Bitdefender recently wrote about the seizure of a server used to distribute "ICEPOL trojan":
Icepol MDN - A Server Snapshot http://t.co/s4Qe4KjR3g
— BitDefenderLabs (@BitDefenderLabs) January 30, 2014
They wrote that it looks like a pyramid scheme, as the samples were downloaded from another server. In The Hacker News:
ICEPOL Ransomware Servers seized by Romanian Police that infected 260,000 Computers 2014-01-29
it is referred to as Reveton.
I had no plan to write about them, but it looks like it is now time to do so.
From what I saw, it was a sub-affiliate of BestSoft (Urausy and more), buying traffic on porn websites and operating via social engineering (fake codecs): Opener XXX by Sly VIP
Urausy design last summer:
Urausy - Summer 2013 |
If you want to see traces of their activity in open-source data, take a look at Malekal's list.
Here:
Opener XXX by MalwareDB from Malekal |
Opener XXX by Urlquery |
Being able to wget the payload makes me lazy :)
The way distribution worked is explained by Bitdefender Labs.
From a user's point of view, Malekal also wrote a nice review here (FR).
Social engineering by those guys, captured by Malekal in April 2013 |
Administration panel:
Opener XXX 2013-06-29 |
Opener XXX - Monthly hits by date - June 2013 |
Opener XXX - Monthly installs/earnings by date - September 2013 |
Opener XXX - Monthly hits by hour of the day. I think it's GMT+4 (not sure; it was 10 am in France) |
Opener XXX - Monthly hits by country |
Opener XXX - TDS (list of porn websites for which they could activate the redirection; see files at the end) |
Opener XXX - Activated with Country filtering on 2 websites |
"There is no honor among thieves" |
Opener XXX - 2 days of traffic by members |
Some of the 15,000 referrers... (see files at the end) |
Opener XXX - Grand total 2013-06-29. "Sf3 paid" means the money paid by BestSoft |
Opener XXX - Grand total 2013-09-30 |
Read more:
Urausy is going Regional in United States - 2013-10-15
The missing link - Some lights on "Urausy" affiliate - 2013-05-29 <-- if you want to know more about the upper affiliate
Urausy Ransomware - July 2013 Design Refresh - "Summer 2013 Collection" - 2013-07-28
Urausy Lockscreen: Your computer will remain locked for 3 days, 11 hours and 20 minutes! - 2013-07-24 - Jaromir Horejsi - Avast
Urausy Ransomware - Arab world targeted - 2013-04-06