Dissecting the “free L$” viewer scam – Chaser Zaks

The last several days have seen the circulation of news regarding what is patiently a scam viewer. The item in question is being “promoted” by means of an IM circulating to users promising all sorts of goodies and advantages: free Linden Dollars! Freedom to build where you please! And so on.

Most established users are a little too wily to fall for such promises – and the IM has apparently given rise to a number of Abuse Reports being filed, with additional warnings going out via social media. However, those not so familiar with such schemes might be tempted by promises of free L$ and so on, and others might be tempted to “just give it a quick try” to “see what it is all about” – neither of which would be especially wise, as the “viewer” in question does far more than might initially be suspected.

To discover the threats posed by the “viewer” in question, programmer and Firestorm Bug Hunter (and also animator and modeller) Chaser Zaks risked taking a look under the covers of the code that is supplied, and published his findings on Github Gists. So as to (hopefully) help spread the word more generally, I asked Chaser if I could repro his notes here, to which he agreed.

In his document, Chaser neatly encompasses the high-level claims of the “viewer” before dismantling them, before going on to describe the threats posed by installing it. For ease of reference, I’ll summarise the realities behind the claims made by the “viewer” in my own words in the table below, and then turn to Chaser’s notes directly on the threats posed by the “viewer”, if installed on a computer.

Claim Reality
Unlock unlimited Linden Dollars (L$) This isn’t possible. Linden Dollars are created and controlled by Linden Lab through the LindeX mechanism, which is not a part of the viewer. Therefore, any claim of being able to access / generate unlimited Linden Dollars outside of this mechanism constitutes the crime of fraud and is a violation of both the Terms of Service and (among others) US federal law. Further:

 

  • Linden Lab has the capability to immediately identify and track fraudulent transactions – and to take action (up to and including) banning accounts engaging in such transactions, as well as reporting such activities to the relevant authorities.
  • The Lab can also identify and block malicious viewers (and similarly take action against accounts using such viewers).
Fly to Unlimited heights This is already possible; Linden Lab removed the limit on flying to any altitude a fair while ago, and most third-party viewers allow users to fly as high as they like (Building, however does remain constrained to below 4096 metres – but’s that’s a different matter).
Build on any land Not possible; land permissions are checked by the simulator, not the viewer, the the permissions set by a land holder as to what can / cannot be done on their land cannot be overridden.

For the rest, I’ll refer directly to Chaser’s notes.

So What Does It Actually Do?

A lot of stuff you don’t want happening. I’ll break it down into steps:

  1. You are instructed to download viewer.exe, upon execution it will pretend to install a viewer so that it looks legitimate.
  2. Upon running the newly installed program, it will run builddata.bat.

This script elevates the permission to administrator permissions on your computer! This is incredibly dangerous as it allows whatever is running to do what it wants. In specific, this script will download and execute the files called “V1”, “Q”, and “A”.

  • “V1”, will install files “1” and “2”.
    • “1” is Trojan.CobaltStrike, which is a penetration testing toolkit which cybercriminals often abuse in order to do remote administrative access.
    • “2” will install Trojan.Molotov/Reflo. While I am not 100% sure about what it does, it is very likely another remote administration toolkit.
  • “Q” will install Quasar, which is also a remote administration toolkit.
  • “A” will install AsyncRAT which is also a remote administrative toolkit.
  • Some of these toolkits will automatically install additional stuff not included in the script, such as a cryptominer.
  • The script will execute start.vbs – which shows a fake dialog saying that there was an error.

Why So Many Remote Administrative Toolkits?

Attackers will intentionally install as many backdoors as possible so that it becomes increasingly difficult to remove to the point where you should probably just wipe your hard drive and re-install your operating system.

What Does a Remote Administrative Toolkit Do?

A remote administrative toolkit(also known as a RAT), is basically like giving someone physical access to your computer. They can, but are not limited to, do the following:

  • Steal your username / passwords
  • Steal your browser cookies
  • Steal your files
  • Steal your banking information
  • Steal your L$
  • Steal your REAL WORLD money (through credit / banking / wire fraud)
  • View your webcam and take pictures/videos
  • View your desktop
  • Install additional software
  • Encrypt your files
  • Delete your files

What Does a Cryptominer Do?

A cryptominer abuses your GPU to mine cryptocurrency such as bitcoin. This wastes electricity, computing power, and also degrades your graphics card. And you do not see a dime of what they make. It’s basically turning your computer into a mining slave.

Does it Install Anything Else?

Yes and no:

  • No: The script it’s self doesn’t install anything else
  • Yes: However, when each of the remote administrative toolkits are installed, it pings as server, which that server can tell the toolkit to install even more stuff.
  • While I could do further investigation, it involves going further than I feel reasonably safe doing so.

    Help! I installed it! What do I do?

    1. Turn the computer that you installed it on OFF immediately! If the computer is off, they can’t access it. Make sure you do not put it in a “sleep” state where the CPU is still operating in a lower power mode, make sure it is OFF off!
    2. Take your device to a computer technician who is specialized in removing viruses and malware. Be prepared to have to have your files backed up and system re-installed.
    3. Do not be tempted to use it until it is cleaned! Malware can spread over internal networks, and every moment it is on is a chance that the hacker will be able to steal any or more data from you!

     

    Closing Notes (from Inara)

    “Viewers” like his are not a new phenomena, although not all of them are as blatantly suspicious in terms of up-front claims as this particular example. Some are extremely subtle, seeking to trick users into downloading them (such as by spoofing the genuine download address in a manner which makes it look like you’re going to the official website when you are not). To this end, when it comes to installing viewers:

    • Stick to recognised viewers such as the official Second Life viewer or those listed on the Lab’s Third Party Viewer Directory.
      • While the latter are self-certified and not validated directly by the Lab, the fact that they have registered for inclusion on the Directory generally means they are regularly updated, ensuring stability, security, and compatibility with the platform.
    • Only download such viewers directly from their “official” websites. Do not use links supplied via random IMs or notecards, and carefully check the links provided by other website and blogs (even this blog!) to ensure they are pointing to a valid download page for a viewer.
    • If you are on X (or as most of us – and quite frequently, the platform itself – still prefer, “Twitter”), then follow Soft Linden for news and information on dealing with malware in general.
    • Keep an eye on the Second Life forums for warnings about bad faith viewers, etc. These may be posted in the General forum or within the Technology forum.

    My thanks to Chaser Zaks and Inara Pey for allowing me to reproduce his work here and for his work in investigating the “viewer” in question; also thanks to Soft Linden for pointing me towards Chaser’s Github document. Do be sure to read the latter as well, as it also includes code snippets for those with a more technical interest.

    Be Safe and DON’T CLICK ON ANYTHING FROM ANYONE YOU DON’T KNOW!
  • Zoha Islands/ Fruit Islands