TeMerc

Transponder Gang Chronicles By Webhelper


Alibaba & 40 Loopback CWS AboutBlank Hijacker Gang

Updated: 12 February, 2006 09:02:21 AM -0800

 

The Alibaba & 40 Loopback gang dates back to 2003 and has been affiliated with Coolwebsearch.com and Umax searchmeup.com/searchadv.com. Their calling cards are the Se.dll

 

A HijackThis log that shows their files for home page hijackings using about:blank looks like this:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
They also infest with a randomly named BHO (kjoa.dll) and make entries in Filter: text/html and Filter: text/plain.

 

O2 - BHO: (no name) - {0B4C6427-90F8-4FC8-92A6-05F2C6275D9C} - C:\WINDOWS\system32\kjoa.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [windesktop] C:\WINDOWS\system32\windesktop.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\system32\sysmon.exe
O4 - HKLM\..\RunServices: [windesktop] C:\WINDOWS\system32\windesktop.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\symsvcsa.exe
O18 - Filter: text/html - {7FAA2075-F5BE-4769-8A97-33CA499E6978} - C:\WINDOWS\system32\kjoa.dll
O18 - Filter: text/plain - {7FAA2075-F5BE-4769-8A97-33CA499E6978} - C:\WINDOWS\system32\kjoa.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_13.dll
This group is also heavily linked to the Umax/searchadv.com Pay Per Click affiliate group, which has just begun using a new trojan variant to run a click fraud scam that bilks the searchfeed groups and online advertisers that pay for each click made to their sites.
Full Read @ Webhelper

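The HijackThis lines in the post above are the indicators a helper reads by hand. The following is an added example, not code from the post or from HijackThis, that does the same triage offline over a saved log: it parses the R0/R1, O2, O4 and O18 items, flags about:blank search hijacks, a Search Bar served via res:// from a DLL in a Temp directory, a rundll32 autostart of a Temp DLL, and text/html or text/plain MIME filters, then correlates items that reference the same DLL. The sample log is constructed from the lines quoted in the post plus one benign Start Page line; the rule names and the Temp-directory heuristic are this example's assumptions, not part of the original.

```python
import re
from collections import defaultdict

# Constructed sample: the HijackThis lines quoted in the post above, plus one
# benign R0 Start Page line that the rules must NOT flag.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/space.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: (no name) - {0B4C6427-90F8-4FC8-92A6-05F2C6275D9C} - C:\WINDOWS\system32\kjoa.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [windesktop] C:\WINDOWS\system32\windesktop.exe
O18 - Filter: text/html - {7FAA2075-F5BE-4769-8A97-33CA499E6978} - C:\WINDOWS\system32\kjoa.dll
O18 - Filter: text/plain - {7FAA2075-F5BE-4769-8A97-33CA499E6978} - C:\WINDOWS\system32\kjoa.dll
"""

# One regex per HijackThis item type this triage understands.
HJT_RE = {
    "R": re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$"),
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>.*?)\] (?P<cmd>.*)$"),
    "O18": re.compile(r"^O18 - Filter: (?P<mime>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
}
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\w+)', re.I)
# Registry values that IE never legitimately sets to about:blank; Start Page
# is deliberately excluded because users do choose about:blank there.
SEARCH_KEYS = ("search bar", "search page", "searchassistant", "homeoldsp")


def parse_hjt(text):
    """Turn HijackThis lines into dicts; item types without a rule are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        tag = line.split(" ", 1)[0]
        rx = HJT_RE.get("R" if tag in ("R0", "R1") else tag)
        m = rx.match(line) if rx else None
        if m:
            entries.append({"item": tag, "raw": line, **m.groupdict()})
    return entries


def in_temp_dir(path):
    # Assumption (heuristic): a DLL living under any ...\Temp\ directory is suspect.
    return "\\temp\\" in path.lower()


def triage(entries):
    """Return (item, reason, evidence) tuples, including cross-item DLL correlation."""
    findings = []
    by_dll = defaultdict(set)  # lower-cased DLL path -> HJT items that reference it
    for e in entries:
        item = e["item"]
        if item in ("R0", "R1"):
            key = e["key"].rsplit(",", 1)[-1].lower()
            val = e["value"].strip().lower()
            if key in SEARCH_KEYS and val == "about:blank":
                findings.append((item, "about:blank search hijack", e["raw"]))
            elif val.startswith("res://") and ".dll" in val:
                dll = val[len("res://"):].split("/")[0]
                reason = "res:// search page served from a DLL"
                if in_temp_dir(dll):
                    reason += " in a Temp directory"
                findings.append((item, reason, e["raw"]))
                by_dll[dll].add(item)
        elif item == "O4":
            m = RUNDLL_RE.search(e["cmd"])
            if m and in_temp_dir(m.group("dll")):
                findings.append((item, "rundll32 autostart of a DLL from a Temp directory", e["raw"]))
                by_dll[m.group("dll").lower()].add(item)
        elif item == "O2":
            by_dll[e["path"].lower()].add(item)
        elif item == "O18":
            if e["mime"].lower() in ("text/html", "text/plain"):
                findings.append((item, f"{e['mime']} MIME filter installed", e["raw"]))
            by_dll[e["path"].lower()].add(item)
    # The same DLL showing up in two item types (BHO + filter, or res:// + Run) is the real tell.
    for dll, items in by_dll.items():
        if len(items) > 1:
            findings.append(("*", f"{dll} referenced by {', '.join(sorted(items))}", dll))
    return findings


def triage_log(text):
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for item, reason, evidence in triage_log(SAMPLE_LOG):
        print(f"[{item}] {reason}: {evidence}")
```

An O18 text/html filter is a pointer to the DLL to examine, not proof by itself; the correlation line that ties the filter's DLL to an O2 BHO (or the res:// DLL to an O4 rundll32 entry) is what makes the log match this gang's pattern rather than a lone odd entry.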

March 20 2006

Lots of Updates and More to come

 

Sites Listing Updates

 

http://webhelper4u.com/CWS2/cwslists/cwsalpha.txt

NOTE: As I have over 3500 sites listed, sometimes a duplicate entry may be found, which I am correcting, but it will be slow.

All sites listed here are either linked to sites that run exploits, are found in the code of CWS files that have been infested on computers, or their whois, with their mostly faked owners and/or emails, is registered to other domains that run the CWS exploits.

 

http://webhelper4u.com/CWS2/cwslists/cwsbyip.txt

NOTE: As I have over 1400 sites listed, sometimes a duplicate entry may be found.

All sites listed here are either linked to sites that run exploits, are found in the code of CWS files that have been infested on computers, or their whois, with their mostly faked owners and/or emails, is registered to other domains that run the CWS exploits.

http://webhelper4u.com/CWS2/cwslists/cwsmasterlist.xls

 

http://webhelper4u.com/CWS2/cwslists/groupssites.xls

 

(Group spreadsheet contains the worst of the worst)

Anything in red indicates a zero day exploit

 

 

Whois History Time Line of the Klik Gang and Rogue Anti-Spyware Apps

http://webhelper4u.com/CWSDiaries/Rogues_and_Klik_gang1.pdf

 

Rogues covered are:

Adwarebazooka.com

adwaredelete.com

Adwarepunisher.com

antivirus-gold.com

Hitvirus.com

razespyware.net

Remedyantispy.com

spydemolisher.com

Spyiblock.com

spysheriff.com

spytrooper.com

spywareno.com

thespyguard.com

 

All call:

traffweb.biz/dl/error.php

 

First zero day exploit:

traffweb.biz/dl/adv799/fillmemadv799.htm

traffweb.biz/dl/adv799/bag.htm

 

Second zero day exploit

traffweb.biz/dl/xpladv799.wmf

 

CHM exploit

traffweb.biz/dl/adv799/x.chm

 

ByteVerify Java Exploit

traffweb.biz/dl/adv799/loaderadv799.jar

 

Main Trojan Installer

traffweb.biz/dl/adv799/win32.exe

 

All these sites belong with the above traffweb and all call the traffweb.biz

 

 

85.249.19.122

wwise.biz

jason coffman

Philadelphia PA US

admin @ iframecash.biz

 

85.249.19.122

8-extreme.biz

Gaylen Goldston

Belle Plaine KS US

admin @ toolbarweb.biz

 

85.249.19.122

Gaylen Goldston

Belle Plaine KS US

abuse @ 8-extreme.biz

 

5-extreme.biz

4-extreme.biz

7-extreme.biz

6-extreme.biz

3-extreme.biz

2-extreme.biz

1-extreme.biz

 

85.249.19.121

extrememoney.biz

Henry Nery

Henderson NV US

darkgt @ mail.ru

 

 

traffbest.biz

traffbucks.biz

traffcool.biz

traffdollars.biz

traffmoney.biz

traffnew.biz

traffsale1.biz

traffweb.biz

 

/progs/

ms1.txt

kl.txt

secure32.html

hosts.txt

toolbar.txt

de.txt

au.txt

us.txt

it.txt

paytime.txt

tool1.txt

tool2.txt

tool3.txt

tool4.txt

tool5.txt

 

 

Replacement for game4all.biz

217.107.217.184

traff4all.biz

D B kog

omsk RU

test @ test.ua

Webhelper

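The whois records above are grouped the way the site lists describe: domains are tied together because they sit on the same IP, share a registrant, or have a contact e-mail registered at another domain in the same crew. The following is an added example, not code from the post, that makes that pivot mechanical: it clusters a set of whois records with a union-find over shared IP, registrant and e-mail, and treats the e-mail's own domain (admin@iframecash.biz, admin@toolbarweb.biz, abuse@8-extreme.biz) as a further lead in the same cluster. The record list is constructed from the fields quoted above; the free-mail skip list is this example's assumption.

```python
from collections import defaultdict

# Constructed sample: the whois fields quoted in the post above (IP, domain,
# registrant, contact e-mail), one record per domain. The seven N-extreme.biz
# domains are listed in the post under the abuse@8-extreme.biz record.
RECORDS = [
    {"domain": "wwise.biz", "ip": "85.249.19.122", "registrant": "jason coffman", "email": "admin@iframecash.biz"},
    {"domain": "8-extreme.biz", "ip": "85.249.19.122", "registrant": "Gaylen Goldston", "email": "admin@toolbarweb.biz"},
    *({"domain": f"{n}-extreme.biz", "ip": "85.249.19.122", "registrant": "Gaylen Goldston",
       "email": "abuse@8-extreme.biz"} for n in range(1, 8)),
    {"domain": "extrememoney.biz", "ip": "85.249.19.121", "registrant": "Henry Nery", "email": "darkgt@mail.ru"},
    {"domain": "traff4all.biz", "ip": "217.107.217.184", "registrant": "D B kog", "email": "test@test.ua"},
]

# Assumption: free-mail providers are not the gang's infrastructure, so their
# domain is never used as a pivot (a shared mail.ru address still links records).
FREEMAIL = {"mail.ru", "gmail.com", "hotmail.com", "yahoo.com"}


class DisjointSet:
    """Minimal union-find; nodes are created on first use."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster(records):
    """Group domains that share an IP, registrant or contact e-mail, and pull the
    e-mail's own domain into the cluster as a lead. Returns (clusters, edges),
    clusters largest first, edges as (domain, domain, reason)."""
    ds = DisjointSet()
    edges = []
    by_key = defaultdict(list)  # (field, value) -> domains carrying that value
    for r in records:
        d = r["domain"].lower()
        ds.find(d)
        for field in ("ip", "registrant", "email"):
            by_key[(field, r[field].lower())].append(d)
        mail_domain = r["email"].lower().split("@", 1)[1]
        if mail_domain != d and mail_domain not in FREEMAIL:
            ds.union(d, mail_domain)
            edges.append((d, mail_domain, "contact e-mail registered at"))
    for (field, value), domains in by_key.items():
        for other in domains[1:]:
            ds.union(domains[0], other)
            edges.append((domains[0], other, f"shared {field} {value}"))
    groups = defaultdict(set)
    for node in list(ds.parent):
        groups[ds.find(node)].add(node)
    clusters = sorted((sorted(g) for g in groups.values()), key=len, reverse=True)
    return clusters, edges


if __name__ == "__main__":
    clusters, edges = cluster(RECORDS)
    for i, c in enumerate(clusters, 1):
        print(f"cluster {i}: {', '.join(c)}")
    for a, b, why in edges:
        print(f"  {a} -> {b} ({why})")
```

Note what the pivot does and does not prove: extrememoney.biz lands alone because nothing in its record matches exactly (adjacent IP, different name, free-mail contact), and test.ua is pulled in as a lead only because it is not on the free-mail list. Exact-field pivots are the defensible core; looser links such as same /24 or name similarity belong in a separate, lower-confidence pass.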
Which CWS detector and cleaner should we download and use?


Juliet, with the CWS Shredder, you should check for updates and scan only. If you find something, it is important to submit a HJT Log (with the findings noted) to make sure all the other areas are cleaned.

 

It can be found here (pick Tools & Information on the left side menu and then scroll down)

 

http://www.webhelper4u.com/techsupport/index.html

 

There is a link on the left side to Browser Security Test. I'm trying it out now.

 

I posted a feedback topic about it in U2U.

 

http://pcpitstop.invisionzone.com/index.php?showtopic=113405

Edited by faith_michele


Which CWS detector and cleaner should we download and use?

 

I don't recommend even using CWShredder in its current state. Since Merijn sold it, it's been passed on again, first to Intermute, and now they have been bought out by Trend Micro.

 

The tool has never really been proven effective on more than one or two variants, if even that many (since it was sold by Merijn). More times than not it produces false positives.

 

JMHO.


Webhelper CWS Sites Lists Updates 6 April 2006

 

Text format:

http://webhelper4u.com/CWS2/cwslists/cwsbyip.txt

 

http://webhelper4u.com/CWS2/cwslists/cwsalpha.txt

 

Excel Spreadsheet format: contains complete histories

 

http://webhelper4u.com/CWS2/cwslists/cwsmasterlist.xls Size 972KB

 

In the spreadsheet, I have all new ones under the Sites Added April 2006 tab

 

 

This also includes the highconvert.com/instllme John Miller aka sp2f(word).biz new sites, vip01.biz to vip15.biz. I will go into more detail later, but we must block the IP, as the files all come from it and are called from traffweb.biz; it installs a desktop hijack for alfacleaner and drops what we call the BigBlue identity theft keyloggers, named for the IBM000#.dll files, which transmit the user's email logins, passwords and protected storage data to the instme.biz IP via FTP. They are right now in the middle of changing their methods and I have been watching them in real time. That is how far ahead of them I am now compared to last year. Like the transponder gang of old, if they sneeze I am going to know it.

 

The JFP Group tab is the John Miller, Nick Fedorov, Vasiliy Pupkin. The cactus tab is the traff4all,game4all aka vxiframe crew.

 

As a treat, in August of 2005 we uncovered a document in Russian at instme.biz, and just last Friday at highconvert.com we snagged an updated copy of how they operate, in Russian (Sunbelt-software has many who speak a lot of languages).

 

August 2005

http://www.webhelper4u.com/CWS2/jcactusdimpy/crims.pdf

April 2006

http://www.webhelper4u.com/CWS2/jcactusdim..._Adware_v01.pdf

 

Anyway, it refers to yapsearch.com, which also includes yapbrowser.com, which they bill as safe:

 

"..There is a 100% guarantee no system infection will occur when using our software. YapBrowser is the only browser which gives you safe search and browsing capabilities..."

 

The install popup will get you:

 

YapBrowser is FREE,

thanks to Zango. Why? Because it’s paid for by advertising.

 

Now the document in Russian on highconvert, which runs the worst exploits, has all the traffweb and james wurster sites, and also deals in kiddie porn at their Russian sites along with identity theft keyloggers and WMF exploits, has Zango on board with them.

 

As I used to say, I am the Keeper of the Internet Histories and the Webhelper sees all!

 

Reprinted with permission by Webhelper

Share this post


Link to post
Share on other sites

Webhelper: Transponder Gang 2006 Final Chapter

 

And so it now begins once again after reading the 5 exhibits of emails referencing me since 2004 by the Transponder Gang...

 

Main Menu

http://webhelper4u.com/transpondergang2006/index.html

Write ups and Spreadsheets of Transponder and their distributors sites.

 

Exhibit e76 24 March 2004. Email from the owners of Cosmicvillage about my finding on 18 March 2004 where an activeX secretly installed the twaintec variant for getting a Free Astrology reading at CosmicVillage.com

 

http://webhelper4u.com/transpondergang2006...dexhibit76.html

Edited by TeMerc


Webhelper Sites List Update 18 April 2006

 

CWS Lists

 

By IP

http://webhelper4u.com/CWS/index.html

 

Alpha Sorted

http://webhelper4u.com/CWS2/cwslists/cwsalpha.txt

 

IP Sorted

http://webhelper4u.com/CWS2/cwslists/cwsbyip.txt

 

Excel Spreadsheet

http://webhelper4u.com/CWS2/cwslists/cwsmasterlist.xls

 

Direct Revenue Transponder Gang

 

Transponder gang and Minsetinteractive/vistainteractivemedia

http://webhelper4u.com/transpondergang2006...istributors.xls

 

Direct Revenue Distributors

http://webhelper4u.com/transpondergang2006...istributors.xls

 

Excel Spreadsheets

 

Requirements will be that you either have MS Office Excel or you can download from Microsoft their free Excel Viewer 2003. To get the viewer go to: Microsoft.com and download and install it http://www.microsoft.com/downloads/details...&DisplayLang=en. Installer is 9.97MB


Webhelper CWS Sites Update 12 May 2006

 

Sorted by Domain

http://webhelper4u.com/CWS2/cwslists/cwsalpha.txt

 

Sorted by IP

http://webhelper4u.com/CWS2/cwslists/cwsbyip.txt

 

Complete list in Excel format

http://webhelper4u.com/CWS2/cwslists/cwsmasterlist.xls

 

I have added a group Adw.(Name) This is for the types like dollarrevenue that are mixed up with CWS and the traff gangs trojans.
