Browlock Ransomware Malvertising Campaign

Browlock is a fake police ransomware: it is only an HTML web page that blocks the browser and demands a ransom.
It appeared around July 2013: http://www.malekal.com/2013/07/21/virus-gendarmerie-dlcc-extension-malicieuse/

Here are some malvertising chains leading to it:

http://pu.plugrush.com/t/kce/22669/12e16eea389865e74dafe36aa2e111fb/aHR0cDovL3d3dy5yaG90dWJlLmNvbS9teS13aWZlLWxvdmVzLXN1Y2tpbmctbG90cy1vZi1jb2Nrcy12NDE2Ng==
http://penispaldevice.com/ (193.169.87.15) – 0 @ VT https://www.virustotal.com/fr/url/588fc6953a2238063708aafa87eb352fd473a6cac88410e931a16f2e5a0afab7/analysis/
http://fbi.gov.id689865313-1868486492.t5843.com/?flow_id=1441&882623=41696/case_id=11730

Still on PlugRush:

http://widget.plugrush.com/p/3bb5/direct?pr=27a91f378e4aed101d6baefdd3b0beb4
http://clickforcams.com/ (193.169.87.15) – 0 @ VT https://www.virustotal.com/fr/url/8993dec96ae012b4a699bc4f3014792e5e9fccc9cfb8ece099723d48e8cc1c6d/analysis/1381129011/

EDIT October 7 2013

popcash malvertising :

http://popcash.net/world/sgo/4159/4648/676cfa24a6f695e6/aHR0cCUzQS8vd3d3Lm15eHZpZHMuY29tL3ZpZGVvcy8xOTU5MC9rYXRzdW1pMi8lMjM=
http://mysecretwebcam.com/ (93.190.142.195)
http://mysecretwebcam.com/style/style.css
http://mysecretwebcam.com/fl.swf
http://stats.mysecretwebcam.com/
http://ukmyu.alohashirtshop.us/video/CVN1m8zNzF8NJrOxPWb9kdrwO_/T9Yioo0cBucKl3WdOD4CAM6QlmAzdOsCOmBLLlD82gJ/Ix5GPORLUI5ivv1_/Q~~/ZmViZTAyZDNjYWViOWU0OWEyZjgxM2U1ZWIwZThkZTE
http://ukmyu.alohashirtshop.us/wdesigns/default/FR/files/bootstrap.min.css
http://ukmyu.alohashirtshop.us/wdesigns/default/FR/files/jquery.js
http://ukmyu.alohashirtshop.us/wdesigns/default/FR/files/main.js
http://ukmyu.alohashirtshop.us/wdesigns/default/FR/files/style.css
http://ukmyu.alohashirtshop.us/wdesigns/default/FR/close.php?a=0

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: MYSECRETWEBCAM.COM
Registrar URL: http://www.godaddy.com
Updated Date: 2013-03-16 16:23:51
Creation Date: 2006-02-02 14:00:53

Registrar Expiration Date: 2014-02-02 14:00:53
Registrar: GoDaddy.com, LLC
Registrant Name: Tomas Pansky
Registrant Organization:
Registrant Street: Rybna 1064/11
Registrant City: Praha
Registrant State/Province: Praha
Registrant Postal Code: 11000
Registrant Country: Czech Republic

Admin Name: Viktor Feskov
Admin Organization:
Admin Street: Chehov str. 38-34
Admin City: Bataysk
Admin State/Province: Bataysk
Admin Postal Code: 346880
Admin Country: ru
Admin Phone: 786354569443
Admin Fax:
Admin Email: Lothariobxm744@hotmail.com

The same email address is also used for:

girlfox.com
adultprom.com
livesexplay.com

New skin and URLs:

http://ukmyu.alohashirtshop.us/video/CVN1m8zNzF8NJrOxPWb9kdrwO_/T9Yioo0cBucKl3WdOD4CAM6QlmAzdOsCOmBLLlD82gJ/Ix5GPORLUI5ivv1_/Q~~/ZmViZTAyZDNjYWViOWU0OWEyZjgxM2U1ZWIwZThkZTE
http://ukmyu.alohashirtshop.us/wdesigns/default/FR/files/bootstrap.min.css
http://ukmyu.alohashirtshop.us/wdesigns/default/FR/files/jquery.js
http://ukmyu.alohashirtshop.us/wdesigns/default/FR/files/main.js
http://ukmyu.alohashirtshop.us/wdesigns/default/FR/files/style.css
http://ukmyu.alohashirtshop.us/wdesigns/default/FR/close.php?a=0

EDIT –

Avatraffic malvertising => http://www.bigdicksecret4u.com (193.169.87.15)

Registrant:
Vladimir Nikolaev
Email: wladimirkot@hotmail.com
Organization: Vladimir Nikolaev
Address: ul. Velyaminovskaya, d. 6.
City: Moskva
State: Moskva
ZIP: 105318
Country: RU
Phone: +7.4957254033

EDIT October 8

http://hit.trafficholder.com/cgi-bin/traffic/process.fcgi?a=ace&n=&r=
http://sixtalk.com/ – 0 VT : https://www.virustotal.com/fr/url/6f525b872858134f29b5681e0b72b89c6bcf1370f1b65b8da49cdf39987e8dbd/analysis/1381265060/
http://sixtalk.com/fl.swf
http://stats.sixtalk.com/24b7be1c3be066a62cdb112e1dea8ab9_stat.js
http://sdecfv.alohashirtshop.biz/music/7tOZz74t2pKpMbLOu2eZHFvm2m12GRD-xbeVDvZ0uoNZFxhtOplmbVcUKgKH1fMb92NO3RPl/xpqqge2HzVQSJQ~~/OWNiYzVkNjgwMDgxZTIwMDFhYjVlZWIzNTFh
http://sdecfv.alohashirtshop.biz/wdesigns/default/US/files/jquery.js
http://sdecfv.alohashirtshop.biz/wdesigns/default/US/files/style.css
http://sdecfv.alohashirtshop.biz/wdesigns/default/US/files/main.js
http://sdecfv.alohashirtshop.biz/wdesigns/default/US/files/bootstrap.min.css
http://sdecfv.alohashirtshop.biz/wdesigns/default/US/close.php?a=0

Sample : http://malwaredb.malekal.com/index.php?hash=4db4527c6e4f8cc253487039ca41bb64

EDIT October 14

Avatraffic update :
http://avatraffic.com/in.php?sid=1437&ck=1
http://www.topxxxwebcamsinfo.com/ (196.47.100.2) – 1 @ VT : https://www.virustotal.com/fr/url/c1ef5a57d91537ccedc157ee2ef7266ea59e291c6177bb14c95a172d4b576acb/analysis/1381739591/
http://fbi.gov.id964398687-6950545705.k2310.com/?flow_id=9141&630965=46798/case_id=57068

EDIT October 20

Via clicksvenue this time:

http://service.clicksvenue.com/redirect.php?target=http%3A%2F%2Fassfuckedteenies.com&width=1024&height=768&force_close=0
http://assfuckedteenies.com/ (196.47.100.2) – 2 @ VT : https://www.virustotal.com/fr/url/d57cde45f0dceb20063a8b17be282cf64fd63f91ba047ded9195436eb2d90b91/analysis/1382278183/
http://fbi.gov.id957192741-5133934980.e4203.com/?flow_id=3184&315322=37597/case_id=62622

Administrative Contact:
Semenov Ivan
St. Shukinskaya, e 12
Moscow, Moscow 123182
Russia
cashvxl@hotmail.com
+8 9784218451

With cashvxl@hotmail.com we also have:
quedusexy.com
mamadasgay.com

EDIT –

removed – Next.

EDIT October 34

http://newt3.adultadworld.com/jsc/fm.html?n=607&c=14228&s=30273&d=15&w=1&h=1&q=Windows_7&z=53632568
http://onhercamz.me/ (80.77.81.47) – 1 @ VT https://www.virustotal.com/fr/url/b8b622f945b52b4f291701665a78b91266ebdcbb9b0d9f04f38d013e826e74fd/analysis/1382630043/
http://onhercamz.me/index.php
http://nakol.my180plan.com/audio/nBqUGBdk9Qo-UIWYZyONWYdHun4oYc6oBKA_/OpJps-eTdpqXdhNDty17NDZnrT/qYWDW5Agt2Pp1s1rGGccavSg~~/YTQ4MTM5MGQ3ODZmN2JhYTRiZDM0MDhmMTdkODAxOTY (50.7.213.131)

Hey bad guys, you have a popup problem – please fix that 😛

EDIT 28 October

Avatraffic malvertising: freelivemodelchat.com (193.169.86.250)

It seems the bad guys are trying to target PlugRush with the malvertising at Avatraffic.
http://pu.plugrush.com/t/4cmv/24315/4e12e50f932583be3d669aba6fdd342e/aHR0cDovL3J1bWJhdHViZS5jb20v
http://www.pussyhater.com/big.php (69.61.18.234)
http://avatraffic.com/in.php?sid=2075
http://avatraffic.com/in.php?sid=2075&ck=1
http://freelivemodelchat.com/ – 3 @ https://www.virustotal.com/fr/url/dd4c45c188338fe30ff0581b835227d5b595d2813e4390fbfcaa354951296380/analysis/1382962131/
http://m.addthisedge.com/live/t00/300sh.gif?p7ehzo&si=526e53285dd90f83&uid=526e5002b2423a99&pub=xa-4f4395fd110955e5&rev=124254&sh=share&ln=de&pc=tbx%2Cmen&vpc=&dp=rumbatube.com&dr=50den.com
http://polizei.de.id369578855-8971548032.y6970.com/?flow_id=6997&153139=22045/case_id=30975

Why target PlugRush?
Simply because PlugRush ranks 987 on Alexa, whereas Avatraffic is around 20k.

EDIT – PlugRush has stopped the campaign.

EDIT November 3 2013

http://service.clicksvenue.com/redirect.php?target=http%3A%2F%2Ffartxxx.com&width=1024&height=768&force_close=0
http://fartxxx.com/ (193.169.86.250) – 0 @ https://www.virustotal.com/en/url/a01704cb55633a1a99f9434fe09d989eb0448428b1168e33421e436a464daaaa/analysis/1383510930/
http://polizei.de.id888464857-2869289938.h9615.com/?flow_id=1980&403187=91500/case_id=36049 (193.169.86.250)

EDIT November 4 2013

Avatraffic:

http://xxxldating.com/ (193.169.86.250) – 2 @ https://www.virustotal.com/en/url/8706eee093ec6daa0f6096f46ed48745d92320003b21e070fb078040de501071/analysis/1383575945/
http://polizei.de.id889570370-8055985847.l8508.com/?flow_id=6687&307918=72971/case_id=41740

EDIT November 25 2013

http://www.trafficholder.com/in/in.php?ace
http://hit.trafficholder.com/cgi-bin/traffic/process.fcgi?a=ace&n=&r=
http://www.datingsupreme.com/ – 1 @ VT https://www.virustotal.com/fr/url/c8defd8c5dbd03aab3b544cb0a519177affa1f655a78045159b5f196b67d033f/analysis/1385398859/
http://avatraffic.com/in.php?sid=2276
http://avatraffic.com/in.php?sid=2276&ck=1
http://momsmatureporn.com/ – 1 @ VT https://www.virustotal.com/fr/url/2e94c2919d2cdb6094245047b545e6f44d00f539603def47c84a7f059884ea7c/analysis/1385398844/

The datingsupreme malvertising redirects to Avatraffic, which loads another malvertising that redirects to the Browlock ransomware.

datingsupreme is used to pull Trafficholder traffic via Avatraffic.

EDIT 28 November

Target: clicksvenue.com

http://service.clicksvenue.com/redirect.php?target=http%3A%2F%2Frapidodating.com&width=1024&height=768&force_close=0
http://rapidodating.com/ (198.20.170.210) – 0 @ VT https://www.virustotal.com/fr/url/428a1678bf4a52ee50ef2a92ddc97c6168e554f076a1214ef384c56ac266d627/analysis/1385625949/
http://rapidodating.com/togavdi.js?aHR0cDovL3NlcnZpY2UuY2xpY2tzdmVudWUuY29tL3JlZGlyZWN0LnBocD90YXJnZXQ9aHR0cCUzQSUyRiUyRnJhcGlkb2RhdGluZy5jb20md2lkdGg9MTAyNCZoZWlnaHQ9NzY4JmZvcmNlX2Nsb3NlPTA=

Domain Name: RAPIDODATING.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS75.DOMAINCONTROL.COM
Name Server: NS76.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 21-mar-2013
Creation Date: 07-feb-2011
Expiration Date: 07-feb-2014

Registry Registrant ID:
Registrant Name: Travis R Constant
Registrant Organization:
Registrant Street: 1595 Geraldine Lane
Registrant City: New York
Registrant State/Province: New York
Registrant Postal Code: 10011
Registrant Country: United States
Registrant Phone: +1.84514388678
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: constanttravis@gmail.com

EDIT –

Malvertising :
http://pu.plugrush.com/t/es5/19651/aa8629e27e913f8bb9c3f48a939f517b/aHR0cDovL3d3dy5idXJuaW5nY2FtZWwuY29tL3ZpZGVvL3NsdXR0eS1jb2xsZWdlLWdpcmxzLWhhdmluZy1hbi1vcmd5
http://camsarena.net (144.76.136.252) – 0 @ VT https://www.virustotal.com/fr/url/59b815f7c7a49059e501ef0ebfa721e58de6ea098c1134fef22050b96f434f8c/analysis/1385643043/
http://kind.boowee.be/?id=665f644e43731ff9db3d341da5c827e1

EDIT – December 4

New IP – Trafficholder malvertising: https://twitter.com/malekal_morte/status/408170292637220864
reemdating.com (144.76.136.253)

And an adultadworld malvertising: interracialparadise.net (178.214.121.21)

This last one is very interesting. Why?

This website is distributed by mctcash: http://www.mctcash.com/pages/our-sites.php

After talking with some ad companies, it appears that mctcash is another fake ad company owned by the bad guys.

For example, I had already reported ilikeshavedpussy.com, EbonyInvite.com and milf-bitches.com as malvertising there: http://www.malekal.com/2013/10/14/reveton-malvertising-campaign/

Like creoads – stay away from mctcash.

EDIT –

What a surprise: http://ebonyview.com/ (mctcash) is redirecting to http://electronic-cigarettes-reviews.net/, which is a malvertising => https://twitter.com/malekal_morte/status/408283654155034625

EDIT December 12

A blog post on Dynamoo about 193.169.87.247: http://blog.dynamoo.com/2013/12/europol-scareware-something-evil-on.html – 193.169.87.247 is also mentioned here: http://www.malekal.com/2013/12/08/malvertising-on-clicksor-via-rapid8-com/

A new IP, but still the same netname:

http://www.trafficholder.com/in/in.php?ace
http://hit.trafficholder.com/cgi-bin/traffic/process.fcgi?a=ace&n=&r=
http://liveevoque.com/ (192.232.222.161) – 1 @ VT https://www.virustotal.com/fr/url/8712867a27e1c90212b4460f8b3cfa942141e38b77ac06e5f7b0b09094e48139/analysis/1386836562/
http://avatraffic.com/in.php?sid=2138
http://avatraffic.com/in.php?sid=2138&ck=1
http://excellenthandjob.com/ (176.103.48.11) – 1 @ https://www.virustotal.com/fr/url/83e721758d208494d925758a69aab3e09c442f63c5182e33f17a29d7c06d4183/analysis/1386836577/
http://polizei.de.id933955687-6047838534.g2319.com/?flow_id=3753&295313=67135/case_id=34191 (176.103.48.11)

inetnum: 176.103.48.0 – 176.103.63.255
netname: XServer-IP-Network-6
descr: PE Ivanov Vitaliy Sergeevich
country: UA
org: ORG-IV2-RIPE
admin-c: IV25-RIPE
tech-c: IV25-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-IV25
mnt-routes: MNT-IV25
mnt-routes: ITL-MNT
mnt-domains: MNT-IV25
source: RIPE # Filtered

EDIT December 13

A new one, still stealing traffic from Trafficholder via Avatraffic.

http://it-hk.co.uk/ (192.232.222.161)
http://avatraffic.com/in.php?sid=2138
http://zed.turbonude.ru/5/go.php?sid=7 (88.214.200.190) – 0 @ VT https://www.virustotal.com/fr/url/2bf3bef20372d61dd2887844a43b19cee126032dbdaafece99ce5a30bc50b358/analysis/1386932783/
http://warning.policeviewer.com/?id=c38d8c4800e606e089602ee67e1b14ca (108.162.206.15)

Sample of Browlock page : http://malwaredb.malekal.com/index.php?hash=b8d1870d66160167a74c3b49341bbab3

EDIT December 15

http://service.clicksvenue.com/redirect.php?target=http%3A%2F%2Fchaturgreat.com&width=1100&height=850&force_close=0
http://chaturgreat.com/ (188.42.246.252) – 0 @ VT https://www.virustotal.com/fr/url/49ca152b2e16b754e4d1433d07f98b33180e4a1d9b6a7b3d944965d1b18e5d35/analysis/1387114413/
http://error.police-alert-guard.com/?id=[..]

EDIT December 23

First, Symantec has published a nice write-up about Browlock: http://www.symantec.com/connect/blogs/massive-malvertising-campaign-leads-browser-locking-ransomware

It's big, but I'm not surprised:

The 650,000 connections detected in November is merely a piece of the pie, but the real number is likely to be much larger.

I don't blog porn malvertising here anymore, but I published some of them on Twitter: https://twitter.com/malekal_morte
During the week, we work with some ad companies to get it removed, and I think it works, according to the last Symantec graphs and some DoS attacks malekal.com gets.
We need to be better at weekends, as traffers try to bruteforce while antivirus/ad support is less active.

Second, I got Browlock redirections on two warez websites that load Russian ads: rapid8.com (already discussed there: http://www.malekal.com/2013/12/08/malvertising-on-clicksor-via-rapid8-com/ ) and Delamusique.com.

Here are the URLs:

http://mobatory.com/8jxjj7ifv306jtwqpzhdzo7bkqpdvrbcz6b3bbmtg?[…]
http://mobatory.com/img/close/en/flash/close.swf
http://yambotan.ru/13sqh4r4gv0tdh93a8ua114i4617by11y1lk21ad0qj1jhof1116hcurqknw16ve1ggidu18tzgm6amgd39
http://myuniques.ru/10ohlu2r1b18yplko4020ptlyptumv0z7zr9jvgl17oebmegwl0ueehhv4m413r565s4ya0qwkgns5e0n5x
http://news-91587-latest.natsyyaty.ru/[…]
http://cougarplays.com/
http://europol.europe.eu.france.id813965633-2429546816.e327367.com/?flow_id=1087&537478=93901/case_id=[..]
http://moonhappy.ru/6xq9z07h4pl5eauhwxv7dg537a2mnh2df5djsep8k?[..]
http://moonhappy.ru/[…]
http://moonhappy.ru/img/close/en/flash/close.swf
http://news-91587-latest.natsyyaty.ru/[…]
http://cougarplays.com/
http://europol.europe.eu.france.id202719781-8916574562.q468340.com/?flow_id=6500&920646=88491/case_id=[..]

Cougarplays.com is also a malvertising present on Avatraffic: https://twitter.com/malekal_morte/status/414335363012759552
The malware guys load other malvertising onto Trafficholder and Trafficbroker that redirects to Avatraffic, which then loads cougarplays.

Trafficholder / Trafficbroker => Malvert1 => Avatraffic => Malvert2 => Browlock.

So they are able to pull traffic from Trafficholder / Trafficbroker while making it harder to trace them.
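A chain like the one above can be triaged automatically. The following Python script is an added example, not code from this post: it labels each hop of a captured chain (ad network, decoy site or Browlock landing page), decodes the base64 referrer that PlugRush, popcash and clicksvenue embed in their click URLs, and splits the fake-police landing hostname into the impersonated brand and the real throwaway domain. The AD_NETWORKS list, the hostname pattern and the sample chain (URLs taken from the October 28 EDIT) are my assumptions derived from this post.

```python
"""Triage a captured Browlock redirect chain: label each hop and recover the
referrer that ad networks embed as base64 in their click-through URLs."""
import base64
import binascii
import re
from urllib.parse import urlsplit

# Ad-network / traffic-broker hosts named in this post (my list, not exhaustive).
AD_NETWORKS = ("plugrush.com", "popcash.net", "avatraffic.com",
               "trafficholder.com", "clicksvenue.com")

# Shape of the Browlock landing hostnames seen here: a police-looking prefix,
# then id<campaign>-<visitor>, then a throwaway <letter><digits>.com, e.g.
# polizei.de.id369578855-8971548032.y6970.com (assumed pattern, from the URLs).
LANDING_HOST = re.compile(
    r"^(?P<brand>[a-z0-9.-]+)\.id(?P<campaign>\d+)-(?P<visitor>\d+)"
    r"\.(?P<throwaway>[a-z]\d+\.com)$")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")
LANDING_IDS = re.compile(r"flow_id=(\d+).*?case_id=([\w\[\].]+)")


def decode_b64_token(token):
    """Decode a base64 or base64url token to printable ASCII text, else None."""
    if not B64_TOKEN.fullmatch(token):
        return None
    std = token.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)          # restore stripped padding
    try:
        text = base64.b64decode(std, validate=True).decode("ascii")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    return text if text.isprintable() else None


def classify_host(host):
    """Return (role, landing-match-or-None) for one hostname."""
    if any(host == n or host.endswith("." + n) for n in AD_NETWORKS):
        return "ad-network", None
    m = LANDING_HOST.match(host)
    return ("browlock-landing", m) if m else ("site", None)


def triage_chain(chain):
    """Label every hop of a redirect chain and extract embedded referrers."""
    hops = []
    for url in chain:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        role, m = classify_host(host)
        # Candidate tokens: path segments, whole query pairs and their values.
        candidates = [s for s in parts.path.split("/") if s]
        for kv in parts.query.split("&"):
            candidates += [kv, kv.partition("=")[2]]
        hop = {"url": url, "host": host, "role": role,
               "embedded": [d for d in map(decode_b64_token, candidates) if d]}
        if m:
            hop["impersonates"] = m.group("brand")
            hop["registrable_domain"] = m.group("throwaway")
            ids = LANDING_IDS.search(parts.query)
            if ids:
                hop["flow_id"], hop["case_id"] = ids.groups()
        hops.append(hop)
    return hops


def summarize(hops):
    """One-line view of the chain: host[role] -> host[role] -> ..."""
    return " -> ".join(f"{h['host']}[{h['role']}]" for h in hops)


# Chain from the October 28 EDIT (URLs quoted from the post): PlugRush click,
# Avatraffic, decoy site, Browlock landing page.
SAMPLE_CHAIN = [
    "http://pu.plugrush.com/t/4cmv/24315/4e12e50f932583be3d669aba6fdd342e/"
    "aHR0cDovL3J1bWJhdHViZS5jb20v",
    "http://avatraffic.com/in.php?sid=2075&ck=1",
    "http://freelivemodelchat.com/",
    "http://polizei.de.id369578855-8971548032.y6970.com/"
    "?flow_id=6997&153139=22045/case_id=30975",
]

if __name__ == "__main__":
    hops = triage_chain(SAMPLE_CHAIN)
    print(summarize(hops))
    for hop in hops:
        for ref in hop["embedded"]:
            print(f"  {hop['host']} embeds referrer: {ref}")
        if hop["role"] == "browlock-landing":
            print(f"  impersonates {hop['impersonates']}, real domain "
                  f"{hop['registrable_domain']}, flow_id={hop.get('flow_id')}, "
                  f"case_id={hop.get('case_id')}")
```

The same decoder recovers the clicksvenue redirect URL hidden in the rapidodating.com togavdi.js query string from the November 28 EDIT.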

It seems that natsyyaty.ru is malicious.
One detection on VirusTotal, by Dr.Web: https://www.virustotal.com/fr/url/f6444a2fdfdccea18c8952faa864c432ed9a8051a0856eca45f1f3f5f2220fb1/analysis/1387821057/

URL:http://news-91587-latest.natsyyaty.ru/
Ratio de détection :1 / 51
Date d’analyse :2013-12-23 17:50:57 UTC (il y a 0 minute)

EDIT – January 4

Back from holidays, glad to see that most adult ad networks don't have any malvertising. The ClickPapa network loads some malvertising; here is a Browlock one via:

http://www.clickpapa.com/d.php?&id=17&client=pub-27&keywords=""&count=1&screen_size="1024x768"&browser="Netscape-5"&OS="Windows%207"&lang="undefined"&cookie="true"
http://admedia.name/server/loader.js (216.172.56.41)
http://ad-media.name/server/delivery/adm?[..]
http://admedia.name/server/delivery/render/24803773/26516048/get?[..]
http://exceedest.kenneltrucking.com/ads.html?9e6f83f5df1c30ff2b9cc17d7e3dfc2a http://error.policeguardstate.org/?id=

I had already come across it on December 13. ad-media.name / ad-media.biz is new:

Created by Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Last Updated by Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Domain Registration Date: Fri Nov 15 11:23:33 GMT 2013
Domain Expiration Date: Fri Nov 14 23:59:59 GMT 2014
Domain Last Updated Date: Fri Nov 15 13:36:18 GMT 2013

They are using the same framework as creoads 😉
There: http://urlquery.net/report.php?id=6762513 admedia.name was 178.214.121.23 – this IP range was also shared by the shitty mctcash / creoads.

It can be a legitimate or a fake ad company created by the bad guys. I will contact them, but I don't expect any reply; we will see 🙂

EDIT January 5

Wow, got a reply:

But:

mail.ad-media.biz has address 216.172.56.41

NetRange: 216.172.48.0 – 216.172.63.255
CIDR: 216.172.48.0/20
OriginAS: AS50245
NetName: SERVEREL
NetHandle: NET-216-172-48-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
RegDate: 2011-07-06
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-216-172-48-0-1

OrgName: Serverel
OrgId: ST-1
Address: 970 Corte Madera ave
City: Sunnyvale
StateProv: CA
PostalCode: 94085
Country: US
RegDate: 2011-03-10
Updated: 2011-05-19
Comment: http://serverel.com
Comment: Standard NOC hours are 7am to 11pm EST
Ref: http://whois.arin.net/rest/org/ST-1

ReferralServer: rwhois://rwhois.serverel.net:4321

According to this post, the malvertising at Yahoo was also running on this KUSHN-ARIN org: https://isc.sans.edu/forums/diary/Malicious+Ads+from+Yahoo/17345

EDIT January 14

Again, Clickpapa leads to Ad-media, which redirects to malware content:
http://www.clickpapa.com/d.php?&id=17&client=pub-27&keywords=""&count=1&screen_size="1024x768"&browser="Netscape-4"&OS="Windows 7"&lang="undefined"&cookie="true"

http://ad-media.name/server/loader.js
http://ad-media.name/server/delivery/adm?zn[0]=1&size[0]=300×250&sl[0]=above&count=1&time=1389689308146&callback=_adm&uid=24803765&domain=clickpapa.com&st=link%20list&cat=adult&host=clickpapa.com&keywords=&location=http%3A%2F%2Fwww.realgfporn.com%2Fassets%2Fad-spots%2Fbottom_center_300x200.php&referrer=http%3A%2F%2Fwww.realgfporn.com%2Fassets%2Fad-spots%2Fbottom_center_300x200.php&_adm_pop=0
http://ad-media.name/server/delivery/render/24803773/50354396/get?zoneid=24803773&domain=clickpapa.com&cat=adult&st=link%20list&host=clickpapa.com&uid=24803765&crid=50354396&location=http%3A%2F%2Fwww.realgfporn.com%2Fassets%2Fad-spots%2Fbottom_center_300x200.php&referrer=http%3A%2F%2Fwww.realgfporn.com%2Fassets%2Fad-spots%2Fbottom_center_300x200.php

http://dottier.cdngate.biz/ads.html?[..]

http://info.blockads-stop.com/?id=[..]
dottier.cdngate.biz has address 5.45.77.102

person: Neil Young
address: 3NT SOLUTIONS LLP
address: DALTON HOUSE 60, WINDSOR AVENUE
address: LONDON, UK
phone: +442081333030
abuse-mailbox: abuse@3nt.com
nic-hdl: TNTS-RIPE
mnt-by: MNT-3NT
source: RIPE # Filtered

EDIT – January 15

Ad-media is still spreading Browlock – the domain changed to: ad-medialab.com

http://ads.adgoto.com/adframe.php?n=a4887644&what=zone:199
http://ads.adgoto.com/adframe.php?n=a4887644&what=zone:199
http://ad-medialab.com/server/loader.js

http://ad-medialab.com/server/delivery/adm?zn[0]=1&size[0]=300×250&[…]
http://ad-medialab.com/server/ov.js
http://ad-medialab.com/server/delivery/render/58270790/50354396/get?zoneid=58270790&[…]

http://job.contentgate.org/ads.html?[…]
http://job.contentgate.org/ads.html?[…]

http://police-alert.craftmark.co.uk/?id=[…]

Browlock is also using a new IP range: police-alert.craftmark.co.uk has address 91.220.131.219

inetnum: 91.220.131.0 – 91.220.131.255
netname: hostpro247-net
descr: teterin Igor Ahmatovich
country: RU
remarks: ############################################
remarks: SPAM noc@rivethost.com
remarks: Network security issues: noc@rivethost.com
remarks: Customer support: noc@rivethost.com
remarks: ############################################
org: ORG-tIA16-RIPE
admin-c: tih12-RIPE
tech-c: tih12-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-HOSTPRO247
mnt-routes: MNT-PIN
mnt-domains: MNT-HOSTPRO247
source: RIPE # Filtered

EDIT January 16

Got a malicious banner – an SWF redirector leading to Browlock:

http://pornowow777.com/s333.html (37.220.4.11)
http://pornowow777.com/300_rasp.swf
http://cooltd8787.com/jQuery.js?id=AJAX&cache=91654.17894131486 (37.220.4.14)
http://www.neiman-fox-police.com/?id=a8151f97ebff2534b6aa874233de0bee
http://cooltd8787.com/jQuery.js?id=AJAX&cache=64799.40866693972

Domain Name: PORNOWOW777.COM
Registrar: EVOPLUS LTD
Whois Server: whois.evonames.com
Referral URL: http://www.evonames.com
Name Server: NS1.TOPDNS.ME
Name Server: NS2.TOPDNS.ME
Name Server: NS3.TOPDNS.ME
Status: ok
Updated Date: 11-jan-2014
Creation Date: 11-jan-2014
Expiration Date: 11-jan-2015

The init function contains the code to redirect to http://cooltd8787.com/jQuery.js?id=AJAX&cache=64799.40866693972

SWF sample: http://malwaredb.malekal.com/index.php?hash=b432dde012bf6326133ef409821c3e77

The code at cooltd8787.com, once decoded, gives the URL to Browlock.

EDIT – February 27

From this thread (in French): http://www.commentcamarche.net/forum/affich-29647246-cybercriminalite-paysafecard#9

http://filmvf.net (rank 13 in France), a warez streaming website, has a malvertising that redirects to Browlock.

The malvertising is in the hqq.tv streaming player (so it can be present on other warez streaming websites).

http://hqq.tv/player/embed_player.php
http://sms-mmm.com/script.php?ppage=http%3A%2F%2Fhqq.tv%2Fplayer%2Fembed_player.php&ppref=http%3A%2F%2Ffilmvf.net%2Fcathy-gauthier-100-vache-folle-streaming.html
http://user.sms-mmm.com/733z9xo85ej7hkag4lm79d7pxwsziup931a3f6vpnvd?ppage=http%3A%2F%2Fnetu.tv%2Fplayer%2Fembed_player.php&ppref=http%3A%2F%2Ffilmvf.net%2Fgign-40-ans-dassauts-streaming.html

http://news-132115-latest.ronetu.ru/660j4tatq8o5384txocmc37jo9wy9c5ef8etl4acchl17k2pjbrdk487etctsxjfh75mnmr376mfv8pzhi0a543m8xu1pecxmhe60bvdx2wf7n6vg3tx0lhxv99asntgfdht635pp765noc8se11f3r3ev80cunc1pd018xiceaysytd58rpx1iqplr5kiumw8f9kf7vegxogqc6r6sui6ubxp3p7caxed3yo276mfririx0qpj69
http://www.pornotraxxx.net/ (193.161.87.206)

http://block.townposters.com/?id=4a63e7686f86c8235d02f2e331e8e13d
http://block.townposters.com/FR/bootstrap.css
http://block.townposters.com/jquery-1.js
http://block.townposters.com/FR/style.css
http://block.townposters.com/FR/main.js

ronetu.ru => same as in the December 23 EDIT and the malvert at delamusique.com

sms-mmm.com has address 178.132.200.220
sms-mmm.com mail is handled by 10 mx.yandex.ru.

hqq.tv has address 178.132.200.219

inetnum: 178.132.200.0 – 178.132.203.255
netname: SELECTEL-NET
descr: Selectel Network
country: RU
admin-c: AKME
remarks: INFRA-AW
tech-c: AKME
status: ASSIGNED PA
mnt-by: MNT-SELECTEL
source: RIPE # Filtered

person: Akhmetov Vyacheslav
address: 191015, Russia, Saint-Petersburg, ul. Tverskaya, d 8 liter B
mnt-by: MNT-SELECTEL
phone: +78127188036
nic-hdl: AKME
source: RIPE # Filtered

% Information related to '178.132.200.0/22AS49505'

route: 178.132.200.0/22
descr: Selectel IPv4
origin: AS49505
mnt-by: MNT-SELECTEL
source: RIPE # Filtered

EDIT March 19 – Browlock Malvertising at xvideos

Today we noticed a rise in Browlock: +241% visitors on my web page about it.

Probably the source: a malvertising at xvideos.com (rank 42 on Alexa) – the malvertising has already been removed 😉

EDIT – March 21 – Malvertising at Exoclick Network

http://syndication.exoclick.com/splash.php?cat=2&idsite=100864&idzone=205726&login=zznetworkzz&type=8&p=http://www.pervclips.com
http://track-my-ads.com/imobitrax/click.php?c=1&key=3gcfgnyw4vc50z4rrp77qu77&c1=pervclips.com (154.46.35.40)
http://cloud-stream2.com/ (5.152.222.178)
http://cyberspolice.com/diapiric.html (108.61.145.217)

EDIT 1 April

Got another malvertising at xvideos. The malvertising is at: http://creatives.livesjasmins.com/?cid=ae291m2400fm&ref=xv2, which redirects to

http://bepolicex.org/dysplasia.html

Domain Name: LIVESJASMINS.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: JAKE.NS.CLOUDFLARE.COM
Name Server: LUCY.NS.CLOUDFLARE.COM
Status: clientTransferProhibited
Updated Date: 31-mar-2014
Creation Date: 31-mar-2014
Expiration Date: 31-mar-2015

The legitimate domain being imitated is livejasmin.com.

EDIT April 2

On the DoublePimp network (Youtube, Tube8, etc.):

http://webcamtube.net/stats.php
http://alert.security4-140000014.com.co/D23B40D80A53C6C9CD4BFB89E140DD13

EDIT – May 18

Got this one :

http://traffic-delivery.org/?s=[…] (5.254.98.130)
http://aqua-traffic.com/go06.php (5.254.98.131)
http://sdawd.buenosdiassandiego.com/icspa/[..]

The whois is interesting: same guys as the Romanian affiliate system for Urausy; this whois was also mentioned there: http://www.malekal.com/2013/04/15/urausy-et-faux-codec-site-de-streaming-pornographiques/

Domain Name:TRAFFIC-DELIVERY.ORG
Domain ID: D168988511-LROR
Creation Date: 2013-06-18T11:49:03Z
Updated Date: 2013-08-18T03:45:43Z
Registry Expiry Date: 2014-06-18T11:49:03Z

Domain Status: clientTransferProhibited
Registrant ID:orgkm71556138206
Registrant Name:Henry Nguyen Gong
Registrant Organization:Privacy-Protect.cn
Registrant Street: 26 Rue Jean Reboul
Registrant City:Nimes
Registrant State/Province:Languedoc-Roussillon
Registrant Postal Code:30900
Registrant Country:FR
Registrant Phone:+33.466583875
Registrant Phone Ext:
Registrant Fax: +33.466583875
Registrant Fax Ext:
Registrant Email:contact@privacy-protect.cn

EDIT – June 17 2014

A long time without any update, but that does not mean the Browlock malvertising campaign has stopped.
I just didn't blog it; there were a lot on the Trafficbroker network.

Today, a complaint from a user on a French board: http://www.commentcamarche.net/forum/affich-30377270-virus-anssi-browlock#p30377460

After a look, it seems that adxcore.com / Adthink Media has a Browlock malvertising:

http://d.adxcore.com/a/render/?zoneid=42567&special=11111&nav=ch&version=35&os=win&domain=www.jetetroll.com&r=0.13966281549073756&alea=1403040617&serving_start=1403032519323&has_flash=1&visible=0
http://verises.com/placement/172/get_tag.js?pin=420317a2519
http://security-scan-xxyxmtom.in/js?t=53616c7465645f5fd2b98a4c3ef8d9d0787897fd4ee04d701a59efa84758a611cb06081e6f6e04625f1e3817e7148b0c686f430af1a7f906

EDIT – August 7

New Browlock with malvertising at Youporn network.
https://twitter.com/malekal_morte/status/496920648959414273

Kafeine made a good write-up about it – http://malware.dontneedcoffee.com/2014/08/scarepackageknstant.html

A second malvertising at Youporn led to another Browlock (for me). Full image: http://www.malekal.com/fichiers/forum/Browlock_new_Juillet_2014.png

Both were behind CloudFlare, but I got it again on other networks:

http://h4yyky3qy7e4.com/nuy.php (31.184.192.236)
http://board-of-administrators.almeidadeca.pt/ (195.162.68.226)

Both hosted in Russia:

address: Nikolay Metluk
address: Sedova str, 80
address: 192171
address: Saint-Petersburg
address: RUSSIAN FEDERATION
phone: +78126772525
phone: +78126772555
fax-no: +78123093916
abuse-mailbox: abuse@pinspb.ru

I would like to point out that there was also some fake Java/Flash malvertising on this same IP block.
https://www.virustotal.com/fr/ip-address/195.162.68.10/information/
https://www.virustotal.com/fr/ip-address/195.162.68.11/information/
https://www.virustotal.com/fr/ip-address/195.162.68.12/information/

EDIT – September 10 : back after a break

After a rise in June / July mentioned by Kafeine: http://malware.dontneedcoffee.com/2014/08/scarepackageknstant.html
there was a big fall in August.
But the traffers came back this last weekend after this break.

After my first tweet, my website got a small UDP DoS. Difficult to be sure of the source, but chances are it was for that.

EDIT – December 27 2014 : Browlock on mobile

I have not updated this entry for a long time, because there was nothing really interesting.
But today, I got a Browlock ransomware on Android:

The malvertising is on the adxpansion network, so the campaign is probably big.
pixtus.com (malware – according to VirusTotal, some PayPal phishing is hosted there too), then anal.chezfaby.fr (malicious), and the Browlock landing (213.252.247.89)

EDIT – 2 January 2015 : xhamster and pornerbros.com hit by Browlock Malvertising

Again, a Browlock malvertising on pornerbros and also on xhamster.com.

xhamster Browlock malvertising IP: 193.105.134.197 – redirector: 46.166.163.144
pornerbros Browlock malvertising IP is the same as the previous one: 192.145.233.94 – redirector (same IP as the previous malvertising at pornerbros): 162.251.111.231

EDIT – 7 February : Browlock on mobile and Android Locker

Got another Browlock malvertising from the popcash network, which is often hit by malvertising.

This one is spread by PornoDroid Tube advertising:

An APK (last modified 28 January) is offered – it's an Android locker.

http://malwaredb.malekal.com/index.php?hash=1e64508acf3a5ab59fa790ef5a6555d7
https://www.virustotal.com/fr/file/becac757bcb69df6240b7a05232f70739a560559a8f2371077bdb87b03697523/analysis/1423308179/

SHA256:becac757bcb69df6240b7a05232f70739a560559a8f2371077bdb87b03697523
Nom du fichier :PornMP4Player.apk
Ratio de détection :4 / 56
Date d’analyse :2015-02-07 11:22:59 UTC (il y a 0 minute)
Antivirus               Résultat                              Mise à jour
Alibaba                 A.H.Pri.Gaudy                         20150206
DrWeb                   Android.Locker.84.origin              20150207
Ikarus                  Trojan-Ransom.AndroidOS.PornLocker    20150207
TrendMicro-HouseCall    Suspicious_GEN.F47V0203               20150207

So we got:

http://popcash.net/world/go/8047/12466/aHR0cCUzQS8vd3d3LmR1bXAueHh4L2Jlc3QtcGx1Z3M=
http://popcash.net/world/sgo/8047/12466/3404a3861ada022a/aHR0cDovL3d3dy5kdW1wLnh4eC9iZXN0LXBsdWdz

Rotator: http://tracking.mobiletubescentral.com/?affid=98320 – https://www.virustotal.com/fr/ip-address/107.181.161.152/information/

APK (37.1.211.206 – https://www.virustotal.com/fr/ip-address/37.1.211.206/information/):
http://incompatible51.ohhthatstube.com/?s=mpWk
http://incompatible51.ohhthatstube.com/template/css/all.css
http://incompatible51.ohhthatstube.com/template/fonts/Bodoni%20MT.ttf
http://incompatible51.ohhthatstube.com/get_download.php?s=mpWk

Browlock landing (95.211.206.13 – https://www.virustotal.com/fr/ip-address/95.211.206.13/information/):
http://checkadultcontent.com/3/1/
http://checkadultcontent.com/template/bootstrap.min.css
http://checkadultcontent.com/template/style_prompt_m.css
http://checkadultcontent.com/template/jquery.min.js
http://checkadultcontent.com/template/public.min.js
http://checkadultcontent.com/template/us.js
http://checkadultcontent.com/stat.php

EDIT – February 9 : Browlock back on pornerbros.

Still via the adshostnet.com network:

http://n72.adshostnet.com/ads-sync.js?[..]
http://glxgroup.com/sp/delivery/js.php[..] – https://www.virustotal.com/fr/ip-address/46.229.166.147/information/
http://forester.gecko-planters.co.uk/ads[..] – https://www.virustotal.com/fr/ip-address/5.61.36.219/information/
http://gfds.funnomatica.com/case-system/[..] – https://www.virustotal.com/fr/ip-address/65.111.162.226/information/

pornerbros_malvertising_browlock

EDIT 11 February : popcash network and pornerbros still redirecting to Browlock

The popcash network is still redirecting to PornoDroidTube / Browlock: https://twitter.com/malekal_morte/status/565422025863598082
Still from: http://tracking.mobiletubescentral.com/

Pornerbros has also been redirecting to Browlock ransomware over and over for two days: https://twitter.com/malekal_morte/status/564830498418348033
The source is again the adshostnet network (same as in the January edit).

Pornerbros has a long history of malvertising:
http://www.malekal.com/2012/07/10/malvertising-sur-h2porn-com-zeroaccesssirefef/
http://malvertising.stopmalwares.com/2014/03/urausy-malvertising/

pornerbros_browlock

EDIT – February 13 : Browlock still on Pornerbros

Still there. Detail: the Adxpansion network has been contacted since the first mention; they replied, and nothing happened.

Browlock_Pornerbros

EDIT – February 15 2015 : Still at pornerbros

Still online : https://twitter.com/malekal_morte/status/566558090737491968

The ad URL has been changed to evade antivirus detection; now it is ad-beast.com (5.61.39.14):

http://ad-beast.com/ads.js
http://dating.moronvoley.com.ar/adShowMe.jsp?zoneid=27&bannerid=2&chid=[…]

Browlock Landing :
http://njtgsd.attackthethrone.com/public-justice/64XPKZldWDM_/R4efelSvf_/I1OdCoSKw2r1epqivQsiUvi9Pb1pHroRToqggbsG5oYAuB_/fSiunpQPK/_/lE3aXgQ~~/MTQ2N2I5OThlNWVjOWFmMWQ2OTE0ZjBh/governing-institution.mhtml

pornerbros_browlock

EDIT – Redtubes redirecting to Browlock (hack?)

It seems to be a hack; I think the xhamster Browlock redirection in January was also a hack.

http://tfx.pw/a.js – https://www.virustotal.com/fr/ip-address/5.61.38.218/information/
http://domains.mangowork.com/adShowMe.jsp – https://www.virustotal.com/fr/ip-address/5.61.36.219/information/

Browlock Landing :
http://ydshttas.climat.ws – https://www.virustotal.com/fr/ip-address/46.105.211.68/information/

redtubes_browlock

EDIT – February 20: PornoDroidTube / Browlock on PlugRush & Hornyspot network

Again on the PlugRush & Hornyspot networks:

https://twitter.com/malekal_morte/status/568387044122238976
https://twitter.com/malekal_morte/status/568520787298160640

Hornyspot has removed the malvertising; it is still on the PlugRush network 19 hours after I sent them an email.

http://eairlines.org/ – https://www.virustotal.com/fr/ip-address/78.47.48.4/information/

PlugRush_PornDroid_Browlock

PlugRush_PornDroid_Browlock2

PlugRush_PornDroid_Browlock3

The URL used in the Hornyspot network is interesting: http://sex-playcam.com/
> a well-known IP: https://www.virustotal.com/fr/ip-address/5.9.86.131/information/

On this IP, we can find:

2014-08-21 arinablue .com
2014-08-21 mydollgame .com

used in the traffichaus malvertising; see the 21 July edit at: http://malvertising.stopmalwares.com/2014/03/reveton-malvertising/3/

hornyspot_sex-playcam


3 thoughts on “[en] Browlock Ransomware Malvertising Campaign”

  1. This site is not one that is intended for English, so there may be bad translation.

    I just got this pop-up going to view a video of Amon Amarth.

    You seriously took a load off my shoulders because I was worried shitless.
