Resolved tommyslav.name to 91.213.8.52
I saw Malekal tweet that someone was using an exploit kit on adf.ly to distribute Andromeda. I had already posted this Andromeda and suspected that it was the cracked version. I just entered the gate info into the builder, ran the build and watched it download this.
Server: tommyslav.name
Gate
188.190.126.79 (Silence 5 Winlocker hosted by infiumhost.com)
Server: 188.190.126.79
Gate file: /~rotten/lock1/picture.php
First time I’ve seen someone use Silence winlocker since the cracked Multilocker was released.
Hosting info: http://whois.domaintools.com/188.190.126.79
fbicomputerservices.com (Multilocker 3 winlocker hosted by altushost.com)
Resolved fbicomputerservices.com to 37.46.125.111
Server: fbicomputerservices.com
Gate file: /panel/mplock/lending/tds.php
I’ve posted a winlocker on this IP before. Looks like he got a new domain and switched the directories up a bit.
Hosting info: http://whois.domaintools.com/37.46.125.111
monstercvv.cc (Multilocker 3 winlocker hosted by altushost.com)
Resolved monstercvv.cc to 37.46.125.111
Server: monstercvv.cc
Gate file: /mplock/Panel/lending/tds.php
Lots of interestingly named zips on the root of the domain.
Hosting info: http://whois.domaintools.com/37.46.125.111
qwer.be (Multilocker winlocker hosted by metrabyte.co.th)
Resolved qwer.be to 119.59.99.200
This domain was previously featured hosting YZF.
Server: qwer.be
Gate file: /lock/lending/tds.php
Admin page is at /lock/index.php with credentials admin:admin
Hosting info: http://whois.domaintools.com/119.59.99.200
a.loader.ws (andromeda http botnet and multi lock winlocker hosted by koddos.net)
Resolved a.loader.ws to 198.144.121.130
Andromeda
Server: a.loader.ws
Gate file: /ad/image.php
Plugins:
Rootkit: http://a.loader.ws/ad/r.pack
Socks: http://a.loader.ws/ad/s.pack
Formgrabber: http://a.loader.ws/ad/f.pack
Gate file: /ad/fg.php
Multilocker
Server: a.loader.ws
Gate file: /l/lending/tds.php
UPDATE: New domain used by the hacker. Resolved j87gyuh7uh.org to 37.143.12.145. The rest (file paths etc.) is the same, from the same guy. 2 domains not activated yet:
j87gyuh7uh.org
img197-imageshack.info (Andromeda http botnet and Spyeye banking malware hosted by ecatel.net)
Resolved img197-imageshack.info to 93.174.90.96
Andromeda
Server: img197-imageshack.info
Gate file: /panel/image.php
Spyeye
Server: img197-imageshack.info
Gate file: /gate.php
Login: /admin.php
Bonus Silence winlocker crap: img197-imageshack.info/bl/eu.php
Hosting info: http://whois.domaintools.com/93.174.90.96
unlockyourdesktop.info (Winlocker hosted by nerdie.net)
Resolved unlockyourdesktop.info to 199.96.156.208
Yet another survey-based winlocker. This one follows the established pattern of the Ukash and MoneyPak winlockers by loading a webpage that contains the surveys, rather than simply loading the offers like the previous variants.
(Image: winlocker site showing offers)
This version does not appear to do anything to prevent the use of
Survey winlocker (FileIce.net)
Here’s another winlocker based around having the victim complete surveys to unlock their computer. This one has the user download a file with a password rather than just complete the survey in the locker. It requires .NET 4.0 to run. The locker doesn’t block the whole screen, but inserts itself across the middle
Autoit Survey Winlocker
I found this while looking at the files that the Barracuda HTTP bots were downloading.
(Image: first screen)
(Image: CPA gateway)
(Image: the only survey leads to a parked domain; my computer is locked forever)
The winlocker is coded in AutoIt, so I decompiled it to an AutoIt script here: http://pastebin.com/ayK5QsVD
The important parts are the three html