Malware & Stealth Keyloggers within
Published on April 12, 2011 By karmat In WinCustomize Talk

I just wanted to post news of what's going on at deviantART the past few days to warn people of the infected skins that are getting uploaded to the Rainmeter Gallery there.

We have found 20 rainmeter skins so far (almost 4,000 downloads so far) that:

1) contain malware, trojans, worms, and stealth keyloggers

2) are complete copies of other artists skins, right down to the same preview and description

A couple of ways to recognize a potential bad skin is that the person:

- is a brand new member

- they have their comments turned off

- they have no personal info on their profile page

- they don't have anything else in their gallery or they have the two or three infected skins from this week

We've been doing numerous testing, reporting, warning, blogging, etc etc, still waiting for dA staff to show signs that they are alive and interested.

I'm pretty sure it's someone that was banned that is now trying to wreak havoc, but there's no way of proving it unless dA decides to get involved. Needless to say, our group there and at the Rainmeter Forum are pretty upset by this and we're trying to keep on top of it, but it's pretty hard to do without assistance from dA. As soon as we find/test/report/blog one infection, another one has popped up.

For people here who download (or have downloaded any in the last week) rainmeter skins from dA, please read the full post at our Rainmeter Group there first, we are keeping it updated with news of infected skins as we find them along with the virus reports http://rainmeter.deviantart.com/blog/39762918/

Most important, if you download there, don't if it is a .exe file. It should either be .rmskin or a zip file with .ini and .png files.

As you know, here at WC, your rainmeter downloads are completely safe because they actually moderate here, novel concept!

If you have any questions or news, you can contact me here, private pm or at deviantART http://karmat111.deviantart.com/.

Keep it safe!

Karen


Update - Here is a screenshot of the Rainmeter Gallery with the infected skins circled in red - stay away from them.


Comments (Page 1)
2 Pages1 2 
on Apr 12, 2011

Thanks for the info karmat.

on Apr 12, 2011

Handy info, and thanks so much for the warning, karmat.

on Apr 12, 2011

Thanks Karen

on Apr 12, 2011

Thanks Karen 

on Apr 12, 2011

Thank you, Karen ...

You would think the guys at dA would be faster to fix this, it's only hurting their site.

on Apr 12, 2011

Thanks Karen. I'll be sure to restrict my browsing there for the time being. Once before someone tried getting da involved eliminating stolen skins and last time I looked the guy was still there and I'm not allowed to comment still.

on Apr 12, 2011

WTF is going on at Deviantart lately!??!?!?!?!?! Folks stealing art and skins and now this. Have they just grown to big for their own good or what? What's really funny (or not) is that at one of my customers sites, you can't access it on their system because their filter recognizes it as a 'social network/site' right up there with MySpace.

on Apr 12, 2011

They don't disallow .exe uploads?  They don't virus scan all uploads automatically?  They don't moderate uploads?  They have no one that can tell a piece of stolen or ripped artwork?  They don't respond to emails sent to them?  They don't immediately take down stolen or ripped works and delete the submitters account?

Gives you some idea why I quit that site years ago.  I suggest you do the same.

on Apr 12, 2011

PoSmedley
WTF is going on at Deviantart lately!??!?!?!?!?! Folks stealing art and skins and now this. Have they just grown to big for their own good or what? .

What we've heard back so far....

"..Currently, CEA is dealing with a backlog of nearly 700,000 reports in the Moderation Desk alone! A very large percentage of those are reports which were already reviewed by staff and, once again, still deemed unworthy of administrative action. Having to close reports on the same submissions over and over and over again has not only proved to be a big consumption of time which could be spent on actual violations, it is also demoralizing to staff and it generally does not get through to the people who insist on reporting the same deviation for an invalid reason over and over again..."

Now, I understand they have a lot of really young members who complain about every little thing (someone ripped their little sketch of anime or someone called them a name) that clog up the Help Desk but I think they need to reorganize their reporting procedures so that reporting viruses get through immediately.

 

LightStar
Gives you some idea why I quit that site years ago. I suggest you do the same.

Seriously thinking about it, but I have a 15-month subscription :groan:


on Apr 12, 2011

Young members? Sounds like a bunch of whiners and crybabies. I thought about a sub a DA some time ago, back when I was still working. Glad I didn't.

on Apr 13, 2011

The DA system is a bit 'clunky' and appears to fall over when the site grows to an 'ungainly' size.

I think there can be ways it [Devart] could function efficiently regarding 'Policy Violations'....and I'm not all that sure how they're doing it now but to a degree all they 'need' is an 'Admin' for each specific gallery/department with the power/authority/blessing to excise anything AND anyone who is found to be an issue.

Eg,  One overseer of 'Rainmeter' skins .... who directly receives the Pol Viol related to [say, this issue].... who checks it...and responds, with there being no 'need' for anyone else to intercede.

The last person I had removed from Devart was a repeat offender....even I knew he was, and I'm not an admin there, but forwarding that info saw him banned.

The frustrating failing in having no pre-emptive moderation is that before anyone becomes aware, an offender will have numerous Violations to be dealt with, each causing public 'harm', and seemingly no method of recording 'history', particularly when the problem uploads have their comments disabled.

I always thought distributing virii, etc was/is a CRIMINAL offence, which, if unchecked would mean Devart unwittingly is aiding and abetting.

As Karmat commented, reports re virii really NEED to be fast-tracked, not apparently lost amongst a dross of BS whining, whatever.

Re '700,000' reports .... if that's the case there's a very real problem with the design of report handling.  Devart was and has always been a great example of 'nifty' functionality of social site design, ever since she first opened doors a decade ago, but it looks like as a sister skin site she has problems.

Most of us here probably only interact with Devart via the skinning sections and if their 'handling' was solved we'd all be laughing, and I bet the vast majority of those '700 thousand' aren't skin - related anyway...

on Apr 13, 2011

A couple of months ago I downloaded a Photoshop brush from (DA) that was infected with this same key logger and Trojan. I ended up with $500 charged to my credit card through DA which did not have permission to store my information. The end result, I got my money back, but DA took no responsibility for the infected file nor did they ever offer an apology. I really don't think they give a damn about what consequences befall us and certainly do not scan files uploaded before posting them.

on Apr 13, 2011

LightStar
Gives you some idea why I quit that site years ago. I suggest you do the same

Been there, done that. I'm still there, but my skins aren't.

I have been told recently, by a friend, that as a good member of the skinning community, I should support all skinning sites, including DA.

Dunno......

I see to many things going on at DA that aren't being dealt with. I can't support that.

I do tend to be a little lazy, and mainly just upload here....gonna fix that soon. SDN, SA, Skinnalicious, here I come!

on Apr 13, 2011

Update to  post

Moonglow v3 ...................... ~thehoffisback
Speed v 2.0 ...................... ~thehoffisback
Enigma Rainmeter v3.2 Final ...... ~gvr1313
TABDRIVE v.3 ..................... ~tejasrathod
Enigma v3.0 ...................... ~thehoffisback
Enigma v3.1 ...................... ~hpdarkman40
Enigma v2.7 ...................... REMOVED
Simplicity ....................... ~easy-art
MAC BAR 2 New edited Version ..... ~momuki
Pi Cubed V.3 ..................... REMOVED
DeadSpace V.4 Updated Rainmeter .. REMOVED
Ironman Jarvis V2.0 .............. ~fenox456
DeadSpace V.3 Updated Rainmeter .. REMOVED
Black transparent dock ........... REMOVED
Moonglow v2.0 .................... REMOVED
desktop Customizer V2.1 .......... ~TheMysterious0ne
Minimal Greeno HOT ............... ~Schiefz0
RainMeterSpace HOT ............... ~Schiefz0
JSClockWeather v2.0 .............. ~Jawbonemc
BlueAfterBurnerv4 ................ ~cathykaty
BlueAfterBurnerv3 ................ ~Schiefz0
Figures for Rainmeter V3.1 ....... REMOVED
Rainbar_V4.3_ Modifed by Amy ..... REMOVED
Dead Space Skins ................. ~TheWitcher99
Figures for Rainmeter V2 ......... REMOVED

the REMOVED just means NO results came up for it
=========================


~mpomis commented on (Enigma Rainmeter v3.2 Final ~gvr1313) might want to watch ~mpomis for uploads

Simplicity =karmat111 if this is you you gave NICE WORK to ~easy-art is this one a bad one?


RuneScape ........................ ~TheWitcher99
RuneScape Theme XP ......... ~TheWitcher99 not sure if it's bad but two others out of 3 are

on Apr 13, 2011

UPDATE - dA Admin has stepped in to resolve the issue, see below for her comments (we'll keep monitoring it though)...


From $chix0r (dA staff) 13 hours ago:

I apologise for this situation reaching the level that it has for you. Obviously we're eager to remove all the files that are warez/malware.

I'm going to go through the listing that was passed to me from one of the rainmeter groups and remove the associated files, and ban any accounts that have uploaded warez/malware. I'm also going to make sure that we amend the reporting system to give a specific flag for such things so that we can monitor the level of malware reporting easier. We recently added a specific tag for warez, so it should improve over the next few weeks.

With regard to your comment about help desk backlog, I think that you may be confused about what that actually means. Our actual help desk that responds to customer queries and complaints (not deviation reports) has no backlog at all. It's the moderation desk (handled by the CEA team) that has backlog, and it's currently in a period of upgrades and enhancements that are reducing the backlog greatly each day. Last week the team closed over 6000 tickets and they are on track to beat that this week. We're also going to be recruiting for additional CEA members in the near future to bring more resources into the team, which will ultimately provide enhanced response times.

I'm sorry if you feel you have been brushed off. It's not that at all, more that every genre or category believes that their issue should be the top priority, and we've been swamped with duplicate reports.

So, I think we should make some headway on getting back on track to a better way of dealing with these reports by the end of the week. I hope this reassures you someway -- we love Rainmeter too!

From $chix0r (dA staff) 12 hours ago:

Looks like I've removed all the files that were listed, I've banned the accounts too.

If you find any in future, report them using the "report deviation" tool that's on each image. Later today we should have a specific tag for malware so maybe give it 24 hours before you report any more? That will help me monitor the reporting levels and keep track of any trends.

We're always eager to improve things so I'll speak with the CEA team about putting together a specific guide for Malware issues.



2 Pages1 2