Wendy? Yes, Lisa? Is the water warm enough?
Five hours' New York jet lag, and I wake with my face pressed into my keyboard, the edge of the letter K jabbing into my eyebrow. I've completely thrown off my sleep pattern playing malware hunter - my circadian clock blinks. Power's out, but I'm still at home. Still jacking rhythms on the percussive keyboard. Still hitting the splash cymbal with each crack of a fresh can of Pepsi. I'm fuckin' lighting up this place, a one-man band pulling patterns out of nothing, weaving rugs of magic for carpet rides through atmospheric code. I'm Aladdin, right down to my pointy-toed, blue satiny shoes and gaucho pants. Rub my lamp and see your wishes granted, POOF! Were you busy trying to empirically determine what we know and don't know? Attempting to trick the paranoia radar into picking up my virginal radio signals? Hmm. Interesting. I took a different track: I zipped around the inside loop and zoomed right along the Highway to Missing Things to the end of the road.
What the hell was behind these crazyshit server infections festering on the webhost? Correction: not only this webhost, but another one, too. A lot of the shit left behind looks like stuff hackers use to slip in and out, so I hustled my white ass over to some of my favorite hacker/cracker file swarms. Any of those hacking tools use some of the freaky phrases from our favorite server intrusions? A little Xé:3a? Maybe a touch of Sothoth? he asked, pulling a cigarette out of his pocket.
Zippo. An empty lighter.
Jumping categories, I started hitting cherries with each pull as the little wheels spun. "Cracked software" - my nickel slot with the big payoff. I got a pile of matches, but on really strange file results that made no sense, like audio editing software. Surprise, surprise. Some enterprising Russian cracker had taken to bundling his file uploads with a few tasty pieces of payload, all of which offer CPA programs that are probably reeling in the rubles for the man with the plan. Cha-ching!
Or however they say that in Russia - Krakov-King! or Smirnoff-cha! or something. Vodka!
So in the pile of autoinstalling excitement is some strange Windows traybar application called "Lucky 5." It claims to turn "unused cycles C P U in FIELD LUCKINESS it surrounds you." If you can turn off your pedantry for a few more minutes and click your way through the installation without gouging your eyes out, it produces a traybar app with an L5 icon in blue that apparently does nothing except... sit there. It is parasiteware, though, so it must do something besides attempting to make a love connection to an IP address on start. It doesn't look like it's getting a good pillow fluffing at this point - some more fondling of Lucky is clearly warranted to get it to release its secret load.
In the installation files is a configuration file that looks like a veritable orgy of those phrases I was searching for - Sothoth times ten, naked and running through the fields like a stoned hippie. The Outpost will probably look upon that text with fond familiarity, and any other compromised webservers haunted by files with similar text might also be victims of FIELD LUCKINESS.
Oi! It surrounds you!
I’m uploading the extracted installation file and making it available for download below, but PLEASE BE EXTREMELY CAUTIOUS. This is an Internet-active parasiteware payload that could be connected to compromised servers. Only professional malware investigators (like myself - props to me!) should even CONSIDER installing this on a machine, and then only on a machine with enough security layers to prevent further compromise.
Or don't take my warning and just be stupid and download this willy-nilly onto whatever device you want. I'm cool with that, too, because of the following responsibility clause, cleverly written to cover my ass:
YOU ACCEPT ALL RESPONSIBILITY FOR DOWNLOADING THE MALICIOUS SOFTWARE, "LUCKY 5," BY CLICKING THIS LINK.
FURTHERMORE, YOU ACCEPT THAT STU IS A RIGHTEOUS DUDE*.
* I won't hold you to that last part about my righteousness, 'cause it's a pretty unenforceable clause, but I would like to suggest that you keep it in mind from time to time.
Posted by StuR on August 8, 2007 01:56 AM