Trojan Ransom

[MysteryFCM]

Cheers

[mc0blck]

Amazon

hxxp://mansboxporn.ru/ (95.211.111.80) -> hxxp://mansboxporn.ru/video.htm (95.211.111.80) -> hxxp://bhtdsnz.ru/in.cgi?2 (95.211.111.80) -> hxxp://ttedhoki.s3.amazonaws.com/index.htm (72.21.214.144) -> hxxp://ttedhoki.s3.amazonaws.com/xxx_video.exe (72.21.214.144)

MBRLocker

New Blocker: hxxp://ALISSSASEX.ru/ (91.220.0.35) -> hxxp://valaskor.ru/in.cgi?5 (212.124.110.134) -> hxxp://mossdamozxxx.ru/ (91.220.0.35) -> hxxp://mossdamozxxx.ru/xxxvideo.avi.exe (91.220.0.35)
Blocker: hxxp://SOKIZSOSOK.ru/xxxvideo.avi.exe (91.220.0.35)
Blocker: hxxp://ANUSANALZHOPA.ru/xxxvideo.avi.exe (91.220.0.35)

[EP_X0FF]

Pornorolik back to business

hxxp://terabytepornovideo.ru/11/video/porno-rolik11.avi.exe
hxxp://terabytepornovideo.ru/12/video/porno-rolik12.avi.exe
hxxp://terabytepornovideo.ru/13/video/porno-rolik13.avi.exe
hxxp://terabytepornovideo.ru/16/video/porno-rolik16.avi.exe
hxxp://terabytepornovideo.ru/17/video/porno-rolik17.avi.exe
hxxp://terabytepornovideo.ru/18/video/porno-rolik18.avi.exe
hxxp://terabytepornovideo.ru/20/video/porno-rolik20.avi.exe

hxxp://davaypornosei4as.ru/11/video/porno-rolik11.avi.exe
hxxp://davaypornosei4as.ru/12/video/porno-rolik12.avi.exe
hxxp://davaypornosei4as.ru/13/video/porno-rolik13.avi.exe
hxxp://davaypornosei4as.ru/16/video/porno-rolik16.avi.exe
hxxp://davaypornosei4as.ru/17/video/porno-rolik17.avi.exe
hxxp://davaypornosei4as.ru/18/video/porno-rolik18.avi.exe
hxxp://davaypornosei4as.ru/20/video/porno-rolik20.avi.exe

hxxp://kakpravilnotrahattelok.ru/11/video/porno-rolik11.avi.exe
hxxp://kakpravilnotrahattelok.ru/12/video/porno-rolik12.avi.exe
hxxp://kakpravilnotrahattelok.ru/13/video/porno-rolik13.avi.exe
hxxp://kakpravilnotrahattelok.ru/16/video/porno-rolik16.avi.exe
hxxp://kakpravilnotrahattelok.ru/17/video/porno-rolik17.avi.exe
hxxp://kakpravilnotrahattelok.ru/18/video/porno-rolik18.avi.exe
hxxp://kakpravilnotrahattelok.ru/20/video/porno-rolik20.avi.exe

[EP_X0FF]

Amazon (previous locations dead)

hxxp://3rewporn.s3.amazonaws.com/xxx_video.exe

trace path including redirector

hxxp://ninnporno.ru/ -> hxxp://ninnporno.ru/video.htm -> hxxp://jjkpornoz.ru/in.cgi?2 (95.211.111.80) -> hxxp://3rewporn.s3.amazonaws.com/index.htm -> hxxp://3rewporn.s3.amazonaws.com/xxx_video.exe

where redirector -> jjkpornoz.ru is domain that always on the same IP: 95.211.111.80, so they are basically just generating new domains.

created:    2011.07.22
paid-till:  2012.07.22

Abuse response from LeaseWeb told me (regarding few previous domain working as redirectors) they will inform their customer about the problem and this is reply to all abuses.


Pornorolik

hxxp://smotripornomnogoxxx.ru/11/video/porno-rolik11.avi.exe
hxxp://smotripornomnogoxxx.ru/12/video/porno-rolik12.avi.exe
hxxp://smotripornomnogoxxx.ru/13/video/porno-rolik13.avi.exe
hxxp://smotripornomnogoxxx.ru/16/video/porno-rolik16.avi.exe
hxxp://smotripornomnogoxxx.ru/17/video/porno-rolik17.avi.exe
hxxp://smotripornomnogoxxx.ru/18/video/porno-rolik18.avi.exe
hxxp://smotripornomnogoxxx.ru/20/video/porno-rolik20.avi.exe

[EP_X0FF]

Pornorolik

hxxp://bestvideopornoxxx.ru/11/video/porno-rolik11.avi.exe
hxxp://bestvideopornoxxx.ru/12/video/porno-rolik12.avi.exe
hxxp://bestvideopornoxxx.ru/13/video/porno-rolik13.avi.exe
hxxp://bestvideopornoxxx.ru/14/video/porno-rolik14.avi.exe
hxxp://bestvideopornoxxx.ru/16/video/porno-rolik16.avi.exe
hxxp://bestvideopornoxxx.ru/17/video/porno-rolik17.avi.exe
hxxp://bestvideopornoxxx.ru/18/video/porno-rolik18.avi.exe
hxxp://bestvideopornoxxx.ru/20/video/porno-rolik20.avi.exe

MBRLocker

hxxp://soskisoskii.ru/xxxvideo.avi.exe

[MysteryFCM]

Dropped my friends at Leaseweb an e-mail, IP should hopefully be down within the hour.

[EP_X0FF]

Seems it's already down Thanks so much!

[mc0blck]

Porno-rolik redirector ( + replace 13 on 11-20):

hxxp://asi-top.ru/gierqwwn.cgi?13 (88.208.33.154)
Blocker: hxxp://traxxxpornoavi.ru/13/ (195.226.220.141) -> hxxp://traxxxpornoavi.ru/13/video/porno-rolik13.avi.exe (195.226.220.141)

Amazon

Blocker: hxxp://scdporno.ru/ (91.221.99.241) -> hxxp://uiupoba12.ru/go.php?sid=1 (91.221.99.241) -> hxxp://porn4tow.s3.amazonaws.com/index.htm (72.21.214.42) -> hxxp://porn4tow.s3.amazonaws.com/xxx_video.exe (72.21.214.42)
Blocker: hxxp://pornpojpor.ru/ (95.211.111.80) -> hxxp://nixposdss.ru/in.cgi?2 (95.211.111.80) -> hxxp://3rewporn.s3.amazonaws.com/index.htm (72.21.203.149) -> hxxp://3rewporn.s3.amazonaws.com/xxx_video.exe (72.21.203.149)
Blocker: hxxp://xxxbuxc.s3.amazonaws.com/index.htm (72.21.214.144) -> hxxp://xxxbuxc.s3.amazonaws.com/xxx_video.exe (72.21.214.144)
Blocker: hxxp://ninnporno.ru/ (95.211.111.80) -> hxxp://ninnporno.ru/video.htm (95.211.111.80) -> hxxp://movhpornd.ru/in.cgi?2 (95.211.111.80) -> hxxp://3rewporn.s3.amazonaws.com/index.htm (72.21.203.149) -> hxxp://3rewporn.s3.amazonaws.com/xxx_video.exe (72.21.203.149)
Blocker: hxxp://fingopas.s3.amazonaws.com/index.htm (72.21.194.23) -> hxxp://fingopas.s3.amazonaws.com/xxx_video.exe (72.21.194.23)

[EP_X0FF]

Amazon ransom trace

hxxp://scdporno.ru/ -> hxxp://scdporno.ru/video.htm -> hxxp://uiupoba12.ru/go.php?sid=1 -> hxxp://ebatporkas.s3.amazonaws.com/index.htm -> hxxp://ebatporkas.s3.amazonaws.com/xxx_video.exe

update ebatporkas.s3.amazonaws.com taken down, 404.

New trace

hxxp://amkkporno.ru/ -> hxxp://amkkporno.ru/video.htm -> hxxp://uiupoba12.ru/go.php?sid=1 -> hxxp://azxpoixx.s3.amazonaws.com/index.htm -> hxxp://azxpoixx.s3.amazonaws.com/xxx_video.exe

update azxpoixx.s3.amazonaws.com taken down, 404

Redirectors seems moved to Latvia.

Pornorolik domain

hxxp://zapretnoepornokruto.ru/11/video/porno-rolik11.avi.exe
hxxp://zapretnoepornokruto.ru/12/video/porno-rolik12.avi.exe
hxxp://zapretnoepornokruto.ru/13/video/porno-rolik13.avi.exe
hxxp://zapretnoepornokruto.ru/16/video/porno-rolik16.avi.exe
hxxp://zapretnoepornokruto.ru/17/video/porno-rolik17.avi.exe
hxxp://zapretnoepornokruto.ru/18/video/porno-rolik18.avi.exe
hxxp://zapretnoepornokruto.ru/20/video/porno-rolik20.avi.exe

hxxp://megabytespornovideo.ru/11/video/porno-rolik11.avi.exe
hxxp://megabytespornovideo.ru/12/video/porno-rolik12.avi.exe
hxxp://megabytespornovideo.ru/13/video/porno-rolik13.avi.exe
hxxp://megabytespornovideo.ru/16/video/porno-rolik16.avi.exe
hxxp://megabytespornovideo.ru/17/video/porno-rolik17.avi.exe
hxxp://megabytespornovideo.ru/18/video/porno-rolik18.avi.exe
hxxp://megabytespornovideo.ru/20/video/porno-rolik20.avi.exe

Redirector to MBRLocker (likely Russian IP required to make it work)

hxxp://valaskor.ru/in.cgi?5 (212.124.110.134)

hxxp://212.124.110.134/in.cgi?5 <- working well for me.

Regarding to this redirector. This is another mutant, that previously was named habrmabrt.ru, tdschtotakoetds.ru, all hosts on the same IP. And all used to be MBRLock redirectors.
DigitalOne AG has ignored abuse we've sent 4 days ago.

inetnum:        212.124.108.0 - 212.124.111.255
netname:        DIGITALONE-NET
descr:          DigitalOne AG Colocation and Dedicated Servers
remarks:        --------------------------------------------------
remarks:        Please, send abuse reports to abuse@digitalone.com
remarks:        --------------------------------------------------
country:        US
admin-c:        DA440-RIPE
tech-c:         DA440-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-TRI
changed:        noc@digitalone.com 20091111
source:         RIPE

role:           DigitalOne AG
address:        12100 Sunrise Valley Drive
address:        Reston, VA 20191, United States
e-mail:         noc@digitalone.com
abuse-mailbox:  abuse@digitalone.com
admin-c:        SO1294-RIPE
tech-c:         SO1294-RIPE
nic-hdl:        DA440-RIPE
mnt-by:         MNT-TRI
changed:        noc@digitalone.com 20091111
source:         RIPE

% Information related to '212.124.108.0/22AS47328'

route:          212.124.108.0/22
descr:          True Records Inc.
remarks:        ------------------------------------------------------
remarks:        Routing, peering and security:         noc@truerec.com
remarks:        Spam reports and abuse:              abuse@truerec.com
remarks:        ------------------------------------------------------
origin:         AS47328
mnt-by:         MNT-TRI
changed:        noc@truerec.com 20090630
source:         RIPE

[EP_X0FF]

Some other redirector revealed.

hxxp://asi-top.ru/gifeesdccz.cgi?12 (88.208.33.154, ADVANCEDHOSTERS-NET) it will redirect you to pornorolik domains (all on the 195.226.220.141)
Changing the id used in as param of gifeesdccz.cgi?id gives the following locations

hxxp://domatolkodetixxx.ru/11/video/porno-rolik11.avi.exe
hxxp://domatolkodetixxx.ru/12/video/porno-rolik12.avi.exe
hxxp://domatolkodetixxx.ru/13/video/porno-rolik13.avi.exe
hxxp://domatolkodetixxx.ru/16/video/porno-rolik16.avi.exe
hxxp://domatolkodetixxx.ru/17/video/porno-rolik17.avi.exe
hxxp://domatolkodetixxx.ru/18/video/porno-rolik18.avi.exe
hxxp://domatolkodetixxx.ru/20/video/porno-rolik20.avi.exe

[MysteryFCM]

DigitalOne AG has ignored abuse we've sent 4 days ago.

DigitalOne have a US address but are a Swiss company, and known to be bulletproof (just like their upstream). I'll have another word with True Records upstream and see what we can do about this.

[EP_X0FF]

Thanks

Fresh pornoroliks (binaries updating with new unlock codes, tel numbers)

hxxp://lolkorussiangirlsporno.ru/11/video/porno-rolik11.avi.exe
hxxp://lolkorussiangirlsporno.ru/12/video/porno-rolik12.avi.exe
hxxp://lolkorussiangirlsporno.ru/13/video/porno-rolik13.avi.exe
hxxp://lolkorussiangirlsporno.ru/16/video/porno-rolik16.avi.exe
hxxp://lolkorussiangirlsporno.ru/17/video/porno-rolik17.avi.exe
hxxp://lolkorussiangirlsporno.ru/18/video/porno-rolik18.avi.exe
hxxp://lolkorussiangirlsporno.ru/20/video/porno-rolik20.avi.exe

Amazon

hxxp://tix3porn.s3.amazonaws.com/xxx_video.exe

[EP_X0FF]

Amazon update site down, 404

hxxp://rim5tporn.s3.amazonaws.com/xxx_video.exe

Pornorolik

hxxp://russkieebutteloknaprirode.ru/11/video/porno-rolik11.avi.exe
hxxp://russkieebutteloknaprirode.ru/12/video/porno-rolik12.avi.exe
hxxp://russkieebutteloknaprirode.ru/13/video/porno-rolik13.avi.exe
hxxp://russkieebutteloknaprirode.ru/16/video/porno-rolik16.avi.exe
hxxp://russkieebutteloknaprirode.ru/17/video/porno-rolik17.avi.exe
hxxp://russkieebutteloknaprirode.ru/18/video/porno-rolik18.avi.exe
hxxp://russkieebutteloknaprirode.ru/20/video/porno-rolik20.avi.exe

[EP_X0FF]

Amazon ransom starts spreading through their new hosting previously used only for redirectors.

hxxp://PORNBIJJIN.ru/ (91.221.99.241) -> hxxp://PORNBIJJIN.ru/xxx_video.exe (91.221.99.241)
hxxp://PORNODAPORN.ru/ (91.221.99.241) -> hxxp://PORNODAPORN.ru/xxx_video.exe (91.221.99.241)
hxxp://XRASVIXPORN.ru/ (91.221.99.241) -> hxxp://XRASVIXPORN.ru/xxx_video.exe (91.221.99.241)

hxxp://z4nixxxi.s3.amazonaws.com/index.htm (72.21.211.171) -> hxxp://z4nixxxi.s3.amazonaws.com/xxx_video.exe (72.21.211.171)

this list is courtesy of mc0blck

[EP_X0FF]

I've done some research in case of Amazon ransom and found their sites actually contains obfuscated redirection code that leads to another server, full of exploits.

Below is the links I've gathered from there.

Page with exploit pack, gives fake 404 error, code obfuscated

hxxp://6g12w.ru/indexx.php?tp=8b797d0916c09fa8

6g12w.ru
IP: 85.15.231.110

inetnum:        85.15.231.107 - 85.15.231.122
netname:        LE_Collocation
mnt-by:         latvenergo-mnt
descr:          SIA "Projektam.lv" clients
country:        LV
admin-c:        SL666
tech-c:         SL666
status:         ASSIGNED PA
mnt-by:         projektamlv-mnt
changed:        meistars@projektam.lv 20110308
source:         RIPE

person:         Solution Solution6
address:        SL666
abuse-mailbox:  solutionsolution6@gmail.com
phone:          +37126546676
nic-hdl:        SL666
mnt-by:         projektamlv-mnt
changed:        meistars@projektam.lv 20110308
source:         RIPE

Trojan ransom similar to that located on Amazon WS

hxxp://6g12w.ru/d.php?f=236&e=2

There can be more files, I just deobfuscated page and quickly looked inside.

Amazon ransom I've examined to get this results

hxxp://kinvivifas.s3.amazonaws.com/index.htm

Binary itself

hxxp://kinvivifas.s3.amazonaws.com/xxx_video.exe

Exploit PDF (Exploit.JS.Pdfka.eka) extracted from sploit pack code:

hxxp://6g12w.ru/games/2fdp.php?f=236

Some malware Java package (Exploit.Java.229)

hxxp://6g12w.ru/games/worms.jar

+ some other stuff for Java

hxxp://6g12w.ru/games/java_trust.php?f=236