[Striker]

Antivirii 2011



http://truebs1cht.blogspot.com/2011/12/ ... -2011.html

Payment page: hxxp://50.116.98.208/~nstresse/purchase/

[BachMinuetInG]

Seems like Security Defender's fake scanner page is still in operation.
hxxp://yourowndefence.net/

But the download has shutdown.

That's a good sign.

[Xylitol]

for me the landing page work and lead to fake av download correctly
Sample of security defender are from the BTC affiliate.

Code: Select all

hxxp://natimon.com/us/includes/gift.htm
http://62.122.74.109/index.php?9CM=458UJZUB18W9L9Q95K&4VH1q=9RZ2609YZ7Q7LY9LIH3E11POT8Y452&80=1LVU2GG543&Qjy=48F4IgdaUDovUS5mX&rjup=SE3JVgNM1ZKQGYwPkshWBMwXTA5OlwhRFIkED1cJUdaVEUTOzpWIjtUU2xd&3v=KPX34FN7H94EKV&w6Z=UUQhIzcwPk0JKwh9CGFFBzcFRHdIaCRbVTQqS3xFBXZ5ZQ9qbgoPBk08KUM%3D
hxxp://update27.rostets.in/index.php?Q7DhDtT4bYdGm3qbM5pOjS45B3K7uGPbrXr+MBDs5+OCtyDqiLQ+IQOF4lrs5li/sy6nZigKH3U/954ZqQXCMlBaOy6M7+BLPttRhBeRu8kPahq3RaTn3q2Q4JyHwmYnySEmXPHgmk/hL/SJkTR5FvuFjJ+fAw7PWhWMMEbSAuTlL9cjj4jrK0ppETgC33XXpvC4gMkh2SbTe9zyU3XXo+PVDxr3OoXgJI60BA==

Code: Select all

http://rostets.in/ZNVlSbEnuf0Mcpqf0zjASOEX9admT9EYyBvqm3Od8j+1NyqXj0vvv7srWTNwY06Syq5bFYitwF/m3uNvpM8MXoHnUk+2yrm4MoqDh7q+Zq4ZuA07kqvvpr9uwKD+9L2GKB/skEWllWl5cnif2VvTMB0KnZcOlAjs1V5/2F3n4ilCNqY5ftllIQ+UfxN5S5RFc4FK5BMRy1E= | rostets.in | GET | application/force-download | 200 OK

http://rostets.in/PVCjdRchSf6LuJCPmq0EvtruRYkGV/Vrjkh1UeRhw6fXlyZUkOCJ1EKjEvzMjJ/efT28KXa1KrXJdscQOW6rVHdZCVfpEuZ7Dw2KDWgQ4eACjQ== | rostets.in | GET | text/html | 404 Not Found

http://rostets.in/l.php?aff_id=232&u={5129F7AA-8EAF-F8FD-3532-B0D0287A637B}&log_id=12 | rostets.in | GET | text/plain | 200 OK

http://rostets.in/sw/check.php?order_id= | rostets.in | GET | text/html | 200 OK

http://rostets.in/sw/232/1/{5129F7AA-8EAF-F8FD-3532-B0D0287A637B}/f64cba03-0fc9-41b3-a12a-285b918eda18/b.dat | rostets.in | GET | text/html | 200 OK

http://rostets.in/l.php?aff_id=232&u={5129F7AA-8EAF-F8FD-3532-B0D0287A637B}&log_id=9 | rostets.in | GET | text/plain | 200 OK

aff_id=232, mean this sample are from the partner n232
• dns: 1 ›› ip: 94.61.247.181 - adresse: ROSTETS.IN
• dns: 1 ›› ip: 94.61.247.181 - adresse: UPDATE27.ROSTETS.IN
• dns: 1 ›› ip: 94.61.247.181 - adresse: UPDATE58.TOPUPER.IN
BTC affiliate is know for using this IP for malware download, they have many ".in" domains who lead on this ip.

[BachMinuetInG]

Not working. They bring down the sites very quickly.

[EP_X0FF]

It is working. Probably you need proper IP country or referer.

[Xylitol]

FakeAV docs





Original and translated version (thanks to EP_X0FF)

Can be viewed here if you can't read .doc files:
FakeAV SITE: http://www.scribd.com/doc/75543830/Xyli ... cification
FakeAV GUI: http://www.scribd.com/doc/75543843/Xyli ... cification
FakeAV SITE (translated): http://www.scribd.com/doc/75543720/Xyli ... by-EP-X0FF
FakeAV GUI (translated): http://www.scribd.com/doc/75543712/Xyli ... by-EP-X0FF

And a tiny vid found on a recent sample: http://www.youtube.com/watch?v=YUUhcZ4MCn8

[Xylitol]

Trojan.Win32.Scar.fdiz
More infos: http://www.securelist.com/en/blog/20819 ... ed_Fake_AV

24/43 >> 55.8%
http://www.virustotal.com/file-scan/rep ... 1323816182

[Xylitol]

Security Monitor 2012

[BachMinuetInG]

Need format for files
http://www.securelist.com/en/blog/20819 ... ed_Fake_AV
E.g. how to run with fake av selection?

By the way
Uploading malware files to test:
hxxp://scanner-professional.net76.net (My website for testing malware sites)
I uploaded my files there.
hxxp://scanner-professional.net76.net/interface.php

Anyone tell me why it's not working?

[Xylitol]

FTC to refund rogue security software victims: http://blogs.technet.com/b/mmpc/archive ... ctims.aspx

Anyone tell me why it's not working?

Because you don't have php code inside php file ?
anyway that lame as fuck to code.