IPB





Welcome Guest ( Log In | Register )

 
Reply to this topicStart new topic
> Punkbuster Trojan?, Trojan infecting Punbuster?
HarkinFell
post Mar 14 2008, 05:28 PM
Post #1


Peasant
*

Group: Members
Posts: 35
Thank(s): 0
Points: 0
Joined: 29-February 08
From: UK
Member No.: 83




Recently Punkbuster has been reacting weirdly..usually when I play BF2 I put my Bitdefender into Game Mode, this allows Punkbuster to freely do what it wants to etc.. Otherwise it usually kicks me. But since a few days even when my Ainti-Virus is in Game Mode I get kicked from the server. So now I have to manually disable Real-tine scanning and then it allows me on the server no probs. As a hunch I looked at my Bitdefender logs and came across this:

And it seems that a file somewhere in Punbuster or on the PB server is infected, it seems Alot of peeps are getting kicked randomly, maybe because of this. I'm not sure at all how PB works but i thought i would share this with you Fiend cos you seem to know alot about PB and how it works...so what do you think is happening here?
Go to the top of the page
 
+Quote Post
MonkeyFiend
post Mar 14 2008, 08:34 PM
Post #2


Security and Projects
**********

Group: Clan Dogsbody
Posts: 4,687
Thank(s): 1098
Points: 2,440
Joined: 31-August 07
From: A Magical Place, with toys in the million, all under one roof
Member No.: 1




PB released a new server version the other day with a few major changes to it. Some Great changes - partially written by a skilled and quite probably handsome person (tongue.gif)

As you may know you computer will run the processes pnkbsta and pnkbusterb -it also runs pnkbstrk as a windows service

The K service is executed from C:\WINDOWS\system32\drivers\PnkBstrK.sys

The packing of the file means that it can't be scanned by antivirus - this packing makes it harder for hack makers to tinker with the internal workings of the PB software.

Bitdefender is falsely identifying the K service as a virus.. see here:

http://forum.bitdefender.com/index.php?sho...amp;#entry23995

The real virus however drops and execute a program that will install a second component (wincom32.sys) which is a rootkit component that will hide itself and its configuration file wincom32.ini. The following key (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wincom32) is created in order ensure that the driver is loaded when Windows starts. The “ini” file (wincom32.ini) contains a white list (a peers list of infected machine) and a black list. Wincom32.sys contains a secondary executable file that updates wincom32.ini. This executable can also download and run different files. It uses port 7871 UDP to communicate with other hosts (similar with a P2P network). It may receive commands to download from one of this hosts.

Basically a false positive.


--------------------

Go to the top of the page
 
+Quote Post
HarkinFell
post Mar 14 2008, 09:06 PM
Post #3


Peasant
*

Group: Members
Posts: 35
Thank(s): 0
Points: 0
Joined: 29-February 08
From: UK
Member No.: 83




QUOTE(MonkeyFiend @ Mar 14 2008, 08:34 PM) *
PB released a new server version the other day with a few major changes to it. Some Great changes - partially written by a skilled and quite probably handsome person ( tongue.gif )

As you may know you computer will run the processes pnkbsta and pnkbusterb -it also runs pnkbstrk as a windows service

The K service is executed from C:\WINDOWS\system32\drivers\PnkBstrK.sys

The packing of the file means that it can't be scanned by antivirus - this packing makes it harder for hack makers to tinker with the internal workings of the PB software.

Bitdefender is falsely identifying the K service as a virus.. see here:

http://forum.bitdefender.com/index.php?sho...amp;#entry23995

The real virus however drops and execute a program that will install a second component (wincom32.sys) which is a rootkit component that will hide itself and its configuration file wincom32.ini. The following key (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wincom32) is created in order ensure that the driver is loaded when Windows starts. The "ini" file (wincom32.ini) contains a white list (a peers list of infected machine) and a black list. Wincom32.sys contains a secondary executable file that updates wincom32.ini. This executable can also download and run different files. It uses port 7871 UDP to communicate with other hosts (similar with a P2P network). It may receive commands to download from one of this hosts.

Basically a false positive.


Haha Nice 1 Fiend, show them Punky boys how to do it properly...

Yeah I just wasn't sure what it was, what I ended doing was adding the Pb folder to the Exceptions list, and so far it seems perfect. Just a heads up about it, cos I rem that guy from your clan was having similar problems yesterday after he re-installed BF2 and everything, and he was still getting kicked immediately. Maybe it had something to do with this false-positive
Go to the top of the page
 
+Quote Post

Reply to this topicStart new topic

 



RSS Lo-Fi Version Time is now: 23rd November 2024 - 02:37 PM
Sneaky Monkeys Clan :: MonkeyFiend.com