IOBit forum hacked?

Status
Not open for further replies.

Gandalf_The_Grey

Level 50
Verified
Trusted
Content Creator
Apr 24, 2016
3,919
A few weeks ago, I registered to the IOBit Software Support Forums to report a bug in their software. Yesterday, I received an email (appearing to be) from them awarding forum members "a free 1-year license" with download link.

I'm usually a tech-savvy guy and know better than to download/run strange software, but everything looked legit (email address, artwork, link on their URL), so I downloaded the "freebie" patch that was alleged to register my IOBit software.

Hours later, my computer was completely trashed. Fortunately, I back up my boot drive every month and was able to get a working system again, but the damage the malware did was extensive and I need help recovering.

The malware went through my computer and changed the extension of over 121K files to ".DeroHE". Worse, it either corrupted the headers of those files or they are only fragments of files.

Text files are no problem. Simply change the extension to ".txt". But thousands of other files were not only renamed, but the file type was stripped from the header (bmp, ico, png, jpg, zip, rar, pdf... you name it. Trashed.) Trashed files can't even be identified by examining the header in "Notepad++". Source code files belonging to my "Visual Studio" projects also trashed. The damage (and possible loss) is extraordinary.

And "Windows Defender" missed it all.

To recover from this disaster, I need two things: A utility that can identify/fix the now unidentifiable files, and a program that can find & rename every file whose extension was changed (preferably one program that can do both.) Do you know how long it would take to go through 121K+ files by hand, identify them (if possible) and rename them? Just the text messages alone would take ages.
I'm beyond pissed. Even the "IOBit" website appears to be down as I tried to report the problem (either hacked or they took it down themselves till they remedy the hack.)
 

plat1098

Level 25
Verified
Sep 13, 2018
1,419
FireHammer said: Sounds really awful, I am very sorry this should blowback on you, you are in my thoughts @Gandalf_The_Grey.:mad:

I don't think it was Gandalf_The_Grey personally, lol. Sounds anecdotal. It's a cry for help actually, in the BC ransomware removal forums.

I looked there, there are 34 users reading the thread, that's a LOT, right?

 

Gandalf_The_Grey

It wasn't me, but it never hurts to warn.
Could well be, like @upnorth said, a case of accidentally clicking and downloading from a source in the email that wasn't IOBIT.
But the post from @Trismer indicates there could be a problem.
That's why there is a question mark in the title.
There are a lot of spam mails these days.
Just don't open an unexpected gift from IOBIT.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,442
If someone wants to research a sample, perhaps with a premium on any.run, write me your mail in pm, I will forward it to you for research. :)
Nope, thanks, as the main topic is about the IObit forum and its main site. That people get all sorts of malware in their mail is no automatic proof. I'd rather close this thread if it starts to get too much speculation.
 

upnorth

That is way too little evidence that it actually came from IObit and that IObit's forum and main site was/is hacked. Spoofing email addresses is way too common among spammers/scammers. Those files also look like a very typical crack share so I wouldn't be surprised if they were malicious.

Hi

Thanks for your feedback.

We don't have such an offer. It is a scam! Please do not click any link or download button in it.

We've forwarded it to our relevant team and will solve it asap.

Thanks again.
 

upnorth

Update!
Thanks btw @Gandalf_The_Grey for sending me more information. Much appreciated.

Kaspersky already has an assessment on the 2 reported .js files. Adware. I'm waiting for 2 more vendors and will add that info as soon as I have it.
