I'm still keeping an eye on these winlocks; here are some interesting cases:
MD5: C7C6735C0A143E54CAAEB38FFF252E49
Sacem, winlock targeting French people.
This winlock appeared when I had more important things to do than tracking malware, so I haven't investigated this one much...
This winlock was delivered via Blackhole, with the winlock files hosted on the same Blackhole server.
The following urls were found:
http://panuniv1.com/universal2/universalbezahlung/frankreich/
http://panuniv1.com/universal2/universalbezahlung/england/
http://panuniv1.com/universal2/universalbezahlung/deutschland/
http://panuniv1.com/universal2/universalbezahlung/holland/
http://panuniv1.com/universal2/universalbezahlung/schweiz/
http://panuniv1.com/4/
http://panuniv1.com/connect/gate.php
http://panuniv1.com/universal2/redirector/redirector.php
http://panuniv1.com/universal2/universalpanel/gate.php?hwid=2140809940&pc=XYLITOL-F12F085&localip=192.168.142.128&winver=Windows%20XP%20Professional%20x32
http://panuniv1.com/server-status/
http://panuniv1.com/phpmyadmin/
http://panuniv1.com/config/
http://panuniv1.com/3467/
http://panuniv1.com/bhadmin.php
C&C fail? (display_errors is on, so the pages leak the DB user names and the document root /var/www/html/):
http://panuniv1.com/universal2/universalbezahlung/frankreich/edit.php
-> Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'mfeeling_gema'@'localhost' (using password: YES) in /var/www/html/universal2/universalbezahlung/frankreich/inc/connect.php on line 2
could not connectAccess denied for user 'mfeeling_gema'@'localhost' (using password: YES)
http://panuniv1.com/universal2/universalbezahlung/frankreich/insert.php
-> Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'root'@'localhost' (using password: NO) in /var/www/html/universal2/universalbezahlung/frankreich/insert.php on line 3
Access denied for user 'root'@'localhost' (using password: NO)
---
MD5: F683C185A9EDE59394E163E7FB4C247D
Police nationale, winlock targeting French people (the background image changes depending on the victim's country; see the per-country images under /upload/ and geoip.inc in the list below).
Control panel (login still being brute forced):
Install:
The following urls were found:
http://109.236.88.220/Lc6zs7cJ7U/index.php
http://109.236.88.220/Lc6zs7cJ7U/getunlock.php
http://109.236.88.220/Lc6zs7cJ7U/unlock.php
http://109.236.88.220/Lc6zs7cJ7U/install.php
http://109.236.88.220/Lc6zs7cJ7U/picture.php?pin=0123456789123456
http://109.236.88.220/Lc6zs7cJ7U/css/bootstrap-responsive.css
http://109.236.88.220/Lc6zs7cJ7U/css/bootstrap-responsive.min.css
http://109.236.88.220/Lc6zs7cJ7U/css/bootstrap.css
http://109.236.88.220/Lc6zs7cJ7U/css/bootstrap.min.css
http://109.236.88.220/Lc6zs7cJ7U/css/border-radius.css
http://109.236.88.220/Lc6zs7cJ7U/css/jscal2.css
http://109.236.88.220/Lc6zs7cJ7U/css/reduce-spacing.css
http://109.236.88.220/Lc6zs7cJ7U/css/shadow-b.png
http://109.236.88.220/Lc6zs7cJ7U/css/style.css
http://109.236.88.220/Lc6zs7cJ7U/css/img/cool-bg-hard-inv.png
http://109.236.88.220/Lc6zs7cJ7U/css/img/cool-bg-hard.png
http://109.236.88.220/Lc6zs7cJ7U/css/img/cool-bg-inv.png
http://109.236.88.220/Lc6zs7cJ7U/css/img/cool-bg.png
http://109.236.88.220/Lc6zs7cJ7U/css/img/drop-down.gif
http://109.236.88.220/Lc6zs7cJ7U/css/img/drop-up.gif
http://109.236.88.220/Lc6zs7cJ7U/css/img/nav-left-x2.gif
http://109.236.88.220/Lc6zs7cJ7U/css/img/nav-left.gif
http://109.236.88.220/Lc6zs7cJ7U/css/img/nav-right-x2.gif
http://109.236.88.220/Lc6zs7cJ7U/css/img/nav-right.gif
http://109.236.88.220/Lc6zs7cJ7U/css/img/time-down.png
http://109.236.88.220/Lc6zs7cJ7U/css/img/time-up.png
http://109.236.88.220/Lc6zs7cJ7U/css/steel/brushed-steel.jpg
http://109.236.88.220/Lc6zs7cJ7U/css/steel/brushed-steel.png
http://109.236.88.220/Lc6zs7cJ7U/css/steel/coolbg.png
http://109.236.88.220/Lc6zs7cJ7U/css/steel/steel.css
http://109.236.88.220/Lc6zs7cJ7U/css/steel/steel.jpg
http://109.236.88.220/Lc6zs7cJ7U/upload/CA.jpg
http://109.236.88.220/Lc6zs7cJ7U/upload/DE.jpg
http://109.236.88.220/Lc6zs7cJ7U/upload/ES.jpg
http://109.236.88.220/Lc6zs7cJ7U/upload/FR.jpg
http://109.236.88.220/Lc6zs7cJ7U/upload/GR.jpg
http://109.236.88.220/Lc6zs7cJ7U/upload/IT.jpg
http://109.236.88.220/Lc6zs7cJ7U/upload/PT.jpg
http://109.236.88.220/Lc6zs7cJ7U/upload/UK.jpg
http://109.236.88.220/Lc6zs7cJ7U/upload/default.jpg
http://109.236.88.220/Lc6zs7cJ7U/include/db.php
http://109.236.88.220/Lc6zs7cJ7U/include/config.php
http://109.236.88.220/Lc6zs7cJ7U/include/geoip.inc
http://109.236.88.220/Lc6zs7cJ7U/img/glyphicons-halflings.png
http://109.236.88.220/Lc6zs7cJ7U/img/glyphicons-halflings-white.png
http://109.236.88.220/Lc6zs7cJ7U/img/logo.png
http://109.236.88.220/Lc6zs7cJ7U/img/logo.jpg
http://109.236.88.220/Lc6zs7cJ7U/flags/FR.gif
http://109.236.88.220/Lc6zs7cJ7U/flags/Unknown.gif
http://109.236.88.220/Lc6zs7cJ7U/flags/AR.WOA.gif
http://109.236.88.220/Lc6zs7cJ7U/flags/SV.WOA.gif
http://109.236.88.220/Lc6zs7cJ7U/flags/RS.WOA.gif
http://109.236.88.220/Lc6zs7cJ7U/flags/PE.WOA.gif
http://109.236.88.220/Lc6zs7cJ7U/flags/NI.WOA.gif
http://109.236.88.220/Lc6zs7cJ7U/flags/LI.WOA.gif
http://109.236.88.220/Lc6zs7cJ7U/flags/HT.WOA.gif
http://109.236.88.220/Lc6zs7cJ7U/flags/CR.WOA.gif
http://109.236.88.220/Lc6zs7cJ7U/sql/db.sql
http://109.236.88.220/Lc6zs7cJ7U/tmp/get.php
http://109.236.88.220/SE4rFBwKlt/
http://109.236.88.220/wEP3Krh5AE/
http://109.236.88.220/P0sryovk9M/
http://91.217.153.50/adm/
logo.png
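As an added example (my code, not from the post and not from either panel), here is a small scanner that runs over web-proxy log lines and flags the URL patterns listed above for both cases: the universalpanel gate.php check-in, which carries the victim's hwid, hostname, internal IP and Windows version in the query string, and the Silence panel's getunlock.php/unlock.php/picture.php scripts, whose random-looking 10-character parent directory (Lc6zs7cJ7U here) varies per install. The Squid-like log format and the sample lines are constructed assumptions; the URLs inside them are the ones listed in the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script paths copied from the URL lists in the post. The Silence panel sits under a
# random-looking 10-character directory (Lc6zs7cJ7U here) that differs per install,
# so that pattern keys on the script names, not the directory. index.php and
# install.php are left out on purpose: under an arbitrary directory they are too
# generic and would fire on unrelated sites.
SACEM_BEACON = re.compile(r"/universal2/universalpanel/gate\.php$")
SACEM_GATE = re.compile(r"/connect/gate\.php$")
SILENCE_PANEL = re.compile(r"^/[A-Za-z0-9]{10}/(getunlock|unlock|picture)\.php$")

# Assumed Squid-style "timestamp client method url" log line (not from the post).
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def classify_url(url):
    """Return (family, details) for a URL matching a known winlock path, else None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)

    def first(key):
        return query.get(key, [""])[0]

    if SACEM_BEACON.search(parts.path):
        # The check-in sends the victim's hostname and LAN address in clear text,
        # which identifies the infected machine without any further lookup.
        return "sacem/universalpanel", {
            "hwid": first("hwid"),
            "pc": first("pc"),
            "localip": first("localip"),
            "winver": first("winver"),
        }
    if SACEM_GATE.search(parts.path):
        return "sacem/universalpanel", {}
    m = SILENCE_PANEL.match(parts.path)
    if m:
        details = {"script": m.group(1)}
        if m.group(1) == "picture" and first("pin"):
            # picture.php?pin=... is the victim submitting a voucher code
            details["pin"] = first("pin")
        return "silence-winlocker", details
    return None


def scan_log(lines):
    """Run classify_url over log lines and return one dict per hit."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        result = classify_url(m["url"])
        if result is None:
            continue
        family, details = result
        hits.append({
            "ts": m["ts"],
            "client": m["client"],
            "host": urlsplit(m["url"]).hostname,
            "family": family,
            **details,
        })
    return hits


# Constructed sample log, not a real capture; the URLs are the ones listed in the post.
SAMPLE_LOG = [
    "2012-03-18T23:10:01Z 192.168.142.128 GET http://panuniv1.com/universal2/universalpanel/"
    "gate.php?hwid=2140809940&pc=XYLITOL-F12F085&localip=192.168.142.128"
    "&winver=Windows%20XP%20Professional%20x32",
    "2012-03-18T23:10:02Z 192.168.142.128 POST http://panuniv1.com/connect/gate.php",
    "2012-03-18T23:12:40Z 10.0.0.7 GET http://109.236.88.220/Lc6zs7cJ7U/css/bootstrap.min.css",
    "2012-03-18T23:12:41Z 10.0.0.7 GET http://109.236.88.220/Lc6zs7cJ7U/picture.php?pin=0123456789123456",
    "2012-03-18T23:13:00Z 10.0.0.9 GET http://www.example.com/abcdefghij/index.php",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A gate.php hit gives you the victim hostname and LAN address straight from the query string, which is enough to find the box on the network; a picture.php hit with a pin parameter means a victim has already typed a voucher code into the locker. The static CSS/image fetches under the random directory are deliberately not matched, since they are plain Bootstrap files.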

db.sql:
-- phpMyAdmin SQL Dump
-- version 3.3.3
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Mar 18, 2012 at 11:28 PM
-- Server version: 5.1.54
-- PHP Version: 5.3.7-ZS5.5.0
SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
--
-- Database: `cp`
--
-- --------------------------------------------------------
--
-- Table structure for table `billing`
--
CREATE TABLE IF NOT EXISTS `billing` (
`id` int(255) NOT NULL AUTO_INCREMENT,
`ucash` varchar(999) NOT NULL,
`psc` varchar(999) NOT NULL,
`ip` varchar(999) NOT NULL,
`country` varchar(999) NOT NULL,
`date` varchar(999) NOT NULL,
`go` varchar(99) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=45 ;
--
-- Dumping data for table `billing`
--
-- --------------------------------------------------------
--
-- Table structure for table `checklist`
--
CREATE TABLE IF NOT EXISTS `checklist` (
`id` int(255) NOT NULL AUTO_INCREMENT,
`ip` varchar(999) NOT NULL,
`country` varchar(999) NOT NULL,
`date` varchar(999) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=314 ;
--
-- Dumping data for table `checklist`
--
Silence Winlocker advertising:
And a second 'Silence Winlocker'-powered winlock (according to the control panel):
MD5: 6D8DB0D28948A4D91A30E51C6901BBA0
Gendarmerie, winlock targeting French people.
The usual stuff: it deletes the SafeBoot registry keys (HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network, which list the services and drivers allowed to load in safe mode), so a user who tries to boot into safe mode to remove it gets a BSoD instead.
Check the lengths of pins:
Malware call home:
PSC/Ukash pins:
reports.txt
Richi fake:
That's all for the moment; I have no idea whether the author of Silence Winlocker also does fake police designs.
Edit: no :)
IRL, nobody cares, but I've just bought a PS3 (:
Also, if you haven't heard the news already: Phrack issue #68 is out, fuck yeah!
Many people, including myself, do hacking as a hobby and choose
to participate in a different industry for our living income. If you choose
this path you will realize that as being part of this community will bring
you a lot of happiness.
Quoted from 0x07 Happy Hacking.
Edit 27 Apr 2k12:
- More paths added
- ICQ conversation added
+ Check out this new post by the Symantec guys, and this