Monday 5 May 2014

Install service for Malware affiliates and individuals

This install service had been running for a long time, but the server recently died.
The people targeted are in Russia, Ukraine, Belarus, Kazakhstan and Uzbekistan.

Login:

Statistics by days:
(Date, Unique visits, General visits)

Statistics by countries:
(Countries, Unique visits, Percentage, General visits)

Statistics by version:
(Version, Unique visits, Percentage, General visits)

Statistics by time:
(Time,  Users)

Downloads:
(Date, Already installed, ???? installed, Successfully installed, Copy failed, Modify failed, Register failed)

Updates:
(Date, Begin update, Downloaded update, Executed update, No ATL, Execution failed)

Statistics by tasks:
(Date, Start of xxxx, Searches, Clicks, ???)

Statistics by sites:

Statistics by ads:

Loader, users list:
(Nickname, ID, Priority, Ban, GEO, Days, General limit, Working conditions, Today, Summary, Size, Time, File)
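As an added illustration (not code from the panel or from this post), here is a small Python reconstruction of how a pay-per-install loader of this kind would use those columns to decide which files a reporting bot receives: banned buyers get nothing, GEO restricts by country, General limit caps total installs, Priority orders the rest, and a task the bot already reported is skipped (the "Already installed" counter on the Downloads page). The column-to-behaviour mapping, the buyer rows, IDs, limits, country codes and file names are assumptions; Days, Working conditions, Size and Time are left out.

```python
"""Reconstruction (assumption, not the panel's own code) of task selection
in a pay-per-install loader, built from the user-list columns:
Nickname, ID, Priority, Ban, GEO, General limit, Today, Summary, File."""
from dataclasses import dataclass


@dataclass
class LoaderTask:
    nickname: str          # buyer (an affiliate or individual)
    task_id: int           # ID column
    priority: int          # Priority column; higher is served first
    ban: bool              # Ban column; a banned buyer receives no installs
    geo: frozenset         # GEO column; empty set means any country
    general_limit: int     # General limit column; total installs purchased
    file: str              # File column; the EXE handed to the bot
    today: int = 0         # Today column; installs counted today
    summary: int = 0       # Summary column; installs counted overall

    def active_for(self, country: str) -> bool:
        """A task is served only to unbanned buyers, in the paid-for GEO, under the limit."""
        if self.ban:
            return False
        if self.geo and country not in self.geo:
            return False
        return self.summary < self.general_limit


def select_tasks(tasks, country, already_installed):
    """Files a bot reporting `country` should download, best priority first.
    Task IDs the bot already reported are skipped ("Already installed")."""
    eligible = [t for t in tasks
                if t.active_for(country) and t.task_id not in already_installed]
    eligible.sort(key=lambda t: (-t.priority, t.task_id))
    return [t.file for t in eligible]


def record_result(task, status, stats):
    """Update the Downloads counters from a bot's report; only a success
    counts against the buyer's daily and total numbers."""
    stats[status] = stats.get(status, 0) + 1
    if status == "Successfully installed":
        task.today += 1
        task.summary += 1


def sample_tasks():
    """Constructed rows loosely modelled on the listing. IDs, limits, GEOs and
    files are made up (191 is only borrowed from the 'Malwox TEST' client number)."""
    return [
        LoaderTask("Severa", 7, 9, True, frozenset(), 5000, "severa_loader.exe"),
        LoaderTask("Malwox TEST", 191, 5, False, frozenset({"RU", "UA"}), 2, "malwox_test.exe"),
        LoaderTask("Feodal cash", 23, 1, False, frozenset(), 1000, "feodal.exe"),
        LoaderTask("exhausted", 42, 8, False, frozenset({"RU"}), 100, "old.exe", summary=100),
    ]


if __name__ == "__main__":
    tasks = sample_tasks()
    stats = {}
    print("RU bot, first check-in:", select_tasks(tasks, "RU", set()))
    print("KZ bot, first check-in:", select_tasks(tasks, "KZ", set()))
    malwox = next(t for t in tasks if t.task_id == 191)
    for _ in range(2):
        record_result(malwox, "Successfully installed", stats)
    print("RU bot after Malwox limit reached:", select_tasks(tasks, "RU", set()), stats)
```

The point of the reconstruction is what an analyst can read off such a listing: a buyer's GEO and limit tell you which victims receive which payload, and the Today/Summary pair tells you how far along a campaign is.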

There are some interesting people in this listing:
Severa (known for FakeAV and spam)
Malwox affiliate (Mayachok.1)
Feodal cash affiliate (Bitcoin malware)

And if you want to know about the EXE files loaded: all of them are malware (Zeus, SpyEye, Russian lockers, spam bots, Mayachok, etc.).
The x64 Zbot covered by Kaspersky also comes from here.

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1363&start=50#p19625
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=648&start=40#p19621
The executables were rotated and refreshed constantly; from this system, around 400 samples could be pulled per day.

Download statistics for client 191 ( Malwox TEST ):
(Date,  Derved, Executed, Ctr, Create, Exists, Down, Run, Unp)

Edit user:

Add user:

Schedule for user:

FTP:
Menu: users list, add, FTP, Stats.

In the FTP list, most of the accounts had a shell on them.

Structure:

From the source:
$useZorkaJob = 0; //схч чрїюфр
$useSputnikJob = 0;
$useRekloJob = 0;
$useSpoiskJob = 0;
$useBegunCheatJob = 0;
These flags switch the individual job modules on or off; Begun is one of the biggest ad networks in Russia.

5 comments:

  1. Your move, Russia.

  2. Hello, I'm just getting started in Internet security, and I came across your blog.
    You're doing great! I have a question: could you give me some advice, as a beginner, regarding what should be taught in computer security?

  3. Strange. But it looks like it was not developed by a Russian (odd word combinations). And part of the interface was left in English.
