[Full-disclosure] Domain Angels



Hi,

I just hit a great service we all don't want to use.

It's called "Domain Engel" and is run by some German domain panderer who has
been in the dialer business before, but as German law changed, and dialers
don't offer that much profit, he became a domain angel.

How it works:
They offer an "internet explorer" plugin called k2.exe on their homepages
and say you have access to various pay-only websites by running it.
The "plugin" downloads a crypted list of domains from a webserver and
asks the appropriate registrar if the domain is available; when the
domain can be registered, it calls home so that the "domain angel" can
register it.
The list they provide gets updated automatically and has mainly domains
with high Google rankings (maybe even yours).
Using the united power of many dumb users they hook many, many domains
getting freed by accident, and use them on their own if you refuse to
pay for their 'rescue service'.



The k2.exe 'plugin' can be downloaded here:
http://www.gratis-sex.ag/mpl.html


I guess they have some more locations where to get it.


The predecessor k.exe was analyzed very roughly here:
http://nepenthes.sourceforge.net/analysis:w32agent.dsi

but the analysis lacks a _very_ important part:
how to decrypt the data the server sends you to get the domain list
without running k.exe at all.

This information could be quite useful to run 'defense'.


So, if you got some spare time, please have a look at it, setting a
breakpoint on every call to InternetReadFile will get you right to the
point where the url list is downloaded, and afterwards decrypted.


I'm not picky when it comes to results; even if you got the decryption in
VB, just put it online.


common
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


