
[Full-disclosure] Domain Angels



Hi,

I just hit a great service we all don't want to use.

It's called "Domain Engel" and is run by some German domain panderer who
has been in the dialer business before, but as German law changed, and
dialers don't offer that much profit, he became a domain angel.

How it works:
They offer an "internet explorer" plugin called k2.exe on their homepages
and say you have access to various pay-only websites by running it.
The "plugin" downloads an encrypted list of domains from a webserver and
asks the appropriate registrar if the domain is available. When the
domain can be registered, it calls home so that the "domain angel" can
register it.
The list they provide gets updated automatically and has mainly domains
with high Google rankings (maybe even yours).
Using the united power of many dumb users, they hook many, many domains
getting freed by accident, and use them on their own if you refuse to
pay for their 'rescue service'.



The k2.exe 'plugin' can be downloaded here:
http://www.gratis-sex.ag/mpl.html


I guess they have some more locations where to get it.


The predecessor k.exe was analyzed very roughly here:
http://nepenthes.sourceforge.net/analysis:w32agent.dsi

but the analysis lacks a _very_ important part:
how to decrypt the data the server sends you to get the domain list
without running k.exe at all.

This information could be quite useful to run 'defense'.


So, if you've got some spare time, please have a look at it. Setting a
breakpoint on every call to InternetReadFile will get you right to the
point where the URL list is downloaded, and afterwards decrypted.


I'm not picky when it comes to results; even if you've got the decryption
in VB, just put it online.


common
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/