A message from this year, looking for a web designer:
25 Sept:
26 Sept:
'mrs' asks for 5k minimum.
Yambaprivate, as the URL says, is private; it is a Fake.HDD affiliate program.
Profile:
EXE download:
XML tools:
Stats:
Country stats:
News:
Payout:
yambaclick.com (the 'public' program):
Profile:
EXE download:
Stats:
News:
Payout:
The EXE I got from yambaclick.com, unpacking:
VirusTotal:
27 Sept, the first detections appear for my unpacked file:
VM detection, destruction of the MBR:
Payloads in resources:
For malware analysts/AV guys, I can provide you with 117 Fake.HDD samples x); just write me a mail.
Fake.HDD Data recovery
I even found some weird names on the server, like 'test' and 'new':
Fake.HDD detection:
searchwrong.org is used for malware download and searchwink.org has a redirect for Fake.HDD billing.
And about Alureon: the Microsoft Malware Protection Center wrote a post on this recently:
https://blogs.technet.com/b/mmpc/archive/2011/09/25/a-tale-of-grannies-chinese-herbs-tom-cruise-alureon-and-steganography.aspx
Yeah, dumped.
Got busted during the night, but too late for him.
All your base are belong to us.
Edit: how to get Alureon samples from the server (thanks to S!Ri for the little script)
Add wget.exe into /system32/ and rulz :þ
set target=searchwrong.org/pima1/
set filename=-direct.exe
set droppath=www
set start=1
set end=1000
set step=1
if not exist %droppath% (
mkdir %droppath% )
FOR /L %%G IN (%start%, %step%, %end%) DO wget -U "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" -S -t 100 -P / "%target%%%G%filename%" -O "%droppath%/%%G%filename%"
echo.
echo Done.
pause
Another Russian caught :)
All Russian Criminal base belong to MalwareInt. Great job again Xyli :d