They use Security Shield rogue.
Main page
News
Malware download
Redirect
instruction.txt:
Instructions
----------
1. Create a folder with any name
1. Unpack the redirect.zip archive into it
2. Enter your URL in the config of the redirect.php script ('url' => 'сюда')
Take the links from the Links section
3. Set write permissions on the file link.txt + on the folder where it is located
5. Drive traffic to redirect.php
----------
Statistics
Account info
Payement
Contact
Some crap with PECompact 2
Event test
"I'm here"
Infection dropped into
C:\Documents and Settings\(user)\Local Settings\Application Data
Anti-VM/sandbox checks, the usual stuff.
The following IPs were identified:
91.223.89.100
31.44.184.62
The distribution system also seems to have links with a Bitcoin mining botnet:
[91.223.89.100]
91.223.89.99/loader2.exe
91.223.89.99/loader20_lite.exe
91.223.89.99/ddhttp.exe
Edit 09 Sep:
Domain changed:
Statistics temporarily disabled:
Hi Steven,
Very interesting stuff again. The links at the end are not TDSS but Delf.QCZ/Trojan.Win32.Miner aka the Bitcoin mining botnet. I blogged about it a couple of days ago http://blog.eset.com/2011/08/29/win32delf-qcz-additional-details. When you say those URLs were in the distribution system, do you mean on the Golden Ducat website or in one of the dropped files?
Thanks
Sébastien
Erf, mistake, thanks for the notice, I've not really looked into these files.
They are not distributed with Golden Ducat, I've just looked for malware on a similar IP range and got this.