A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #7551  by EP_X0FF
 Sat Jul 23, 2011 3:29 pm
rkhunter wrote:@EP_XOFF:

Maybe it would be logical to create a separate topic specifically for these ISPs which carry hosting blockers, and fill it up gradually? It could also include bulletproof ISPs.
We are working on this. Probably soon this discussion will move to some other topic in another subforum :)

Currently the list is as follows (regarding the three tracked ransoms):

Amazon WS - LockEmAll
RU-TELE - WinAD Pornorolik
SIA Business Aviation Services (seems bulletproof) - MBRLocker
LeaseWeb - Redirectors to LockEmAll. edit: The guys wiped them out; redirectors moved to Latvia, SIA LEMGA, LEMGA-NET
Last edited by EP_X0FF on Sun Jul 24, 2011 9:12 am, edited 1 time in total. Reason: edit:
 #7552  by rkhunter
 Sat Jul 23, 2011 3:38 pm
@EP_XOFF

I am ready to help you in gathering lockers, but unfortunately I do not know where to collect them and how you are doing this. Do you do that automatically or not?
 #7553  by EP_X0FF
 Sat Jul 23, 2011 3:48 pm
For a start I can suggest you simply use Yandex (it's the preferable search system because it indexes the ru-zone much better than Google or others) and look for "Sveta Bukina PORNO FREE WATCH DOWNLOAD" :) In Russian of course. Then you can simply click on every banner you see on every page - TONS of fraud/hoaxes, browser blockers, malware, exploits, 100% guaranteed. I can't reveal exact places because, as you probably know, a lot of these script kiddies lurk here :)
 #7856  by EP_X0FF
 Fri Aug 05, 2011 1:35 pm
Offtopic moved to separate thread
 #8061  by EP_X0FF
 Tue Aug 16, 2011 11:04 pm
WinAD related news :) Starting from yesterday evening, the guys moved to an all-time repacking scheme - they repack every hour with a very good refined crypter. Currently (and for the roughly 10 hours of repacks already tracked) all newly generated samples have only 2 non-meaningful signature/heuristic detections according to VT.

Some stats

15 Aug: server shutdown at 195.226.220.142 (RU-TELE)
16 Aug: moved fast (5 hours delay) to 91.228.160.52 (WebXhost) and kicked out after a few hours
16 Aug: currently moved to 95.57.120.140 (Telecom.kz)

migration continues :)

update 18 Aug 2011, 12:50

Crapware generator at 95.57.120.140 was taken down about 14 hours ago; at the moment of this reply they have not yet migrated.

update 19 Aug 2011, 11:15

19 August 2011

Kids moved to new server (91.220.90.30)

update 19 Aug 2011, 21:33

Crapware generator at 91.220.90.30 was taken down about 4 hours ago due to abuse.

Kids moved to new host at 109.127.8.249 (Azerbaijan Data Network) less than one hour ago.
Last edited by EP_X0FF on Mon Aug 29, 2011 9:44 am, edited 3 times in total. Reason: merged my several posts in one
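As an added example (not from the thread or any of its posters), here is a small Python tracker that turns migration notes like those in the post above into per-host dwell times and takedown-to-reappearance gaps, which is the kind of bookkeeping you keep while following a gang through one abuse takedown after another. The event list is constructed from the post above: IPs and provider names are as posted, the clock times are assumptions anchored on the reply timestamps ("5 hours delay", "about 14 hours ago", "less than one hour ago"), and the provider for 91.220.90.30 is not named in the post.

```python
from datetime import datetime

# Constructed, approximate event log reconstructed from the post above.
# Clock times are ASSUMED (anchored on the reply timestamps); IPs and
# providers are as posted. Each entry: (timestamp, state, ip, provider).
EVENTS = [
    ("2011-08-15 12:00", "down", "195.226.220.142", "RU-TELE"),
    ("2011-08-16 17:00", "up",   "91.228.160.52",   "WebXhost"),
    ("2011-08-16 20:00", "down", "91.228.160.52",   "WebXhost"),
    ("2011-08-16 22:00", "up",   "95.57.120.140",   "Telecom.kz"),
    ("2011-08-17 22:50", "down", "95.57.120.140",   "Telecom.kz"),
    ("2011-08-19 10:00", "up",   "91.220.90.30",    "unknown"),
    ("2011-08-19 17:30", "down", "91.220.90.30",    "unknown"),
    ("2011-08-19 21:00", "up",   "109.127.8.249",   "Azerbaijan Data Network"),
]


def parse_events(events):
    """Turn (timestamp, state, ip, provider) tuples into dicts, oldest first."""
    parsed = [
        {
            "t": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
            "state": state,
            "ip": ip,
            "provider": provider,
        }
        for ts, state, ip, provider in events
    ]
    return sorted(parsed, key=lambda e: e["t"])


def summarize(events):
    """Per-host record with dwell time (up -> down) and gap (previous
    takedown -> this host's first sighting), both in hours. None where the
    log does not contain the matching event (first host has no 'up', the
    current host has no 'down')."""
    hosts = {}  # ip -> record, preserving first-seen order
    prev_down = None
    for e in parse_events(events):
        rec = hosts.setdefault(
            e["ip"],
            {"ip": e["ip"], "provider": e["provider"], "up": None,
             "down": None, "dwell_h": None, "gap_h": None},
        )
        if e["state"] == "up":
            rec["up"] = e["t"]
            if prev_down is not None:
                rec["gap_h"] = (e["t"] - prev_down).total_seconds() / 3600
        elif e["state"] == "down":
            rec["down"] = e["t"]
            prev_down = e["t"]
            if rec["up"] is not None:
                rec["dwell_h"] = (e["t"] - rec["up"]).total_seconds() / 3600
        else:
            raise ValueError(f"unknown state {e['state']!r}")
    return list(hosts.values())


def short_lived(summary, max_hours=24.0):
    """Hosts that were kicked out in under max_hours: a quick churn indicator
    that separates ordinary abuse-responsive providers from ones that let the
    generator sit (which is what 'seems bulletproof' means in practice)."""
    return [r["ip"] for r in summary
            if r["dwell_h"] is not None and r["dwell_h"] < max_hours]


if __name__ == "__main__":
    summary = summarize(EVENTS)
    for r in summary:
        dwell = "still up" if r["dwell_h"] is None else f"{r['dwell_h']:.1f} h"
        gap = "n/a" if r["gap_h"] is None else f"{r['gap_h']:.1f} h"
        print(f"{r['ip']:16} {r['provider']:24} dwell={dwell:10} gap={gap}")
    print("short-lived (<24 h):", short_lived(summary))
```

Run it as a script to get the table; feed it your own observations as more takedowns land. The gap column is the number to watch: a gap of a few hours means the crew has the next box pre-provisioned, which is also a hint about where to look next.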
 #8277  by kmd
 Thu Aug 25, 2011 5:05 pm
@EP_XOFF
I am disappointed in the AV reaction to this particular malware. I was sending malware samples gathered from MDL for the previous few weeks; virlabs react really slowly, and in most cases by the time signatures become available WinAD is already refined and FUD. E.g. vba32 gives me answers only after 1 day - their signatures are already outdated when released. Kaspersky/Dr.Web are more effective, but the new Mystic that WinAD uses easily breaks all their signatures.
 #8287  by EP_X0FF
 Fri Aug 26, 2011 12:00 pm
kmd wrote:@EP_XOFF
I am disappointed in the AV reaction to this particular malware. I was sending malware samples gathered from MDL for the previous few weeks; virlabs react really slowly, and in most cases by the time signatures become available WinAD is already refined and FUD. E.g. vba32 gives me answers only after 1 day - their signatures are already outdated when released. Kaspersky/Dr.Web are more effective, but the new Mystic that WinAD uses easily breaks all their signatures.
Some stats regarding WinAD.

Starting from 17 July:

560 domain names allocated for use as pornorolik dropzones
50 domain names allocated for use as pornorolik redirectors
20-28 domain name changes per day, every day
4 different hosting providers changed
3-4 new tel numbers per day, every day
Crypter changed 3 times (originally Mystic, then VBCrypt, then a new modified version of Mystic starting from August)
1-2 unblock code changes per day, every day
1-2 minor crypter cleanups per day, every day

Regarding the "FUD" crypter they use, well, it's an incredibly stupid piece of crap; however it's enough to fool static analysis. And to be completely honest - none of the AVs you mentioned were ever something hard to fool in the case of signatures. Most of the other VT patients are legalized FakeAV, stealing signatures from each other and calculating ridiculous hash sums.
 #8313  by EP_X0FF
 Sun Aug 28, 2011 1:57 pm
Crapware generator at 109.127.8.249 was taken down.
The gang moved to a new hosting provider and is for now located at 31.192.109.210 (Mir Telematiki Ltd)

update

31.192.109.210 went off.
Moved to new location 77.91.231.193 (WEBALTA-AS OAO Webalta)
