A forum for reverse engineering, OS internals and malware analysis 

Trojan.Winlock - Lock Em All

Forum for analysis and discussion about malware.

Re: Trojan.Winlock - Lock Em All

 #7166  by EP_X0FF
 Sat Jul 09, 2011 2:18 pm
Xylitol wrote:404 ransom but sites online:
hxxp://d2smebh8xqlt3a.cloudfront.net/
hxxp://d1fn4ouynx0ffn.cloudfront.net/
GET /xxx_video.exe HTTP/1.1
Host: d1fn4ouynx0ffn.cloudfront.net

HTTP/1.0 403 Forbidden
x-amz-request-id: 07F3B8843B8E17D4
x-amz-id-2: my8o5MFxMzHNQ+O8l23ORveO+gHwZAz3+U3oxrzbjCaVrJ7gDMcGRytd93+HresK
Content-Type: text/html; charset=utf-8
Content-Length: 291
Date: Sat, 09 Jul 2011 14:13:59 GMT
Server: AmazonS3
X-Cache: Error from cloudfront
X-Amz-Cf-Id: 426fbe64514667eedea8710813651a3471be0d51722e190e6d01df378ae6f1f52bc
d23e26aca1309,f8210af52b2433666d25669f8760bfebb9b1933442b34eb3e1fdc1dd4b24e46a27
9a0144a67435bf
Via: 1.0 a5dd7270846a000392d2981b8c28634f.cloudfront.net:11180 (CloudFront), 1.0
0316586b8fd7e325258707448d98d7cd.cloudfront.net:11180 (CloudFront)
Connection: close
They spawning new site every 8-10 hours.

New location, just few minutes alive. Each new location have new recrypted Winlock.
hxxp://clucessnor.client.jp/xxx_video.exe

All hosted by http://www.ninja.co.jp

If someone willing to give them abuse, it will be cool.

Re: Trojan.Winlock - Lock Em All

 #7180  by EP_X0FF
 Sun Jul 10, 2011 6:56 am
New domains are added to the list on the first page, and corresponding abuse messages were sent.
If you have any other URL's not listed here, please add.

update 11 Jul 2011, 00:14

New domains detected.

hxxp://gutfmulti.client.jp/xxx_video.exe
hxxp://lecwovil.client.jp/xxx_video.exe
hxxp://farsioce.client.jp/xxx_video.exe

Abuse sent.

update 11 Jul 2011, 14:24

All ninja.co.jp domains deleted.

Lock'Em'All moved to other host. Abuse sent.

hxxp://fimsporn.s3.amazonaws.com/xxx_video.exe DELETED

EDIT:

hxxp://xvidcoms.s3.amazonaws.com/xxx_video.exe DELETED

EDIT2:

hxxp://zzporrno.s3.amazonaws.com/xxx_video.exe DELETED

EDIT3:

hxxp://mixntrd.s3.amazonaws.com/xxx_video.exe DELETED

EDIT4:

hxxp://llzxzt.s3.amazonaws.com/xxx_video.exe DELETED

EDIT5:

hxxp://hnkporn.s3.amazonaws.com/xxx_video.exe DELETED

EDIT6:

hxxp://qqyygf.s3.amazonaws.com/xxx_video.exe DELETED

EDIT7:

hxxp://z4porn.s3.amazonaws.com/xxx_video.exe DELETED

update 13 Jul 2011, 18:04

New domain at Amazon Web Services.

hxxp://1biporn.s3.amazonaws.com/xxx_video.exe

Lock'Em'All is now multipacked also (UPX->VBInject->UPX).

Amazon looks like a paradise for these guys :)

Original
http://www.virustotal.com/file-scan/rep ... 1310550784

Unpacked
http://www.virustotal.com/file-scan/rep ... 1310550476

update 13 Jul 2011, 20:48

The following narod.ru hosted sites have been closed.
hxxp://racviphossotu.narod.ru/
hxxp://northvalgikacen.narod.ru/
hxxp://glitiheslynchea.narod.ru/
hxxp://nievialansscharen.narod.ru/
hxxp://brazunengavi.narod.ru/
hxxp://caropesiter.narod.ru/
hxxp://penfbaddisctranev.narod.ru/
hxxp://mobejustita.narod.ru/
Hello,

Thank you for your report. The reported accounts have been closed.

--
Sincerely yours,
Yandex customer support
http://company.yandex.com/
update 15 Jul 2011, 00:58

New domain

hxxp://rim2bi.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://new3porn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://w1porka.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://w2yporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://w3vporn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://us1porn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://2bioko.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://gnpotk.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://w3nixx.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://sv2porn.s3.amazonaws.com/xxx_video.exe DELETED
hxxp://ffporm.s3.amazonaws.com/xxx_video.exe DELETED
Last edited by EP_X0FF on Mon Jul 25, 2011 7:01 am, edited 4 times in total. Reason: merged my several posts in one

Re: Trojan.Winlock - Lock Em All

 #7359  by EP_X0FF
 Mon Jul 18, 2011 3:05 am
New domain(s).

hxxp://4youporn.s3.amazonaws.com/xxx_video.exe

Number to call:
909-650-73-60
965-389-00-46
909-161-48-28
965-397-99-18
909-161-46-38
hxxp://wq1porm.s3.amazonaws.com/xxx_video.exe

Number to call:
909-650-77-92
909-161-85-17
909-986-39-72
906-096-70-65
909-155-97-23
hxxp://2tipornn.s3.amazonaws.com/xxx_video.exe

Number to call:
909-157-53-73
965-368-63-11
909-650-76-68
906-798-24-05
909-161-84-39

Re: Trojan.Winlock - Lock Em All

 #7393  by mc0blck
 Mon Jul 18, 2011 8:42 pm
Blocker: hxxp://hhn3por.s3.amazonaws.com/index.htm (72.21.211.174) -> hxxp://hhn3por.s3.amazonaws.com/xxx_video.exe (72.21.211.174)

Re: Trojan.Winlock - Lock Em All

 #7409  by EP_X0FF
 Tue Jul 19, 2011 1:06 pm
mc0blck wrote:Blocker: hxxp://hhn3por.s3.amazonaws.com/index.htm (72.21.211.174) -> hxxp://hhn3por.s3.amazonaws.com/xxx_video.exe (72.21.211.174)
Number to call:
906-095-97-09
964-726-14-49
962-931-07-83
909-161-44-86
965-265-90-84
update

xrvid-porno.com redirection domain has been killed.
Domain Name: XRVID-PORNO.COM
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com
Name Server: NS1.SUSPENDED-DOMAIN.COM
Name Server: NS2.SUSPENDED-DOMAIN.COM
Status: clientDeleteProhibited
Status: clientHold
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 18-jul-2011
Creation Date: 03-jul-2011
Expiration Date: 03-jul-2012

Registrant:
Privat Person
Oleg Markov (poslezavtra@bk.ru)
ul.Vavilova, 63, kv. 176
Moscow
Moscow Region,119264
RU
Tel. +7.9163389020
Corresponding redirector also killed.
Domain Name: LTIZZ.COM
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com
Name Server: NS1.SUSPENDED-DOMAIN.COM
Name Server: NS2.SUSPENDED-DOMAIN.COM
Status: clientDeleteProhibited
Status: clientHold
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 18-jul-2011
Creation Date: 26-apr-2011
Expiration Date: 26-apr-2012
update
Moved to new domain and now using other redirector.

hxxp://s3.amazonaws.com/freepornx/index.html -> hxxp://s3.amazonaws.com/freepornx/video.htm -> hxxp://pornokiska.com/go.php?sid=1 -> hxxp://sukporn1.s3.amazonaws.com/ -> hxxp://sukporn1.s3.amazonaws.com/xxx_video.exe

Numbers to call:
903-203-10-62
909-157-50-61
909-156-37-13
906-797-74-78
965-265-90-70
update The redirector has been killed. DNS records should updates in a few hours.

Moved to new redirector.

hxxp://s3.amazonaws.com/freepornx/index.html (72.21.194.15) -> hxxp://s3.amazonaws.com/freepornx/video.htm (72.21.194.15) -> hxxp://pornomamaebet.com/in.cgi?2 (95.211.111.86) -> hxxp://1qporka.s3.amazonaws.com/index.htm (72.21.194.23) -> hxxp://1qporka.s3.amazonaws.com/xxx_video.exe (72.21.194.23)

Redirector DELETED

Number to call:
8965-410-18-33
8965-368-62-88
8909-161-19-32
8909-161-20-31
8909-986-39-73
hxxp://hnyporka.s3.amazonaws.com/xxx_video.exe DELETED

Number to call:
8906-096-70-77
8964-564-39-18
8905-708-52-40
8909-161-25-62
8965-376-03-05
hxxp://llkzporn.s3.amazonaws.com/xxx_video.exe DELETED
8909-156-06-02
8965-361-10-89
8909-156-14-36
8967-102-13-81
8965-377-16-21
hxxp://4tporl.s3.amazonaws.com/xxx_video.exe DELETED
8906-097-13-75
8906-797-81-68
8965-329-97-11
8909-151-50-45
8909-650-81-53
New domain and new redirector (previous suspended, however it will need some time to update all DNS records).
Domain Name: PORNOMAMAEBET.COM
Name Server: NS1.SUSPENDED-DOMAIN.COM
Name Server: NS2.SUSPENDED-DOMAIN.COM

Updated Date: 20-jul-2011
Creation Date: 26-apr-2011
Expiration Date: 26-apr-2012

Registrant:
Privat Person
Oleg Markov (admin@pornomamaebet.com)
ul.Vavilova, 63, kv. 176
Moscow
Moscow Region,119264
RU
Tel. +7.4991291467
Full trace path.
hxxp://freepornx.s3.amazonaws.com/index.html -> hxxp://freepornx.s3.amazonaws.com/video.htm -> hxxp://ebiporka.com/in.cgi?2 -> hxxp://4tporl.s3.amazonaws.com/index.htm -> hxxp://4tporl.s3.amazonaws.com/xxx_video.exe
update: redirector and host deleted
Last edited by EP_X0FF on Mon Jul 25, 2011 6:54 am, edited 4 times in total. Reason: merged posts in one

Re: Trojan.Winlock - Lock Em All

 #7466  by mc0blck
 Wed Jul 20, 2011 8:36 pm
hxxp://comruporn.s3.amazonaws.com/index.html (72.21.214.42) -> hxxp://livepornohd.ru/in.cgi?2 (95.211.111.80) -> hxxp://5uporn.s3.amazonaws.com/index.htm (72.21.214.42) -> hxxp://5uporn.s3.amazonaws.com/xxx_video.exe (72.21.214.42)
hxxp://comruporn.s3.amazonaws.com/index.html (72.21.211.200) -> hxxp://comruporn.s3.amazonaws.com/video.htm (72.21.211.200) -> hxxp://livepornohd.ru/in.cgi?2 (95.211.111.80) -> hxxp://ebpoino.s3.amazonaws.com/index.htm (72.21.211.200) -> hxxp://ebpoino.s3.amazonaws.com/xxx_video.exe (72.21.211.200)
Last edited by EP_X0FF on Thu Jul 21, 2011 11:54 am, edited 1 time in total. Reason: "Do not automatically parse URLs" enabled

Re: Trojan.Winlock - Lock Em All

 #7472  by EP_X0FF
 Thu Jul 21, 2011 2:57 am
mc0blck wrote:
hxxp://ebpoino.s3.amazonaws.com/xxx_video.exe (72.21.211.200)
Numbers to call:
8909-157-33-62
8906-798-28-03
8965-288-40-22
8965-388-32-69
8906-097-08-90

Webroot posted about Amazon LockEmAll Ransoms.
Criminals Abuse Amazon Hosting with Rogues, Ransomware
http://blog.webroot.com/2011/07/20/crim ... ansomware/

One of the redirectors has been killed.
Domain Name: EBIPORKA.COM
Name Server: NS1.SUSPENDED-DOMAIN.COM
Name Server: NS2.SUSPENDED-DOMAIN.COM

Updated Date: 20-jul-2011
Creation Date: 26-apr-2011
Expiration Date: 26-apr-2012

Administrative Contact:
Privat Person
Oleg Markov (poslezavtra@bk.ru)
ul.Vavilova, 63, kv. 176
Moscow
Moscow Region,119264
RU
Tel. +7.9163389020

Technical Contact:
Privat Person
Oleg Markov (poslezavtra@bk.ru)
ul.Vavilova, 63, kv. 176
Moscow
Moscow Region,119264
RU
Tel. +7.9163389020

Billing Contact:
Privat Person
Oleg Markov (poslezavtra@bk.ru)
ul.Vavilova, 63, kv. 176
Moscow
Moscow Region,119264
RU
Tel. +7.9163389020
update: ebpoino.s3.amazonaws.com taken down
Last edited by EP_X0FF on Thu Jul 21, 2011 11:55 am, edited 1 time in total. Reason: update
 Return to “Malware”