A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #7363  by nickvth2009
 Mon Jul 18, 2011 9:56 am
I've sent a takedown request to reg.ru for gigpornoforfree.ru. Let's bring this malware gang to its knees, I am tired of seeing WinLock.
 #7365  by EP_X0FF
 Mon Jul 18, 2011 11:44 am
Forget about reg.ru. They point to exetel.de as hosting provider.
 #7366  by nickvth2009
 Mon Jul 18, 2011 12:21 pm
EP_X0FF wrote:Forget about reg.ru. They point to exetel.de as hosting provider.
So the domains are registered with reg.ru, and the hosting is being delivered by exetel.de?
 #7368  by EP_X0FF
 Mon Jul 18, 2011 12:34 pm
nickvth2009 wrote:
EP_X0FF wrote:Forget about reg.ru. They point to exetel.de as hosting provider.
So the domains are registered with reg.ru, and the hosting is being delivered by exetel.de?
DNS servers
ns1.reg.ru
ns2.reg.ru

Answer records
gigpornoforfree.ru		A	46.251.237.240	86400s
gigpornoforfree.ru		NS	ns1.reg.ru	86400s
gigpornoforfree.ru		SOA	
server:	ns1.reg.ru
email:	hostmaster@ns1.reg.ru
serial:	1310913829
refresh:	14400
retry:	3600
expire:	604800
minimum ttl:	43200
86400s
gigpornoforfree.ru		NS	ns2.reg.ru	86400s

domain:     GIGPORNOFORFREE.RU
nserver:    ns1.reg.ru.
nserver:    ns2.reg.ru.
state:      REGISTERED, DELEGATED, UNVERIFIED
person:     Private Person
e-mail:     abatinsan@gmail.com
registrar:  REGRU-REG-RIPN
created:    2011.07.17
paid-till:  2012.07.17
source:     TCI

Last updated on 2011.07.18 16:30:46 MSK/MSD

Network IP address lookup:

Whois query for 46.251.237.240...

NetRange:       46.0.0.0 - 46.255.255.255
CIDR:           46.0.0.0/8
OriginAS:       
NetName:        46-RIPE
NetHandle:      NET-46-0-0-0-0
Parent:         
NetType:        Allocated to RIPE NCC
Comment:        These addresses have been further assigned to users in
Comment:        the RIPE NCC region. Contact information can be found in
Comment:        the RIPE database at http://www.ripe.net/whois
RegDate:        2009-09-29
Updated:        2009-09-30
Ref:            http://whois.arin.net/rest/net/NET-46-0-0-0-0

OrgName:        RIPE Network Coordination Centre
OrgId:          RIPE
Address:        P.O. Box 10096
City:           Amsterdam
StateProv:      
PostalCode:     1001EB
Country:        NL
RegDate:        
Updated:        2011-03-15
Ref:            http://whois.arin.net/rest/org/RIPE

ReferralServer: whois://whois.ripe.net:43

OrgTechHandle: RNO29-ARIN
OrgTechName:   RIPE NCC Operations
OrgTechPhone:  +31 20 535 4444 
OrgTechEmail:  hostmaster@ripe.net
OrgTechRef:    http://whois.arin.net/rest/poc/RNO29-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


Results returned from whois.ripe.net:
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Information related to '46.251.237.0 - 46.251.237.255'

inetnum:         46.251.237.0 - 46.251.237.255
netname:         EXETEL-DE
descr:           EXETEL ISP
country:         DE
admin-c:         TJ1504-RIPE
tech-c:          TJ1504-RIPE
status:          ASSIGNED PA
mnt-by:          MNT-WHITE
mnt-lower:       MNT-WHITE
mnt-routes:      MNT-WHITE
changed:         medler@optimate-server.de 20110321
source:          RIPE

person:         Tim Joe
address:        Krantzstr 7
address:        DE-52070 Aachen
phone:          +49 2415380891
mnt-by:         MNT-WHITE
e-mail:         abuse@exetel.de
nic-hdl:        TJ1504-RIPE
changed:        medler@optimate-server.de 20110122
source:         RIPE

% Information related to '46.251.224.0/20AS197043'

route:          46.251.224.0/20
descr:          Webtraffic
origin:         AS197043
mnt-by:         MNT-WHITE
changed:        medler@optimate-server.de 20100429
source:         RIPE
 #7369  by nickvth2009
 Mon Jul 18, 2011 12:41 pm
Weird, when I did a WHOIS for that domain I didn't get to see the abuse address of exetel.de, nor did it give me the name of the hoster. Anyway, I am sending a takedown request now. Thanks for the help. ;)
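The difference between the two posts above is the pivot: the domain WHOIS (TCI) only names the registrar (reg.ru), while the IP WHOIS at whois.ripe.net for the A record 46.251.237.240 returns the inetnum, the route/origin AS and the abuse contact of the actual hoster. The following is an added example, not code from this thread; it parses the RPSL objects EP_X0FF quoted (embedded inline, trimmed to the fields used) and resolves an IP to the covering inetnum, route and contact e-mail. The function names are mine, and the sample text is a constructed copy of the quoted output, so it runs offline.

```python
import ipaddress
import re

# Constructed sample: the RIPE (RPSL) objects quoted earlier in this thread for
# 46.251.237.0/24 and 46.251.224.0/20 (AS197043), trimmed to the fields used here.
RIPE_WHOIS = """\
% Information related to '46.251.237.0 - 46.251.237.255'

inetnum:         46.251.237.0 - 46.251.237.255
netname:         EXETEL-DE
descr:           EXETEL ISP
country:         DE
admin-c:         TJ1504-RIPE
tech-c:          TJ1504-RIPE
status:          ASSIGNED PA
mnt-by:          MNT-WHITE
source:          RIPE

person:         Tim Joe
address:        Krantzstr 7
address:        DE-52070 Aachen
phone:          +49 2415380891
mnt-by:         MNT-WHITE
e-mail:         abuse@exetel.de
nic-hdl:        TJ1504-RIPE
source:         RIPE

% Information related to '46.251.224.0/20AS197043'

route:          46.251.224.0/20
descr:          Webtraffic
origin:         AS197043
mnt-by:         MNT-WHITE
source:         RIPE
"""

ATTR_RE = re.compile(r"^([a-z-]+):\s*(.*)$")


def parse_rpsl(text):
    """Split RPSL whois output into objects, each a list of (key, value) pairs.
    Objects are separated by blank lines; '%' comment lines are skipped.
    Repeated keys (address:, nserver:) are kept as separate pairs."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        m = ATTR_RE.match(line)
        if m:
            current.append((m.group(1), m.group(2).strip()))
    if current:
        objects.append(current)
    return objects


def first(obj, key):
    """First value of `key` in an object, or None."""
    for k, v in obj:
        if k == key:
            return v
    return None


def lookup_ip(ip_str, whois_text):
    """Pivot from an IP to the RIPE objects covering it: the inetnum range that
    contains it, the route announcing it (with origin AS), and the e-mail of
    the person objects reached through the inetnum's admin-c/tech-c handles."""
    ip = ipaddress.ip_address(ip_str)
    objects = parse_rpsl(whois_text)
    # Index person/role objects by nic-hdl so handles can be resolved to e-mails.
    handles = {first(o, "nic-hdl"): o for o in objects if first(o, "nic-hdl")}
    result = {"inetnum": None, "netname": None, "route": None,
              "origin": None, "contacts": []}
    for obj in objects:
        rng = first(obj, "inetnum")
        if rng:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
            if lo <= ip <= hi:
                result["inetnum"] = rng
                result["netname"] = first(obj, "netname")
                for k, v in obj:
                    if k in ("admin-c", "tech-c") and v in handles:
                        email = first(handles[v], "e-mail")
                        if email and email not in result["contacts"]:
                            result["contacts"].append(email)
        prefix = first(obj, "route")
        if prefix and ip in ipaddress.ip_network(prefix, strict=False):
            result["route"] = prefix
            result["origin"] = first(obj, "origin")
    return result


if __name__ == "__main__":
    # The A record from the dig output in this thread, and GMax's new host,
    # which falls outside the sample's ranges (no RIPE data for it on the page).
    for ip in ("46.251.237.240", "31.214.145.191"):
        print(ip, lookup_ip(ip, RIPE_WHOIS))
```

Run against a live `whois -h whois.ripe.net 46.251.237.240` output instead of the embedded sample to reproduce the lookup; the parser does not depend on column alignment, only on the `key: value` shape of RPSL. A hit on 31.214.145.191 comes back empty here because the page carries no RIPE objects for that address, which is exactly the signal that a separate IP WHOIS is needed for the new host.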
 #7485  by kmd
 Thu Jul 21, 2011 3:49 pm
l33t h3ck3rz t3@m will lock the world (shot of WINAD development process - guy at the left packing new locker with Mystic ****, nb 2 generates random domains, l33t h3ck3r at the right connects to server via mice 4 uploading)

Image

:D:D
Last edited by EP_X0FF on Thu Jul 21, 2011 4:19 pm, edited 1 time in total. Reason: Edited, see forum rules #7
 #7489  by EP_X0FF
 Thu Jul 21, 2011 5:22 pm
Yep.

The upstream provider Optimate-Server blocked this bulletproof malware host.

I just got confirmation from cleanmx who did a great job :)
 #7490  by GMax
 Thu Jul 21, 2011 5:35 pm
New URL:
hxxp://pornoarchivesexgood.ru/1/video/porno-rolik1.avi.exe
hxxp://pornoarchivesexgood.ru/2/video/porno-rolik2.avi.exe
hxxp://pornoarchivesexgood.ru/3/video/porno-rolik3.avi.exe
hxxp://pornoarchivesexgood.ru/4/video/porno-rolik4.avi.exe
hxxp://pornoarchivesexgood.ru/6/video/porno-rolik6.avi.exe
hxxp://pornoarchivesexgood.ru/7/video/porno-rolik7.avi.exe
hxxp://pornoarchivesexgood.ru/8/video/porno-rolik8.avi.exe
hxxp://pornoarchivesexgood.ru/9/video/porno-rolik9.avi.exe
hxxp://pornoarchivesexgood.ru/10/video/porno-rolik10.avi.exe
IP: 31.214.145.191
add:
hxxp://sexlifeclubxxx.ru/1/video/porno-rolik1.avi.exe
hxxp://sexlifeclubxxx.ru/2/video/porno-rolik2.avi.exe
hxxp://sexlifeclubxxx.ru/3/video/porno-rolik3.avi.exe
hxxp://sexlifeclubxxx.ru/4/video/porno-rolik4.avi.exe
hxxp://sexlifeclubxxx.ru/6/video/porno-rolik6.avi.exe
hxxp://sexlifeclubxxx.ru/7/video/porno-rolik7.avi.exe
hxxp://sexlifeclubxxx.ru/8/video/porno-rolik8.avi.exe
hxxp://sexlifeclubxxx.ru/9/video/porno-rolik9.avi.exe
hxxp://sexlifeclubxxx.ru/10/video/porno-rolik10.avi.exe
Last edited by GMax on Thu Jul 21, 2011 7:19 pm, edited 2 times in total.
 #7492  by EP_X0FF
 Thu Jul 21, 2011 5:54 pm
Yes I see and can access. Well, everything is far from the end :) Thanks for information.

update: seems all binaries except first are inaccessible for me, at current time.
Last edited by EP_X0FF on Thu Jul 21, 2011 6:02 pm, edited 1 time in total. Reason: see update