Downloading from f95zone.to security concern

MrSolid

Newbie
Aug 9, 2023
37
17
So update:
Did a full scan of the drive with Malwarebytes and an offline scan with Windows Defender.
Downloaded the Bitdefender Total Security trial and did an attack trace scan and a system scan. Luckily nothing was found.

I'm thinking that since my Windows is up to date, the default antimalware protection blocked the threat: even though I authorized it with admin privileges to run the setup, nothing happened, and I could see the antimalware service kick in on the taskbar.

The fact that the site looks completely different didn't make you suspicious? :unsure:
I just assumed it was a repository of downloads related to the forum, like those old ROM sites which had forums and a download site.
 

Penumbral Evanescence

|☽◯☾| Somnium of the Night ✧ Bête Noire
Moderator
GFX Designer
Donor
Jul 16, 2021
2,858
9,473
Downloaded the Bitdefender Total Security trial and did an attack trace scan and a system scan. Luckily nothing was found.
That's good to know (y) Yeah Bitdefender's security/system scan should give you the reassurance that you need that there are no threats.

repository of downloads related to the forum
No, typically we (i.e., F95) don't archive a content repository of other downloads/files on another mirror site. We also don't store any files on the site, but merely link to other sites/services.
 

Hagatagar

Well-Known Member
Oct 11, 2019
1,185
3,400
I just assumed it was a repository of downloads related to the forum, like those old ROM sites which had forums and a download site.
Even if we had one of those, the logo would still be the same. ;)
Original: [logo image]
Fake: [logo image]


Look here, it's the official status site for F95zone. It's not .to but .com and has the same logo.

[screenshot of the status site]
 

MrSolid

Newbie
Aug 9, 2023
37
17
So lore update:
I wanted to know more about the malicious file, so I redownloaded it, but this time without running it (let alone giving admin authorization).

Since it's a password-protected file, I unpacked it and repacked it without a password so VirusTotal could scan it (650MB limit).
Here's what it found:

Using this as a reference, I downloaded Kaspersky to scan the malicious file, and unlike the rest (Malwarebytes, Windows Defender, Bitdefender), Kaspersky actually detected the malicious file as HEUR:Trojan.Win32.Lazzzy.gen

Did a quick search and found this
Class:
A malicious program designed to electronically spy on the user’s activities (intercept keyboard input, take screenshots, capture a list of active applications, etc.). The collected information is sent to the cybercriminal by various means, including email, FTP, and HTTP (by sending data in a request).
Platform:
Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.
[screenshot of the search result]
So I think I understand now what happened: since it's a Win32 virus, it wouldn't run on my 64-bit Windows 10 installation, and thank god I did not click on the "run in compatibility mode" prompt I got after the setup failed to run.

I think I'm clear, but just to be extra careful, I'm now running a full scan with Kaspersky.

Leaving this final update so it can hopefully be indexed by search engines and help other horny bastards in the future
Even if we had one of those, the logo would still be the same. ;)
Original: [logo image]
Fake: [logo image]

Look here, it's the official status site for F95zone. It's not .to but .com and has the same logo.

[screenshot of the status site]
I blame my horny brain; rookie mistake that should not have happened by now.
 

Penumbral Evanescence

|☽◯☾| Somnium of the Night ✧ Bête Noire
Moderator
GFX Designer
Donor
Jul 16, 2021
2,858
9,473
downloaded Kaspersky to scan the malicious file, and unlike the rest (Malwarebytes, Windows Defender, Bitdefender), Kaspersky actually detected the malicious file as HEUR:Trojan.Win32.Lazzzy.gen
Ah, Kaspersky, yes, they also provide good A/V software too. I was gonna recommend them as a close second to the ones I indicated in my previous post.

I understand now what happened: since it's a Win32 virus, it wouldn't run on my 64-bit Windows 10 installation, and thank god I did not click on the "run in compatibility mode" prompt I got after the setup failed to run
Yeah, that's good to know. Doing a full system scan with Kaspersky would be a good option as a follow-up system health check procedure (y)

hopefully be indexed by search engines and help other horny bastards in the future
Yeah, it's good to raise awareness of other copycat sites if others might make the same mistake. It's not a big deal, dw about it :sneaky: We all overlook such things from time to time, as it's in human nature to misremember and/or make accidental errors here and there. Accidents happen after all ;)

What matters more is that you uncovered the likely cause and took the appropriate follow-up measures. So, all's well that ends even better (y)
 

anne O'nymous

I'm not grumpy, I'm just coded that way.
Modder
Donor
Respected User
Jun 10, 2017
11,191
16,846
I just assumed it was a repository of downloads related to the forum, like those old ROM sites which had forums and a download site.
There's only one site, and it's F95zone.to

For legacy reasons, there are also a few other domains, like f95zone.com. But if you try to access them, you'll see that the address is changed to "f95zone.to" in your browser navigation bar.
If it isn't, then it's not a legit site and you should run away as far as you can.
 

PurpleDeep

Member
Aug 24, 2019
153
252
So lore update:
I wanted to know more about the malicious file, so I redownloaded it, but this time without running it (let alone giving admin authorization).

Since it's a password-protected file, I unpacked it and repacked it without a password so VirusTotal could scan it (650MB limit).
Here's what it found:

Using this as a reference, I downloaded Kaspersky to scan the malicious file, and unlike the rest (Malwarebytes, Windows Defender, Bitdefender), Kaspersky actually detected the malicious file as HEUR:Trojan.Win32.Lazzzy.gen

Did a quick search and found this

[screenshot of the search result]
So I think I understand now what happened: since it's a Win32 virus, it wouldn't run on my 64-bit Windows 10 installation, and thank god I did not click on the "run in compatibility mode" prompt I got after the setup failed to run.

I think I'm clear, but just to be extra careful, I'm now running a full scan with Kaspersky.

Leaving this final update so it can hopefully be indexed by search engines and help other horny bastards in the future.

I blame my horny brain; rookie mistake that should not have happened by now.
That... does seem kinda scary. I would consider reinstalling Windows.

There was also a thread about running games with Sandboxie on this site.
 

zonesamabaka

Member
Feb 5, 2018
150
379
[screenshot of the search result]
So I think I understand now what happened: since it's a Win32 virus, it wouldn't run on my 64-bit Windows 10 installation, and thank god I did not click on the "run in compatibility mode" prompt I got after the setup failed to run
another example of crappy AI-generated answers. it's worded in a way that is misleading / essentially misinformation

32-bit executables run just fine without the "run in compatibility mode" option. the compatibility it's talking about is built in to modern windows and works in the background automatically. think it's what the whole windows\sysWOW64 directory is for.

the "run in compatibility mode" option is mostly for emulating legacy windows directory structures that aren't used anymore so old programs can find what they're looking for where they expected things to be

there are plenty of modern programs that aren't even compiled 64 bit because they don't need the extra address space or want any needless overhead, & you wouldn't even notice any difference between most 32/64 bit versions of programs on the surface

the fact it "failed" to run is likely intentional. it serves as a logical distraction that's better than silently doing nothing in the background every time you click on it. the end user just assumes it doesn't work and goes on to the next thing.
meanwhile it's actually running some crap it dropped in the temp folder, copying cached credentials or whatever it wants and sending it off to the bad guys' C2 server

which is what it looks like this malware did. as virustotal shows it reaching out to some random .shop & .biz domains that are often used by stealers as they don't really care about complaints or some shit

[screenshot of the VirusTotal network indicators]
might be lumma stealer? the other detections are just generic heuristics

so if you used this computer to log into emails or other important shit just secure those accounts and change your passwords and you should be fine. it probably didn't infect you with malware, just stole your data.
maybe that's better for business for them or something so people keep coming back for more shitty downloads & they get some juicy accounts or crypto wallets every now and then, to use or just sell off
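The point above about 32-bit images running on 64-bit Windows can be checked without ever executing the file: the PE header's Machine field says what the image was built for, and an x86 (0x014C) value means it runs through WOW64 on x64 Windows, with no compatibility-mode prompt involved. This is an added triage helper written for this thread, not code from the forum or from any of the scanners named in it; the sample headers are constructed inline, and `pe_arch_from_file` is a hypothetical name.

```python
import struct

# PE header constants (from the PE/COFF specification)
IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
MACHINE_I386, MACHINE_AMD64, MACHINE_ARM64 = 0x014C, 0x8664, 0xAA64
MACHINE_NAMES = {MACHINE_I386: "x86 (32-bit)", MACHINE_AMD64: "x64", MACHINE_ARM64: "ARM64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def pe_arch(data: bytes) -> dict:
    """Classify a PE image from its headers alone; the file is never executed."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header: not a Windows executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of the PE header
    if e_lfanew + 26 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]   # IMAGE_FILE_HEADER.Machine
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]    # IMAGE_OPTIONAL_HEADER.Magic
    return {
        "machine": MACHINE_NAMES.get(machine, f"unknown (0x{machine:04x})"),
        "format": OPTIONAL_MAGIC.get(magic, f"unknown (0x{magic:04x})"),
        # x86 images run under WOW64 on x64 Windows, x64 images natively; ARM64 does not
        "runs_on_x64_windows": machine in (MACHINE_I386, MACHINE_AMD64),
    }


def pe_arch_from_file(path: str) -> dict:
    """Hypothetical convenience wrapper: the first 4 KiB holds both headers on any normal image."""
    with open(path, "rb") as fh:
        return pe_arch(fh.read(4096))


def constructed_sample(machine: int, magic: int) -> bytes:
    """Constructed minimal DOS + PE header pair for testing (NOT a runnable executable)."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, len(dos))              # e_lfanew points right after the DOS header
    nt = bytearray(26)                                       # signature + file header + optional Magic
    struct.pack_into("<I", nt, 0, IMAGE_NT_SIGNATURE)
    struct.pack_into("<H", nt, 4, machine)
    struct.pack_into("<H", nt, 24, magic)
    return bytes(dos + nt)


if __name__ == "__main__":
    # a "Win32" image still reports runs_on_x64_windows=True: WOW64 handles it transparently
    print(pe_arch(constructed_sample(MACHINE_I386, 0x10B)))
    print(pe_arch(constructed_sample(MACHINE_AMD64, 0x20B)))
```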

MrSolid

Newbie
Aug 9, 2023
37
17
the fact it "failed" to run is likely intentional. it serves as a logical distraction that's better than silently doing nothing in the background every time you click on it. the end user just assumes it doesn't work and goes on to the next thing.
meanwhile it's actually running some crap it dropped in the temp folder, copying cached credentials or whatever it wants and sending it off to the bad guys' C2 server

which is what it looks like this malware did. as virustotal shows it reaching out to some random .shop & .biz domains that are often used by stealers as they don't really care about complaints or some shit
Interesting. I will add, however, that I did multiple full scans with multiple antiviruses (ESET, Bitdefender, Kaspersky, Malwarebytes, Windows Defender) and none of them detected any infections.

If this stealer was embedded into the system, running in the background stealing data, those antiviruses would have detected it, right? Bitdefender even did a trace attack scan and nothing was found.

I would also add that after I ended the setup.exe on the taskbar, since it wasn't doing anything other than kicking the Windows AntiMalware service into overdrive, I got a prompt to run in compatibility mode, which I rejected.

But yeah, I will probably use this as an excuse to clean install windows anyways
 

zonesamabaka

Member
Feb 5, 2018
150
379
If this stealer was embedded into the system, running in the background stealing data, those antiviruses would have detected it, right?
idk how well malwarebytes is with real time detection, if you even had that active (isn't that a premium feature?)
defender is famously bad at stopping shit in real time. and stealer type malware is designed to not raise alarm. copy browser cache / extension data or whatever and send off to a random server, then it's done


i don't mean to sound like a fearmonger or something but some of the popular youtube cybersecurity channels ( like thepcsecuritychannel) have demonstrated malware like lumma and redline that just steal your data quickly and delete themselves without any persistence, so the victims never even realize they were attacked.
later down the line their accounts or money is stolen in some way because they never thought to change their passwords or anything, they didn't realize they had run malware


But yeah, I will probably use this as an excuse to clean install windows anyways
i would too, just for peace of mind. it's good to do every once in a while anyway
 

MrSolid

Newbie
Aug 9, 2023
37
17
idk how well malwarebytes is with real time detection, if you even had that active (isn't that a premium feature?)
defender is famously bad at stopping shit in real time. and stealer type malware is designed to not raise alarm. copy browser cache / extension data or whatever and send off to a random server, then it's done

i don't mean to sound like a fearmonger or something but some of the popular youtube cybersecurity channels ( like thepcsecuritychannel) have demonstrated malware like lumma and redline that just steal your data quickly and delete themselves without any persistence, so the victims never even realize they were attacked.
later down the line their accounts or money is stolen in some way because they never thought to change their passwords or anything, they didn't realize they had run malware

i would too, just for peace of mind. it's good to do every once in a while anyway
That's what I'm asking though; it could not have stolen anything before, because I didn't open any emails or accounts before doing a full scan with Malwarebytes and the other antiviruses I mentioned, all with a full-protection 30-day trial.

If it did steal anything before I installed those antiviruses, it would just be random inputs from me playing a game and browsing online.

So which accounts would I even change the password to, if I did not open anything before doing the full scans with the antiviruses I mentioned?
 

zonesamabaka

Member
Feb 5, 2018
150
379
That's what I'm asking though; it could not have stolen anything before, because I didn't open any emails or accounts before doing a full scan with Malwarebytes and the other antiviruses I mentioned, all with a full-protection 30-day trial.

If it did steal anything before I installed those antiviruses, it would just be random inputs from me playing a game and browsing online.

So which accounts would I even change the password to, if I did not open anything before doing the full scans with the antiviruses I mentioned?
there are more possibilities than just keylogging
one method is that the data that keeps you logged into things in your browser is just sitting in your appdata folder, malicious scripts can just copy data from there and use it to "impersonate" your logged-in sessions. or copy your crypto extensions like metamask or something if you had them. afaik these types of attacks still work today for many sites/services

browser password managers also exist as a vulnerable file sitting on your computer, the credentials may be hashed but now they're exposed to offline bruteforcing attempts at least, if they even need to go that far to use them
 

anne O'nymous

I'm not grumpy, I'm just coded that way.
Modder
Donor
Respected User
Jun 10, 2017
11,191
16,846
browser password managers also exist as a vulnerable file sitting on your computer, the credentials may be hashed but now they're exposed to offline bruteforcing attempts at least, if they even need to go that far to use them
Brute force isn't mandatory.

Nowadays we all log in to a service so many times a day. Globally speaking, it suffices for the malware to wait for one of those logins and keylog the global password used for the password manager. Or it can have hooked itself into the said password manager. Then it doesn't even have to listen for the keyboard entry; at some point the global password will be sent in clear to a function, and intercepted at that moment.
Then, as you said, the malware can remove itself. So it will be present for something like an hour, and it will be enough to steal all the credentials.
 