[EP_X0FF]

@EP_XOFF:

Maybe it would be logical to create a separate topic specifically for these ISP, which carry hosting blockers? And fill them up gradually. Also, there may include bulletproof ISP.

We are working on this. Probably soon this discussion will move to some other topic in other subforum :)

Currently list is following (regarding to three tracked ransoms):

Amazon WS - LockEmAll
RU-TELE - WinAD Pornorolik
SIA Business Aviation Services (seems bulletproof) - MBRLocker
LeaseWeb - Redirectors to LockEmAll edit: Guys wiped them out, redirectors moved to Latvia, SIA LEMGA, LEMGA-NET

[rkhunter]

@EP_XOFF

I am ready to help you in gathering lockers, but unfortunately, I do not know where to collect them and how you doing this. Did you do that automatically or not?

[EP_X0FF]

For start I can suggest you simple use Yandex (it's preferable search system because it indexing ru-zone match more better than Google or others) and look for "Sveta Bukina PORNO FREE WATCH DOWNLOAD" :) In Russian of course. Then you can simple click in every banner you see on every page - a TONS of fraud/hoaxes, browser blockers, malware, exploits 100% guaranteed. I can't reveal exact places because as you probably know a lot of these script-kiddies lurking here :)

[EP_X0FF]

Offtopic moved to separate thread

[Xylitol]

ParetoLogic guys wrote an article about WinAd ~ http://blogs.paretologic.com/malwaredia ... re-attack/
nothing really informative, article for the masses

[EP_X0FF]

WinAD related news :) Starting from yesterday evening, guys moved to all time repacking scheme - they repacking every hour with very good refined crypter. Currently (and for about already tracked 10 hours of repacks) all new generated samples have only 2 non meaningful signature/heur detection's according to VT.

Some stats

15 Aug: server shutdown at 195.226.220.142 (RU-TELE)
16 Aug: moved fast (5 hours delay) to 91.228.160.52 (WebXhost) and kicked out after few hours
16 Aug: currently moved to 95.57.120.140 (Telecom.kz)

migration continues :)

update 18 Aug 2011, 12:50

Crapware generator at 95.57.120.140 was taken down about 14 hours ago, at the moment of this reply they not yet migrated.

update 19 Aug 2011, 11:15

19 August 2011

Kids moved to new server (91.220.90.30)

update 19 Aug 2011, 21:33

Crapware generator at 91.220.90.30 was taken down about 4 hours ago due to abuse.

Kids moved to new host at 109.127.8.249 (Azerbaijan Data Network) less than one hour ago.

[kmd]

@EP_XOFF
i disappointed in av reaction on this particular malware. i was sending malware samples gathered from MDL few previous weeks, virlabs reacts really slow, in most cases when signatures began available winAD already refined and FUD. I.e. vba32 gives me answers only after 1 day - their signatures already outdated when they released. more effective Kaspersky/Dr.web but new mystic winAD uses easily breaks all their signs

[EP_X0FF]

@EP_XOFF
i disappointed in av reaction on this particular malware. i was sending malware samples gathered from MDL few previous weeks, virlabs reacts really slow, in most cases when signatures began available winAD already refined and FUD. I.e. vba32 gives me answers only after 1 day - their signatures already outdated when they released. more effective Kaspersky/Dr.web but new mystic winAD uses easily breaks all their signs

Some stats regarding to WinAD.

Starting from 17 July:

560 domain names allocated for using as pornorolik dropzones
50 domain names allocated for using as pornorolik redirectors
20-28 domain names change per day every day
4 different hosting providers changed
3-4 tel new numbers per day every day
3 times changed crypter (originally mystic, then VBCrypt, next new modified version of Mystic starting from the August).
1-2 unblock codes change per day every day
1-2 minor crypter cleanups per day every day

Regarding to "FUD" crypter they use, well it's incredible stupid piece of crap, however it's enough to fool static analysis. And to be completely honest - none of AV you mentioned never were something to hard fool in case of signs. Most of others VT patients are legalized FakeAV, stealing sings each other and calculating ridiculous hash sums.

[kmd]

new xylitol blogpost regarding winad sh**

Tracking Cyber Crime: WinAD gang (Ransom.DN/Win32.Timer)

[EP_X0FF]

Crapware generator at 109.127.8.249 was taken down.
Gang moved to new hosting provider and for now located at 31.192.109.210 (Mir Telematiki Ltd)

update

31.192.109.210 were off.
Moved to new location 77.91.231.193 (WEBALTA-AS OAO Webalta)