Comments on Leecher Mods: Malicious BitTorrent Clients: New Coat of Paint, Same Bad Story
Blog author: Recon (http://www.blogger.com/profile/06503028238011791604)
Comments feed, 7 comments, last updated 2023-10-30T05:16:21-11:00

Anonymous (2007-08-06 13:26 -11:00):

Internet is full of this stuff:
http://spywarefiles.prevx.com/RRGDEI038108841/BITDOWNLOAD+-+SOMASEX.EXE.html
http://www.bluetack.co.uk/forums/index.php?s=33d607c7f7ccd35f07b398c2b800f45c&showtopic=17080&pid=82316&st=0&#entry82316
Torrent101-3.1.0.1-setup-0283.exe
TorrentQ-2.1.0.0-setup-0350.exe
BitDownload-3.2.0.0-setup-0310.exe
Looks exactly like the "BitDownload" and "fastest_BitTorrent_downloader.zip" stuff I've been tracking for the past three months on Gnutella. Looks like they just tweaked their name a bit, but the filenames are still in the same pattern, e.g. "BitDownload-3.0.0.0-setup-0273.exe"
hxxp://www.get-torrent.com/index.php

detected: adware not-a-virus:AdWare.Win32.Lop.bo URL: hxxp://67.15.107.166/get-torrent/070520/Get-Torrent-2.0.0.0-setup-0350.exe//data0002

detected: Trojan program Trojan.Win32.Obfuscated.en URL: hxxp://67.15.107.166/get-torrent/070520/Get-Torrent-2.0.0.0-setup-0350.exe//data0013
Malware Bittorrent client:67.15.107.166-67.15.107.166
Wakenet P2P Malware:67.15.107.160-67.15.107.191

Company Name: WakeNet AB
http://www.spywareguide.com/creator_show.php?id=419

ev1s-67-15-107-160.ev1servers.net - 67.15.107.160

OrgName: WakeNet AB
OrgID: WAKEN
Address: Tanneforsv 17
City: Stockholm
StateProv:
PostalCode: S-122 47
Country: SE
NetRange: 67.15.107.160 - 67.15.107.191

OrgTechHandle: JWE65-ARIN
OrgTechName: Wennberg, Johan
OrgTechPhone: 46707756006
OrgTechEmail: johan@wakenet.se

RTechHandle: CNE36-ARIN
RTechName: Newcomb, Chris
RTechPhone: +1-713-579-2850
RTechEmail: ipadmin@ev1servers.net

Main distribution nodes:

Malware Bittorrent client - DINSA, Ministry of Defence (in the UK) (25.34.12.6):25.0.0.0-25.255.255.255
(Maybe they're spoofing this address, but I'm blocking all military ranges anyway)

Malware Bittorrent client - Merit Network Inc. (Large .edu range, apparently):35.34.12.6-35.34.12.6
(I'm not going to block all of 35.0.0.0-35.255.255.255 just for this, which is probably a spoof)

Malware Bittorrent client - Saudi Data VSAT Project:62.149.120.134-62.149.120.134
(I'm not going to block all of 62.149.120.0-62.149.127.255 just for this either)

Malware Bittorrent client - Hostway Corporation (66.113.139.56):66.113.139.56-66.113.139.56
(Hosting range is 66.113.128.0-66.113.255.255)

Malware Bittorrent client - FDC Servers.net, LLC FDCSERVERS:67.159.44.3-67.159.44.4
Malware Bittorrent client - FDC Servers.net, LLC FDCSERVERS:67.159.44.100-67.159.44.129
Malware Bittorrent client - FDC Servers.net, LLC FDCSERVERS:67.159.44.160-67.159.44.190
(As for me, I block all of 67.159.44.0-67.159.44.255)

Malware Bittorrent client - FIBER TECHNOLOGIES NETWORKS BRW-15171-FIBER:67.99.176.30-67.99.176.30
(I block all of 67.99.176.0-67.99.176.255 already)

Malware Bittorrent client - Syrian Telecommunication Establishment STE ISP Network 1:82.137.205.249-82.137.205.249
82.137.200.0-82.137.207.255

Malware Bittorrent client - NTT America, Inc. NTTA-128-121:128.121.3.81-128.121.3.81

Malware Bittorrent client - Filasteen al-Muslimah (Palestinian website hosted in Myanmar):202.71.103.178-202.71.103.178

Malware Bittorrent client - IPORTENT-LAN on Bezeq International range (using 212.179.133.218):212.179.133.216-212.179.133.223

Malware Bittorrent client - PALNET INTERNAL NETWORK (using 217.66.226.15):217.66.224.0-217.66.231.127

http://forum.securitycadets.com/index.php?showtopic=2063
http://forum.securitycadets.com/index.php?showtopic=1584

http://www.bitdownload.biz/
http://www.scroogle.org/cgi-bin/nbbw.cgi?Gw=bitdownload

Anonymous (2007-08-06 09:09 -11:00):

Look at this:
http://www.scroogle.org/cgi-bin/nbbw.cgi?Gw=bitgrabber.com
Results:

TorrentPortal
(forums.torrentportal.com)

and
http://forums.spybot.info/archive/index.php/t-10259.html

+
3wplayer : hxxp://www.3wplayer.com - BitDownload : hxxp://www.bitdownload.org - BitGrabber : hxxp://www.bitgrabber.com - BitRoll : hxxp://www.bitroll.com .. ..."
www.needforspeedcarbon.fr/recherche/google-3wplayer.html
...
BitGrabber is an adware bundler that is bundled with adware components and uses aggressive, deceptive advertising.
http://www.spywaresignatures.com/details.php?spyware=bitgrabber

Anonymous (2007-08-06 08:58 -11:00):

All of these clients and hosts are registered through: GoDaddy.com, India

Anonymous (2007-08-06 08:05 -11:00):

1. Domain alerts to all possible website filters, including Google's Firefox, McAfee, ...
2. Send the file in to all antivirus and antispyware/antimalware companies so they can include signatures for them in coming updates.
3. Look at those websites' visitors, with Venezuela almost on top (Alexa and other traffic measurement sites). Write a warning about these BitTorrent clients on blogs and elsewhere in their language.

Anonymous (2007-08-06 07:55 -11:00):

"There are several advanced and much better BitTorrent clients available today, but we still feel there is something missing in them. They don't show any ads. The other clients have tons of features and great functionality, but they are all overly complex to configure and to understand for a stupid user.

BitDownload's and BitGrabber's purpose is to provide users with a great BitTorrent client that is clean; just some adware and malware will appear in the web browser, but it's easy to use and great to get started with. While you download with this client, pop-up window advertisements show up by themselves. We prefer good quality ads over quantity -- fewer features that work better.

With BitDownload and BitGrabber, everyone can use and enjoy BitTorrent technology without being a computer newbie, reverse engineering its code and seeing the truth.

Happy downloading with automatic browser advertising pop-ups!"

Team ZA Reversing, product description corrections

Gerd (2007-08-06 07:25 -11:00):

I'm gonna download them all and install them one by one to look into the code. Will post a comment with all IPs and URLs in the code of these clients, including the User-Agent strings. Maybe a batch file can be made to uninstall this sh1t completely and easily after the examination is done.

Greez
Gerd

P.S.
Done it on my blog too

Anonymous (2007-08-06 06:20 -11:00):

They are registered to GoDaddy. Report them to GoDaddy, who have a policy against hosting spam/malware, and their domains will get pulled.

Registrant:
 Domains by Proxy, Inc.
 DomainsByProxy.com
 15111 N. Hayden Rd., Ste 160, PMB 353
 Scottsdale, Arizona 85260
 United States

 Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
 Domain Name: BITGRABBER.COM
 Created on: 12-Dec-06
 Expires on: 12-Dec-07
 Last Updated on:

 Administrative Contact:
 Private, Registration Whois Privacy and Spam Prevention by DomainTools.com
 Domains by Proxy, Inc.
 DomainsByProxy.com
 15111 N. Hayden Rd., Ste 160, PMB 353
 Scottsdale, Arizona 85260
 United States
 (480) 624-2599 Fax -- (480) 624-2599

 Technical Contact:
 Private, Registration Whois Privacy and Spam Prevention by DomainTools.com
 Domains by Proxy, Inc.
 DomainsByProxy.com
 15111 N. Hayden Rd., Ste 160, PMB 353
 Scottsdale, Arizona 85260
 United States
 (480) 624-2599 Fax -- (480) 624-2599

 Domain servers in listed order:
 NS1.ZONEEDIT.COM
 NS7.ZONEEDIT.COM
ref: http://whois.domaintools.com/bitgrabber.com

------------

Whois Record

Domain ID:D134326448-LROR
Domain Name:BITDOWNLOAD.ORG
Created On:04-Dec-2006 15:52:20 UTC
Last Updated On:03-Feb-2007 03:47:09 UTC
Expiration Date:04-Dec-2007 15:52:20 UTC
Sponsoring Registrar:GoDaddy.com, Inc. (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:GODA-025742519
Registrant Name:Registration Private
Registrant Organization:Domains by Proxy, Inc.
Registrant Street1:DomainsByProxy.com
Registrant Street2:15111 N. Hayden Rd., Ste 160, PMB 353
Registrant Street3:
Registrant City:Scottsdale
Registrant State/Province:Arizona
Registrant Postal Code:85260
Registrant Country:US
Registrant Phone:+1.4806242599
Registrant Phone Ext.:
Registrant FAX:+1.4806242599
Registrant FAX Ext.:
Registrant Email:Whois Privacy and Spam Prevention by DomainTools.com
Admin ID:GODA-225742519
Admin Name:Registration Private
Admin Organization:Domains by Proxy, Inc.
Admin Street1:DomainsByProxy.com
Admin Street2:15111 N. Hayden Rd., Ste 160, PMB 353
Admin Street3:
Admin City:Scottsdale
Admin State/Province:Arizona
Admin Postal Code:85260
Admin Country:US
Admin Phone:+1.4806242599
Admin Phone Ext.:
Admin FAX:+1.4806242599
Admin FAX Ext.:
Admin Email:Whois Privacy and Spam Prevention by DomainTools.com
Tech ID:GODA-125742519
Tech Name:Registration Private
Tech Organization:Domains by Proxy, Inc.
Tech Street1:DomainsByProxy.com
Tech Street2:15111 N. Hayden Rd., Ste 160, PMB 353
Tech Street3:
Tech City:Scottsdale
Tech State/Province:Arizona
Tech Postal Code:85260
Tech Country:US
Tech Phone:+1.4806242599
Tech Phone Ext.:
Tech FAX:+1.4806242599
Tech FAX Ext.:
Tech Email:Whois Privacy and Spam Prevention by DomainTools.com
Name Server:NS1.ZONEEDIT.COM
Name Server:NS7.ZONEEDIT.COM

http://whois.domaintools.com/bitdownload.org
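Added example, not part of the comment thread above and not code from any of the clients or sites it mentions: the "name:first-last" range entries pasted in the 13:26 comment (the "main distribution nodes" list) are in the plain-text range format that PeerGuardian-style blocklists use, the same format the Bluetack forum linked in that comment distributes. The script below parses such entries, answers whether a given peer address is covered, collapses the ranges into CIDR blocks suitable for a firewall or ipset, and flags entries that cover more than a threshold of addresses, which is the trade-off the commenter raises when they refuse to block a whole /8 or /21 for one probably-spoofed peer. The sample list is copied from that comment and embedded inline; the 65536-address threshold and the function names are my choices, not anything the thread specifies.

```python
import ipaddress
import re
from typing import List, NamedTuple

# Constructed sample: entries copied from the 13:26 comment above, in the
# "description:first-last" plain-text format of PeerGuardian-style blocklists.
# One entry in the comment separates the two addresses with a space instead of
# a dash, so the parser accepts either separator.
SAMPLE_BLOCKLIST = """\
Malware Bittorrent client:67.15.107.166-67.15.107.166
Wakenet P2P Malware:67.15.107.160 67.15.107.191
Malware Bittorrent client - DINSA, Ministry of Defence (in the UK) (25.34.12.6):25.0.0.0-25.255.255.255
Malware Bittorrent client - FDC Servers.net, LLC FDCSERVERS:67.159.44.3-67.159.44.4
Malware Bittorrent client - FDC Servers.net, LLC FDCSERVERS:67.159.44.100-67.159.44.129
Malware Bittorrent client - FDC Servers.net, LLC FDCSERVERS:67.159.44.160-67.159.44.190
Malware Bittorrent client - IPORTENT-LAN on Bezeq International range (using 212.179.133.218):212.179.133.216-212.179.133.223
"""

# The description may itself contain dotted addresses in parentheses, so the
# name is matched lazily and the line is anchored at both ends: the regex only
# succeeds when everything after the last viable colon is "addr<sep>addr".
_ENTRY = re.compile(
    r"^(?P<name>.*?)\s*:\s*(?P<first>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s*[- ]\s*(?P<last>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


class Entry(NamedTuple):
    name: str
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return self.first <= ip <= self.last

    def size(self) -> int:
        """Number of addresses the entry blocks."""
        return int(self.last) - int(self.first) + 1


def parse_blocklist(text: str) -> List[Entry]:
    """Parse "name:first-last" lines. Blank lines and '#' comments are skipped;
    a malformed line raises, so a bad list is never silently half-loaded."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a name:first-last entry: {raw!r}")
        first = ipaddress.IPv4Address(m["first"])
        last = ipaddress.IPv4Address(m["last"])
        if last < first:
            raise ValueError(f"line {lineno}: range end precedes start: {raw!r}")
        entries.append(Entry(m["name"], first, last))
    return entries


def matches(ip: str, entries: List[Entry]) -> List[str]:
    """Names of every entry covering `ip`, in list order (a host can sit on
    several entries at once, as 67.15.107.166 does in the sample)."""
    addr = ipaddress.IPv4Address(ip)
    return [e.name for e in entries if e.contains(addr)]


def to_cidrs(entries: List[Entry]) -> List[str]:
    """Collapse all ranges into the smallest sorted set of CIDR blocks, merging
    overlaps, so the list can be fed to ipset/iptables or a router ACL."""
    nets = []
    for e in entries:
        nets.extend(ipaddress.summarize_address_range(e.first, e.last))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def oversized(entries: List[Entry], max_hosts: int = 65536) -> List[Entry]:
    """Entries that block more than `max_hosts` addresses. Surfaces the
    "whole /8 for one peer" entries before a list reaches a firewall; the
    threshold (a /16 by default) is an arbitrary choice for this example."""
    return [e for e in entries if e.size() > max_hosts]


if __name__ == "__main__":
    entries = parse_blocklist(SAMPLE_BLOCKLIST)
    for cidr in to_cidrs(entries):
        print(cidr)
    for e in oversized(entries):
        print(f"WARNING: {e.name!r} blocks {e.size()} addresses")
    print(matches("67.159.44.110", entries))
```

Run stand-alone it prints the collapsed CIDR list, a warning for the 25.0.0.0/8 entry, and the entry that covers 67.159.44.110. Whether to keep an oversized entry is still a judgement call, as the commenter's own notes show; the check only makes sure the call is made consciously rather than by pasting a list straight into a blocker.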