KernelMode.info

remark start

2010 year FakeAV
2011 year FakeAV
2012 year FakeAV
2013 year FakeAV
2014 year FakeAV

remark end

New year, new roguewares.

This one is:

Malware Defender 2015

From the same family:
Antivirus Defender 2015 Spyware Defender (2014)

Security Defender (Defender PRO 2015)

Antivirus Pro 2015

Thanks Blaze! Been looking for this sample.

@Blaze

Such a hello from the past :)

http://www.kernelmode.info/forum/viewto ... 4712#p4712

EP_X0FF wrote:@Blaze

Such a hello from the past :)

http://www.kernelmode.info/forum/viewto ... 4712#p4712

Here is the list of rogues in this family: http://www.bleepingcomputer.com/virus-r ... cdefender/

Yup, last one we saw from this family was AntiVirus Plus 2014 from 12/06/13. This was never a prolific family, with only about 11-12 variants released over a 4 year period.

Antivirus Pro 2017


Original: https://www.virustotal.com/en/file/312f ... 432579379/ > 26/57
Unpacked: https://www.virustotal.com/en/file/5187 ... 432579640/ > 15/56

Fraudulent payment processor for fake Antivirus: secure.billingauto.com 194.54.83.82
FakeAV call home: twinkcam.net 74.86.20.50
Fake site: securerem.com 194.54.83.83

Persistance: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AntiVirus Pro 2017
Fake Antivirus can be unistalled by using the argument: -uninstall

Unlock key: Y65RAW-T87FS1-U2VQF7A
Vidya: https://www.youtube.com/watch?v=Z_pLtVUCz8c

Thanks to siri for the sample.

Security Defender

Open random visa/xhamster/paypal websites and flash (epilepsy warning).

Network activity: VT: 6/52

Thanks Xylitol. This is a new campaign?

If so they stopped being creative as this was released previously:

http://www.bleepstatic.com/swr-guides/s ... screen.jpg