A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #7499  by EP_X0FF
 Fri Jul 22, 2011 2:19 am
IP null-routed by upstream provider. As for now we are looking to get in EXETEL ISP directly. Regarding their redirectors - they have been killed by the registrar. Also killed any other domains registered with the same credentials.
 #7538  by GMax
 Sat Jul 23, 2011 8:40 am
IP: 195.226.220.141
organisation: ORG-IVK1-RIPE
org-name: Igor Vladimirovich Kanaev
org-type: OTHER
descr: Igor Vladimirovich Kanaev
address: Russia, Suvorov city, Tula Region,
address: Kirovskaya str., 14, app. 110
phone: +79037492322
abuse-mailbox: abuse@ru-tele.com
Number to call:
Unlock code: VERONIKA

add:
 #7540  by rkhunter
 Sat Jul 23, 2011 11:22 am
To GMax:
What service do you use to get such detailed information?

I have some links:

hxxp://rating-2011.ru/xxxvideo.avi.exe
hxxp://erotic-a.ru/xxx_porno_video.avi.exe

For both hosts, ISP: FOP Opria Ruslan Dmitrievich
Server Location: Ukraine

But the full address is not present.

Useful Russian service - http://hostnadzor.ru - reputation of ISP.

UPD: service info
Last edited by rkhunter on Sat Jul 23, 2011 11:36 am, edited 2 times in total.
 #7541  by GMax
 Sat Jul 23, 2011 11:32 am
@rkhunter

All "who is" services will give this information.
I use: domaintools.com
 #7544  by GMax
 Sat Jul 23, 2011 12:14 pm
rkhunter wrote:
> I have some links:
>
> hxxp://rating-2011.ru/xxxvideo.avi.exe
> hxxp://erotic-a.ru/xxx_porno_video.avi.exe

The links do not work.
Please attach the files.

rating-2011.ru shows the text: icq 611 700 123 if u need to speak
 #7545  by rkhunter
 Sat Jul 23, 2011 12:35 pm
Maybe the sites were already taken down. Unfortunately, I did not keep the samples.
 #7547  by EP_X0FF
 Sat Jul 23, 2011 2:35 pm
@GMax

Thank you for the notification.

Yes, they moved to new hosting about 20 hours ago. If you have working methods/resources in Ukraine/Russia to take down this new host - please do it. Also, if you have any info about the redirectors they use - please share. As for now we are going to blacklist this host and all spawned domains as soon as they are created. And of course please continue to post unlock codes.
 #7550  by rkhunter
 Sat Jul 23, 2011 3:23 pm
@EP_X0FF:

Maybe it would be logical to create a separate topic specifically for these ISPs which host blockers? And fill it up gradually. Also, it may include bulletproof ISPs.