A forum for reverse engineering, OS internals and malware analysis 

 #10299  by Striker
 Sun Dec 11, 2011 7:57 pm
Antivirii 2011

Image

http://truebs1cht.blogspot.com/2011/12/ ... -2011.html

Payment page: hxxp://50.116.98.208/~nstresse/purchase/
Attachments: Setup + dropped files (unpacked), pass: malware (2.62 MiB)
 #10302  by BachMinuetInG
 Mon Dec 12, 2011 1:35 am
Seems like Security Defender's fake scanner page is still in operation.
hxxp://yourowndefence.net/
Image
But the download has shut down.
Image
That's a good sign.
 #10309  by Xylitol
 Mon Dec 12, 2011 10:06 am
For me the landing page works and leads to the fake AV download correctly.
Samples of Security Defender are from the BTC affiliate.
Code:
hxxp://natimon.com/us/includes/gift.htm
http://62.122.74.109/index.php?9CM=458UJZUB18W9L9Q95K&4VH1q=9RZ2609YZ7Q7LY9LIH3E11POT8Y452&80=1LVU2GG543&Qjy=48F4IgdaUDovUS5mX&rjup=SE3JVgNM1ZKQGYwPkshWBMwXTA5OlwhRFIkED1cJUdaVEUTOzpWIjtUU2xd&3v=KPX34FN7H94EKV&w6Z=UUQhIzcwPk0JKwh9CGFFBzcFRHdIaCRbVTQqS3xFBXZ5ZQ9qbgoPBk08KUM%3D
hxxp://update27.rostets.in/index.php?Q7DhDtT4bYdGm3qbM5pOjS45B3K7uGPbrXr+MBDs5+OCtyDqiLQ+IQOF4lrs5li/sy6nZigKH3U/954ZqQXCMlBaOy6M7+BLPttRhBeRu8kPahq3RaTn3q2Q4JyHwmYnySEmXPHgmk/hL/SJkTR5FvuFjJ+fAw7PWhWMMEbSAuTlL9cjj4jrK0ppETgC33XXpvC4gMkh2SbTe9zyU3XXo+PVDxr3OoXgJI60BA==
Code:
http://rostets.in/ZNVlSbEnuf0Mcpqf0zjASOEX9admT9EYyBvqm3Od8j+1NyqXj0vvv7srWTNwY06Syq5bFYitwF/m3uNvpM8MXoHnUk+2yrm4MoqDh7q+Zq4ZuA07kqvvpr9uwKD+9L2GKB/skEWllWl5cnif2VvTMB0KnZcOlAjs1V5/2F3n4ilCNqY5ftllIQ+UfxN5S5RFc4FK5BMRy1E= | rostets.in | GET | application/force-download | 200 OK

http://rostets.in/PVCjdRchSf6LuJCPmq0EvtruRYkGV/Vrjkh1UeRhw6fXlyZUkOCJ1EKjEvzMjJ/efT28KXa1KrXJdscQOW6rVHdZCVfpEuZ7Dw2KDWgQ4eACjQ== | rostets.in | GET | text/html | 404 Not Found

http://rostets.in/l.php?aff_id=232&u={5129F7AA-8EAF-F8FD-3532-B0D0287A637B}&log_id=12 | rostets.in | GET | text/plain | 200 OK

http://rostets.in/sw/check.php?order_id= | rostets.in | GET | text/html | 200 OK

http://rostets.in/sw/232/1/{5129F7AA-8EAF-F8FD-3532-B0D0287A637B}/f64cba03-0fc9-41b3-a12a-285b918eda18/b.dat | rostets.in | GET | text/html | 200 OK

http://rostets.in/l.php?aff_id=232&u={5129F7AA-8EAF-F8FD-3532-B0D0287A637B}&log_id=9 | rostets.in | GET | text/plain | 200 OK
aff_id=232 means this sample is from partner no. 232.
• dns: 1 ›› ip: 94.61.247.181 - address: ROSTETS.IN
• dns: 1 ›› ip: 94.61.247.181 - address: UPDATE27.ROSTETS.IN
• dns: 1 ›› ip: 94.61.247.181 - address: UPDATE58.TOPUPER.IN
The BTC affiliate is known for using this IP for malware downloads; they have many ".in" domains that lead to this IP.
Attachments: two archives, pw: infected (336.36 KiB, 218.77 KiB)
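The affiliate attribution in the post above rests on reading the check-in URLs: aff_id and the per-victim GUID in l.php, and the same two values repeated in the /sw/<aff_id>/.../b.dat payload path. The following is an added example, not code from the post or from the rogue AV kit, that pulls those indicators out of proxy log lines in the "url | host | method | content-type | status" layout shown above. The sample log is constructed here from the posted lines plus one benign request; the /sw/ path layout is assumed to be /sw/<aff_id>/<n>/{GUID}/<uuid>/b.dat, generalised from the single path in the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the four rostets.in requests from the post plus one
# unrelated request, in the same "url | host | method | content-type | status" layout.
SAMPLE_LOG = """\
http://rostets.in/l.php?aff_id=232&u={5129F7AA-8EAF-F8FD-3532-B0D0287A637B}&log_id=12 | rostets.in | GET | text/plain | 200 OK
http://rostets.in/sw/check.php?order_id= | rostets.in | GET | text/html | 200 OK
http://rostets.in/sw/232/1/{5129F7AA-8EAF-F8FD-3532-B0D0287A637B}/f64cba03-0fc9-41b3-a12a-285b918eda18/b.dat | rostets.in | GET | text/html | 200 OK
http://rostets.in/l.php?aff_id=232&u={5129F7AA-8EAF-F8FD-3532-B0D0287A637B}&log_id=9 | rostets.in | GET | text/plain | 200 OK
http://example.invalid/index.html | example.invalid | GET | text/html | 200 OK
"""

# Brace-wrapped GUID as used for the victim id (8-4-4-4-12 hex groups).
GUID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"
# Assumed payload path layout: /sw/<aff_id>/<n>/{GUID}/<uuid>/b.dat
SW_PATH_RE = re.compile(r"^/sw/(\d+)/\d+/(" + GUID + r")/[0-9a-f-]{36}/b\.dat$")


def parse_line(line):
    """Split one 'url | host | method | content-type | status' record; None if malformed."""
    fields = [f.strip() for f in line.split(" | ")]
    if len(fields) != 5 or not fields[0].startswith("http"):
        return None
    return dict(zip(("url", "host", "method", "content_type", "status"), fields))


def classify(url):
    """Return the affiliate indicators carried by one request URL, or None if unrelated."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)  # blank values such as order_id= are dropped
    if parts.path == "/l.php" and "aff_id" in qs:
        # Affiliate beacon: aff_id identifies the partner, u the infected host, log_id the event.
        return {"kind": "affiliate-beacon", "aff_id": qs["aff_id"][0],
                "victim": qs.get("u", [None])[0], "log_id": qs.get("log_id", [None])[0]}
    m = SW_PATH_RE.match(parts.path)
    if m:
        # Payload fetch: the same affiliate id and victim GUID are encoded in the path.
        return {"kind": "payload-fetch", "aff_id": m.group(1), "victim": m.group(2), "log_id": None}
    if parts.path == "/sw/check.php":
        return {"kind": "order-check", "aff_id": None, "victim": None, "log_id": None}
    return None


def summarise(log_text):
    """Aggregate per-affiliate evidence: beacon/payload counts, victim GUIDs, hosts contacted."""
    out = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        hit = classify(rec["url"])
        if hit is None or hit["aff_id"] is None:
            continue
        entry = out.setdefault(hit["aff_id"], {"beacons": 0, "payloads": 0,
                                               "victims": set(), "hosts": set()})
        entry["hosts"].add(rec["host"])
        if hit["victim"]:
            entry["victims"].add(hit["victim"])
        if hit["kind"] == "affiliate-beacon":
            entry["beacons"] += 1
        elif hit["kind"] == "payload-fetch":
            entry["payloads"] += 1
    return out


if __name__ == "__main__":
    for aff, info in summarise(SAMPLE_LOG).items():
        print("aff_id", aff, "beacons", info["beacons"], "payloads", info["payloads"],
              "victims", sorted(info["victims"]), "hosts", sorted(info["hosts"]))
```

Run over a real proxy export, the victims set tells you how many distinct installs report to a given affiliate id, and the hosts set collects the ".in" domains to pivot on by IP, as done with 94.61.247.181 above.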
 #10332  by Xylitol
 Tue Dec 13, 2011 9:21 am
FakeAV docs

Image

Image

Original and translated version (thanks to EP_X0FF)

Can be viewed here if you can't read .doc files:
FakeAV SITE: http://www.scribd.com/doc/75543830/Xyli ... cification
FakeAV GUI: http://www.scribd.com/doc/75543843/Xyli ... cification
FakeAV SITE (translated): http://www.scribd.com/doc/75543720/Xyli ... by-EP-X0FF
FakeAV GUI (translated): http://www.scribd.com/doc/75543712/Xyli ... by-EP-X0FF

And a tiny vid found on a recent sample: http://www.youtube.com/watch?v=YUUhcZ4MCn8
 #10350  by Xylitol
 Tue Dec 13, 2011 10:53 pm
Attachments: one archive, pw: infected (768.58 KiB)
 #10357  by Xylitol
 Wed Dec 14, 2011 10:58 am
Security Monitor 2012

Image
Attachments: three archives, pw: infected (4.86 MiB, 4.06 MiB, 2.63 MiB)
 #10359  by BachMinuetInG
 Wed Dec 14, 2011 1:04 pm
Need the format for the files
http://www.securelist.com/en/blog/20819 ... ed_Fake_AV
E.g. how to run it with the fake AV selection?

By the way
Uploading malware files to test:
hxxp://scanner-professional.net76.net (My website for testing malware sites)
I uploaded my files there.
hxxp://scanner-professional.net76.net/interface.php

Anyone tell me why it's not working?
 #10386  by Xylitol
 Thu Dec 15, 2011 6:16 pm
FTC to refund rogue security software victims: http://blogs.technet.com/b/mmpc/archive ... ctims.aspx
xwxproductions wrote:Anyone tell me why it's not working?
Because you don't have PHP code inside the PHP file?
Anyway, that's lame as fuck to code.