Wednesday, July 3, 2013

secure.9billing.com & dapav.net

FakeAV - Affiliate
ZBot / ZeroAccess
Advert Panel

dapav.net > 31.184.244.2
secure.9billing.com > 31.184.244.2
rowline.org > 31.184.244.5

31.184.244.2
netname:        TOEN
descr:          TOEN INCORPORATED
descr:          Middle East, U.A.E.
country:        AE



UPDATE 7/12/13 - Still Active
same server, same panel, same stats.

dapav.net


secure.9billing.com 


I took another sample to check out. 

21.1.exe
(VT 26/46)
AV detection is up from 22/46,
but still..20 vendors don't detect this fucker..WTF

anyway...



The .pcap file shows a DNS query to find rowline.org > 31.184.244.5

After the DNS lookup, 21.1.exe talks to rowline.org via HTTP and makes some requests like: 
hxxp://rowline.org/api/ping?stage=1&uid=cadeedbb8f779345b6c13d431855a4f&id=21&subid=1&os=1&avf=0
hxxp://rowline.org/api/test
hxxp://rowline.org/load/?uid=cadeedbb8f779345b6c13d431855a4f  (404, LOL) 


After this chatter it downloads a file, "SCC", which appears to be clean.

Next, another api/ping GET

And then this: 
hxxp://rowline.org/html/viruslist/?uid=cadeedbb8f779345b6c13d431855a4f

I'll dig into this more when I have time. 
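Added example, not part of the original post: a small Python check that looks for the same rowline.org request pattern in web-proxy logs. The host, paths and query keys are the ones from the capture above; the log format, client IP and timestamps are assumed and the sample lines are constructed.

```python
# Added example (not from the original post): flag the rowline.org beacon pattern in
# web-proxy logs. Host, paths and query keys come from the capture; log format is assumed.
import re
from urllib.parse import urlsplit, parse_qs

BEACON_HOSTS = {"rowline.org"}                                   # C2 host from the pcap
BEACON_PATHS = {"/api/ping", "/api/test", "/load/", "/html/viruslist/"}

# Assumed proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
def parse_line(line):
    """Return a dict describing a beacon request, or None if the line is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, status = m.groups()
    # Accept defanged hxxp:// URLs too, since analysts paste them that way.
    parts = urlsplit(url.replace("hxxp://", "http://", 1))
    if parts.hostname not in BEACON_HOSTS or parts.path not in BEACON_PATHS:
        return None
    q = parse_qs(parts.query)
    def first(key):
        return q.get(key, [None])[0]
    return {
        "time": ts, "client": client, "path": parts.path, "status": int(status),
        "uid": first("uid"),      # per-install identifier, constant across the session
        "id": first("id"),        # affiliate id sent in the ping
        "subid": first("subid"),  # sub-account id sent in the ping
    }

def scan(lines):
    """Return all beacon hits and the distinct uid values (roughly one per infected host)."""
    hits = [h for h in (parse_line(l) for l in lines) if h]
    return hits, sorted({h["uid"] for h in hits if h["uid"]})

# Constructed sample log: the four requests from the capture plus one benign line.
SAMPLE_LOG = """\
2013-07-12T10:01:02Z 10.0.0.23 GET http://rowline.org/api/ping?stage=1&uid=cadeedbb8f779345b6c13d431855a4f&id=21&subid=1&os=1&avf=0 200
2013-07-12T10:01:03Z 10.0.0.23 GET http://rowline.org/api/test 200
2013-07-12T10:01:04Z 10.0.0.23 GET http://rowline.org/load/?uid=cadeedbb8f779345b6c13d431855a4f 404
2013-07-12T10:01:05Z 10.0.0.23 GET http://www.example.com/api/ping?x=1 200
2013-07-12T10:01:09Z 10.0.0.23 GET http://rowline.org/html/viruslist/?uid=cadeedbb8f779345b6c13d431855a4f 200
""".splitlines()

if __name__ == "__main__":
    hits, uids = scan(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["client"], h["path"], h["status"], f'id={h["id"]} subid={h["subid"]}')
    print("infected uids:", uids)
```

Pointing the scan at a day of proxy logs gives one line per beacon and the list of uids, which is the quickest way to count hosts talking to this panel.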





Original Post:

First posted on cybercrime-tracker.net in 2012!




07-11-2012 secure.9billing.com/index.php 91.242.217.24 FakeAV PC Defender Plus



Panel still online





Main

Money: $ 0 
no shit. 



Geo





Sub Acc






Get .exe



This page builds a new binary and associates it with a subaccount for tracking the install.

I built a test .exe (21.21) and submitted it to VirusTotal. After I did this, I checked the Geo page and saw that there was a new install from France (must be the VirusTotal sandbox allowing the exe to run).

The first two builds (21.1.exe and 21.566.exe) were already in the panel.


21.1.exe
(VT 22/46)
https://www.virustotal.com/en/file/920ceeaa0c3a46373f96cc43cecca20b24cacdb6283ccc656ff999bc92f8244b/analysis/1372861065/

21.566.exe
(VT 22/47)
https://www.virustotal.com/en/file/a0d955ff7033dcf840b220432b0a78d12ccf72225df8692d6dd22cb5aedc8253/analysis/1372861188/

21.21.exe (test build)
(VT 22/47)
https://www.virustotal.com/en/file/c51f7c140e34157e84c67641dd927bbdd6231700438dbbfeae4c9f0ca1bcbc47/analysis/1372862762/
