal and WSA found w32.infostealer.zeus, there were also other files being flagged rapidly that had nothing to do with Kerbal or anything else on my computer; it was as if they were being downloaded or they came with zeus. Like this time, in my hurry to abort Kerbal while it was starting up and get everything off my computer, I didn't save the information.

    Let me know if you need anything else.
     
  2. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    How will the Kerbals get home now! They have families, think of the families! :blink:
     
  3. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    On my Kerbin it was a lucky Kerbal who returned to his family. The ones who didn't blow up on liftoff usually wound up drifting without fuel between the planets. Amazingly for such an inept species they had somehow gotten cloning right. Never ran out of Dillorfs and Wehrbles and Dunbros and Johndons and Thompguns and Fredfurts etc.
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'll pass it onto our threat research team - thanks! :)
     
  5. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Hello justenough,

    Can you please install the program again? One of Webroot's Threat Researchers was looking at this thread and asked if you could submit a Support Ticket with "DanP" in the subject line so that he can get some logs from you. He downloaded and installed it and didn't find anything, so it would be very helpful.

    TIA,

    Daniel
     
    Last edited: Aug 20, 2013
  6. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    Okay, infostealer.zeus was detected again, log file has been sent.
     
  7. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Thank you. Can you post the infected lines from the scan log for us?

    TIA,

    Daniel ;)
     
  8. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    Sure, which of these lines do you want that won't reveal personal information?

    Automated Cleanup Engine
    Starting Cleanup at

    Starting Routine>
    Deleting File>
    Closing Handle>
    Writing Registry Value>
    Deleting Registry Value>

    Automated Cleanup Engine
    Starting Cleanup at

    Starting Routine>
    Deleting File>
    Closing Handle>
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That's the cleanup log - we'd need the scan log.
     
  10. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    Sorry, I was looking in the wrong place. Turns out I didn't need to reload KSP today, the scan logs were intact from yesterday. I think this is what you wanted:

    Infection detected: c:\users\name\documents\ksp\ksp-win-0-21-1\ksp_win\patcher.exe [MD5: 137415EA7BE76B0FED6FA6D6183C469B] [3/00080000] [W32.Infostealer.Zeus]

    File blocked in realtime: c:\users\name\documents\ksp\ksp-win-0-21-1\ksp_win\patcher.exe [MD5: 137415EA7BE76B0FED6FA6D6183C469B, Size: 311296 bytes] [524288/00000003] [W32.Infostealer.Zeus]

    Determination flags modified: c:\users\name\documents\ksp\ksp-win-0-21-1\ksp_win\patcher.exe - MD5: 137415EA7BE76B0FED6FA6D6183C469B, Size: 311296 bytes, Flags: 00000020

    Performing cleanup entry: 1
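    The scan-log lines above are exactly the evidence a vendor needs to confirm a false positive, and the thread is resolved by whitelisting the file's hash rather than its name or path. As an added example (not Webroot's code or anything posted in the thread), here is a small Python parser that pulls the path, MD5, size and detection name out of lines in that format and keys the triage verdict on the hash; the whitelist set is an assumed stand-in for the vendor's decision.

```python
import re
from collections import defaultdict

# Scan-log excerpt as posted in the thread; the poster already replaced the username with "name".
SCAN_LOG = [
    r"Infection detected: c:\users\name\documents\ksp\ksp-win-0-21-1\ksp_win\patcher.exe [MD5: 137415EA7BE76B0FED6FA6D6183C469B] [3/00080000] [W32.Infostealer.Zeus]",
    r"File blocked in realtime: c:\users\name\documents\ksp\ksp-win-0-21-1\ksp_win\patcher.exe [MD5: 137415EA7BE76B0FED6FA6D6183C469B, Size: 311296 bytes] [524288/00000003] [W32.Infostealer.Zeus]",
    r"Determination flags modified: c:\users\name\documents\ksp\ksp-win-0-21-1\ksp_win\patcher.exe - MD5: 137415EA7BE76B0FED6FA6D6183C469B, Size: 311296 bytes, Flags: 00000020",
    "Performing cleanup entry: 1",
]

# File events start with an event type, a colon and a drive-letter path; the path ends at " - " or " [".
EVENT_RE = re.compile(r"^(?P<event>[^:]+): (?P<path>[A-Za-z]:\\[^\[]+?)(?: - | \[)")
MD5_RE = re.compile(r"MD5: (?P<md5>[0-9A-Fa-f]{32})")
SIZE_RE = re.compile(r"Size: (?P<size>\d+) bytes")
NAME_RE = re.compile(r"\[(?P<name>W32\.[^\]]+)\]")

def parse_events(lines):
    """Return one dict per file event; bookkeeping lines without a path (cleanup counters) are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        md5, size, name = MD5_RE.search(line), SIZE_RE.search(line), NAME_RE.search(line)
        events.append({
            "event": m["event"],
            "path": m["path"].lower(),
            "md5": md5["md5"].upper() if md5 else None,
            "size": int(size["size"]) if size else None,
            "detection": name["name"] if name else None,
        })
    return events

def triage(events, known_good_md5s):
    """Collapse events onto file hashes and give each hash a verdict keyed on the hash, not the path."""
    by_hash = defaultdict(lambda: {"paths": set(), "events": [], "detections": set(), "size": None})
    for ev in events:
        if ev["md5"] is None:
            continue
        rec = by_hash[ev["md5"]]
        rec["paths"].add(ev["path"])
        rec["events"].append(ev["event"])
        if ev["detection"]:
            rec["detections"].add(ev["detection"])
        if ev["size"] is not None:
            rec["size"] = ev["size"]
    verdicts = {md5: ("whitelisted: restore from quarantine and rescan" if md5 in known_good_md5s
                      else "unverified: keep quarantined, send hash and sample to the vendor")
                for md5 in by_hash}
    return verdicts, dict(by_hash)

# Assumed stand-in for the vendor whitelist: the hash the thread reports as cleared by Webroot.
VENDOR_WHITELIST = {"137415EA7BE76B0FED6FA6D6183C469B"}
```

Run `triage(parse_events(SCAN_LOG), set())` for the verdict before the vendor acted and `triage(parse_events(SCAN_LOG), VENDOR_WHITELIST)` for the verdict after; the cleanup-engine lines the poster first pasted carry no hash and would simply be skipped.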
     
  11. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Thank you, that's it! Let us know the outcome! :)

    Daniel
     
  12. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    @ justenough the file has been Whitelisted so please do a scan and everything should be fine now.

    Cheers,

    Daniel ;)
     
  13. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Praise Kerbin! :thumb:
     
  14. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    The Kerbals can come out to play! :D

    TH
     
  15. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    Good news, thanks. Kerbals better hold on tight, they're going for a ride.
     