Topic: Trojan Ransom (Read 63137 times)


July 14, 2011, 04:09:16 pm

EP_X0FF (Special Members, Hero Member; KernelMode.info)
Hello,

The following links lead to malicious software known as:

Trojan Ransom (Kaspersky)
Trojan Winlock (Dr.Web)
Trojan LockScreen (ESET)
TR/Ransom (Avira)

Quote
hxxp://archivpornovideo.info/1/video/porno-rolik1.avi.exe
hxxp://archivpornovideo.info/2/video/porno-rolik2.avi.exe
hxxp://archivpornovideo.info/3/video/porno-rolik3.avi.exe
hxxp://archivpornovideo.info/4/video/porno-rolik4.avi.exe
hxxp://archivpornovideo.info/6/video/porno-rolik6.avi.exe
hxxp://archivpornovideo.info/7/video/porno-rolik7.avi.exe
hxxp://archivpornovideo.info/8/video/porno-rolik8.avi.exe
hxxp://archivpornovideo.info/9/video/porno-rolik9.avi.exe

The domain name changes frequently (10-15 times per day), but the host IP is always the same: 46.251.237.239

Another ransom, known as Lock'Em'All, updates every day.

Quote
hxxp://4xrubin.s3.amazonaws.com/xxx_video.exe

Kind Regards.
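What stays constant in the post above is the URL shape, not the domain: every pornorolik sample sits at /N/video/porno-rolikN.avi.exe, the S3-hosted ones at <bucket>.s3.amazonaws.com/xxx_video.exe, and the MBR locker at <domain>/xxxvideo.avi.exe. The following is an added example (not code from this thread or from either poster) that classifies the thread's defanged URLs by family, derives a host blocklist, and runs the same matcher over a few constructed proxy-log lines. The family regexes, the log format and the sample log lines are my own assumptions; the URLs are kept in their hxxp:// form and nothing is fetched.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample input: a few of the defanged (hxxp://) URLs posted in
# this thread. They stay defanged; nothing in this script fetches anything.
THREAD_IOCS = """
hxxp://archivpornovideo.info/1/video/porno-rolik1.avi.exe
hxxp://archivpornovideo.info/9/video/porno-rolik9.avi.exe
hxxp://4xrubin.s3.amazonaws.com/xxx_video.exe
hxxp://ssssaniedirki.ru/xxxvideo.avi.exe
hxxp://love-devushkivseti.info/10/video/porno-rolik10.avi.exe
hxxp://dokoler-w.info/gischematest.cgi?14
hxxp://dokoler-w.info/gischematest.cgi?13
"""

# Path shapes per family, taken from the URL structure the thread reports.
# Family labels are the thread's; the regexes are assumed (my own, not the
# posters' signatures). The "\1" back-reference ties the directory number to
# the file name, which is what survives the daily domain rotation.
FAMILY_PATHS = {
    "pornorolik": re.compile(r"^/(\d+)/video/porno-rolik\1\.avi\.exe$"),
    "amazon": re.compile(r"^/xxx_video\.exe$"),
    "mbrlocker": re.compile(r"^/xxxvideo\.avi\.exe$"),
    "redirector": re.compile(r"^/gischematest\.cgi$"),
}


def split_url(url):
    """Return (host, path, query); urlparse accepts hxxp:// and http:// alike."""
    parts = urlparse(url.strip())
    return parts.netloc.lower(), parts.path, parts.query


def classify(url):
    """Map a URL to one of the thread's families, or None if it matches none."""
    host, path, _ = split_url(url)
    for family, pattern in FAMILY_PATHS.items():
        if not pattern.match(path):
            continue
        # The S3 samples are distinguished by the bucket host, not the path.
        if family == "amazon" and not host.endswith(".s3.amazonaws.com"):
            continue
        return family
    return None


def group_by_family(ioc_text):
    """Group hosts by family; hosts matching no family land under 'unknown'."""
    groups = defaultdict(set)
    for line in ioc_text.splitlines():
        if not line.strip():
            continue
        host, _, _ = split_url(line)
        groups[classify(line) or "unknown"].add(host)
    return {family: sorted(hosts) for family, hosts in groups.items()}


def blocklist(ioc_text):
    """Hostnames worth blocking. For the S3 samples this is the bucket host
    (e.g. 4xrubin.s3.amazonaws.com), never s3.amazonaws.com itself."""
    hosts = set()
    for family, members in group_by_family(ioc_text).items():
        if family != "unknown":
            hosts.update(members)
    return sorted(hosts)


def scan_proxy_log(lines):
    """Flag proxy log lines whose requested URL matches a known family.
    The log format is a constructed, minimal '<ts> <client> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        family = classify(url)
        if family:
            hits.append((client, family, split_url(url)[0]))
    return hits


# Constructed proxy log lines: two hits (hosts taken from later posts in the
# thread) with a benign request in between.
SAMPLE_LOG = [
    "1310655000.101 10.0.0.5 GET http://xxxfilmaviforyou.info/3/video/porno-rolik3.avi.exe 200",
    "1310655001.202 10.0.0.6 GET http://example.invalid/index.html 200",
    "1310655002.303 10.0.0.7 GET http://w2yporn.s3.amazonaws.com/xxx_video.exe 200",
]

if __name__ == "__main__":
    for family, hosts in sorted(group_by_family(THREAD_IOCS).items()):
        print(f"{family:12} {', '.join(hosts)}")
    print("blocklist:", blocklist(THREAD_IOCS))
    for client, family, host in scan_proxy_log(SAMPLE_LOG):
        print(f"ALERT {client} -> {host} ({family})")
```

Matching on the path shape rather than the hostname is the point: a blocklist built from today's domains is stale by tomorrow (the post says 10-15 rotations a day), while the directory-number/file-name pattern is what the operators keep reusing. The S3 case is deliberately narrowed to the bucket host so the rule never blocks s3.amazonaws.com as a whole.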

July 14, 2011, 04:50:51 pm
Reply #1

SysAdMini (Administrator, Hero Member)
Thanks for submission and welcome to MDL.

We will forward those domain names to the GoDaddy abuse desk.
Ruining the bad guy's day

July 14, 2011, 05:03:18 pm
Reply #2

EP_X0FF
Thanks.

Here are some other fresh links to ransoms:

Quote
hxxp://rim2bi.s3.amazonaws.com/xxx_video.exe

and this is a link to the current MBR lock trojan:

Quote
hxxp://ssssaniedirki.ru/xxxvideo.avi.exe

Regards.

July 15, 2011, 07:05:48 am
Reply #3

EP_X0FF
New ransoms.

MBRLocker has been hosted on one IP for a long time (only the name keeps changing, 3-4 times per day).

Quote
hxxp://govnobakovkaxxx.ru/xxxvideo.avi.exe
hxxp://vaginudetrhr.ru/xxxvideo.avi.exe

New one on Amazon:

Quote
hxxp://new3porn.s3.amazonaws.com/xxx_video.exe

July 15, 2011, 09:08:18 am
Reply #4

EP_X0FF
New ransoms, on the same 46.251.237.239:

Quote
hxxp://love-devushkivseti.info/1/video/porno-rolik1.avi.exe
hxxp://love-devushkivseti.info/2/video/porno-rolik2.avi.exe
hxxp://love-devushkivseti.info/3/video/porno-rolik3.avi.exe
hxxp://love-devushkivseti.info/4/video/porno-rolik4.avi.exe
hxxp://love-devushkivseti.info/6/video/porno-rolik6.avi.exe
hxxp://love-devushkivseti.info/7/video/porno-rolik7.avi.exe
hxxp://love-devushkivseti.info/8/video/porno-rolik8.avi.exe
hxxp://love-devushkivseti.info/9/video/porno-rolik9.avi.exe
hxxp://love-devushkivseti.info/10/video/porno-rolik10.avi.exe

July 15, 2011, 04:09:36 pm
Reply #5

EP_X0FF
Ransoms from Amazon:

Quote
hxxp://w2yporn.s3.amazonaws.com/xxx_video.exe
hxxp://w1porka.s3.amazonaws.com/xxx_video.exe

Pornorolik ransoms:

Quote
hxxp://kiss-lublutebya.info/1/video/porno-rolik1.avi.exe
hxxp://kiss-lublutebya.info/2/video/porno-rolik2.avi.exe
hxxp://kiss-lublutebya.info/3/video/porno-rolik3.avi.exe
hxxp://kiss-lublutebya.info/4/video/porno-rolik4.avi.exe
hxxp://kiss-lublutebya.info/6/video/porno-rolik6.avi.exe
hxxp://kiss-lublutebya.info/7/video/porno-rolik7.avi.exe
hxxp://kiss-lublutebya.info/8/video/porno-rolik8.avi.exe
hxxp://kiss-lublutebya.info/9/video/porno-rolik9.avi.exe
hxxp://kiss-lublutebya.info/10/video/porno-rolik10.avi.exe

Fresh MBRLocker:

Quote
hxxp://fatrmutrfaker.ru/xxxvideo.avi.exe

July 16, 2011, 02:47:29 pm
Reply #6

EP_X0FF
Amazon (all different samples)

Quote
hxxp://us1porn.s3.amazonaws.com/xxx_video.exe
hxxp://2bioko.s3.amazonaws.com/xxx_video.exe

Pornorolik

Quote
hxxp://xxxfilmaviforyou.info/1/video/porno-rolik1.avi.exe
hxxp://xxxfilmaviforyou.info/2/video/porno-rolik2.avi.exe
hxxp://xxxfilmaviforyou.info/3/video/porno-rolik3.avi.exe
hxxp://xxxfilmaviforyou.info/4/video/porno-rolik4.avi.exe
hxxp://xxxfilmaviforyou.info/6/video/porno-rolik6.avi.exe
hxxp://xxxfilmaviforyou.info/7/video/porno-rolik7.avi.exe
hxxp://xxxfilmaviforyou.info/8/video/porno-rolik8.avi.exe
hxxp://xxxfilmaviforyou.info/9/video/porno-rolik9.avi.exe
hxxp://xxxfilmaviforyou.info/10/video/porno-rolik10.avi.exe

MBRLocker (each address gives a different sample)
Quote
hxxp://utubexxxvideo.ru/xxxvideo.avi.exe
hxxp://gigosporno.ru/xxxvideo.avi.exe

July 17, 2011, 11:19:54 am
Reply #7

EP_X0FF
Amazon (all different samples)

Quote
hxxp://gnpotk.s3.amazonaws.com/xxx_video.exe
hxxp://w3nixx.s3.amazonaws.com/xxx_video.exe
hxxp://sv2porn.s3.amazonaws.com/xxx_video.exe

Pornorolik

Quote
hxxp://hardsexfilmavi.info/1/video/porno-rolik1.avi.exe
hxxp://hardsexfilmavi.info/2/video/porno-rolik2.avi.exe
hxxp://hardsexfilmavi.info/3/video/porno-rolik3.avi.exe
hxxp://hardsexfilmavi.info/4/video/porno-rolik4.avi.exe
hxxp://hardsexfilmavi.info/6/video/porno-rolik6.avi.exe
hxxp://hardsexfilmavi.info/7/video/porno-rolik7.avi.exe
hxxp://hardsexfilmavi.info/8/video/porno-rolik8.avi.exe
hxxp://hardsexfilmavi.info/9/video/porno-rolik9.avi.exe
hxxp://hardsexfilmavi.info/10/video/porno-rolik10.avi.exe

MBRLocker

Quote
hxxp://dikiesu4ki.ru/xxxvideo.avi.exe
hxxp://RUSSIANSUKAVOM.ru/xxxvideo.avi.exe
hxxp://geffkiudaff.ru/xxxvideo.avi.exe
hxxp://udaffkom.ru/xxxvideo.avi.exe

July 17, 2011, 01:02:16 pm
Reply #8

EP_X0FF
Hope I'm not flooding very often  :)

This is the malware redirector used by the Pornorolik ransom. It leads to new domains.

Quote
hxxp://dokoler-w.info/gischematest.cgi?14

By changing the last id number you can go to different malware sample pages.

Hot Amazon ransom:

Quote
hxxp://ffporm.s3.amazonaws.com/xxx_video.exe

July 17, 2011, 01:17:12 pm
Reply #9

SysAdMini
Hope I'm not flooding very often  :)
No, it's ok. I appreciate your submissions.

This is malware redirector used by Pornorolik ransom. It leads to new domains.

Code:
hxxp://dokoler-w.info/gischematest.cgi?14
by changing last id number you can go to different malware samples pages.

I can't find the malware. Can you give me an example of what you see?
Ruining the bad guy's day

July 17, 2011, 01:23:27 pm
Reply #10

EP_X0FF
Currently it can't redirect to new domains because they are all suspended (a very fast response, I see).

Perhaps we should just wait a few hours :)

July 17, 2011, 04:38:08 pm
Reply #11

EP_X0FF
Pornorolik

Quote
hxxp://gigpornoforfree.ru/1/video/porno-rolik1.avi.exe
hxxp://gigpornoforfree.ru/2/video/porno-rolik2.avi.exe
hxxp://gigpornoforfree.ru/3/video/porno-rolik3.avi.exe
hxxp://gigpornoforfree.ru/4/video/porno-rolik4.avi.exe
hxxp://gigpornoforfree.ru/6/video/porno-rolik6.avi.exe
hxxp://gigpornoforfree.ru/7/video/porno-rolik7.avi.exe
hxxp://gigpornoforfree.ru/8/video/porno-rolik8.avi.exe
hxxp://gigpornoforfree.ru/9/video/porno-rolik9.avi.exe
hxxp://gigpornoforfree.ru/10/video/porno-rolik10.avi.exe

Redirector now works :)

For example
Quote
hxxp://dokoler-w.info/gischematest.cgi?13
redirects to
Quote
hxxp://gigpornoforfree.ru/3/porno.html

July 17, 2011, 04:46:50 pm
Reply #12

SysAdMini
Pornorolik

Redirector now works :)

For example
Quote
hxxp://dokoler-w.info/gischematest.cgi?13
redirects to
Quote
hxxp://gigpornoforfree.ru/3/porno.html

Doesn't work here. It always redirects to

Code:
hxxp://nightdate.ru/?tid=727&fo=1&gender=2
The target URL probably depends on the country.
Ruining the bad guy's day

July 17, 2011, 05:35:53 pm
Reply #13

EP_X0FF
Quote
The target URL probably depends on the country.

Likely :)

Here is a fresh Amazon sample:

Quote
hxxp://3vvporn.s3.amazonaws.com/xxx_video.exe

MBRLocker

Quote
hxxp://fukudafcom.ru/xxxvideo.avi.exe

July 17, 2011, 09:00:28 pm
Reply #14

SysAdMini
Redirection still doesn't work for me. I have tried different user agents and requests from different countries.

Have you used a referrer? What was your user agent? From what country did you send the requests?

If you don't want to publish details, then please send me a PM.

Thanks.
Ruining the bad guy's day