Friday 20 April 2012

Silence Winlocker

And the answer is... yes!
I continue to keep an eye on these winlocks; here are some interesting cases:

MD5: C7C6735C0A143E54CAAEB38FFF252E49
Sacem, winlock targeting French people.


This winlock appeared when I had more important things to do than tracking malware, so I have not investigated this one a lot...
This winlock was served via Blackhole, and the winlock panel was hosted on the same BH server.

The following urls were found:
http://panuniv1.com/universal2/universalbezahlung/frankreich/
http://panuniv1.com/universal2/universalbezahlung/england/
http://panuniv1.com/universal2/universalbezahlung/deutschland/
http://panuniv1.com/universal2/universalbezahlung/holland/
http://panuniv1.com/universal2/universalbezahlung/schweiz/
http://panuniv1.com/4/
http://panuniv1.com/connect/gate.php
http://panuniv1.com/universal2/redirector/redirector.php
http://panuniv1.com/universal2/universalpanel/gate.php?hwid=2140809940&pc=XYLITOL-F12F085&localip=192.168.142.128&winver=Windows%20XP%20Professional%20x32
http://panuniv1.com/server-status/
http://panuniv1.com/phpmyadmin/
http://panuniv1.com/config/
http://panuniv1.com/3467/
http://panuniv1.com/bhadmin.php

C&C fail?:
http://panuniv1.com/universal2/universalbezahlung/frankreich/edit.php
-> Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'mfeeling_gema'@'localhost' (using password: YES) in /var/www/html/universal2/universalbezahlung/frankreich/inc/connect.php on line 2
could not connectAccess denied for user 'mfeeling_gema'@'localhost' (using password: YES)

http://panuniv1.com/universal2/universalbezahlung/frankreich/insert.php
-> Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'root'@'localhost' (using password: NO) in /var/www/html/universal2/universalbezahlung/frankreich/insert.php on line 3
Access denied for user 'root'@'localhost' (using password: NO)

---

MD5: F683C185A9EDE59394E163E7FB4C247D
Police nationale, winlock targeting French people (the background image changes depending on your location)

Control panel (still being brute-forced)

Install:

The following urls were found:
http://109.236.88.220/Lc6zs7cJ7U/index.php
http://109.236.88.220/Lc6zs7cJ7U/getunlock.php
http://109.236.88.220/Lc6zs7cJ7U/unlock.php
http://109.236.88.220/Lc6zs7cJ7U/install.php
http://109.236.88.220/Lc6zs7cJ7U/picture.php?pin=0123456789123456
http://109.236.88.220/Lc6zs7cJ7U/css/bootstrap-responsive.css
http://109.236.88.220/Lc6zs7cJ7U/css/bootstrap-responsive.min.css
http://109.236.88.220/Lc6zs7cJ7U/css/bootstrap.css
http://109.236.88.220/Lc6zs7cJ7U/css/bootstrap.min.css
http://109.236.88.220/Lc6zs7cJ7U/css/border-radius.css
http://109.236.88.220/Lc6zs7cJ7U/css/jscal2.css
http://109.236.88.220/Lc6zs7cJ7U/css/reduce-spacing.css
http://109.236.88.220/Lc6zs7cJ7U/css/shadow-b.png
http://109.236.88.220/Lc6zs7cJ7U/css/style.css
http://109.236.88.220/Lc6zs7cJ7U/css/img/cool-bg-hard-inv.png
http://109.236.88.220/Lc6zs7cJ7U/css/img/cool-bg-hard.png
http://109.236.88.220/Lc6zs7cJ7U/css/img/cool-bg-inv.png   
http://109.236.88.220/Lc6zs7cJ7U/css/img/cool-bg.png
http://109.236.88.220/Lc6zs7cJ7U/css/img/drop-down.gif
http://109.236.88.220/Lc6zs7cJ7U/css/img/drop-up.gif
http://109.236.88.220/Lc6zs7cJ7U/css/img/nav-left-x2.gif
http://109.236.88.220/Lc6zs7cJ7U/css/img/nav-left.gif
http://109.236.88.220/Lc6zs7cJ7U/css/img/nav-right-x2.gif   
http://109.236.88.220/Lc6zs7cJ7U/css/img/nav-right.gif
http://109.236.88.220/Lc6zs7cJ7U/css/img/time-down.png
http://109.236.88.220/Lc6zs7cJ7U/css/img/time-up.png
http://109.236.88.220/Lc6zs7cJ7U/css/steel/brushed-steel.jpg
http://109.236.88.220/Lc6zs7cJ7U/css/steel/brushed-steel.png
http://109.236.88.220/Lc6zs7cJ7U/css/steel/coolbg.png
http://109.236.88.220/Lc6zs7cJ7U/css/steel/steel.css
http://109.236.88.220/Lc6zs7cJ7U/css/steel/steel.jpg
http://109.236.88.220/Lc6zs7cJ7U/upload/CA.jpg
http://109.236.88.220/Lc6zs7cJ7U/upload/DE.jpg
http://109.236.88.220/Lc6zs7cJ7U/upload/ES.jpg
http://109.236.88.220/Lc6zs7cJ7U/upload/FR.jpg
http://109.236.88.220/Lc6zs7cJ7U/upload/GR.jpg
http://109.236.88.220/Lc6zs7cJ7U/upload/IT.jpg
http://109.236.88.220/Lc6zs7cJ7U/upload/PT.jpg
http://109.236.88.220/Lc6zs7cJ7U/upload/UK.jpg
http://109.236.88.220/Lc6zs7cJ7U/upload/default.jpg
http://109.236.88.220/Lc6zs7cJ7U/include/db.php
http://109.236.88.220/Lc6zs7cJ7U/include/config.php
http://109.236.88.220/Lc6zs7cJ7U/include/geoip.inc
http://109.236.88.220/Lc6zs7cJ7U/img/glyphicons-halflings.png
http://109.236.88.220/Lc6zs7cJ7U/img/glyphicons-halflings-white.png
http://109.236.88.220/Lc6zs7cJ7U/img/logo.png
http://109.236.88.220/Lc6zs7cJ7U/img/logo.jpg
http://109.236.88.220/Lc6zs7cJ7U/flags/FR.gif
http://109.236.88.220/Lc6zs7cJ7U/flags/Unknown.gif
http://109.236.88.220/Lc6zs7cJ7U/flags/AR.WOA.gif
http://109.236.88.220/Lc6zs7cJ7U/flags/SV.WOA.gif
http://109.236.88.220/Lc6zs7cJ7U/flags/RS.WOA.gif
http://109.236.88.220/Lc6zs7cJ7U/flags/PE.WOA.gif
http://109.236.88.220/Lc6zs7cJ7U/flags/NI.WOA.gif
http://109.236.88.220/Lc6zs7cJ7U/flags/LI.WOA.gif
http://109.236.88.220/Lc6zs7cJ7U/flags/HT.WOA.gif
http://109.236.88.220/Lc6zs7cJ7U/flags/CR.WOA.gif
http://109.236.88.220/Lc6zs7cJ7U/sql/db.sql
http://109.236.88.220/Lc6zs7cJ7U/tmp/get.php

http://109.236.88.220/SE4rFBwKlt/
http://109.236.88.220/wEP3Krh5AE/
http://109.236.88.220/P0sryovk9M/
http://91.217.153.50/adm/
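To turn the two URL sets above into something a SOC can use, here is an added example (my own code, not from the original post and not the panel's) that scans proxy log lines for the Blackhole-hosted gate.php check-in (hwid/pc/localip/winver) and for the second panel's getunlock/unlock/install/picture scripts, pulling out the host fingerprint and the submitted PIN. The log lines are constructed for the example, and the CSV layout (timestamp, client IP, method, URL) is an assumption about the proxy format.

```python
"""Flag winlock check-in / unlock traffic in web-proxy logs.

Added example: the URL shapes come from the two samples in the post (gate.php
with hwid/pc/localip/winver on panuniv1.com, and the Lc6zs7cJ7U panel scripts).
The log text is constructed; the CSV layout is assumed.
"""
import csv
import io
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (not real traffic). Assumed format: ts,client,method,url
SAMPLE_LOG = """\
2012-04-18T10:02:11Z,10.0.0.5,GET,http://panuniv1.com/universal2/universalpanel/gate.php?hwid=2140809940&pc=XYLITOL-F12F085&localip=192.168.142.128&winver=Windows%20XP%20Professional%20x32
2012-04-18T10:02:12Z,10.0.0.5,GET,http://www.example.org/index.html
2012-04-18T10:05:40Z,10.0.0.7,GET,http://109.236.88.220/Lc6zs7cJ7U/picture.php?pin=0123456789123456
2012-04-18T10:06:02Z,10.0.0.7,POST,http://109.236.88.220/Lc6zs7cJ7U/unlock.php
2012-04-18T10:07:00Z,10.0.0.9,GET,http://example.com/gate.php
"""

# The Sacem sample's beacon carries a host fingerprint in these parameters.
CHECKIN_PARAMS = {"hwid", "pc", "localip", "winver"}
# Script names seen under the Lc6zs7cJ7U panel directory.
PANEL_SCRIPTS = re.compile(r"/(getunlock|unlock|install|picture)\.php$")


def classify(url):
    """Return (kind, details) for one URL, or None if nothing matched."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    # A bare gate.php is too generic; require the full fingerprint set.
    if parts.path.endswith("/gate.php") and CHECKIN_PARAMS.issubset(qs):
        return ("checkin", {k: qs[k][0] for k in sorted(CHECKIN_PARAMS)})
    m = PANEL_SCRIPTS.search(parts.path)
    if m:
        details = {"script": m.group(1)}
        if "pin" in qs:  # picture.php?pin=... carries the voucher code
            pin = qs["pin"][0]
            details["pin"] = pin
            details["pin_len"] = len(pin)
        return ("panel", details)
    return None


def scan(log_text):
    """Return [(ts, client, kind, details)] for every suspicious line."""
    hits = []
    for ts, client, method, url in csv.reader(io.StringIO(log_text)):
        verdict = classify(url)
        if verdict:
            hits.append((ts, client, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The check-in rule deliberately requires all four parameters rather than just the path, since gate.php is a common name; the panel rule keys on the script names, so it should be scoped to the known host or directory before going into production.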

logo.png




db.sql:
-- phpMyAdmin SQL Dump
-- version 3.3.3
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Mar 18, 2012 at 11:28 PM
-- Server version: 5.1.54
-- PHP Version: 5.3.7-ZS5.5.0

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";


/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;

--
-- Database: `cp`
--

-- --------------------------------------------------------

--
-- Table structure for table `billing`
--

CREATE TABLE IF NOT EXISTS `billing` (
  `id` int(255) NOT NULL AUTO_INCREMENT,
  `ucash` varchar(999) NOT NULL,
  `psc` varchar(999) NOT NULL,
  `ip` varchar(999) NOT NULL,
  `country` varchar(999) NOT NULL,
  `date` varchar(999) NOT NULL,
  `go` varchar(99) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=45 ;

--
-- Dumping data for table `billing`
--


-- --------------------------------------------------------

--
-- Table structure for table `checklist`
--

CREATE TABLE IF NOT EXISTS `checklist` (
  `id` int(255) NOT NULL AUTO_INCREMENT,
  `ip` varchar(999) NOT NULL,
  `country` varchar(999) NOT NULL,
  `date` varchar(999) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=314 ;

--
-- Dumping data for table `checklist`
--

Silence Winlocker advertising:

And a second 'Silence Winlocker'-powered winlock (according to the control panel):

MD5: 6D8DB0D28948A4D91A30E51C6901BBA0
Gendarmerie, winlock targeting French people.

The usual stuff: it removes the SafeBoot registry keys (the lists of services and drivers Windows is allowed to load in safe mode), so the user gets a BSoD if they try to remove it from safe mode.
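As an added example (my own code, not from the post and not the malware's), here is a way to check a `reg export` of the SafeBoot key for the entries a winlock like this deletes and to write a .reg fragment that puts them back. The export text is constructed for the example, and BASELINE is a small illustrative subset, not a full reference list for any Windows version; on a real machine you would run `reg export "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot" safeboot.reg` and build the baseline from a clean box of the same version.

```python
r"""Check a SafeBoot registry export for subkeys a winlock may have deleted.

Added example, not code from the original post. Windows reads the services and
drivers allowed in safe mode from
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network; emptying
those lists makes safe mode blue-screen, which is the behaviour the post
describes. SAMPLE_EXPORT is constructed and BASELINE is an assumed subset.
"""
import re

SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# Illustrative subset of entries a healthy Windows XP box carries (assumption,
# not a complete list): subkey name -> default value.
BASELINE = {
    "Minimal": {"vga.sys": "Driver", "Winmgmt": "Service", "CryptSvc": "Service"},
    "Network": {"vga.sys": "Driver", "Winmgmt": "Service", "Tcpip": "Service"},
}

# Constructed `reg export`-style text: Minimal lost Winmgmt and CryptSvc,
# Network is intact.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Winmgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
@="Service"
"""

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
DEFAULT_RE = re.compile(r'^@="(?P<value>[^"]*)"$')


def parse_safeboot(export_text):
    """Return {"Minimal": {subkey: default_value}, "Network": {...}}."""
    lists = {"Minimal": {}, "Network": {}}
    current = None  # (list name, subkey) of the key header last seen
    for line in export_text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            current = None
            path = m.group("path")
            if path.lower().startswith(SAFEBOOT.lower() + "\\"):
                parts = path[len(SAFEBOOT) + 1:].split("\\")
                # Only direct children of Minimal / Network are list entries.
                if len(parts) == 2 and parts[0] in lists:
                    current = (parts[0], parts[1])
                    lists[parts[0]].setdefault(parts[1], "")
            continue
        m = DEFAULT_RE.match(line.strip())
        if m and current:
            lists[current[0]][current[1]] = m.group("value")
    return lists


def missing_entries(found, baseline=BASELINE):
    """Baseline subkeys absent from the export, per SafeBoot list."""
    return {
        name: {k: v for k, v in entries.items() if k not in found.get(name, {})}
        for name, entries in baseline.items()
    }


def restore_reg(missing):
    """Build a .reg fragment that re-creates the missing subkeys."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for name, entries in missing.items():
        for sub, value in sorted(entries.items()):
            out.append(f"[{SAFEBOOT}\\{name}\\{sub}]")
            out.append(f'@="{value}"')
            out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    gone = missing_entries(parse_safeboot(SAMPLE_EXPORT))
    print(gone)
    print(restore_reg(gone))
```

Import the generated fragment with `reg import` from a normal boot (or offline with a rescue disc) before trying safe mode again; restoring only the listed subkeys is safer than importing a whole SafeBoot hive from a different machine.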

Check the lengths of pins:

Malware call home:

PSC/Ukash pins:

reports.txt

Richi fake:




That's all for the moment; I have no idea whether the author of Silence Winlocker also makes the fake police designs.
Edit: no :)

IRL, no one cares, but I've just bought a PS3 (:

Also, if you don't already know the news... Phrack issue #68 is out, fuck yeah!
Many people, including myself, do hacking as a hobby and choose
to participate in a different industry for our living income. If you choose
this path you will realize that as being part of this community will bring
you a lot of happiness.
Quoted from 0x07 Happy Hacking.

Edit 27 Apr 2k12:
- More paths added
- ICQ conversation added
+ Check out this new post by the Symantec guys and this

9 comments:

  1. : ) Nice, you motivate a lot of young people like myself. And GL with your PS3 :) and the new house

  2. Remember to avoid Sony's rootkits and botnets.

  3. Congratulations for the PS3 ;)

  4. Xyli <_< give me your PSN ID so we can play a match on Call of :b

  5. Nice post. Tnx.
    ps. Coooool phrack rel!!! Thx

  6. Can you tell us where you find sales threads like that? I can't seem to find any.

  7. how much did you pay for that PS3? :p

  8. 300 EUR at the Fnac with a 2-year warranty for 39 EUR and Call of for 70 EUR; the guy gave me a 10 discount... about 400 EUR in total.

  9. thanks for the answer and congratulations on the console ^^ but above all don't play with it too much, otherwise we won't get many of your posts ^^
