Tuesday 27 September 2011

Tracking Cyber Crime: Yamba network - yambaclick.com/yambaprivate.com (Alureon/Fake.HDD)

I received an e-mail from one of my readers, about an affiliate, i decided to give a try.


Message of this year searching a web designer:

~

25 Sept:

26 Sept:

'mrs' ask for 5k minimum.
Yambaprivate like the url says is private, it's a fake.HDD affil.


Profile:

EXE download:

XML tools:

Stats:

Country stats:

News:

Payout:

yambaclick.com (the 'public' program):

Profile:

EXE download:

Stats:

News:

Payout:

The exe i got from yambaclick.com, unpacking

VirusTotal:

27 Sept, first detections happen for my unpacked file:



vm detection, destruction of the mbr:

Payloads in ressource

For malware-analysts/av guys i can provid you 117 Fake.HDD x), just write me a mail.


Fake.HDD Data recovery

Even found some weird names on the server like 'test', 'new'
 Fake.HDD detection:

searchwrong.org is used for malware download and searchwink.org has redirect for Fake.HDD billing.


And about Alureon, The Microsoft Malware Protection Center written a post on this recently:
https://blogs.technet.com/b/mmpc/archive/2011/09/25/a-tale-of-grannies-chinese-herbs-tom-cruise-alureon-and-steganography.aspx

Yeah, dumped.


Got busted on the night, but too late for him.
All your base are belong to us.

Edit: how to get Alureon samples from the server (thanks to S!Ri for the little script)
Add wget.exe into /system32/ and rulz :þ



set target=searchwrong.org/pima1/
set filename=-direct.exe
set droppath=www
set start=1
set end=1000
set step=1
if not exist %droppath% (
mkdir %droppath% )
FOR /L %%G IN (%start%, %step%, %end%) DO wget -U "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" -S -t 100 -P / "%target%%%G%filename%" -O "%droppath%/%%G%filename%"
echo.
echo Done.
pause

2 comments:

  1. Another russian cought :)

    ReplyDelete
  2. All Russian Criminal base belong to MalwareInt. Grt job again Xyli :d

    ReplyDelete